Firefox Most Vulnerable Browser, Safari Close
An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.
So just down the page on slashdot, this very day, there are warnings about a "Windows kernel vulnerability" that is exploited through IE. I'll take three cross-site scripting bugs any day over a kernel level compromise, thank you.
I know the world doesn't have a good objective measure of "impact" to assign to these things so that one could assess the total "probable inconvenience" of the presented security vulnerabilities, and that makes unbiased data gathering difficult, but this feels pretty absurd.
It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.
There is an explanation for that.
Cenzic Recognized as a Microsoft Certified Partner, Experiences Substantial Momentum in Q2
I haven't read your post yet but you're wrong.
Even if their information is accurate, which I don't see how it could possibly be, it is meaningless. Number of flaws is a horrible way to measure system security since it doesn't take into account severity, ease of attack, unreported flaws, or un-acknowledged flaws. When you get down to it, there really isn't any good way to measure security, but I would bet hours spent in code reviews would correlate much better than number of reported flaws.
I didn't see anything in the actual report that explained how their results were arrived at. For that reason alone, this report is worthless. It's just a marketing document for use in selling their own security products.
However, it did make reference to the numbers being representative of "reported vulnerabilities", which we all know is going to make Firefox look worse than IE. This is verified by realizing Opera (also closed source) scored less than IE.
Worse, patch SEVERITY was not accounted for in these results, nor was the fact that many patches were for unexploited vulnerabilities, and others were to close ITW threats...
FF and Safari rank badly in this article, but when looking at the raw data, patch severity, and exploited patch footprint, IE is the worst, even though not patched very often.
I'd also note that a single patch may include fixes for numerous bugs, and this is additionally not covered in the scope of this article. A single patch in IE recently fixed more than 10 vulnerabilities...
There is no contest in life for which the unprepared have the advantage.
lol, touché.
Still, do you really have to read it?
It seems like one of these bootlicking/astro-turfing 'studies' from some consulting agency or 'solution' vendor comes along about every 6 months in the Slashdot headlines.
Upon reading TFA, this one seems no more credible than any other.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
According to the report, as best I can determine, this is how they found their results:
"Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB, as well as other third party databases"
It seems reasonable that any/all open source software would have a higher number of reports in these databases than proprietary software, simply because more people are able to publicly scan and report on vulnerabilities... by definition, open source software conducts its business in public, while proprietary software does so behind its private curtain.
Isn't counting bugs released as part of press releases and change logs kind of like saying "All confirmed criminals are in jail?"
Have read the article, and the attached PDF, and they only state the conclusions. No mention is made of how they counted vulnerabilities, only that Firefox had 44% of them, and that they represented "Web Vulnerabilities by Major Type". Adding to the confusion was that they also talked about applications and servers and alternated back and forth between the three with little warning.
Also interesting was that "ActiveX" was listed as a technology separate from Web Browsers, the one time it was mentioned. In other words, their vulnerability percentage, which is already vague, may not include ActiveX vulnerabilities within IE. Or they may. All we know is that they claim IE has 15%.
Nowhere is there mention of what constitutes a reportable vulnerability, what versions of each browser were counted, how they were classified or even what the classifications were, what sorts of reports were included by browser (did plugins or addons get included in Firefox? ActiveX for IE? For multiplatform browsers like Opera, Firefox, and Safari, were vulnerabilities mitigated by only being exploitable on some platforms and not others, or reported multiple times - once for each vulnerable platform?)
The PDF was severely [citation needed], but remarkably honest in that it expressed surprise that Firefox was the most vulnerable web browser when compared to IE, Safari, and Opera, and comprised almost half the identified vulnerabilities among the four browsers.
If this is like most reports of the same type, they are using vendor-reported bugs. Firefox would, by definition, have the largest bug list by any stretch in such a report. They are the only web browser development team that allows (and encourages) access to the same bug-tracking database that their developers use. Safari, IE, and Opera only report vulnerabilities when (a) they have been fixed, or (b) when so many reports have come out that they finally have to 'fess up.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
The PDF in the article is mostly marketing, and does not do much in the way of explaining how they arrived at those numbers other than: "Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB as well as other third party databases for Web application security issues reported during the first half of 2009." We can therefore conclude that those numbers are based upon reported vulnerabilities, regardless of whether or not they were fixed. From my experience Firefox has a good habit of quickly patching security vulnerabilities. (For example, there is the SSL spoof vulnerability discovered late July that Firefox fixed in 5 days and IE/Safari/Chrome still haven't fixed in over 3 months AFAIK.) So there is nothing to indicate that Firefox is necessarily a less secure browser.
AccountKiller
-- Slashdot posting form --
...
...
[ ] RTFA
[ ] In soviet russia ____ YOU!
[ ] Obligatory XKCD
[ ] _____ you insensitive clod.
[ ] Get off my lawn
[x] I don't even bother posting I use a form.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.