Browser Vulnerability Study Unkind to Firefox 253

Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."


  • Not so bleak (Score:5, Informative)

    by Noksagt ( 69097 ) on Monday September 25, 2006 @01:20PM (#16187377) Homepage
    From the article (emphasis mine):
    That said, Internet Explorer remains the most popular target for attacks, with 69 percent of all browser attacks targeted specifically at that browser alone. 20 percent of the attacks monitored during the period in question were targeted at Firefox.

    When it comes to patching, all of the browsers are improving. Firefox is the fastest to get its patches out, with a one-day window of exposure. Opera had a two-day window of exposure, down from 18 days during the last half of 2005. The window of exposure for Safari is up to five days (from zero), while Internet Explorer typically has a nine-day window, down from 25 days in the previous study.
    So Firefox is still less targeted than IE & also gets fixed much sooner.

    If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. [secunia.com] Firefox has 3 of 36 unpatched [secunia.com]. The most severe unpatched advisory in IE is rated as "extremely critical." In Firefox, as "less critical."
  • So what? (Score:5, Informative)

    by ricky-road-flats ( 770129 ) on Monday September 25, 2006 @01:29PM (#16187529) Homepage
    Comparing the "number of vulnerabilities" is irrelevant to me. How many of them have actually been exploited in the wild? How many of them have caused users to lose data or unintentionally host malware? How many have resulted in people's identities being stolen?

    This study shows me nothing useful. Given the fact that all software is buggy, there are many more people looking at the source for Firefox than for IE, so it's inevitable more issues will be found. The more that are found the more that can be fixed before they're a problem.

    IE has improved over the years, and will improve further with v7. Doubtless Firefox's progress is at least partially driving that. But the noddy users (hi Dad!) that I've given Firefox or Opera to have had far fewer malware problems than those who insist on sticking with IE.

  • Belt and suspenders (Score:2, Informative)

    by Anonymous Coward on Monday September 25, 2006 @01:34PM (#16187631)
    I've taken to surfing from a copy of Opera running inside a VMWare virtual machine. If anything gets through (so far so good) I just go back to a clean snapshot. Nice to see my browser doing so good.
  • Re:Consider this... (Score:5, Informative)

    by RonnyJ ( 651856 ) on Monday September 25, 2006 @01:45PM (#16187785)
    Firefox is constantly adding new features. When you add new features then you open yourself up to bugs.

    Opera keeps having new features added too, though. Despite this, according to the article, Opera managed to have a decrease in vulnerabilities - so why not Firefox?

  • by SirTalon42 ( 751509 ) on Monday September 25, 2006 @01:55PM (#16187925)
    WebKit (based on KHTML, possibly going to be merged back with mainline KHTML soon) is Open Source (LGPL), which is what Safari uses for rendering.

    Webkit is to Safari what Gecko is to Firefox and what KHTML is to Konqueror.
  • by bunratty ( 545641 ) on Monday September 25, 2006 @02:00PM (#16187997)

    From The Ars Technica article:

    When it comes to patching, all of the browsers are improving. Firefox is the fastest to get its patches out, with a one-day window of exposure. Opera had a two-day window of exposure, down from 18 days during the last half of 2005. The window of exposure for Safari is up to five days (from zero), while Internet Explorer typically has a nine-day window, down from 25 days in the previous study.

    It seems like Mozilla developers are quite interested and skilled in fixing bugs to me.

  • by Athenais ( 922233 ) on Monday September 25, 2006 @02:03PM (#16188055) Homepage
    Routine patches come out once a month; critical updates are released as soon as a patch has been developed and tested. Often, this is less than a month. ;)
  • by Daniel_Staal ( 609844 ) <DStaal@usa.net> on Monday September 25, 2006 @02:05PM (#16188087)
    For that matter, they all could basically be because someone ran a code audit on Firefox recently. Something like that would raise the 'found vulnerabilities' level through the roof for the moment, but it really doesn't mean there are bigger problems with it; just that there was a concerted effort to find them recently. (I don't know of any such audit off the top of my head, but I don't follow that closely. It wouldn't necessarily make the news.)
  • Of course, I don't think any of the other browsers have something like this [slashdot.org] going on. Automatic code analysis will turn up bugs for anyone, but nobody else makes the code so public.
  • Re:Not so bleak (Score:1, Informative)

    by Anonymous Coward on Monday September 25, 2006 @02:29PM (#16188471)
    I would assume Noscript [noscript.net], which allows you to block JavaScript except for sites you allow it for. Opera [opera.com] has the same functionality built in.
  • Re:Not so bleak (Score:3, Informative)

    by molarmass192 ( 608071 ) on Monday September 25, 2006 @02:44PM (#16188683) Homepage Journal
    Though possible, it's hard to infect a Mac, Linux, HP, Solaris, AIX, or BSD box with a virus or trojan designed to infect Windows XP.

    This is only theoretically possible and then really only in circumstances where the virus or trojan is not an OS-specific binary but a script of some sort. It is virtually impossible to have a cross-platform OS binary work on more than one OS. For this to work, the exploit would need to leverage similar flaws in both OS binary loaders such as the Windows PXE loader and the Linux ELF loader. The odds of the planets lining up this way are very slim and even then, the window of opportunity would likely be very short lived. Cross-platform exploits based on scripts (e.g. Perl) or portable binary formats (e.g. Java) are possible but they all involve writing an OS-specific payload to an executable, so it's not a true cross-platform virus in the sense that it propagates itself between platforms. Rather, they're cross-platform scripts that deliver a platform-specific payload ... boring and highly unlikely to succeed in even a primary infection, let alone propagate.
  • by tjwhaynes ( 114792 ) on Monday September 25, 2006 @02:44PM (#16188689)
    Doesn't bugzilla conceal security-related vulnerabilities?

    Yes, but only until a fix is delivered to most users (automatic downloads, linux distros update their repositories). After that, the bugzilla entry is publicly accessible for all to see, including the original reporting date, the discussion of the problem and who reviewed the fix. This is similar to the handling for most security vulnerabilities which are dealt with privately with the original developers until either the reporter gets fed up with waiting or the problem is fixed.

    Cheers,
    Toby Haynes

  • Re:Opera wins :-) (Score:1, Informative)

    by Anonymous Coward on Monday September 25, 2006 @02:46PM (#16188717)
    Opera is a decent browser, unfortunately it has been known to break on some pretty common javascript. Like xaramenu which is used by quite a few sites.
    http://www.xara.com/products/menumaker/

    Supported browsers Menus created using Menu Maker will be displayed in the following web browsers:

    Windows
    * IE5 or later
    * NS6.1 or later
    * Mozilla
    * Opera 7 or later

    Mac
    * NS6.1 or later
    * Mozilla
    * Apple Safari

    Feel free to check their provided example menus. They all work properly in Opera (which does not break with any "common JavaScript", since it has superb DOM compliance).

    Unless, of course, the last time you used Opera was in 2000, and you're just trolling now and inventing a straw man.
  • by mxprml ( 1001300 ) on Monday September 25, 2006 @02:49PM (#16188767)
    Come on dudes, have you seen what happens after installing some Symantec so-called protections? They make a super PC perform like an old wreck. They are incompetents and just fear people installing anything decently secure because they know their craps are removed immediately after.
  • by aztracker1 ( 702135 ) on Monday September 25, 2006 @02:50PM (#16188775) Homepage
    Set the security level for the "Internet" zone to "High"... no ActiveX. You can also do custom for disabling ActiveX while leaving JavaScript. I wouldn't mind seeing a "permitted controls" list, so you could allow say JavaScript, XMLHttpRequest, Flash and Java, while leaving the rest disabled... I usually put those sites that *NEED* it into the "Trusted" zone (set to medium security).

    I use Firefox for my general browsing, and am now using Linux as my main OS. My wife's and kid's PCs are set up as above. Firefox is the main browser, with IETab for the 2-3 sites they use that require IE, with security tightened a bit.
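    The zone layout described in the comment above, written out as an added PowerShell example (not from the post or from Microsoft): it sets the Internet zone to block ActiveX while leaving scripting on, and drops a handful of sites into the Trusted zone. It assumes the documented IE zone action IDs (1200, 1400, 1001, 1004) and per-user registry locations; the site list is a constructed placeholder.

```powershell
# Added example, not code from the Slashdot post. Per-user IE zone settings.
# Zone numbers: 2 = Trusted sites, 3 = Internet.
# Action IDs (assumed from Microsoft's zone documentation):
#   1200 = Run ActiveX controls and plug-ins
#   1400 = Active scripting (JavaScript)
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
# Setting values: 0 = enable, 1 = prompt, 3 = disable.
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Set-ZoneAction {
    param([int]$Zone, [string]$ActionId, [int]$Setting)
    Set-ItemProperty -Path "$zones\$Zone" -Name $ActionId -Value $Setting -Type DWord
}

# Internet zone: no ActiveX at all (run or download), but keep JavaScript enabled
# so ordinary sites still work. This is the "custom" variant the commenter mentions.
Set-ZoneAction -Zone 3 -ActionId '1200' -Setting 3
Set-ZoneAction -Zone 3 -ActionId '1001' -Setting 3
Set-ZoneAction -Zone 3 -ActionId '1004' -Setting 3
Set-ZoneAction -Zone 3 -ActionId '1400' -Setting 0

# Trusted zone: ActiveX runs only after a prompt, roughly the "medium" posture.
Set-ZoneAction -Zone 2 -ActionId '1200' -Setting 1
Set-ZoneAction -Zone 2 -ActionId '1400' -Setting 0

# Sites that genuinely need ActiveX go into the Trusted zone (value 2), HTTPS only,
# so a plain-HTTP page on the same host does not inherit the looser settings.
$trustedSites = @('intranet.example.com')   # constructed placeholder, replace as needed
foreach ($site in $trustedSites) {
    $key = Join-Path $zoneMap $site
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

# Show what is now in effect for the Internet zone, for a quick check.
Get-ItemProperty -Path "$zones\3" | Select-Object '1200', '1400', '1001', '1004'
```

    The IE security dialog will show the Internet zone as "Custom" after this runs; the same action IDs can be set under HKLM to apply machine-wide.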
  • Re:Opera wins :-) (Score:3, Informative)

    by RobbieGee ( 827696 ) on Monday September 25, 2006 @03:23PM (#16189329)
    And you completely ignored Hallvor's post where he said he would patch it [opera.com] for all Opera users if you'd given him the name of the site.
  • by cp.tar ( 871488 ) <cp.tar.bz2@gmail.com> on Monday September 25, 2006 @03:51PM (#16189943) Journal

    I don't know whether it's a feature of Firefox itself, or an extension called MR Tech's Local Install, but if you place downloaded extensions in the Extensions folder, Firefox will prompt you to install them next time it's run.

    FWIW, it would be nice to be able to slipstream extension installs into Firefox installs; you could make a tightened security... heh... distribution of Firefox with AdBlock, NoScript and so on included; a neat, quick install for people who have to do it a lot.

    Then again, it doesn't sound like a very good security model in itself...

  • by DaoudaW ( 533025 ) on Monday September 25, 2006 @05:00PM (#16191219)
    The report is available at http://www.symantec.com/enterprise/threatreport/index.jsp [symantec.com]

    It never fails to amaze me that slashdotters tend to post news stories rather than the source.
  • by bunratty ( 545641 ) on Monday September 25, 2006 @05:28PM (#16191703)
    Earlier this year Coverity analyzed the Firefox source code also [internetnews.com].
