Firefox Most Vulnerable Browser, Safari Close
An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.
So just down the page on Slashdot, this very day, there are warnings about a "Windows kernel vulnerability" that is exploited through IE. I'll take three cross-site scripting bugs any day over a kernel level compromise, thank you.
I know the world doesn't have a good objective measure of "impact" to assign to these things so that one could assess the total "probable inconvenience" of the presented security vulnerabilities, and that makes unbiased data gathering difficult, but this feels pretty absurd.
So in other words, this isn't a count of how many vulnerabilities there are, it's a count of how many vulnerabilities are found and fixed.
Something tells me their methodology is a bit flawed. Of course, that's by design, given Cenzic's financial ties to Microsoft.
I am officially gone from
lol, touche.
Still, do you really have to read it?
It seems like one of these bootlicking/astro-turfing 'studies' from some consulting agency or 'solution' vendor comes along about every 6 months in the Slashdot headlines.
Upon reading TFA, this one seems no more credible than any other.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
It's plugins. I've seen several machines recently infected; no files were showing as having been downloaded, but based on the temp files used to start the infection it appears that Adobe Reader is being used quite a lot as an avenue for infection.
Wow, so if I merely released my own binary-only build of Firefox and never mentioned any fixed vulnerabilities in release notes, this study would have found it with far fewer vulnerabilities than Firefox? I think I found a vulnerability in this study...
Plus a few under 10%. The funny thing is that the article seems to blame the browser for SQL Injection, Web Server, Information Leak / Disclosure? WTF?
... what?
Information Leaks could be the result of any attack, SQL Injection has nothing at all to do with any browser, and "Web Server"? There is no real information other than a nice shaded 3D pie chart, so what this guy is trying to prove is beyond me. It also includes Path Traversal, which is server side as well, and code injection; well, injection into what? The browser, the server
Even if one agrees that these companies are actual web applications and not software companies, you would have to agree that there really are only about 10 commonly used web servers in total, so Sun, IBM and Apache will be on this list regardless of the exploit.
Looking at the real report, all of the exploits blamed on the browsers are based on SQL Injections and propagating malicious code from the originator of the web site, so how could one browser handle this more effectively than another? This doesn't really make a lot of sense, so anyone gifted with more ability than myself please reply below.
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
I was wondering that myself... how is SQL injection a fault of the browser? I mean... I suppose a plugin could try SQL injections when submitting forms, but I don't see how that could be any worse on any other browser, AND it doesn't compromise the browser or the client's system.
Stupid, sexy Flanders.
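To make the point of the preceding comments concrete, here is an added example (not code from the report, the article, or any poster in this thread) showing why SQL injection is a property of the server-side code and not of the client that submits the form. The two login functions, the in-memory SQLite table, the user rows and the payload strings are all constructed for illustration; the form-field values are exactly what a browser, a plugin, curl or a script would send, so which client sent them cannot change the outcome.

```python
import sqlite3

# Constructed sample accounts (hypothetical, not from the Cenzic report).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build a throwaway in-memory database standing in for the web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Server-side string concatenation: the submitted fields become SQL text.

    This is the bug. It lives entirely in the server code; nothing about the
    client that posted the form is involved.
    """
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Parameterised query: the driver passes the fields as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# Two classic form-field payloads (constructed). The first uses a SQL
# comment to drop the password check; the second makes the WHERE clause
# always true so every row is returned.
COMMENT_PAYLOAD = ("alice' --", "wrong")
TAUTOLOGY_PAYLOAD = ("' OR '1'='1", "' OR '1'='1")


def demo():
    """Run both payloads through both implementations and return the results."""
    conn = make_db()
    return {
        "vulnerable_comment": login_vulnerable(conn, *COMMENT_PAYLOAD),
        "vulnerable_tautology": login_vulnerable(conn, *TAUTOLOGY_PAYLOAD),
        "safe_comment": login_safe(conn, *COMMENT_PAYLOAD),
        "safe_tautology": login_safe(conn, *TAUTOLOGY_PAYLOAD),
        "safe_legitimate": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The vulnerable function logs in as alice with the wrong password for the comment payload and returns every user for the tautology payload; the parameterised version returns nothing for either and only matches the genuine credentials. Swapping the client (Firefox, Safari, IE, a PDF reader plugin, a raw socket) changes none of these results, which is the objection the comments above are raising about the report's attribution.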
Pardon my ignorance, but how exactly is Cenzic tied financially to Microsoft again? Google's got nothing (and Bing has less).
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1