Weekly Browsers Recap, November 9th

Comments

1. Thoe says:

   November 10, 2009 at 8:49 am

   Firefox Now The Most Vulnerable Browser?

   If this had been about Opera, you would have made it a separate story, wouldn’t you? And all the trolls would be overjoyed.

   Reply
   • Daniel Hendrycks says:

     November 10, 2009 at 6:19 pm

     Earlier Firefox was the most insecure according to yet another test. That had it’s own story. I do think he would have given Opera it’s own story though. He hasn’t updated us on Opera being the most secure for another test. I do not think he is aware of it yet though because the results came out today. (check Haavards blog)

     Reply
     • Foo says:

       November 10, 2009 at 11:44 pm

       Least vulnerabilities found != Most secure. Having a vulnerability that causes a browser to crash is far ‘better’ than having a vulnerability that allows someone to take complete control over your system.

       Have you checked the ‘report’ referenced? The browsers section is just an ugly pie chart along with a paragraph summarizing the content of the pie, not what I would call even close to reliable stats.

       A relevant quote from a Reddit post on the same ‘report’ (Firefox tops vulnerability list for most browser vulns in the first half of 2009 – so says a research group that uses Firefox to do their own web app security research.).

       I’ve never been a fan of comparing security simply on sheer number of published vulns. There are some inherent flaws to this, namely:

       Market share and other factors are strongly correlated to the number of people hunting for vulns. The number of attackers is correlated with the number of vulns found.
       Some vulns are more critical than others. How are these weighted?
       The patching process is completely ignored in this model. I’d rather use a product that has 10 critical vulns a year but releases patches within hours than a product that has 5 critical vulns but has a 3 month patch release cycle.
       How many were in the wild?
       Are these default installs? Is there an additional comparison for “well managed” or “locked down” configurations?

       And so on….

       The article linked on Reddit also have an interesting interview.

       As to why Firefox’s numbers were so high, Cenzic has a few ideas.

       “It’s a combination of different things,” Lars Ewe, CTO of Cenzic, told InternetNews.com. “They’ve gotten more traction as a browser, which is good for them and the more you get used the more exposure you have. As well a fair amount of the vulnerabilities have come by way of plug-ins.”

       One key area that Ewe said was responsible for a number of reported Firefox vulnerabilities is with how the browser handles plug-ins.

       “The plug-in architecture that they have is a selling fact for the browser and one of the reasons why I love using it,” Ewe said. “They can’t control security aspects of all the plug-ins and the vulnerabilities are a side effect of that.”

       Mozilla has made numerous efforts this year to bolster its plug-in security. Recently they launched a plug-in checker service to ensure that users are running up-to-date versions. The Firefox 3.0.9 update, which came out in April, specifically addressed several key plug-in vulnerabilities.

       Extensions are often, wrongly, called “plug-ins” by people and it sounds like, from the interview, that they actually included vulnerabilities caused by extensions in their stats, which makes the whole thing a bit… bogus. At least I’ve never heard someone call OS Y* insecure due to the user being able to customize it.

       * Some jerk copyrighted X :P

       Reply