Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Most Vulnerable Browser, Safari Close

Posted by CmdrTaco on from the say-what-now dept.

An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.

3 of 369 comments (clear)

  1. Re:Certified by cmeans · · Score: 5, Informative
    And then there's this:

    http://www.cenzic.com/pr_20061011/

    --
    Give a hand, not a hand-out.
  2. Re:I wonder by natehoy · · Score: 5, Informative

    Have read the article, and the attached PDF, and they only state the conclusions. No mention is made of how they counted vulnerabilities, only that Firefox had 44% of them, and that they represented "Web Vulnerabilities by Major Type". Adding to the confusion was that they also talked about applications and servers and alternated back and forth between the three with little warning.

    Also interesting was that "ActiveX" was listed as a technology separate from Web Browsers, the one time it was mentioned. In other words, their vulnerability percentage, which is already vague, may not include ActiveX vulnerabilities within IE. Or they may. All we know is that they claim IE has 15%.

    Nowhere is there mention of what constitutes a reportable vulnerability, what versions of each browser were counted, how they were classified or even what the classifications were, what sorts of reports were included by browser (did plugins or addons get included in Firefox? ActiveX for IE? For multiplatform browsers like Opera, Firefox, and Safari, were vulnerabilities mitigated by only being exploitable on some platforms and not others, or reported multiple times - once for each vulnerable platform?)

    The PDF was severely [citation needed], but remarkably honest in that it expressed surprise that Firefox was the most vulnerable web browser when compared IE, Safari, and Opera, and comprised almost half the identified vulnerabilities among the four browsers.

    If this is like most reports of the same type, they are using vendor-reported bugs. Firefox would, by definition, have the largest bug list by any stretch in such a report. They are the only web browser development team that allows (and encourages) access to the same bug-tracking database that their developers use. Safari, IE, and Opera only report vulnerabilities when (a) they have been fixed, or (b) when so many reports have come out that they finally have to 'fess up.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  3. Re:Certified by adamchou · · Score: 5, Informative

    You didn't mention how to become an MCP though. Its not just a matter of filling out a form and sending it to Microsoft. These companies go through a rigorous set of evaluations based specifically around Microsoft products in order to become MCP. So although Microsoft might not control them, their pocket books do and they sure as hell invested a lot of money to become MCP's.