Speaking of web browser vulnerabilties

[enigma#]

Note: If and before you go raging, please read through the post carefully!

It was brought to my attention recently that Bit9 had recently put in a dirty dozen list.

For those who know don't know what Bit9 is,

a software company in Advanced Threat Protection (software security).

Essentially the dirty dozen list is a compilation of common software programs associated with the web and a numeric representation of their software vulnerabilities.

 

Their list was:

1. Google Chrome - 76

2. Apple Safari - 60

3. Microsoft Office - 57

4. Adobe Acrobat - 54

5. Mozilla Firefox - 51

6. Sun JDK - 36

7. Adobe Shockwave Player - 35

8. Microsoft Internet Explorer - 32

9.RealNetworks RealPlayer - 14

10. Apple Webkit - 9

11. Adobe Flash Player - 8

12. Apple Quicktime and Opera Web browser (tied) - 6

 

I was quite shocked to see that MS Internet Explorer (who has a notorious reputation for seeming very insecure) be near the bottom.

 

Please be aware that #vulnerabilties =/= (does not equal to) security

 

In the vein of understanding what that means to the user, it means Google Chrome at the moment has MORE vulnerabilties than Internet Explorer!

 

(http://www.bit9.com/company/news-release-details.php?id=175)

 

 

My own investigation about it

However, I decided to take a look further into this issue (with the limited information given by Bit9) and went to a different route.

 

First I went to Secunia (a firm similar to Bit9) and found the following results

 

[http://www.secunia.com]

 

. Google Chrome 7.x – 12 - All Patched

. Apple Safari 5.x for Mac OS X – 19 - 33% Unpatched

. Apple Safari 3.x for Windows - 42 - 20% Unpatched

. Mozilla Firefox 3.6.x – 72 - All Patched

. Microsoft Internet Explorer 8.x – 67 - 29% Unpatched

. Opera 10 - 10 - All Patched

 

------------------------------------------------

In this instance, if we look at vulnerabilities, Firefox and Internet Explorer top the list at 72 and 67 each. What I find interesting to note is that Apple Safari for Windows is more patched (according to Secunia) than the Mac OS version. Furthermore in this instance, Opera is the software with the LEAST amount of vulnerabilities. Take caution though as each vendor (e.g. Bit9 or Secunia) finds similar or differing vulnerabilites which impact the score. This is not an equation to security.

 

----------------------------------------------------

 

The question then becomes... how do we measure security for web browser? More importantly how do you measure (and pick your browser) security?

 

A few factors to consider

1. Vulnerabilties (as discussed above)

2. Plugins installed and their associated vulnerabilities

3. Unknown bugs/vulnerabilities

4. User knowledge

5. OS-dependent security features (e.g. ALSR)

6. External factors

 

Finally, aesthetic features play hand in hand as well

1. How it looks

2. How it works

3. Subjective work flow....

 

I mean these are all different factors in determining one's opinion about web browsers. Obviously, some will just use what is more convenient.

 

What do you think?

Edited November 17, 2010 by enigma#

[Provin]

i always thought that internet explorer was the least secure

 

but i prefer to use chrome and firefox, i tried safari but didnt like the look

[Tommo]

double mozilla all the way.

 

Nice post!

[Jake]

Nice find!

[VeN]

GOOGLE CHROME!

[Guest The_Monkey]

I use all of them all the time, not just because I'm a webdev. I constantly toy and tweak and play around in each of the browsers. I end up assigning a niche to each browser, i.e, chrome for testing programs I write in our framework, firefox for surfing our forums, IE for internet radio and netflix, opera for surfing for random crap that could contain viruses, and safari for the lols.

[Plaayer]

I use all of them too, in the order of: Chrome-Firefox-IE-Opera.

 

But, has anyone noticed that the Chrome symbol looks like a advanced Pokeball?

[bort]

The reason Chrome and Firefox show up at the top of that vulnerabilities list and MSIE shows up at the bottom is because they actually publish what bugs they are working on. MSIE keeps a lot internal to Microsoft and won't necessarily publish that a vulnerability exists until/unless it is already widely known or has the potential to be widely known.

 

And I'm pretty sure the Chromium and Mozilla projects have a much more active bug reporting/fixing team, since they are open source and able to take direct help from the community.

 

tl;dr ...

 

Think of all the MSIE vulnerabilities that aren't on that list simply because Microsoft hasn't made them publicly known.

[fox*]

i tried safari but didnt like the look

 

judging a book by it's cover!

[Sia_^]

judging a book by it's cover!

 

I was gonna date a fox but it was to hairy.