Firefox Most Vulnerable Browser, Safari Close

An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.
  • by xzvf ( 924443 ) on Wednesday November 11, 2009 @01:58PM (#30062814)
    The article has a pie chart and the link to the "detailed report" only has a pie chart. I guess we just have to trust Cenzic the internet security application provider. Doesn't even break it down by version number of browser or severity of exploit.
  • Re:Certified (Score:2, Informative)

    by captaindomon ( 870655 ) on Wednesday November 11, 2009 @02:00PM (#30062830)
    Eh, being a Microsoft Certified Partner means next to nothing. Almost all the development firms I have worked for (from five employees to tens of thousands) are certified partners; it just means you get a discount on MSDN purchases and a nice little glass trophy. It doesn't mean Microsoft is controlling you. (They may be controlling Cenzic, but you can't say that just because they are a certified partner.)
  • Re:Certified (Score:5, Informative)

    by cmeans ( 81143 ) on Wednesday November 11, 2009 @02:10PM (#30062976)
    And then there's this:

    http://www.cenzic.com/pr_20061011/ [cenzic.com]

  • Re:who is cenzic? (Score:4, Informative)

    by xgr3gx ( 1068984 ) on Wednesday November 11, 2009 @02:10PM (#30062990)

    Missing this one, the lowest of all:
    http://search.cert.org/search?q=advisory+opera [cert.org]

  • Uh... huh... (Score:1, Informative)

    by Hacker_PingWu ( 1561135 ) on Wednesday November 11, 2009 @02:13PM (#30063028)
    The article link is only one short page and does not describe in detail how they came to their conclusions.

    However, from the words they're using, they're implying common vulnerabilities exploited in corporate server-side applications. Not client-side.

    SQL Injection and XSS are much bigger issues with the implementation of web applications in web pages on the server side; they use database and scripting flaws in the code of the web apps to circumvent browser security.

    They're talking about something that has little to do with the integrity of security of individual browsers, and more with the decisions webmasters make and what web applications they use.

    Also, when they refer to Safari, they say they're referring to the iPhone Safari version: "...followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser..." Looks like they're pretty clearly full of shit, and they're trying to be ambiguous and obscure by explaining little and using jargon to discourage people from searching for what all the terms they're using mean.
  • Re:I wonder (Score:5, Informative)

    by calidoscope ( 312571 ) on Wednesday November 11, 2009 @02:25PM (#30063240)
    The Register's article on the Cenzic report also speculated that the report was based on published vulnerabilities. They made some rude noises about Cenzic's focus on the number of the vulnerabilities as opposed to the severity of vulnerabilities.
  • Re:Huh? (Score:2, Informative)

    by Anonymous Coward on Wednesday November 11, 2009 @02:33PM (#30063344)

    So just down the page on slashdot, this very day, there are warnings about a "Windows kernel vulnerability" that is exploited through IE. I'll take three cross-site scripting bugs any day over a kernel level compromise, thank you.

    I know the world doesn't have a good objective measure of "impact" to assign to these things so that one could assess the total "probable inconvenience" of the presented security vulnerabilities, and that makes unbiased data gathering difficult, but this feels pretty absurd.

    The link for those too lazy to go find it:
    http://tech.slashdot.org/story/09/11/11/0053244/Microsoft-Plugs-Drive-By-and-14-Other-Holes

  • Re:I wonder (Score:4, Informative)

    by Actually, I do RTFA ( 1058596 ) on Wednesday November 11, 2009 @02:35PM (#30063374)

    So in other words, this isn't a count of how many vulnerabilities there are, it's a count of how many vulnerabilities are found and fixed. Something tells me their methodology is a bit flawed. Of course, that's by design, given Cenzic's financial ties to Microsoft.

    Actually, in other words, the GP was making shit up. But since it conformed to your worldview, you agreed with it and based an entire post on it even though he said he didn't RTFA. Somehow it then got modded to +5.

    In reality, the vulnerabilities were culled from a variety of 1st and 3rd party sources.

  • From the report... (Score:1, Informative)

    by Anonymous Coward on Wednesday November 11, 2009 @02:40PM (#30063470)

    Here's the gist of Cenzic's _marketing_ report as it applies to browsers:

    "78 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers. Plugins and ActiveX, which is a significant increase from earlier in the year.

    Of the Web vulnerabilities, Web Browser vulnerabilities comprised (sic) eight percent of the total vulnerabilities found, and Web servers comprised two percent. Vulnerabilities in the code of commercial Web applications was 90 percent of the total Web related vulnerabilities. Looking at the various classes of vulnerabilities, we found that SQL Injection and Cross Site Scripting (XSS) vulnerabilities continued to dominate with 25 percent and 17 percent respectively. Authorization and Authentication vulnerabilities were higher at about 14 percent of total Web vulnerabilities followed by Directory Traversal at 12 percent."

    Apparently they don't discriminate among versions of browsers, plugins, or web apps. Firefox 1 + 2 + 3 = Firefox.

    Nor do they say how they identified browsers. (Presumably the ID came from each source that reported the results.)

    They also don't report any specifics of browser vulnerabilities (kind, duration, patch, etc).

  • Re:I wonder (Score:5, Informative)

    by natehoy ( 1608657 ) on Wednesday November 11, 2009 @02:40PM (#30063478)

    Have read the article, and the attached PDF, and they only state the conclusions. No mention is made of how they counted vulnerabilities, only that Firefox had 44% of them, and that they represented "Web Vulnerabilities by Major Type". Adding to the confusion was that they also talked about applications and servers and alternated back and forth between the three with little warning.

    Also interesting was that "ActiveX" was listed as a technology separate from Web Browsers, the one time it was mentioned. In other words, their vulnerability percentage, which is already vague, may not include ActiveX vulnerabilities within IE. Or they may. All we know is that they claim IE has 15%.

    Nowhere is there mention of what constitutes a reportable vulnerability, what versions of each browser were counted, how they were classified or even what the classifications were, what sorts of reports were included by browser (did plugins or addons get included in Firefox? ActiveX for IE? For multiplatform browsers like Opera, Firefox, and Safari, were vulnerabilities mitigated by only being exploitable on some platforms and not others, or reported multiple times - once for each vulnerable platform?)

    The PDF was severely [citation needed], but remarkably honest in that it expressed surprise that Firefox was the most vulnerable web browser when compared to IE, Safari, and Opera, and comprised almost half the identified vulnerabilities among the four browsers.

    If this is like most reports of the same type, they are using vendor-reported bugs. Firefox would, by definition, have the largest bug list by any stretch in such a report. They are the only web browser development team that allows (and encourages) access to the same bug-tracking database that their developers use. Safari, IE, and Opera only report vulnerabilities when (a) they have been fixed, or (b) when so many reports have come out that they finally have to 'fess up.

  • by darthyoshiboy ( 1086569 ) * on Wednesday November 11, 2009 @02:49PM (#30063646)
    The project was both led and edited by one Mandeep Khera, Chief Marketing Officer, Cenzic, Inc.
    Put together more or less entirely by marketing people at a company that is trying to sell you web security.
    I don't know about you guys but I've never known people in marketing to be anything less than the most fine and upstanding sort of the disgusting vile unmitigated cock sucking pustules that ever formed on the unwashed asses of pond scum.
  • by Dare978Devil ( 960329 ) on Wednesday November 11, 2009 @03:07PM (#30063972)
    "Cenzic's acceptance to the SecureIT Alliance alongside our recent designation as a Microsoft Certified Partner highlights our expertise and experience in working with Microsoft technologies as well as a proven ability to meet customer needs," said Mandeep Khera, vice president of marketing for Cenzic. http://www.cenzic.com/pr_20061011/ [cenzic.com] So, this report on browser vulnerabilities must be "Fair and Balanced" given that they are a Microsoft Certified Partner.
  • Re:I wonder (Score:5, Informative)

    by Bloody Peasant ( 12708 ) on Wednesday November 11, 2009 @03:14PM (#30064114)

    So in other words, this isn't a count of how many vulnerabilities there are, it's a count of how many vulnerabilities are found and fixed.

    I read the report. It is a marketing document, with one person (Mandeep Khera, Chief Marketing Officer) identified in it as both project lead and executive editor.

    Also, despite the fact that the report itself downplays browser vulnerabilities (8% vs. 90% web apps, 2% web servers), they still put in a single token page which just seems out of place. Nowhere does it say what their methodology is for determining what comprises a "vulnerability". Another poster already pointed out the google search results on the CERT site (~367 for IE, ~61 for Firefox; that's over 6 times more vulnerability reports on the CERT site for IE versus those for Firefox; oops, was I shouting?).

    I suspect the authors' methodology is simply to count something like the number of patches. Given Microsoft's monthly bundling of their security patches, and the Mozilla Firefox project's immediate release of more frequent version updates in response to vulnerability reports and discoveries, such methodology leads to a systematic undersampling of those for IE. A better approach would be to count verified CVE candidates.

    Pure speculation: were they paid by anyone to put that browser breakdown in (it really doesn't seem to belong in my opinion), or was it ignorance or lack of thinking? Without an honest clarification from the company we'll probably never know.

  • Re:Certified (Score:5, Informative)

    by adamchou ( 993073 ) on Wednesday November 11, 2009 @03:20PM (#30064184)
    You didn't mention how to become an MCP though. It's not just a matter of filling out a form and sending it to Microsoft. These companies go through a rigorous set of evaluations [microsoft.com] based specifically around Microsoft products in order to become MCP. So although Microsoft might not control them, their pocketbooks do, and they sure as hell invested a lot of money to become MCPs.
  • Re:I wonder (Score:3, Informative)

    by fluffy99 ( 870997 ) on Wednesday November 11, 2009 @03:42PM (#30064554)

    If a vulnerability isn't found, then what's the problem? By that notion, both browsers have undiscovered issues. I do wonder if they were double or triple counting Firefox vulnerabilities as it is supported on more platforms.

    Another, probably more reliable source would be secunia.com. Counting Firefox 3.0.x and 3.5.x, there were a total of 18 issues in 2009 (13 and 5 respectively). Counting IE6, IE7, and IE8 there is a total of 18 vulnerabilities (6, 6, and 4 respectively). Looks like pretty comparable numbers and severity to me.
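Bloody Peasant's point above about counting patch releases versus distinct CVEs, and fluffy99's about counting a multi-platform browser once per platform, can be made concrete. The Python below is an added illustration, not code from the thread, Cenzic or Secunia; every advisory record in it is a constructed placeholder (product names, year-0000 CVE ids and release labels are all made up).

```python
"""Tally one constructed set of browser advisories three ways to show how the
counting rule alone can change which browser comes out 'most vulnerable'.
Every record here is made up for the example: product names, CVE-style ids
(year 0000) and release labels are placeholders, not real advisories."""
from collections import Counter

# Record layout: (product, cve_id, fixing_release, platform)
# BrowserA: fixes bundled into a monthly release, Windows-only entries.
# BrowserB: one point release per fix, one entry per supported platform.
ADVISORIES = [
    ("BrowserA", "CVE-0000-0001", "A-bundle-2009-03", "Windows"),
    ("BrowserA", "CVE-0000-0002", "A-bundle-2009-03", "Windows"),
    ("BrowserA", "CVE-0000-0003", "A-bundle-2009-03", "Windows"),
    ("BrowserA", "CVE-0000-0004", "A-bundle-2009-06", "Windows"),
    ("BrowserA", "CVE-0000-0005", "A-bundle-2009-06", "Windows"),
    ("BrowserA", "CVE-0000-0006", "A-bundle-2009-06", "Windows"),
]
for n in range(7, 11):  # four BrowserB fixes, each listed on three platforms
    for platform in ("Windows", "macOS", "Linux"):
        ADVISORIES.append(("BrowserB", f"CVE-0000-{n:04d}", f"B-3.0.{n}", platform))

def count_by_release(records):
    """One 'vulnerability' per fixing release: rewards vendors that bundle fixes."""
    return Counter(prod for prod, _ in {(p, rel) for p, _, rel, _ in records})

def count_by_cve(records):
    """One per distinct CVE id: unaffected by bundling or platform duplication."""
    return Counter(prod for prod, _ in {(p, cve) for p, cve, _, _ in records})

def count_by_row(records):
    """Raw row count: a fix shipped on three platforms is counted three times."""
    return Counter(p for p, _, _, _ in records)

def most_vulnerable(counts):
    """Product with the highest tally under a given counting rule."""
    return counts.most_common(1)[0][0]

if __name__ == "__main__":
    for label, rule in (("per release", count_by_release),
                        ("per CVE", count_by_cve),
                        ("per platform row", count_by_row)):
        tally = rule(ADVISORIES)
        print(f"{label:17s} {dict(tally)}  -> worst: {most_vulnerable(tally)}")
```

With the same six and four underlying bugs, the "worst" browser flips from BrowserB (per release, per platform row) to BrowserA (per CVE), which is the whole dispute over the Cenzic chart.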

  • Re:I wonder (Score:5, Informative)

    by WinterSolstice ( 223271 ) on Wednesday November 11, 2009 @03:49PM (#30064654)

    I was going to point this out as well - there was nothing really backing up the browser diagram at all. They didn't even really go into how they determined these vulnerabilities existed, even though they did go into how web apps break down (reasonably enough).

    Just another BS FUD report

  • Re:I wonder (Score:5, Informative)

    by GumphMaster ( 772693 ) on Wednesday November 11, 2009 @05:16PM (#30065738)

    In what way is a Microsoft Certified Partner [cenzic.com] not financially tied to the maintenance of the Microsoft ecosystem in the face of encroaching offerings, particularly in the browser space?

    A more cynical person might assert that a company peddling security assessment tools for web servers would actively promote less secure server systems that kept them in business. Spreading FUD about a browser is only peripheral to that but it does feed the "non-Microsoft is bad" or "open-source is bad" ethic of senior management and bean counters... keeping major systems on Microsoft platforms and Cenzic in business. As I say though, you'd have to be cynical ;)

  • by Bigjeff5 ( 1143585 ) on Wednesday November 11, 2009 @05:39PM (#30066006)

    Actually if the OS intercedes in a buffer-overrun situation (basically, out of memory and crash), you are not vulnerable to code injection into memory. Most operating systems today do exactly that for precisely that reason - to prevent code injection. In other words, your browser can crash all the time and you aren't necessarily vulnerable to code injection.

    There are various other conditions that can leave you open to code injection though.

  • Re:I wonder (Score:4, Informative)

    by Anonymous Coward on Wednesday November 11, 2009 @06:24PM (#30066662)

    Well it seems Opera are not too impressed with the report either, despite the fact they come first:
    http://my.opera.com/haavard/blog/2009/11/10/cenzic-security

    Which is interesting. Not often you see a company criticise a report that shows them in such a good light.

  • Re:I wonder (Score:2, Informative)

    by cheeseboy001 ( 986317 ) on Thursday November 12, 2009 @12:09AM (#30069252)
    That's a dude's blog. As in, "The views stated herein are my own, and do not necessarily represent those of Opera Software."
