Fans of the open-source web browser Firefox are likely to be up in arms over a report from security specialist Secunia claiming Mozilla's baby was the most vulnerable browser of 2008.
As reported over on Neowin, the company has totted up the number of vulnerabilities it published advisories for in 2008 for each of the four major web browsers in use today: Firefox, Internet Explorer, Safari, and Opera. The result will be of interest to anyone who switched to Firefox for enhanced security, and might just surprise many.
According to Secunia, Firefox was by far the most vulnerable browser of 2008 – totting up a grand total of 115 vulnerability advisories over the year. By comparison, Opera had a mere 30, Safari 32, and Internet Explorer a surprising 31.
In Mozilla's defence, there could well be a reason why its browser appears to have had far more vulnerabilities than competing packages: Firefox, unlike the others analysed by Secunia, is open source. This allows researchers unprecedented access to the internal workings, and makes it far easier to spot and exploit vulnerabilities in the code. It also makes such bugs and their respective fixes uniquely public – where it is easy for Microsoft to quietly fix several bugs in a single patch and tot up only one vulnerability report, Firefox patches outline each problem that is solved and generate multiple vulnerability reports each time.
For those who moved to Firefox for the supposed security improvements over Internet Explorer, fret not: Secunia also added up the number of vulnerabilities reported in browser plugins over 2008: only a single Firefox extension was found to be vulnerable to external attack in the entire year. This contrasts markedly with Microsoft's ActiveX scripting language built in to Internet Explorer, which saw a massive 366 vulnerability reports last year – far higher than Java at 54 or Flash at 19.
So, is Firefox truly the most vulnerable browser on the market today? Almost certainly not. Is it the most visible browser with the greatest record for transparency in its dealings with the security research community? Definitely. Despite the somewhat alarming figures, it doesn't look like Firefox's days are numbered just yet.
Do you think that Secunia might be over-egging the pudding to claim that Firefox was the most vulnerable browser of 2008, or is security not at the forefront of Mozilla's mindset? Does open source make security holes more likely or less likely? Share your thoughts over in the forums.