Secunia's figures show Firefox having the most vulnerability reports by far in 2008 - but does this mean the browser is less secure?
Fans of the open-source web browser Firefox are likely to be up in arms over a report from security specialist Secunia claiming Mozilla's baby was the most vulnerable browser of 2008.
As reported over on Neowin, the company has totted up the number of vulnerabilities it published advisories for in 2008 for each of the four major web browsers in use today: Firefox, Internet Explorer, Safari, and Opera. The result will be of interest to anyone who switched to Firefox for enhanced security, and might just surprise many.
According to Secunia, Firefox was by far the most vulnerable browser of 2008 – totting up a grand total of 115 vulnerability advisories over the year. By comparison, Opera had a mere 30, Safari 32, and Internet Explorer a surprising 31.
In Mozilla's defence, there could well be a reason why its browser appears to have had far more vulnerabilities than competing packages: Firefox, unlike the others analysed by Secunia, is open source. This gives researchers unprecedented access to the internal workings, and makes it far easier to spot and exploit vulnerabilities in the code. It also makes such bugs and their respective fixes uniquely public. Where it is easy for Microsoft to quietly fix several bugs in a single patch and tot up only one vulnerability report, Mozilla's release notes itemise each problem that is solved, so a single Firefox update can generate several vulnerability reports. Counting advisories therefore measures disclosure practice as much as it measures code quality.
For those who moved to Firefox for the supposed security improvements over Internet Explorer, fret not: Secunia also added up the number of vulnerabilities reported in browser plugins over 2008, and only a single Firefox extension was found to be vulnerable to external attack in the entire year. This contrasts markedly with Microsoft's ActiveX control technology built in to Internet Explorer, which saw a massive 366 vulnerability reports last year, far higher than Java at 54 or Flash at 19.
So, is Firefox truly the most vulnerable browser on the market today? Almost certainly not. Is it the most visible browser with the greatest record for transparency in its dealings with the security research community? Definitely. Despite the somewhat alarming figures, it doesn't look like Firefox's days are numbered just yet.
Do you think that Secunia might be over-egging the pudding to claim that Firefox was the most vulnerable browser of 2008, or is security not at the forefront of Mozilla's mindset? Does open source make security holes more likely or less likely? Share your thoughts over in the forums.
22 Comments
Stupid research. God I hate bad statistics.
By the way, that was sarcasm... :)
Yes it was... :) I love FF, if it wasn't for it, we would still be on the internet with IE6,2 or something. They really rocked the place. I just think that they should come back to a "light" FF... It's becoming heavier at every update... :(
Which is what research and reporting is..... try doing a degree or a PhD, that's all you will spend 3+ years doing, as well as drinking till your kidneys hurt.
Comparing the disclosed security vulnerabilities from open source projects to proprietary projects is completely ridiculous.
Is it bearded too? :D
I agree though that FF is getting more and more bloated which allows more and more avenues for attack and exploits to be found. :(
I think this sentence gets to the meat of the issue.....right on airchie
Anyway, I think the better way to measure browser safety would be measuring something like how many % of the vulnerabilities are patched within a set period of time.
It's unfortunate that so many of the nice features we rely on in turn rely on scripting.
Still, it's better than ActiveX... :D
Indeed it does, but the thing is that scripting really doesn't need to be accessing the domain xycb9865.zxcvb.1vnfv.cn in order to work. That is where NoScript comes in: blocking all sites that are not specifically allowed, hence making the virus code unable to do anything useful, while the allowed code on the allowed domain runs just fine. I use all the popular javascripty sites and have zero problems.
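As an added illustration of the allowlisting idea in the comment above (this is not NoScript's code, nor anything from the article; the allowlist, the script URLs and the function names are constructed for the example), the snippet below decides whether a page's script sources may run by matching their hostnames against a list of trusted domains. It also shows the classic mistake of matching the domain as a plain string suffix, which lets an attacker register a lookalike such as notexample.com to slip past the filter.

```javascript
// Constructed allowlist of domains whose scripts may run.
const ALLOWLIST = ["example.com", "cdn.example.net"];

// Extract a normalised hostname from a script URL, or null if it is not a
// parseable absolute URL. javascript: and data: URLs yield an empty hostname.
function hostnameOf(url) {
  try {
    return new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  } catch (e) {
    return null;
  }
}

// Broken approach: plain suffix match. "notexample.com" ends with
// "example.com", so a lookalike domain is wrongly allowed.
function naiveHostAllowed(host, allowlist) {
  if (!host) return false;
  return allowlist.some((d) => host.endsWith(d));
}

// Correct approach: match only on DNS label boundaries. "static.example.com"
// is a subdomain of "example.com" and is allowed; "notexample.com" and
// "example.com.evil.cn" are not.
function hostAllowed(host, allowlist) {
  if (!host) return false;
  return allowlist.some((d) => host === d || host.endsWith("." + d));
}

function shouldRunScript(scriptUrl, allowlist = ALLOWLIST) {
  return hostAllowed(hostnameOf(scriptUrl), allowlist);
}

// Split a page's script sources into the ones that run and the ones blocked.
function partitionScripts(urls, allowlist = ALLOWLIST) {
  const allowed = [];
  const blocked = [];
  for (const u of urls) {
    (shouldRunScript(u, allowlist) ? allowed : blocked).push(u);
  }
  return { allowed, blocked };
}

// Constructed sample of script sources as a page might reference them.
const SAMPLE_SCRIPTS = [
  "https://example.com/app.js",
  "https://static.example.com/lib.js",
  "https://notexample.com/ad.js",
  "https://example.com.xycb9865.zxcvb.1vnfv.cn/payload.js",
  "http://xycb9865.zxcvb.1vnfv.cn/x.js",
  "javascript:alert(1)",
];

const result = partitionScripts(SAMPLE_SCRIPTS);
console.log("allowed:", result.allowed);
console.log("blocked:", result.blocked);
```

The allowlist lives in the browser, so it applies regardless of which domains a compromised or malicious page tries to pull scripts from; the page's own first-party scripts keep working as long as their host is on the list.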
I'm certain IE has more unpatched flaws than Firefox, they are just harder to find.