Slashdot Mirror


Firefox Most Vulnerable Browser, Safari Close

An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.

7 of 369 comments

  1. Re:I wonder by PNutts · · Score: 5, Insightful

    I haven't read your post yet but you're wrong.

  2. Re:I wonder by MozeeToby · · Score: 5, Insightful

    Even if their information is accurate, which I don't see how it could possibly be, it is meaningless. Number of flaws is a horrible way to measure system security since it doesn't take into account severity, ease of attack, unreported flaws, or un-acknowledged flaws. When you get down to it, there really isn't any good way to measure security, but I would bet hours spent in code reviews would correlate much better than number of reported flaws.

  3. Re:I wonder by Teflonatron · · Score: 5, Insightful

    I didn't see anything in the actual report that explained how their results were arrived at. For that reason alone, this report is worthless. It's just a marketing document for use in selling their own security products.

    However, it did make reference to the numbers being representative of "reported vulnerabilities", which we all know is going to make Firefox look worse than IE. This is verified by realizing Opera (also closed source) scored less than IE.

  4. Re:I wonder by Sandbags · · Score: 5, Insightful

    Worse, patch SEVERITY was not accounted for in these results, nor was the fact that many patches were for unexploited vulnerabilities, and others were to close ITW threats...

    FF and Safari rank bad in this article, but when looking at the raw data, patch severity, and exploited patch footprint, IE is the worst, even though not patched very often.

    I'd also note that a single patch may include fixes for numerous bugs, and this is additionally not covered in the scope of this article. A single patch in IE recently fixed more than 10 vulnerabilities...

    --
    There is no contest in life for which the unprepared have the advantage.

  5. How the results were compiled by Anonymous Coward · · Score: 5, Insightful

    According to the report, as best I can determine, this is how they found their results:

    "Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB, as well as other third party databases"

    It seems reasonable that any/all open source software would have a higher number of reports in these databases than proprietary software, simply because more people are able to publicly scan and report on vulnerabilities... by definition, open source software conducts its business in public, while proprietary software does so behind its private curtain.

  6. "Reported" bugs? by Bluemumba · · Score: 5, Insightful

    Isn't counting bugs released as part of press releases and change logs kind of like saying "All confirmed criminals are in jail?"

  7. Re:I wonder by Galestar · · Score: 5, Insightful

    The PDF in the article is mostly marketing, and does not do much in the way of explaining how they arrived at those numbers other than: "Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB as well as other third party databases for Web application security issues reported during the first half of 2009." We can therefore conclude that those numbers are based upon reported vulnerabilities, regardless of whether or not they were fixed. From my experience Firefox has a good habit of quickly patching security vulnerabilities. For example, there is the SSL spoof vulnerability discovered late July that Firefox fixed in 5 days and IE/Safari/Chrome still haven't fixed in over 3 months (AFAIK). So there is nothing to indicate that Firefox is necessarily a less secure browser.

    --
    AccountKiller
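Comments 2, 4 and 7 above argue that a raw count of reported vulnerabilities ignores severity, whether a bug was exploited in the wild, how many bugs one patch closes, and how long a product stayed unpatched. The script below is an added illustration of that argument, not part of the thread and not derived from the Cenzic report: it runs four counting methods over a small constructed data set (two hypothetical browsers, made-up advisory ids and CVSS scores) and shows that the "most vulnerable" ranking flips depending on which method is chosen.

```python
"""Constructed example: how the counting method changes a 'most vulnerable' ranking.

All records below are made up for illustration. They are NOT data from the
Cenzic report or from any real advisory database.

Each record: (product, advisory_id, cvss_base_score, exploited_in_the_wild,
              days_until_patched or None if still unpatched)
Several records may share one advisory_id: one patch fixing several bugs.
"""
from collections import defaultdict

# Hypothetical products and advisories (constructed sample input).
RECORDS = [
    ("BrowserA", "A-2009-01", 4.3, False, 3),
    ("BrowserA", "A-2009-01", 5.0, False, 3),
    ("BrowserA", "A-2009-02", 6.8, False, 5),
    ("BrowserA", "A-2009-03", 4.0, False, 7),
    ("BrowserA", "A-2009-04", 5.0, False, 4),
    ("BrowserB", "B-2009-01", 9.3, True, 60),
    ("BrowserB", "B-2009-01", 9.3, True, 60),
    ("BrowserB", "B-2009-01", 7.5, False, 60),
    ("BrowserB", "B-2009-02", 10.0, True, None),
]


def raw_count(records):
    """The press-release metric: one point per reported vulnerability."""
    counts = defaultdict(int)
    for product, *_ in records:
        counts[product] += 1
    return dict(counts)


def patch_count(records):
    """Count distinct advisories instead, since one patch may close many bugs."""
    advisories = defaultdict(set)
    for product, advisory, *_ in records:
        advisories[product].add(advisory)
    return {p: len(s) for p, s in advisories.items()}


def severity_weighted(records):
    """Sum CVSS base scores so a 10.0 outweighs several 4.0s."""
    totals = defaultdict(float)
    for product, _, cvss, *_ in records:
        totals[product] += cvss
    return {p: round(t, 1) for p, t in totals.items()}


def exposure_days(records, window_days=180):
    """Days each product was exposed to bugs exploited in the wild.

    An unpatched exploited bug counts as exposed for the whole reporting
    window (180 days, i.e. one half-year, is an assumed window length).
    """
    exposure = {product: 0 for product, *_ in records}
    for product, _, _, exploited, days in records:
        if exploited:
            exposure[product] += window_days if days is None else days
    return exposure


def rank(metric):
    """Products ordered worst-first under a metric (ties broken by name)."""
    return sorted(metric, key=lambda p: (-metric[p], p))


if __name__ == "__main__":
    for name, fn in [("raw count", raw_count), ("patch count", patch_count),
                     ("severity weighted", severity_weighted),
                     ("exposure days", exposure_days)]:
        result = fn(RECORDS)
        print(f"{name:18s} {result}  worst first: {rank(result)}")
```

On this data BrowserA "wins" the raw count (5 bugs to 4) and the patch count, yet BrowserB is worse under every metric that looks at severity or time exposed to exploited bugs; the comparison itself, not the specific numbers, is the point.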