Firefox Most Vulnerable Browser, Safari Close

← Back to Stories (view on slashdot.org)

Firefox Most Vulnerable Browser, Safari Close

Posted by CmdrTaco on Wednesday November 11, 2009 @05:45AM from the say-what-now dept.

An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.

93 of 369 comments (clear)

Min score:

Reason:

Sort:

I wonder by somersault · 2009-11-11 05:47 · Score: 4, Insightful

How many of these vulnerabilities were due to Firefox itself, and how many due to plugins?

--
which is totally what she said
1. Re:I wonder by Shatrat · 2009-11-11 05:49 · Score: 4, Insightful
  
  Haven't RTFA yet but I bet they are using patch notes as their source of vulnerabilities.
  If that's the case then obviously well-documented and frequently-patched browsers will be over-represented.
  
  --
  09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
2. Re:I wonder by dkleinsc · 2009-11-11 05:55 · Score: 4, Interesting
  
  So in other words, this isn't a count of how many vulnerabilities there are, it's a count of how many vulnerabilities are found and fixed.
  Something tells me their methodology is a bit flawed. Of course, that's by design, given Cenzic's financial ties to Microsoft.
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
3. Re:I wonder by PNutts · 2009-11-11 05:59 · Score: 5, Insightful
  
  I haven't read your post yet but you're wrong.
4. Re:I wonder by rudy_wayne · 2009-11-11 06:00 · Score: 4, Insightful
  
  I get your point, but in the end, what is the difference? Many people are die hard users of the plugins (I use firefox and I'll never understand the hype) that they insist they could never go without them, and in many cases it's the primary force in their decision to use firefox.
  
  You're confusing plugins with extensions.
5. Re:I wonder by MozeeToby · 2009-11-11 06:00 · Score: 5, Insightful
  
  Even if their information is accurate, which I don't see how it could possibly be, it is meaningless. Number of flaws is a horrible way to measure system security since it doesn't take into account severity, ease of attack, unreported flaws, or un-acknowledged flaws. When you get down to it, there really isn't any good way to measure security, but I would bet hours spent in code reviews would correlate much better than number of reported flaws.
6. Re:I wonder by LBArrettAnderson · 2009-11-11 06:01 · Score: 3, Insightful
  
  "Haven't RTFA..." -Shatrat
  I guess that's enough for dkleinsc (and most anti-MS slashdotters (slightly redundant, yes)) to jump to conclusions.
7. Re:I wonder by Teflonatron · 2009-11-11 06:03 · Score: 5, Insightful
  
  I didn't see anything in the actual report that explained how their results were arrived at. For that reason alone, this report is worthless. It's just a marketing document for use in selling their own security products.
  However, it did make reference to the numbers being representative of "reported vulnerabilities", which we all know is going to make Firefox look worse that IE. This is verified by realizing Opera (also closed source) scored less than IE.
8. Re:I wonder by Sandbags · 2009-11-11 06:04 · Score: 5, Insightful
  
  Worse, patch SEVERITY was not accounted for in these results, nor was the fact that many patches were for unexploited vulnerabilitys, and others were to close ITW threats...
  FF and Safari rank bad in this article, but when looking at the raw data, patch severity, and explited patch footprint, IE is the worst, even though not patched very often.
  I'd also note that a single patch may include fixes for numerous bugs, and this is additionally not covered in the scope of this article. A single patch in IE recently fixed more than 10 vulnerabilties...
  
  --
  There is no contest in life for which the unprepared have the advantage.
9. Re:I wonder by Shatrat · 2009-11-11 06:05 · Score: 5, Interesting
  
  lol, touche.
  Still, do you really have to read it?
  It seems like one of these bootlicking/astro-turfing 'studies' from some consulting agency or 'solution' vendor comes along about every 6 months in the Slashdot headlines.
  Upon reading TFA, this one seems no more credible than any other.
  
  --
  09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
10. Re:I wonder by bangthegong · 2009-11-11 06:13 · Score: 2, Interesting
  
  a much more credible report, IMO because they are at least honest about their methodology and the weaknesses or strengths of how to look at different data: http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
11. Re:I wonder by ircmaxell · 2009-11-11 06:18 · Score: 4, Insightful
  
  What about IE vulnerabilities that are inherent from its close tie to the OS? I'll bet that they didn't count vulnerabilities like today's http://tech.slashdot.org/story/09/11/11/0053244/Microsoft-Plugs-Drive-By-and-14-Other-Holes since it wasn't a flaw in IE itself. It was just attackable through IE....
  
  --
  If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
12. Re:I wonder by noidentity · 2009-11-11 06:23 · Score: 3, Interesting
  
  Wow, so if I merely released my own binary-only build of Firefox and never mentioned any fixed vulnerabilities in release notes, this study would have found it with far fewer vulnerabilities than Firefox? I think I found a vulnerability in this study...
13. Re:I wonder by calidoscope · 2009-11-11 06:25 · Score: 4, Informative
  
  The Register's article on the Cenzic report also speculated the the report was based on published vulnerabilities. They made some rude noises about Cenzic's focus on the number of the vulnerabilities as opposed to the severity of vulnerabilities.
  
  --
  A Shadeless room is a brighter room.
14. Re:I wonder by Anonymous Coward · 2009-11-11 06:30 · Score: 2, Interesting
  
  Hypocrisy? He didn't say anything about the article. All he said was that the previous two posters made conclusions based on absolutely nothing.
15. Re:I wonder by Actually,+I+do+RTFA · 2009-11-11 06:35 · Score: 4, Informative
  
  So in other words, this isn't a count of how many vulnerabilities there are, it's a count of how many vulnerabilities are found and fixed. Something tells me their methodology is a bit flawed. Of course, that's by design, given Cenzic's financial ties to Microsoft.
  Actually, in other words, the GP was making shit up. But since it conformed to your worldview, you agreed with it and based an entire post on it even though he said he didn't RTFA. Somehow it then got modded to +5.
  In reality, the vulnerabilities were culled from a variety of 1st and 3rd party sources.
  
  --
  Your ad here. Ask me how!
16. Re:I wonder by natehoy · 2009-11-11 06:40 · Score: 5, Informative
  
  Have read the article, and the attached PDF, and they only state the conclusions. No mention is made of how they counted vulnerabilities, only that Firefox had 44% of them, and that they represented "Web Vulnerabilities by Major Type". Adding to the confusion was that they also talked about applications and servers and alternated back and forth between the three with little warning.
  Also interesting was that "ActiveX" was listed as a technology separate from Web Browsers, the one time it was mentioned. In other words, their vulnerability percentage, which is already vague, may not include ActiveX vulnerabilities within IE. Or they may. All we know is that they claim IE has 15%.
  Nowhere is there mention of what constitutes a reportable vulnerability, what versions of each browser were counted, how they were classified or even what the classifications were, what sorts of reports were included by browser (did plugins or addons get included in Firefox? ActiveX for IE? For multiplatform browsers like Opera, Firefox, and Safari, were vulnerabilities mitigated by only being exploitable on some platforms and not others, or reported multiple times - once for each vulnerable platform?)
  The PDF was severely [citation needed], but remarkably honest in that it expressed surprise that Firefox was the most vulnerable web browser when compared IE, Safari, and Opera, and comprised almost half the identified vulnerabilities among the four browsers.
  If this is like most reports of the same type, they are using vendor-reported bugs. Firefox would, by definition, have the largest bug list by any stretch in such a report. They are the only web browser development team that allows (and encourages) access to the same bug-tracking database that their developers use. Safari, IE, and Opera only report vulnerabilities when (a) they have been fixed, or (b) when so many reports have come out that they finally have to 'fess up.
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
17. Re:I wonder by gregmac · 2009-11-11 06:43 · Score: 2, Funny
  
  IE is the worst, even though not patched very often.
  maybe... s/even though/because it is/ ?
  
  --
  Speak before you think
18. Re:I wonder by roc97007 · 2009-11-11 06:44 · Score: 2, Insightful
  
  What makes this particularly bad is that vendors can improve their scores by neglecting to patch their browsers. The less responsible they are, the better their marketing numbers.
  
  --
  Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
19. Re:I wonder by Galestar · 2009-11-11 06:47 · Score: 5, Insightful
  
  The PDF in the article is mostly marketing, and does not do much in the way of explaining how they arrived at those numbers other than; "Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB as well as other third party databases for Web application security issues reported during the first half of 2009." We can therefore conclude that those numbers are based upon reported vulnerabilities, regardless of whether or not they were fixed. From my experience Firefox has a good habit of quickly patching security vulnerabilities. For example, there is the SSL spoof vulnerability discovered late July that Firefox fixed in 5 days and IE/Safari/Chrome still haven't fixed in over 3 months AFAIK) So there is nothing to indicate that Firefox is necessarily a less secure browser.
  
  --
  AccountKiller
20. Re:I wonder by Nikker · 2009-11-11 06:57 · Score: 4, Interesting
  I actually RTFA and the vulnerabilities it accounts for are
  
  SQL Injection 25%
  XSS 17%
  Web Server 2%
  Buffer Errors 12%
  Web Browser 8%
  Authentication / Authorization 14%
  Plus a few under 10%. The funny thing is that the article seems to blame the browser for SQL Injection, Web Server, Information Leak / Disclosure? WTF?
  
  Information Leaks could be the result of any attack, SQL Injection has nothing at all to do with any browser and "Web Server"? There is no real information other than a nice shaded 3D pie chart so what this guy is trying to prove is beyond me. It also includes Path Traversal which is server side as well, code injection well injection into what? The browser, the server ... what?
  
  Popular vendors including Sun, IBM, and Apache continue to be among the top 10 most vulnerable Web applications named.
  Even if some agrees that these companies are actual web applications and not software companies, you would have to agree that there really are only about 10 commonly used web servers in total so Sun, IBM and Apache will be on this list regardless of the exploit.
  
  Looking at the real report all of the exploits blamed on the browsers are based on SQL Injections and propagating malicious code from the originator of the web site so how could one browser handle this more effectively then another? This doesn't really make a lot of sense so anyone gifted with more ability then myself please reply below.
  --
  A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
21. Re:I wonder by Mister+Whirly · 2009-11-11 07:06 · Score: 2, Insightful
  
  How is that hypocrisy? Unless you think he jumped to a conclusion about the previous poster jumping to a conclusion (which would be a stretch considering the previous poster admitted to have not read the article). He didn't claim they were wrong, only that they were making assumptions because they hadn't read TFA.
  
  --
  "But this one goes to 11!"
22. Re:I wonder by fredjh · 2009-11-11 07:07 · Score: 3, Interesting
  
  I was wondering that myself... how is SQL injection a fault of the browser? I mean... I suppose a plugin could try SQL injections when submitting forms, but I don't see how that could be any worse on any other browser, AND it doesn't compromise the browser or the client's system.
  
  --
  Stupid, sexy Flanders.
23. Re:I wonder by tuxgeek · 2009-11-11 07:09 · Score: 2, Insightful
  
  bootlicking/astro-turfing 'studies' from some consulting agency or 'solution' vendor comes along about every 6 months
  TFA gives NO details on the OS platform. I would assume FF on M$ would be more exploitable than FF on *nix, given the nature and track record of M$
  Even more ridiculous is the slam of Apache as the top 10% most vulnerable. That is pure bullshit!
  
  --
  "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
24. Re:I wonder by Bloody+Peasant · 2009-11-11 07:14 · Score: 4, Informative
  
  So in other words, this isn't a count of how many vulnerabilities there are, it's a count of how many vulnerabilities are found and fixed.
  I read the report. It is a marketing document, with one person (Mandeep Khera, Chief Marketing Officer) identified in it as both project lead and executive editor.
  Also, despite the fact that the report itself downplays browser vulnerabilities (8% vs. 90% web apps, 2% web servers), they still put in a single token page which just seems out of place. Nowhere does it say what their methodology is for determining what comprises a "vulnerability". Another poster already pointed out the google search results on the CERT site (~367 for IE, ~61 for Firefox; that's over 6 times more vulnerability reports on the CERT site for IE versus those for Firefox; oops, was I shouting?).
  I suspect the authors' methodology is simply to count something like the number of patches. Given Microsoft's monthly bundling of their security patches, and the Mozilla Firefox project's immediate release of more frequent version updates in response to vulnerability reports and discoveries, such methodology leads to a systematic undersampling of those for IE. A better approach would be to count verified CVE candidates.
  Pure speculation: were they paid by anyone to put that browser breakdown in (it really doesn't seem to belong in my opinion), or was it ignorance or lack of thinking? Without an honest clarification from the company we'll probably never know.
  
  --
  -- This .sig intentionally left meaningless.
25. Re:I wonder by Kratisto · 2009-11-11 07:19 · Score: 2, Funny
  
  No one said anything about RTFR; you're getting off-topic.
  
  --
  Conscience is the inner voice which warns us that someone may be looking.
26. Re:I wonder by http · 2009-11-11 07:26 · Score: 4, Interesting
  
  Pardon my ignorance, but how exactly is Cenzic tied financially to Microsoft again? Google's got nothing (and bing has less).
  
  --
  If opportunity came disguised as temptation, one knock would be enough.
  3^2 * 67^1 * 977^1
27. Re:I wonder by w0mprat · 2009-11-11 07:29 · Score: 5, Funny
  
  I don't even bother posting I use a form.
  
  -- Slashdot posting form --
  ...
  [ ] RTFA
  [ ] In soviet russia ____ YOU!
  [ ] Obligatory XKCD
  [ ] _____ you insensitive clod.
  [ ] Get off my lawn
  [x] I don't even bother posting I use a form.
  ...
  
  --
  After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
28. Re:I wonder by wealthychef · 2009-11-11 07:34 · Score: 2, Interesting
  
  I wonder what difference it makes that there are more or less vulnerabilities reported. What actually matters is the total exposure, which I would define, for each browser, as
  the sum over all vulnerabilities of:
  (number of browsers with vulnerability) x (damage possible if vulnerability is exploited) x (chance of actually exploiting the vulnerability).
  
  --
  Currently hooked on AMP
29. Re:I wonder by fluffy99 · 2009-11-11 07:42 · Score: 2, Informative
  
  If a vulnerability isn't found, that what's the problem? By that notion, both browsers have undiscovered issues. I do wonder if they were double or triple counting Firefox vulnerabilities as it is supported on more platforms.
  Another, probably more reliable source would be secunia.com. Counting Firefox 3.0.x and 3.5.x, there were a total 18 issues in 2009 (13 and 5 respectively). Counting IE6, IE7, and IE8 there is a total of 18 vulnerabilities (6,6, and 4 respectively). Looks like pretty comparable numbers and severity to me.
30. Re:I wonder by SharpFang · 2009-11-11 07:48 · Score: 2, Insightful
  
  ActiveX is listed separately? Yay, that explains why MSIE fares so well.
  MSIE is a rather simple GUI built around the ActiveX HTML Browser control ("Trident" engine). So the exploits that affect all browsers that use it (IE, FF+IE Frame, Netscape, Maxthon, and a bunch of others) are simply listed as ActiveX exploits.Only exploits that are dependent on MSIE GUI layer are counted as MSIE ones.
  It's like they counted only XUL interface exploits for Firefox, treating Gecko rendering engine as a separate system with its own list, not affecting Firefox.
  
  --
  45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
31. Re:I wonder by WinterSolstice · 2009-11-11 07:49 · Score: 4, Informative
  
  I was going to point this out as well - there was nothing really backing up the browser diagram at all. They didn't even really go into how they determined these vulnerabilities existed, even though they did go into how web apps break down (reasonably enough).
  Just another BS FUD report
  
  --
  An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
32. Re:I wonder by leonbloy · 2009-11-11 08:11 · Score: 3, Insightful
  
  The funny thing is that the article seems to blame the browser for SQL Injection...
  
  ...all of the exploits blamed on the browsers are based on SQL Injections and propagating malicious code from the originator of the web..
  No. "Vulnerabities in web aplications" is the total set, of which just 8% correspond to web browsers. (From that 8%, the 44% goes to Firefox) The remaining 92% are problems due to web servers and applications (phpMyAdmin, and so); SQL Injections among them. I agree with many other posters, though, in that the report is bullshit, just some graphs and no information about how the data was obtained.
33. Re:I wonder by commodore64_love · 2009-11-11 09:00 · Score: 4, Insightful
  
  The thing noticed is that the "most vulnerable" browsers were open-source (Firefox, Safari) and the least vulnerable were closed-source (Explorer, Opera) with a huge gap in between these two types.
  Could it be that closed-source aps simply don't publish their vulnerabilities, so that makes them look better?
  
  --
  "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
34. Re:I wonder by GumphMaster · 2009-11-11 09:16 · Score: 4, Informative
  
  In what way is a Microsoft Certified Partner not financially tied to the maintenance of the Microsoft ecosystem in the face of encroaching offerings, particularly in the browser space?
  A more cynical person might assert that a company peddling security assessment tools for web servers would actively promote less secure server systems that kept them in business. Spreading FUD about a browser is only peripheral to that but it does feed the "non-Microsoft is bad" or "open-source is bad" ethic of senior management and bean counters... keeping major systems on Microsoft platforms and Cenzic in business. As I say though, you'd have to cynical ;)
  
  --
  Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
35. Re:I wonder by RenderSeven · 2009-11-11 09:23 · Score: 2, Funny
  
  If Bing has less info on Cenzic, it *proves* they are secretly allied with Microsoft!
36. Re:I wonder by Bigjeff5 · 2009-11-11 09:35 · Score: 4, Insightful
  
  Safari is not open-source, WebKit is. Prove me wrong by finding a copy of Safari 4's source code. Yeah, didn't think so. The vulnerabilities aren't necessarily related to the browser engine (though they certainly can be).
  From what I understand the report was based on the number of vulnerabilities patched, not announced. for IE these are released every tuesday of every month, for FireFox I believe they are released whenever they are finished.
  Vulnerabilities patched is a decent indicator, because for closed source you would not know about any unpatched vulnerabilities that were discovered internally (and there are a lot) before patching. Any serious vulnerability that MS knows about MUST be patched for IE, for if it is discovered they knew for any extended period about a serious vulnerability and did nothing, they risk losing the confidence of their business partners.
  So despite the fact that some people, particularly open-source advocates, don't trust MS to patch vulnerabilities, it is certainly in their best interest to do so. The evidence is the speed and number of vulnerabilities they patch.
  I don't think severity would help the metric in favor of Firefox or Safari because serious vulnerabilities get patched as quickly as possible on all sides (except maybe when Safari devs don't consider a severe vulnerability severe, heh), and a large portion of patches that MS releases for IE are less than critical.
  With the most recent versions of IE Microsoft has really cleaned up its act in regards to security, and they have the ability to be the best at it if they choose to be.
  Patched vulnerabilities may not be the best metric, but I think you'd be hard pressed to find a better one.
  
  --
  Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
37. Re:I wonder by Barny · 2009-11-11 09:39 · Score: 2, Interesting
  
  Possibility that if the majority of the document is on server level stuff, then did they maybe test IE with "enhanced protection" that comes with server? Effectively its like firefox with no-script but has none of the user-friendliness of no-script.
  
  --
  ...
  /me sighs
38. Re:I wonder by Anonymous Coward · 2009-11-11 09:44 · Score: 2, Insightful
  
  As are IBM, Oracle, Sun and the majority of the IT world. hell even a lot of open source companies are. being a Microsoft certified partner is hardly being financially tied to MS.
39. Re:I wonder by eulernet · 2009-11-11 09:47 · Score: 4, Funny
  
  If we continue Cenzic's approach, we can prove that IE6 is the most secure browser, since there are no more patches for it.
40. Re:I wonder by Runaway1956 · 2009-11-11 09:51 · Score: 3, Insightful
  
  Ditto what Mage Powers said. There's zero information in TFA, and little more in PDF. FUD, for certain.
  If the talking chimps care to publish meaningful information, I'll be happy to read it. At this point in time, there is nothing to agree or to disagree with.
  Sensationalist headlines, nothing more, and nothing less. Wonder how much Microsoft paid them for this "story"?
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
41. Re:I wonder by Bigjeff5 · 2009-11-11 09:55 · Score: 3, Insightful
  
  So I'm assuming you don't trust surveys sponsored by rivals of MS either, right?
  Right?
  No?
  I thought so. You just don't like the results. If the methodology truly is flawed, Firefox and Safari can hire another company to do another survey. If the results are the complete opposite, then we know one or both surveys are complete bullshit, and we can't really trust either without a truly independant survey.
  I don't know if you know this, but survey companies don't do this kind of work for free. They can't. If Mozilla and Apple aren't interested in a fair and balanced survey, but Microsoft is, MS has no choice but to foot the bill for it themselves. The opposite is also true, as is the inverse (if MS wants a manipulated survey, they have to pay for it). Regardless of who wants it done or how fairly and accurately it is done, Cenzic is not going to do it without money.
  If you really want to cast doubt on the survey, why not attempt to verify their results? You're commiting a classic logical fallacy (circumstantial ad hominem) I see here on Slashdot a lot - especially regarding MS. That this company has done business with MS in the past does not make their claim false. No matter how much you wish that were so, it is not the case.
  You've also fallen victim to the "poisoned well" fallacy - you believe the things you've heard about MS's motives, and therefore any information produced by MS must be false. This is foolishness. Be skeptical, but don't outright assume that because it came from MS it is wrong. You are doing yourself a great disservice by thinking this way.
  With all that said, I can confidently say that I have absolutely no idea how valid this survey is. It seems pretty legitimate to me but I haven't exactly scruitinized it either.
  
  --
  Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
42. Re:I wonder by tbannist · 2009-11-11 10:03 · Score: 4, Insightful
  
  Most of your analysis just seems completely wrong. Microsoft has left vulnerabilities unpatched for years after they were to disclosed before, I see no reason they wouldn't do it again. In theory their business partners might lose confidence, but let's be frank most of Microsoft's business partners are entirely reliant on Microsoft, it'd takes years for them to make any significant changes. Effectively Microsoft can do whatever it wants, and it has.
  Vulnerabilities listed in patch notes are not a good metric for determine which browser is "most vulnerable" because patch notes can be easily gamed by a closed source company. Simply roll up a bunch of nominally related bugs into one patch and suddenly your browser is more secure than the competition. It relies on the all of the groups involved acting in good faith which is naive at best.
  Yesterday Microsoft released a patch for IE that prevents a drive-by rooting of your computer on all versions of Windows (Except 7 and 2008 R2) and all versions of IE. Sure. And yet it's somehow supposedly to be more secure than Firefox?
  We've heard the same tired refrain from Microsoft sponsored people every time they target a new company. They pay people to make up statistics and lie about the competition. I, for one, am tired of it.
  
  --
  Fanatically anti-fanatical
43. Re:I wonder by Bigjeff5 · 2009-11-11 10:06 · Score: 2, Insightful
  
  Bingo, all I see are logical fallacies attacking Cenzic because people don't like the results. You don't dispute bad results by saying the source of the information is evil, because that has absolutely no bearing on whether or not the results are factual.
  
  --
  Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
44. Re:I wonder by h4rm0ny · 2009-11-11 10:20 · Score: 2, Insightful
  
  Sensationalist headlines, nothing more, and nothing less. Wonder how much Microsoft paid them for this "story"?
  If Microsoft paid them for this story then why is Opera light years ahead of IE ? Opera's success also undermines the statements of other posters elsewhere saying that IE earns its place due to its close-sourced nature.
  
  --
  
  Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
45. Re:I wonder by Anonymous Coward · 2009-11-11 10:24 · Score: 4, Informative
  
  Well it seems Opera are not too impressed with the report either, despite the fact they come first:
  http://my.opera.com/haavard/blog/2009/11/10/cenzic-security
  Which is interesting. Not often you see a company criticise a report that shows them in such a good light
46. Re:I wonder by lazybeam · 2009-11-11 10:31 · Score: 2, Insightful
  
  Opera is European, and you just know that makes them better by default! :)
  
  --
  -- no sig for you. come back one year.
47. Re:I wonder by DarkAxi0m · 2009-11-11 11:09 · Score: 3, Funny
  
  you forgot space alignment factor and the dice roll.... *sigh*
  (number of browsers with vulnerability) x (damage possible if vulnerability is exploited) x (chance of actually exploiting the vulnerability) / (the alignment of the moon and mars) + 2d6.
48. Re:I wonder by timmarhy · 2009-11-11 11:19 · Score: 2, Insightful
  
  your tirade should be pointed at apple as well then. they are closed source AND had a shitload of vulnerabilities, as well as having a record of not rolling out patches quickly. whats your excuse for them?
  maybe you should take a good hard look at OSS supposed security prowess, if you really were so confident firefox is more secure then IE, you wouldn't get so defensive.
  
  --
  If you mod me down, I will become more powerful than you can imagine....
49. Re:I wonder by kestasjk · 2009-11-11 12:00 · Score: 2, Interesting
  
  I'm a firefox user and I accept this study and that IE8 may well be more secure. They have made huge leaps in security since IE6, using sandboxing and whatnot to lessen the impacts of vulnerabilities found as well, and their security zone settings allow fine-grained choices regarding how secure you want to be vs what you need to run, and the integration with Active Directory allows security policy to be spread across enterprises easily.
  Firefox is much more tuned to individual users, and needs extra plugins like NoScript to give rudimentary access level controls.
  
  But Firefox supports the latest and greatest web standards, has a real community of users which make great plugins like NoScript and Adblock and Firebug, and is always trying new things like the awesome bar. If I wanted tin-foil-hat level security I'd use IE8 with a restrictive security policy, but realistically these days the difference between highly secure and pretty-damned-secure isn't that great; you're more likely to get a virus by being a dumbass and installing something you shouldn't than from an actual web-browser vulnerability.
  
  I do think trying to find flaws in the study and questioning the motives when it doesn't look favorably on your favorite browser, as most people here are doing, is just narrow minded and petty.
  
  --
  // MD_Update(&m,buf,j);
50. Re:I wonder by IgnoramusMaximus · 2009-11-11 15:06 · Score: 4, Insightful
  
  With all that said, I can confidently say that I have absolutely no idea how valid this survey is. It seems pretty legitimate to me but I haven't exactly scruitinized it either.
  
  The "study" was conducted by methodology unknown, includes no references to raw data and goes completely against publicly available data (which many posters on this thread provided references to, such as the lists of CERT advisories and the like). This, combined with the fact that the company seems financially motivated to produce pro-Microsoft propaganda, leads sane observers to dismiss the thing out of hand.
  
  So I'm assuming you don't trust surveys sponsored by rivals of MS either, right?
  
  Why, yes! The value of a survey is in its methodology and 3rd-party verifiability, not in who produced the thing. Science and all that, no?
51. Re:I wonder by cheeseboy001 · 2009-11-11 16:09 · Score: 2, Informative
  
  That's a dude's blog. As in, "The views stated herein are my own, and do not necessarily represent those of Opera Software."
52. Re:I wonder by Serious+Callers+Only · 2009-11-11 20:31 · Score: 3, Insightful
  
  So I'm assuming you don't trust surveys sponsored by rivals of MS either, right? No? I thought so. You just don't like the results.
  Do you often argue with yourself?
  What makes you jump to the conclusion that someone who mistrusts this bullshit report wouldn't also mistrust bullshit reports from companies with ties to other browser vendors?
  This study covers 2 quarters (a statistically meaningless sample), runs against all verifiable statistcs from the likes of CERT, gives no basis for its figures, and contains just one pie chart to back up its conclusions. It's patent nonsense.
  You clearly haven't looked very closely at the survey, and are subject to the same happy ignorance you accuse the poster above of.
  
  It seems pretty legitimate to me but I haven't exactly scruitinized it either.
  QED
53. Re:I wonder by Hatta · 2009-11-12 04:15 · Score: 2, Interesting
  
  From what I understand the report was based on the number of vulnerabilities patched, not announced
  The pdf of the report is linked from the article. Browser vulnerabilities are mentioned on only one page, on which no methodology is discussed. Most of the article has to do with web applications. For the web applications, they repeatedly use the term "reported vulnerabilities", not patched. They do discuss that the number of actual vulnerabilities may be lower than reported vulnerabilities for proprietary web applications. I'd bet they're using reported vulnerabilities for browsers too. Here is the entire text of the section on Web Browser Vulnerabilities:
  
  Vulnerabilities in Web browsers were concentrated among four popular technologies -
  Internet Explorer, Mozilla Firefox, Opera, and Safari. The number of browser
  vulnerabilities in first half of 2009 comprised about 8 percent of total Web vulnerabilities.
  Mozilla Firefox had the largest percentage at 44 percent. What was surprising was that
  the Safari browser had a lot more vulnerabilities at 35 percent this time around mainly
  due to vulnerabilities reported in iPhone Safari. Internet Explorer was third at 15 percent
  and Opera with six percent of total browser vulnerabilities.
  
  So this report is entirely useless. They don't discuss their methodology, which is likely to be suspect. Ignore it.
  
  --
  Give me Classic Slashdot or give me death!
Huh? by Anonymous Coward · 2009-11-11 05:47 · Score: 5, Interesting

So just down the page on slashdot, this very day, there are warnings about a "Windows kernel vulnerability" that is exploited through IE. I'll take three cross-site scripting bugs any day over a kernel level compromise, thank you.
I know the world doesn't have a good objective measure of "impact" to assign to these things so that one could assess the total "probable inconvenience" of the presented security vulnerabilities, and that makes unbiased data gathering difficult, but this feels pretty absurd.
1. Re:Huh? by Anonymous Coward · 2009-11-11 06:33 · Score: 2, Informative
  
  So just down the page on slashdot, this very day, there are warnings about a "Windows kernel vulnerability" that is exploited through IE. I'll take three cross-site scripting bugs any day over a kernel level compromise, thank you.
  I know the world doesn't have a good objective measure of "impact" to assign to these things so that one could assess the total "probable inconvenience" of the presented security vulnerabilities, and that makes unbiased data gathering difficult, but this feels pretty absurd.
  The link for those too lazy to go find it:
  http://tech.slashdot.org/story/09/11/11/0053244/Microsoft-Plugs-Drive-By-and-14-Other-Holes
Certified by rwv · 2009-11-11 05:48 · Score: 5, Funny

It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.

There is an explanation for that.
Cenzic Recognized as a Microsoft Certified Partner, Experiences Substantial Momentum in Q2
1. Re:Certified by MiniMike · 2009-11-11 05:53 · Score: 4, Funny
  
  That makes sense, because if anyone had told me that Firefox had more vulnerabilities than all the other browsers I would think that they were certifiable...
2. Re:Certified by captaindomon · 2009-11-11 06:00 · Score: 2, Informative
  
  Eh, being a Microsoft Certified Partner means next to nothing. Almost all the development firms I have worked for (from five employees to tens of thousands) are certified partners, it just means you get a discount on MSDN purchases and a nice little glass trophy. It doesn't mean Microsoft is controlling you. (They may be controlling Cenzic, but you can't say that just because they are a certified partner).
  
  --
  Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
3. Re:Certified by cmeans · 2009-11-11 06:10 · Score: 5, Informative
  
  And then there's this:
  http://www.cenzic.com/pr_20061011/
  
  --
  Give a hand, not a hand-out.
4. Re:Certified by adamchou · 2009-11-11 07:20 · Score: 5, Informative
  
  You didn't mention how to become an MCP though. Its not just a matter of filling out a form and sending it to Microsoft. These companies go through a rigorous set of evaluations based specifically around Microsoft products in order to become MCP. So although Microsoft might not control them, their pocket books do and they sure as hell invested a lot of money to become MCP's.
who is cenzic? by bl8n8r · 2009-11-11 05:51 · Score: 4, Insightful

Just another consultant hired to slant reality if you ask me.
http://search.cert.org/search?q=advisory+internet+explorer
http://search.cert.org/search?q=advisory+firefox

--
boycott slashdot February 10th - 17th check out: altSlashdot.org
1. Re:who is cenzic? by Jaysyn · 2009-11-11 06:07 · Score: 3, Insightful
  
  Not hardly.
  Firefox = Results 1 - 5 of about 61
  IE = Results 1 - 10 of about 367
  
  --
  There is a war going on for your mind.
2. Re:who is cenzic? by xgr3gx · 2009-11-11 06:10 · Score: 3, Informative
  
  Missing this one, the lowest of all:
  http://search.cert.org/search?q=advisory+opera
  
  --
  Shameless plug alert: Game server control panel
3. Re:who is cenzic? by Silfax · 2009-11-11 08:21 · Score: 2, Interesting
  
  hits search
  
  367 http://search.cert.org/search?q=advisory+internet+explorer
  89 http://search.cert.org/search?q=advisory+netscape
  61 http://search.cert.org/search?q=advisory+firefox
  20 http://search.cert.org/search?q=advisory+safari
  18 http://search.cert.org/search?q=advisory+opera
  12 http://search.cert.org/search?q=advisory+lynx
  
  clearly, the fewer number of letters in the name of your browser makes it more secure.
Hard to tell from the article by xzvf · 2009-11-11 05:58 · Score: 2, Informative

The article has a pie chart and the link to the "detailed report" only has a pie chart. I guess we just have to trust Cenzic the internet security application provider. Doesn't even break it down by version number of browser or severity of exploit.
Nothing to see here by El_Muerte_TDS · 2009-11-11 06:03 · Score: 2, Interesting

From the report.

Popular vendors including Sun, IBM, and Apache continue to be among the top 10 most vulnerable Web applications named.

Wait... so vendors and now applications?
They continue to say that Java and PHP are very vulnerable, but it's actually applications written in Java and PHP, not the language+runtime itself. In that case you could say that C++ has the most vulnerabilities.
Re:Firefox IS getting infected in the wild by Anonymous Coward · 2009-11-11 06:09 · Score: 3, Interesting

Its plugins. Ive seen several machines recently infected, no files were showing as having been downloaded, but based on the temp files used to start the infection it appears that Adobe Reader is being used quite a lot as an avenue for infection
How the results were compiled by Anonymous Coward · 2009-11-11 06:13 · Score: 5, Insightful

According to the report, as best I can determine, this is how they found their results:
"Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB, as well as other third party databases"
It seems reasonable that any/all open source software would have a higher number of reports in these databases than proprietary software, simply because more people are able to publicly scan and report on vulnerabilities... by definition, open source software conducts it's business in public, while proprietary software does so behind it's private curtain.
Re:Firefox IS getting infected in the wild by 1001011010110101 · 2009-11-11 06:16 · Score: 2, Insightful

Define "Infected Firefox installations"
Maybe you mean "PC with Firefox installed thats infected by a {virus|trojan|keylogger|spyware}" ?
Still, installing Firefox doesn't prevent you from catching something for running infected software or prevents someone from installing some crap that puts toolbars or BonziBuddy into your PC....
Comment removed by account_deleted · 2009-11-11 06:18 · Score: 2, Informative

Comment removed based on user account deletion
"Reported" bugs? by Bluemumba · 2009-11-11 06:23 · Score: 5, Insightful

Isn't counting bugs released as part of press releases and change logs kind of like saying "All confirmed criminals are in jail?"
Comment removed by account_deleted · 2009-11-11 06:23 · Score: 3, Informative

Comment removed based on user account deletion
Yet another deliberately lying bullshit story! by Hurricane78 · 2009-11-11 06:25 · Score: 4, Insightful

Comparing openly known vulnerabilities, and calling it "all in all vulnerability".
As if they wouldn't know perfectly well, that Microsoft sends a cease and desist letter to anyone who is even talking about a vulnerability that is not official to MS.
I guess the old saying is true, that:
If you can't program, you teach.
If you can't teach, you administrate.
If you can't administrate, you report.
If you can't report, you criticize.

--
Any sufficiently advanced intelligence is indistinguishable from stupidity.
1. Re:Yet another deliberately lying bullshit story! by tool462 · 2009-11-11 06:56 · Score: 2, Insightful
  
  And to draw the chain to its conclusion:
  If you can't criticize, complain on Slashdot. :)
I have experience here by Effugas · 2009-11-11 06:33 · Score: 2, Interesting

So, I'm posting as somebody who has gotten critical fixes pushed into both IE and Firefox. (Technically, Chrome and Opera too, but those were the pure crypto vulns.)
It's genuinely hard to write a secure web browser. Forget plugins -- you have a complex internal object model, subject to all sorts of very fine grained rules ("the filename on an input type=file form must not be settable from Javascript"), which can be made into a pile of moving parts under the control of an attacker. What's happened somewhat recently is a lot more people have gotten into bashing Firefox. You know those "many eyes" theories of open source, and how they're usually kind of full of it?
Well, "many eyes" are visiting it now, and Mozilla to their credit is doing a lot of very hard work to deal with the influx. Good on them.
Re:Maybe he is at fault? by s1lverl0rd · 2009-11-11 06:36 · Score: 2, Funny

Am I the only one who thinks that a MitM is a little far-fetched?
Anyone notice that the so called "study" is a... by Em+Ellel · 2009-11-11 06:45 · Score: 2, Insightful

Anyone else notice that the so called "study" is actually a marketing material for some SaaS product? If you like that there are some great whitepapers out there... LOL.
its a joke - they just downloaded some bug reports, made some pretty graphs and called it a report. I will bet you the person putting it together could not explain what a "web browser vulnerability" is - other than something that should scare people to buy their product.

--
RelevantElephants: A Somatic WebComic...
Anyone else notice the Chrome-coloured charts? by Chris+Daniel · 2009-11-11 06:46 · Score: 2, Funny

Glossy, primary colours, circles ... reminds of the Chrome logo.

--
Don't blame me -- I voted for Roslin.
Brought to you by the fine folks in Marketing by darthyoshiboy · 2009-11-11 06:49 · Score: 2, Informative

The project was both lead and edited by one Mandeep Khera, Chief Marketing Officer, Cenzic, Inc.
Put together more or less entirely by marketing people at a company that is trying to sell you web security.
I don't know about you guys but I've never known people in marketing to be anything less than the most fine and upstanding sort of the disgusting vile unmitigated cock sucking pustules that ever formed on the unwashed asses of pond scum.
duration of vulnerability by bfree · 2009-11-11 06:53 · Score: 3, Insightful

Lots of comments mentioning the lack of taking into account of the severity of the bugs, but what about the duration of the vulnerabilities. Or to extend that train of thought, if IE has a current known exploit (or collection of them) there's not as much incentive to go finding another one if you know the one you have won't be closed for another few weeks/months anyway. I suspect with firefox any hole found will be fixed with a released patch far more quickly (and as others mentioned, possibly before any exploits are known of) so you have to keep finding new ones if you want to use firefox as a way in to a machine.
In summary, FUD off

--
Never underestimate the dark side of the Source
1. Re:duration of vulnerability by swillden · 2009-11-11 07:40 · Score: 2, Insightful
  
  Lots of comments mentioning the lack of taking into account of the severity of the bugs, but what about the duration of the vulnerabilities.
  Agreed. The most accurate way to assess vulnerability based on reported security defects is to categorize them by severity and then total up days of vulnerability by category. Additional weight should be given to vulnerabilities with a released exploit.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Details? by Alerius · 2009-11-11 06:59 · Score: 2, Interesting

So I *did* RTFA and found it was fluff. So I read the linked PDF report to try and find out some details on what these gaping security holes in my favourite browser actually were. I did not want to have to eat crow over my repeated recommendations to us Firefox over IE because it was more secure. Well, there's plenty of space dedicated to reporting server side vulnerabilities, plenty on web apps, lots of repetition of how surprised they were to find Firefox and Safari so vulnerable...but nothing on what vulnerabilities. No mention of types of vulnerability, frequency, core browser, plug-ins, add-ins, versions, ZIP!
The 29 page report has one page that is mostly taken up with a lovely colourlful exploded pie chart. There is more space dedicated to advertising the Cenzic products and services than there is referencing browser vulnerabilities.
This is isn't a report, it's a sales pitch.
Right from their own website.... by Dare978Devil · 2009-11-11 07:07 · Score: 2, Informative

"Cenzic's acceptance to the SecureIT Alliance alongside our recent designation as a Microsoft Certified Partner highlights our expertise and experience in working with Microsoft technologies as well as a proven ability to meet customer needs," said Mandeep Khera, vice president of marketing for Cenzic. http://www.cenzic.com/pr_20061011/ So, this report on browser vulnerabilities must be "Fair and Balanced" given that they are a Microsoft Certified Partner.
SQL injection? by rrohbeck · 2009-11-11 07:16 · Score: 2, Interesting

The top vulnerability is SQL injection.
Can anybody explain how the browser is responsible for SQL injection vulns?

--
thegodmovie.com - watch it
Not really surprising... by DdJ · 2009-11-11 07:20 · Score: 2, Insightful

It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.
Well. Remember that "the front door is unlocked, the guard has been dosed with chloral hydrate, and there's a loaded shotgun just laying there on the credenza" could collectively be called one single vulnerability. Quantity doesn't trump quality!
Obama and Swine Flu by gcatullus · 2009-11-11 07:47 · Score: 2, Funny

Well I actually looked at the pdf report. It starts off with "What do the swine flu and hackers have in common". That started to get a laugh, but then the executive summary says that web vulnerabilities are getting better because of Obama. How can anyone take this seriously??
Being open and honest about bugs is a good thing by syousef · 2009-11-11 07:56 · Score: 2, Interesting

Haven't RTFA yet but I bet they are using patch notes as their source of vulnerabilities.
So the headline should have been "Firefox most transparent browser when it comes to vulnerabilities".
I'm no FF fanboi. I think they've gone off the rails in a lot of ways - especially by forcing users to accept changes that many changes they don't like such as AWFULBAR. However one thing they do right is they're transparent about bugs and vulnerabilities (at least once they're able to reproduce them). The whole article is a fucking troll.

--
These posts express my own personal views, not those of my employer
Fundamental flaw: "PUBLIC vulnerabilities" by seifried · 2009-11-11 08:17 · Score: 2, Insightful

The fundamental flaw of all these studies is that they are NBOT measuring vulnerabilities, they are measuring PUBLIC vulnerabilities. Two very different things.
sloppy by mr.dreadful · 2009-11-11 08:35 · Score: 2, Insightful

"Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB, OWASP, as well as other third party databases for Web application security issues reported during the first half of 2009." Ah -- the old "count the number of bug reports" technique. I won't even bother ranting about that
Microsoft beats all in security tests! by David+Gerard · 2009-11-11 08:44 · Score: 4, Funny

Microsoft is reeling from the vicious and unwarranted slanders of security companies and the US government’s Computer Emergency Response Team that its Internet Explorer web browser has alleged “security holes” or is in any way less than the finest software known to mankind and excellent value for your money. "Cenzic proves it's Firefox! FIREFOX DID IT! Fuckers."
The festering paedophiles of CERT have gone so outrageously far as to make the ludicrous claim that just viewing a malicious webpage in IE could leave your computer open to being hacked and turned into a Russian Mafia spam server. “We don’t know what could have triggered such vindictiveness,” sobbed Microsoft marketing marketer’s marketer Steve Ballmer. “Do they hate free enterprise that much?”
There are things you can do to make your computing experience even more secure. Microsoft’s official suggestion — make sure your anti-virus software is up to date and using an entire CPU doing nothing much, click through five screens to run IE in “protected mode,” click through four screens to set zone security to “high,” click “JUST BLOODY DO IT WILL YOU” when the User Access Control asks if you really want to do this, enable automatic updates with the minor side-effect of installing Microsoft DRM on your system or Windows Genuine Advantage randomly turning your computer into a paperweight, and sacrifice a goat to Microsoft at midnight on a moonless night — is simple and straightforward. “It’s the quality you’re paying for.”
On no account should you consider that there might be other web browsers out there, as researchers have demonstrated that all of them automatically download the cover of Virgin Killer. “I saw a report,” said marketing marketer John Curran of Microsoft Completely Enderlependent Analysts, Inc., “that another browser had more vulnerabilities than ours! People would be very foolish indeed to move from the latest IE to Netscape 4.01.”
“These CERT wankers are Mactards and trolls,” said Guardian marketing marketer Jack Schofield. “They just want to take IE users out, brutally sodomise them, gas them in concentration camps and” [This comment has been removed by a Guardian moderator. Replies may also be deleted.]

--
http://rocknerd.co.uk
Re:unstable == vulnerable by andymadigan · 2009-11-11 09:35 · Score: 2, Insightful

Using more memory and being killed by the OS's equivalent of the OOM-killer does not make it more vulnerable. Crashes are an indicator of POSSIBLE vulnerabilities. The OOM example is one of many I'm sure.

--
The right to protest the State is more sacred than the State.
Re:unstable == vulnerable by Bigjeff5 · 2009-11-11 09:39 · Score: 2, Informative

Actually if the OS interceeds in a buffer-overrun situation (basically, out of memory and crash), you are not vulnerable to code injection into memory. Most operating systems today do exactly that for precisely that reason - to prevent code injection. In other words, your browser can crash all the time and you aren't necessarily vulnerable to code injection.
There are various other conditions that can leave you open to code injection though.

--
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller