Firefox Most Vulnerable Browser, Safari Close

← Back to Stories (view on slashdot.org)

Firefox Most Vulnerable Browser, Safari Close

Posted by CmdrTaco on Wednesday November 11, 2009 @05:45AM from the say-what-now dept.

An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.

24 of 369 comments (clear)

Min score:

Reason:

Sort:

I wonder by somersault · 2009-11-11 05:47 · Score: 4, Insightful

How many of these vulnerabilities were due to Firefox itself, and how many due to plugins?

--
which is totally what she said
1. Re:I wonder by Shatrat · 2009-11-11 05:49 · Score: 4, Insightful
  
  Haven't RTFA yet but I bet they are using patch notes as their source of vulnerabilities.
  If that's the case then obviously well-documented and frequently-patched browsers will be over-represented.
  
  --
  09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
2. Re:I wonder by PNutts · 2009-11-11 05:59 · Score: 5, Insightful
  
  I haven't read your post yet but you're wrong.
3. Re:I wonder by rudy_wayne · 2009-11-11 06:00 · Score: 4, Insightful
  
  I get your point, but in the end, what is the difference? Many people are die hard users of the plugins (I use firefox and I'll never understand the hype) that they insist they could never go without them, and in many cases it's the primary force in their decision to use firefox.
  
  You're confusing plugins with extensions.
4. Re:I wonder by MozeeToby · 2009-11-11 06:00 · Score: 5, Insightful
  
  Even if their information is accurate, which I don't see how it could possibly be, it is meaningless. Number of flaws is a horrible way to measure system security since it doesn't take into account severity, ease of attack, unreported flaws, or un-acknowledged flaws. When you get down to it, there really isn't any good way to measure security, but I would bet hours spent in code reviews would correlate much better than number of reported flaws.
5. Re:I wonder by LBArrettAnderson · 2009-11-11 06:01 · Score: 3, Insightful
  
  "Haven't RTFA..." -Shatrat
  I guess that's enough for dkleinsc (and most anti-MS slashdotters (slightly redundant, yes)) to jump to conclusions.
6. Re:I wonder by Teflonatron · 2009-11-11 06:03 · Score: 5, Insightful
  
  I didn't see anything in the actual report that explained how their results were arrived at. For that reason alone, this report is worthless. It's just a marketing document for use in selling their own security products.
  However, it did make reference to the numbers being representative of "reported vulnerabilities", which we all know is going to make Firefox look worse that IE. This is verified by realizing Opera (also closed source) scored less than IE.
7. Re:I wonder by Sandbags · 2009-11-11 06:04 · Score: 5, Insightful
  
  Worse, patch SEVERITY was not accounted for in these results, nor was the fact that many patches were for unexploited vulnerabilitys, and others were to close ITW threats...
  FF and Safari rank bad in this article, but when looking at the raw data, patch severity, and explited patch footprint, IE is the worst, even though not patched very often.
  I'd also note that a single patch may include fixes for numerous bugs, and this is additionally not covered in the scope of this article. A single patch in IE recently fixed more than 10 vulnerabilties...
  
  --
  There is no contest in life for which the unprepared have the advantage.
8. Re:I wonder by ircmaxell · 2009-11-11 06:18 · Score: 4, Insightful
  
  What about IE vulnerabilities that are inherent from its close tie to the OS? I'll bet that they didn't count vulnerabilities like today's http://tech.slashdot.org/story/09/11/11/0053244/Microsoft-Plugs-Drive-By-and-14-Other-Holes since it wasn't a flaw in IE itself. It was just attackable through IE....
  
  --
  If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
9. Re:I wonder by Galestar · 2009-11-11 06:47 · Score: 5, Insightful
  
  The PDF in the article is mostly marketing, and does not do much in the way of explaining how they arrived at those numbers other than; "Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB as well as other third party databases for Web application security issues reported during the first half of 2009." We can therefore conclude that those numbers are based upon reported vulnerabilities, regardless of whether or not they were fixed. From my experience Firefox has a good habit of quickly patching security vulnerabilities. For example, there is the SSL spoof vulnerability discovered late July that Firefox fixed in 5 days and IE/Safari/Chrome still haven't fixed in over 3 months AFAIK) So there is nothing to indicate that Firefox is necessarily a less secure browser.
  
  --
  AccountKiller
10. Re:I wonder by leonbloy · 2009-11-11 08:11 · Score: 3, Insightful
  
  The funny thing is that the article seems to blame the browser for SQL Injection...
  
  ...all of the exploits blamed on the browsers are based on SQL Injections and propagating malicious code from the originator of the web..
  No. "Vulnerabities in web aplications" is the total set, of which just 8% correspond to web browsers. (From that 8%, the 44% goes to Firefox) The remaining 92% are problems due to web servers and applications (phpMyAdmin, and so); SQL Injections among them. I agree with many other posters, though, in that the report is bullshit, just some graphs and no information about how the data was obtained.
11. Re:I wonder by commodore64_love · 2009-11-11 09:00 · Score: 4, Insightful
  
  The thing noticed is that the "most vulnerable" browsers were open-source (Firefox, Safari) and the least vulnerable were closed-source (Explorer, Opera) with a huge gap in between these two types.
  Could it be that closed-source aps simply don't publish their vulnerabilities, so that makes them look better?
  
  --
  "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
12. Re:I wonder by Bigjeff5 · 2009-11-11 09:35 · Score: 4, Insightful
  
  Safari is not open-source, WebKit is. Prove me wrong by finding a copy of Safari 4's source code. Yeah, didn't think so. The vulnerabilities aren't necessarily related to the browser engine (though they certainly can be).
  From what I understand the report was based on the number of vulnerabilities patched, not announced. for IE these are released every tuesday of every month, for FireFox I believe they are released whenever they are finished.
  Vulnerabilities patched is a decent indicator, because for closed source you would not know about any unpatched vulnerabilities that were discovered internally (and there are a lot) before patching. Any serious vulnerability that MS knows about MUST be patched for IE, for if it is discovered they knew for any extended period about a serious vulnerability and did nothing, they risk losing the confidence of their business partners.
  So despite the fact that some people, particularly open-source advocates, don't trust MS to patch vulnerabilities, it is certainly in their best interest to do so. The evidence is the speed and number of vulnerabilities they patch.
  I don't think severity would help the metric in favor of Firefox or Safari because serious vulnerabilities get patched as quickly as possible on all sides (except maybe when Safari devs don't consider a severe vulnerability severe, heh), and a large portion of patches that MS releases for IE are less than critical.
  With the most recent versions of IE Microsoft has really cleaned up its act in regards to security, and they have the ability to be the best at it if they choose to be.
  Patched vulnerabilities may not be the best metric, but I think you'd be hard pressed to find a better one.
  
  --
  Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
13. Re:I wonder by Runaway1956 · 2009-11-11 09:51 · Score: 3, Insightful
  
  Ditto what Mage Powers said. There's zero information in TFA, and little more in PDF. FUD, for certain.
  If the talking chimps care to publish meaningful information, I'll be happy to read it. At this point in time, there is nothing to agree or to disagree with.
  Sensationalist headlines, nothing more, and nothing less. Wonder how much Microsoft paid them for this "story"?
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
14. Re:I wonder by Bigjeff5 · 2009-11-11 09:55 · Score: 3, Insightful
  
  So I'm assuming you don't trust surveys sponsored by rivals of MS either, right?
  Right?
  No?
  I thought so. You just don't like the results. If the methodology truly is flawed, Firefox and Safari can hire another company to do another survey. If the results are the complete opposite, then we know one or both surveys are complete bullshit, and we can't really trust either without a truly independant survey.
  I don't know if you know this, but survey companies don't do this kind of work for free. They can't. If Mozilla and Apple aren't interested in a fair and balanced survey, but Microsoft is, MS has no choice but to foot the bill for it themselves. The opposite is also true, as is the inverse (if MS wants a manipulated survey, they have to pay for it). Regardless of who wants it done or how fairly and accurately it is done, Cenzic is not going to do it without money.
  If you really want to cast doubt on the survey, why not attempt to verify their results? You're commiting a classic logical fallacy (circumstantial ad hominem) I see here on Slashdot a lot - especially regarding MS. That this company has done business with MS in the past does not make their claim false. No matter how much you wish that were so, it is not the case.
  You've also fallen victim to the "poisoned well" fallacy - you believe the things you've heard about MS's motives, and therefore any information produced by MS must be false. This is foolishness. Be skeptical, but don't outright assume that because it came from MS it is wrong. You are doing yourself a great disservice by thinking this way.
  With all that said, I can confidently say that I have absolutely no idea how valid this survey is. It seems pretty legitimate to me but I haven't exactly scruitinized it either.
  
  --
  Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
15. Re:I wonder by tbannist · 2009-11-11 10:03 · Score: 4, Insightful
  
  Most of your analysis just seems completely wrong. Microsoft has left vulnerabilities unpatched for years after they were to disclosed before, I see no reason they wouldn't do it again. In theory their business partners might lose confidence, but let's be frank most of Microsoft's business partners are entirely reliant on Microsoft, it'd takes years for them to make any significant changes. Effectively Microsoft can do whatever it wants, and it has.
  Vulnerabilities listed in patch notes are not a good metric for determine which browser is "most vulnerable" because patch notes can be easily gamed by a closed source company. Simply roll up a bunch of nominally related bugs into one patch and suddenly your browser is more secure than the competition. It relies on the all of the groups involved acting in good faith which is naive at best.
  Yesterday Microsoft released a patch for IE that prevents a drive-by rooting of your computer on all versions of Windows (Except 7 and 2008 R2) and all versions of IE. Sure. And yet it's somehow supposedly to be more secure than Firefox?
  We've heard the same tired refrain from Microsoft sponsored people every time they target a new company. They pay people to make up statistics and lie about the competition. I, for one, am tired of it.
  
  --
  Fanatically anti-fanatical
16. Re:I wonder by IgnoramusMaximus · 2009-11-11 15:06 · Score: 4, Insightful
  
  With all that said, I can confidently say that I have absolutely no idea how valid this survey is. It seems pretty legitimate to me but I haven't exactly scruitinized it either.
  
  The "study" was conducted by methodology unknown, includes no references to raw data and goes completely against publicly available data (which many posters on this thread provided references to, such as the lists of CERT advisories and the like). This, combined with the fact that the company seems financially motivated to produce pro-Microsoft propaganda, leads sane observers to dismiss the thing out of hand.
  
  So I'm assuming you don't trust surveys sponsored by rivals of MS either, right?
  
  Why, yes! The value of a survey is in its methodology and 3rd-party verifiability, not in who produced the thing. Science and all that, no?
17. Re:I wonder by Serious+Callers+Only · 2009-11-11 20:31 · Score: 3, Insightful
  
  So I'm assuming you don't trust surveys sponsored by rivals of MS either, right? No? I thought so. You just don't like the results.
  Do you often argue with yourself?
  What makes you jump to the conclusion that someone who mistrusts this bullshit report wouldn't also mistrust bullshit reports from companies with ties to other browser vendors?
  This study covers 2 quarters (a statistically meaningless sample), runs against all verifiable statistcs from the likes of CERT, gives no basis for its figures, and contains just one pie chart to back up its conclusions. It's patent nonsense.
  You clearly haven't looked very closely at the survey, and are subject to the same happy ignorance you accuse the poster above of.
  
  It seems pretty legitimate to me but I haven't exactly scruitinized it either.
  QED
who is cenzic? by bl8n8r · 2009-11-11 05:51 · Score: 4, Insightful

Just another consultant hired to slant reality if you ask me.
http://search.cert.org/search?q=advisory+internet+explorer
http://search.cert.org/search?q=advisory+firefox

--
boycott slashdot February 10th - 17th check out: altSlashdot.org
1. Re:who is cenzic? by Jaysyn · 2009-11-11 06:07 · Score: 3, Insightful
  
  Not hardly.
  Firefox = Results 1 - 5 of about 61
  IE = Results 1 - 10 of about 367
  
  --
  There is a war going on for your mind.
How the results were compiled by Anonymous Coward · 2009-11-11 06:13 · Score: 5, Insightful

According to the report, as best I can determine, this is how they found their results:
"Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB, as well as other third party databases"
It seems reasonable that any/all open source software would have a higher number of reports in these databases than proprietary software, simply because more people are able to publicly scan and report on vulnerabilities... by definition, open source software conducts it's business in public, while proprietary software does so behind it's private curtain.
"Reported" bugs? by Bluemumba · 2009-11-11 06:23 · Score: 5, Insightful

Isn't counting bugs released as part of press releases and change logs kind of like saying "All confirmed criminals are in jail?"
Yet another deliberately lying bullshit story! by Hurricane78 · 2009-11-11 06:25 · Score: 4, Insightful

Comparing openly known vulnerabilities, and calling it "all in all vulnerability".
As if they wouldn't know perfectly well, that Microsoft sends a cease and desist letter to anyone who is even talking about a vulnerability that is not official to MS.
I guess the old saying is true, that:
If you can't program, you teach.
If you can't teach, you administrate.
If you can't administrate, you report.
If you can't report, you criticize.

--
Any sufficiently advanced intelligence is indistinguishable from stupidity.
duration of vulnerability by bfree · 2009-11-11 06:53 · Score: 3, Insightful

Lots of comments mentioning the lack of taking into account of the severity of the bugs, but what about the duration of the vulnerabilities. Or to extend that train of thought, if IE has a current known exploit (or collection of them) there's not as much incentive to go finding another one if you know the one you have won't be closed for another few weeks/months anyway. I suspect with firefox any hole found will be fixed with a released patch far more quickly (and as others mentioned, possibly before any exploits are known of) so you have to keep finding new ones if you want to use firefox as a way in to a machine.
In summary, FUD off

--
Never underestimate the dark side of the Source