Speaking of web browser vulnerabilities


enigma#

Note: If and before you go raging, please read through the post carefully!

It was brought to my attention recently that Bit9 had recently put out a dirty dozen list.

For those who don't know what Bit9 is, it is a software company in Advanced Threat Protection (software security).
Essentially the dirty dozen list is a compilation of common software programs associated with the web and a numeric representation of their software vulnerabilities.

 

Their list was:

1. Google Chrome - 76

2. Apple Safari - 60

3. Microsoft Office - 57

4. Adobe Acrobat - 54

5. Mozilla Firefox - 51

6. Sun JDK - 36

7. Adobe Shockwave Player - 35

8. Microsoft Internet Explorer - 32

9. RealNetworks RealPlayer - 14

10. Apple Webkit - 9

11. Adobe Flash Player - 8

12. Apple Quicktime and Opera Web browser (tied) - 6

 

I was quite shocked to see that MS Internet Explorer (which has a notorious reputation for seeming very insecure) was near the bottom.

 

Please be aware that #vulnerabilities =/= (does not equal) security

 

In the vein of understanding what that means to the user, it means Google Chrome at the moment has MORE vulnerabilities than Internet Explorer!

 

(http://www.bit9.com/company/news-release-details.php?id=175)

 

 

My own investigation about it

However, I decided to take a look further into this issue (with the limited information given by Bit9) and went a different route.

 

First I went to Secunia (a firm similar to Bit9) and found the following results

 

[http://www.secunia.com]

 

. Google Chrome 7.x – 12 - All Patched

. Apple Safari 5.x for Mac OS X – 19 - 33% Unpatched

. Apple Safari 3.x for Windows - 42 - 20% Unpatched

. Mozilla Firefox 3.6.x – 72 - All Patched

. Microsoft Internet Explorer 8.x – 67 - 29% Unpatched

. Opera 10 - 10 - All Patched

 

------------------------------------------------

In this instance, if we look at vulnerabilities, Firefox and Internet Explorer top the list at 72 and 67 respectively. What I find interesting to note is that Apple Safari for Windows is more patched (according to Secunia) than the Mac OS version. Furthermore, in this instance, Opera is the software with the LEAST amount of vulnerabilities. Take caution though, as each vendor (e.g. Bit9 or Secunia) finds similar or differing vulnerabilities, which impacts the score. This is not an equation to security.

 

----------------------------------------------------

 

The question then becomes... how do we measure security for web browsers? More importantly, how do you measure (and pick your browser) security?

 

A few factors to consider

1. Vulnerabilities (as discussed above)

2. Plugins installed and their associated vulnerabilities

3. Unknown bugs/vulnerabilities

4. User knowledge

5. OS-dependent security features (e.g. ASLR)

6. External factors

 

Finally, aesthetic features play hand in hand as well

1. How it looks

2. How it works

3. Subjective work flow....

 

I mean these are all different factors in determining one's opinion about web browsers. Obviously, some will just use what is more convenient.

 

What do you think?


Guest The_Monkey

I use all of them all the time, not just because I'm a webdev. I constantly toy and tweak and play around in each of the browsers. I end up assigning a niche to each browser, i.e., Chrome for testing programs I write in our framework, Firefox for surfing our forums, IE for internet radio and Netflix, Opera for surfing for random crap that could contain viruses, and Safari for the lols.


The reason Chrome and Firefox show up at the top of that vulnerabilities list and MSIE shows up at the bottom is because they actually publish what bugs they are working on. MSIE keeps a lot internal to Microsoft and won't necessarily publish that a vulnerability exists until/unless it is already widely known or has the potential to be widely known.

 

And I'm pretty sure the Chromium and Mozilla projects have a much more active bug reporting/fixing team, since they are open source and able to take direct help from the community.

 

tl;dr ...

 

Think of all the MSIE vulnerabilities that aren't on that list simply because Microsoft hasn't made them publicly known.
