Browser Vulnerability Study Unkind to Firefox

Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."

Consider this...

[KermodeBear]

FireFox is constantly adding new features. When you add new features then you open yourself up to bugs.

IE 5/6 have been stagnant for years. Of course the number of bugs isn't going to be as large.

That said, I know which one will issue a bug fix more quickly when something IS found...

Increase in user base?

[celardore]

The pretty graph does show an increase in the number of vunerabilities found between July 05 to December 05, and January 06 to June 06, but could this be because the number of users has also increased in that time? More users finding and reporting the bugs, or even a greater number of developers writing the code making it less manageable and secure?

Best part, no rebooting for patching...

[mobiux]

Yes I use Windows.
For most of the IE vulnerabilities, I have to reboot my computer to install it.

Firefox is nice enough to download it and install it the next time I start the browser.
And it does it more than the 2nd Tuesday of each month.

Re:Truth to the market segment argument?

[Nos.]

This article is pretty light. Sure, more vulnerabilities is bad, but it doesn't necessarily that more vulnerabilites is worse. Firefox is patched quicker, which is very important. Also, I don't see anything about the nature of these vulnerabilities. Are they all critical, you box is getting trojaned? Just comparing the pure numbers doesn't tell us much.

Opera wins :-)

[RobbieGee]

Have a look at Opera 9.x's advisory list [secunia.com] :-)

Affected By 1 Secunia advisories

Unpatched 0% (0 of 1 Secunia advisories)

Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.

How Vulnerable Vs. How Dangerous

[ThinkFr33ly]

There is a big difference between how vulnerable a program is and how dangerous it is to use.

The more ubiquitous an application, the more it will be examined as a possible attack vector, and the more it will be exploited as an attack vector.

IE is still far more dangerous to use than Firefox thanks to the fact it is still used by far more people.

How about measuring days of vulnerability

[cryptoguy]

A much better measure of security is how many days the users spend being vulnerable after a vulnerability is made public. The browser with the fewest days of vulnerability is the safer browser. And that's no contest.

And consider this, too...

[KingSkippus]

Consider this, too:

This report is put out by a company that makes its living by protecting users from software like Internet Explorer. If people stopped using Internet Explorer, how would it make its money? (Okay, that's a little tinfoil-hatish.)

But also consider this:

Those are vulnerabilities that we know of. They're pretty easy to find (oh, and fix) when people can pore over your source code. How many vulnerabilities are in Internet Explorer/Opera/Safari that we don't know of, that aren't getting fixed, and just waiting for someone to figure out to blow up?

That's when you're really thankful of this:

Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability.

Re:So what?

[portmapper]

> Comparing the "number of vulnerabilities" is irrelevant to me. How many of them have actually been exploited in
> the wild? How many of them have caused users to lose data or unintentionally host malware? How many have resulted
> in people's identities being stolen?

The issue is that Firefox (and Thunderbird) has had many security issues, and still has many. For instance,
KDE Konquerer WWW browser has not has nearly as many security issues.

> his study shows me nothing useful. Given the fact that all software is buggy, there are many more people looking
> at the source for Firefox than for IE, so it's inevitable more issues will be found.

Some applications are quite buggy, and Firefox falls in this category.

vulnerabilities threat level is key

[darkchubs]

Its not the number of vulnerabilities its more about the severity of them. A cookie injection , or cross site scripting is NOT the same as a buffer overflow/shell execution vulnerability. FF is by far less suseptable to the serious system risk level attack than IE; with no "known" arbitrary execution exploits at this time , IE has one outstanding right now and "drive by downloads" of scum ware is booming in the last few weeks.

Wrong Numbers

[99BottlesOfBeerInMyF]

It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.

This is very misleading. These are the numbers of vulnerabilities reported to Symantec and which the vendor has acknowledged to Symantec. The total number of vulnerabilities reported to Symantec are 50 for Firefox and 57 for IE.

If you add to this the quote from Symantec, "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred..." you start to see that this is mostly spin with little substance. Firefox is not really being attacked, and while they have bugs they fix them an order of magnitude faster and have an open process that responds to the community. This bug count includes all the bugs the Firefox team found, but who knows what percentage of bugs Microsoft and partners found that they deemed not worth fixing and which do not show up in this study? It is debatable that in theory, Firefox is more secure, but attempts like this to twist numbers to make is seem like maybe Firefox is not more secure in practice, are misleading and simply a way to get attention. I declare the summary here to be FUD.

Re:Wow, how surprising

[portmapper]

> Newsflash: Browsers that are actually used by large numbers of people have larger numbers of bugs found and exploited than browsers that are mostly ignored.

Newsflash: Bloated applications with developers more interested in adding features than fixing bugs are more easily exploitable.

Re:Wrong Numbers

[kfg]

Firefox is more secure, but attempts like this to twist numbers to make is seem like maybe Firefox is not more secure in practice, are misleading and simply a way to get . . .

. . .your money.

KFG

FUD

[Chanc_Gorkon]

Let's think about this.....a report from a ANTI VIRUS VENDOR!! Anyone want to make a bet when Symantec will make a Firefox Extension for scanning for malicious websites......AND make you pay for it??

Comparing Dogs and Foxes.

[140Mandak262Jamuna]

Let MSFT open its bug database open to public, the way bugzilla is open. Then we can count the vulnerability.

And dont just count the "vulnerabilities". Give some weightages. One "not critical" vulnerability in Firefox IS NOT EQUAL to one critical vulnerability in IE. Like "Not Critical" has a weight of 1, and scale it by a factor of 10 for each higher level. Then do a weighted sum.

The difference is...

[finity]

Firefox is free. Not that no cost is an excuse for it to have vulnerabilities, but rather, why pay for something that's broken? Not that MS should get every bug out of IE before it ships, but it should catch more than it does now.

Don't care

[Odin_Tiger]

I could give a shit less about sheer number of vulnerabilities. The things that matter to me are severity of black-hat response and duration of exposure.
Firefox: Rarely targetted, even for severy evulnerabilities. Nearly always fixed in a couple days, tops. Patched as soon as fix becomes available.
IE: Always targetted, with rapid response from a variety of nefarious 'net villains. Patch released the second Tuesday of the month, unless that happens to be less than 2wks away, in which case it stands a fair chance of being the second Tuesday of next month. If no exploits gain significant media coverage, it may be over a half year. Patch is optionally downloaded / installed as soon as it becomes available, but to enable this you must also enable automatic patching of the OS, office suite, and possibly even some 3rd party software, which needless to say is a dangerous thing to do institution-wide.

User base and source control

[everphilski]

Vulnurabilities are directly proporitonal to user base and increase with access to source control.

Opera has a low user base and is closed source. Therefore, few vulnurabilities. In short, no one cares.

Firefox, on the other hand, has a moderate user base but the source code is right there, the vulnurabilities are ripe for the picking. Hence why the vulnurabilities are high but the turnaround time to fix them, also quick.

IE on the other hand, high user base closed source. High vulnurabilities because of the high user base but potential hackers have to work harder.

Really, this study is a no-brainer. The results make perfect sense.

Re:How about measuring days of vulnerability

[Mistshadow2k4]

The fewer the safer? I wouldn't say that -- Active X is a huge vulnerability all by itself. You may be able to disable Active X in IE7 beta but you can't in 6 without 3rd-party software, to my knowledge.

Symantec Motive

[blunte]

Whether the measurements are accurate or practical, one must note that Symantec has an interest in seeing people continue to use IE because, historically, IE users are more likely to get viruses.

More risk and more problems means Symantec has an easier time selling its services.

JC, mobs and mods

[RingDev]

I made no derogatory comment about either browser. I was merely commenting on the correlation between usage and detected vulnerabilities. Many people have discounted the notion that FF has less vulnerabilities because of its lower market penetration, but this article would suggest that as FF's popularity has increase, so has the rate of vulnerability discovery.

That said, I use FF. I think it is a superior product when compared to IE. And FF developers' ability to address and rectify those vulnerabilities has been proven time after time to be better than MS's ability.

So, the whole point I was hoping to provoke in conversation:

Vulnerabilities Discovered != Vulnerabilities

Increased Usage = Increased Vulnerabilities Discovered

-Rick

Re:Best part, no rebooting for patching...

[projektsilence]

Yeah! OH NO!! Tools->Options->Advanced->Update tab

It's very very hard to turn off too! /sarcasm Granted, you can look at this either way, is it good to have that off by default and not auto-update or would you leave it on by default so it saturates your pipe.

Your choice is between having a secure, patched browser and a slow internet connection for the however many minutes it takes to download the patch; or to have an unpatched, unsecure browser and all access to all the bandwidth. The one thing I can say for it, it might not have been a bad idea for it to at least prompt the user before the download of the update, but you can turn that on pretty easily.

Re:Truth to the market segment argument?

[advocate_one]

For that matter, they all could basically be because someone ran a code-audit on Firefox recently. Something like that would raise the 'found vulnerablities' level through the roof for the moment, but it really doesn't mean there are bigger problems with it; just that there was a concerted effort to find them recently.

somebody did... [g2zero.com] recently... like just a very short while ago...

Re:What do the numbers even mean?

[this great guy]

(Here what I was about to post, but you pretty much summed up my viewpoint. Before all, here is a direct link to this Symantec Internet Security Threat Report -- Volume X: September 2006 [veritas.com] that is talked about.)

It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.

Totally. Pointless. Comparison.

First, as the Slashdot posting correctly points out, the window of vulnerability is much larger with IE. Microsoft is known for taking months to fix some vulns, and is taking longer and longer [washingtonpost.com] over the years.

Second, what about the importance of these vulns ? Was it 47 minor DoS for Firefox and 38 critical arbitrary code execution vulns for IE ?

Third, what about the methodology used to gather the vuln counts ? The report always says "Source: Symantec Corporation", with no more information. Did they count Firefox security related bugs or security advisories ? Did they count 1 Microsoft patch fixing N vulns as 1 or N vulns (too many studies make this mistake) ?

Fourth, what about silently fixed vulns in IE ? Microsoft is known for secretly fixing vulns that are discovered internally [eweek.com], and of course they never talk about them in public. Symantec certainly did not count these.

There are just too many reasons making virtually all studies comparing the number of security patches between 2 products useless. This one is no exception.

Re:not surprised

[bronzey214]

I told them, "it doesn't matter, one is as secure as the other".

You're kidding, right? IE = Firefox?

Not-Microsoft doesn't make software secure.

No, non-one patch day a month makes it secure.

Only competent programmers and a ruthless ability to say 'no' to new features will even begin to make Firefox secure.

I've never had Firefox crap out on me like IE.

There's nothing that indicates the pool of programmers who contribute to firefox is any better than any other group of programmers.

No, but there are more average ones, meaning that there are more ways at looking at a problem and more ways of fixing it.

In fact I'd imagine it's *below* average. Firefox is a bloated, insecure browser.

Do you even USE Firefox?

Sure, you have "faster patch turnaround", which is basically worthless. It's like your doctor telling you that you have cancer, "but hey, only one round of chemo!".This argument is valid if the chemo will automagically fix it. Microsoft has released patches that create MORE holes! Faster patch turnaround is a VERY big deal.

As long as we have the mentality that "no software is secure",

Paranoid much?

and you don't know what else is lurking in that source code.

Uh... yeah, we do... that's why it's called Open source

both good and bad

[CAIMLAS]

What this tells us, if anything, is that software will always have vulnerabilities, and that the number of vulnerabilities found seems to be proportional to the popularity of the software amongst non-technical users (and thus, the majority of software users).

Now, it can be implied that it indicates poor software development and overall poor software quality coming out of the Mozilla Foundation. But I think this would simply be conjecture. While it is certainly statistically true, there's a larger picture to look at.

Internet Explorer has been mostly static now for years; it hasn't seen any major development until recently (and that software isn't even what's being looked at here). Firefox, on the other hand, has been improving - adding new features, fixing complaints, and generally trying to come up with a better product. This is going to result in a higher number of security-problematic pieces of code - face it, people aren't perfect, and the only way to mitigate (not eliminate!) this realistically is to slow development to a standstill. Even then there would not be a guaranteed reduction in vulnerabilities, partially due to chance and oversight, and partially due to the large repository of existing code which it would have to interact with.

Furthermore, Firefox and Mozilla are just edging into the public consciousness, whereas Internet Explorer has had a technological hedgemony on the desktop as the browser now for almost a decade (in various versions). This means it's going to start receiving more scrutiny, both from malicious, malevolent folks, as well as from the benevolent security professionals. A higher detection rate is a natural result of this.

It's a double-edged sword. More detections are being made, resulting in more vulnerable systems. This is a natural state in computing, as computing innately involves security these days. There will always be risk involved. The significant thing to look at is how quickly these problems are being resolved, and how many how resurgent problems (ie, they weren't properly resolved). I would argue that the presented statistical information is irrelevant without further, more indepth analysis in this regard.

Re:Opera wins :-)

[nightgeometry]

From reading the discussion it sounds like the Opera devs are actually right here and, to be honest, those disagreeing come across as a bunch of whiners.

What they are saying, in my interpretation, is that allowing a subdomain to redirect from a domain is actually an insecure thing to do, as it is not simple for the browser to determine whether a domain is actually a subdomain (i.e. example.co.uk example2.co.uk aren't both subdomains of co.uk for this purpose).

They then give a piece of javascript that appears to fix the problem, and offer to add relevant domains to an exception list. Okay, maybe they could add a user definable list of trusted subdomains, but if the javascript works then this seems a good enough fix.

I don't really see what the issue is.

I am really interested in seeing this problem happening, and checking if my browser of choice allows it. If it does then I would consider changing to Opera to tighten up security.

Re:Truth to the market segment argument?

[catwh0re]

I've said this ad nauseam on here, and generally most people will agree: The number of patches released for a piece of software is not an indication of the software's security.

There seems to be a journalistic approach that equates more patches with less security.. More patches means a -more- secure product, not a less secure product. We're not talking about Windows XP here, where the tide of patches has never stemmed, to the point where their patches have been guilty of creating new security vulnerabilities. A person can argue that the many-eyes model of open source makes finding vulnerabilities more probable (the more found & corrected vulnerabilities.. the more secure the software is not vice-versa.)

Just because less vulnerabilities are -found- doesn't mean that more don't exist. In closed software only the vendor knows truly how many faults are found in their software.. and they are also able to be more secretive with their security processes.

By comparing raw numbers of patches unfairly attributes that all software is scanned for vulnerabilities in the same way: If for example I have a dodgey piece of software and I am too busy working on my next-gen operating system, then it's not very likely I'll have enough resources to find flaws in my dodgey piece of software. Historically we've seen Microsoft as a reactive patch vendor, which is a good indication that they aren't actively looking for flaws and are only responding to issues found in the wild or by non-MS security groups.

Additionally I rank a flaw that lets malicious websites install malware higher than a flaw that will only crash the browser. (Yet in pure numbers they both count as a sole vulnerability.)

Re:Truth to the market segment argument?

[shaitand]

"Sure, more vulnerabilities is bad,"

More vulnerabilities is bad, but more reported vulnerabilities is not. More reported vulnerabilities is good as long as the vulnerabilities are being patched. I would be happy to hear that they ironed out a thousand vulnerabilities in FireFox this month.

No software is without vulnerabilities, but the more vigorously they are hunted out and patched the more obscure the ones left will be. If a thousand vulnerabilities are found and fixed in FireFox this month they will probably be the thousand that are easiest to find, effectively raising the bar for those looking to exploit FireFox.

The idea that more reported vulnerabilities is a bad thing hurts everyone. This idea causes commercial vendors to shy away from admitting vulnerabilities, or to try to hide vulnerabilities while they put them on a list and ignore them.