Firefox Most Vulnerable Browser, Safari Close

An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.

Huh?

[Anonymous Coward]

So just down the page on slashdot, this very day, there are warnings about a "Windows kernel vulnerability" that is exploited through IE. I'll take three cross-site scripting bugs any day over a kernel level compromise, thank you.

I know the world doesn't have a good objective measure of "impact" to assign to these things so that one could assess the total "probable inconvenience" of the presented security vulnerabilities, and that makes unbiased data gathering difficult, but this feels pretty absurd.

Re:I wonder

[Anonymous Coward]

Doesn't matter. If the browser cannot protect itself from its own add-ons then it is still the browser at fault.

Glad I don't use Firefox, Safari or IE.

Re:I wonder

[dkleinsc]

So in other words, this isn't a count of how many vulnerabilities there are, it's a count of how many vulnerabilities are found and fixed.

Something tells me their methodology is a bit flawed. Of course, that's by design, given Cenzic's financial ties to Microsoft.

Nothing to see here

[El_Muerte_TDS]

From the report.

Popular vendors including Sun, IBM, and Apache continue to be among the top 10 most vulnerable Web applications named.

Wait... so vendors and now applications?
They continue to say that Java and PHP are very vulnerable, but it's actually applications written in Java and PHP, not the language+runtime itself. In that case you could say that C++ has the most vulnerabilities.

Re:I wonder

[Shatrat]

lol, touche.
Still, do you really have to read it?
It seems like one of these bootlicking/astro-turfing 'studies' from some consulting agency or 'solution' vendor comes along about every 6 months in the Slashdot headlines.
Upon reading TFA, this one seems no more credible than any other.

Re:Firefox IS getting infected in the wild

[Anonymous Coward]

Its plugins. Ive seen several machines recently infected, no files were showing as having been downloaded, but based on the temp files used to start the infection it appears that Adobe Reader is being used quite a lot as an avenue for infection

Re:I wonder

[bangthegong]

a much more credible report, IMO because they are at least honest about their methodology and the weaknesses or strengths of how to look at different data: http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf [ibm.com]

Re:I wonder

[noidentity]

Wow, so if I merely released my own binary-only build of Firefox and never mentioned any fixed vulnerabilities in release notes, this study would have found it with far fewer vulnerabilities than Firefox? I think I found a vulnerability in this study...

Re:I wonder

[Anonymous Coward]

Hypocrisy? He didn't say anything about the article. All he said was that the previous two posters made conclusions based on absolutely nothing.

I have experience here

[Effugas]

So, I'm posting as somebody who has gotten critical fixes pushed into both IE and Firefox. (Technically, Chrome and Opera too, but those were the pure crypto vulns.)

It's genuinely hard to write a secure web browser. Forget plugins -- you have a complex internal object model, subject to all sorts of very fine grained rules ("the filename on an input type=file form must not be settable from Javascript"), which can be made into a pile of moving parts under the control of an attacker. What's happened somewhat recently is a lot more people have gotten into bashing Firefox. You know those "many eyes" theories of open source, and how they're usually kind of full of it?

Well, "many eyes" are visiting it now, and Mozilla to their credit is doing a lot of very hard work to deal with the influx. Good on them.

Re:I wonder

[Nikker]

I actually RTFA and the vulnerabilities it accounts for are

• SQL Injection 25%
• XSS 17%
• Web Server 2%
• Buffer Errors 12%
• Web Browser 8%
• Authentication / Authorization 14%

Plus a few under 10%. The funny thing is that the article seems to blame the browser for SQL Injection, Web Server, Information Leak / Disclosure? WTF?

Information Leaks could be the result of any attack, SQL Injection has nothing at all to do with any browser and "Web Server"? There is no real information other than a nice shaded 3D pie chart so what this guy is trying to prove is beyond me. It also includes Path Traversal which is server side as well, code injection well injection into what? The browser, the server ... what?

Popular vendors including Sun, IBM, and Apache continue to be among the top 10 most vulnerable Web applications named.

Even if some agrees that these companies are actual web applications and not software companies, you would have to agree that there really are only about 10 commonly used web servers [netcraft.com] in total so Sun, IBM and Apache will be on this list regardless of the exploit.

Looking at the real report [cenzic.com] all of the exploits blamed on the browsers are based on SQL Injections and propagating malicious code from the originator of the web site so how could one browser handle this more effectively then another? This doesn't really make a lot of sense so anyone gifted with more ability then myself please reply below.

Details?

[Alerius]

So I *did* RTFA and found it was fluff. So I read the linked PDF report to try and find out some details on what these gaping security holes in my favourite browser actually were. I did not want to have to eat crow over my repeated recommendations to us Firefox over IE because it was more secure. Well, there's plenty of space dedicated to reporting server side vulnerabilities, plenty on web apps, lots of repetition of how surprised they were to find Firefox and Safari so vulnerable...but nothing on what vulnerabilities. No mention of types of vulnerability, frequency, core browser, plug-ins, add-ins, versions, ZIP!

The 29 page report has one page that is mostly taken up with a lovely colourlful exploded pie chart. There is more space dedicated to advertising the Cenzic products and services than there is referencing browser vulnerabilities.

This is isn't a report, it's a sales pitch.

Re:I wonder

[fredjh]

I was wondering that myself... how is SQL injection a fault of the browser? I mean... I suppose a plugin could try SQL injections when submitting forms, but I don't see how that could be any worse on any other browser, AND it doesn't compromise the browser or the client's system.

SQL injection?

[rrohbeck]

The top vulnerability is SQL injection.
Can anybody explain how the browser is responsible for SQL injection vulns?

Re:I wonder

[http]

Pardon my ignorance, but how exactly is Cenzic tied financially to Microsoft again? Google's got nothing (and bing has less).

Re:I wonder

[wealthychef]

I wonder what difference it makes that there are more or less vulnerabilities reported. What actually matters is the total exposure, which I would define, for each browser, as
the sum over all vulnerabilities of:
(number of browsers with vulnerability) x (damage possible if vulnerability is exploited) x (chance of actually exploiting the vulnerability).

Being open and honest about bugs is a good thing

[syousef]

Haven't RTFA yet but I bet they are using patch notes as their source of vulnerabilities.

So the headline should have been "Firefox most transparent browser when it comes to vulnerabilities".

I'm no FF fanboi. I think they've gone off the rails in a lot of ways - especially by forcing users to accept changes that many changes they don't like such as AWFULBAR. However one thing they do right is they're transparent about bugs and vulnerabilities (at least once they're able to reproduce them). The whole article is a fucking troll.

Re:who is cenzic?

[Silfax]

hits search

367 http://search.cert.org/search?q=advisory+internet+explorer [cert.org]
89 http://search.cert.org/search?q=advisory+netscape [cert.org]
61 http://search.cert.org/search?q=advisory+firefox [cert.org]
20 http://search.cert.org/search?q=advisory+safari [cert.org]
18 http://search.cert.org/search?q=advisory+opera [cert.org]
12 http://search.cert.org/search?q=advisory+lynx [cert.org]

clearly, the fewer number of letters in the name of your browser makes it more secure.

Re:I wonder

[Barny]

Possibility that if the majority of the document is on server level stuff, then did they maybe test IE with "enhanced protection" that comes with server? Effectively its like firefox with no-script but has none of the user-friendliness of no-script.

Re:I wonder

[kestasjk]

I'm a firefox user and I accept this study and that IE8 may well be more secure. They have made huge leaps in security since IE6, using sandboxing and whatnot to lessen the impacts of vulnerabilities found as well, and their security zone settings allow fine-grained choices regarding how secure you want to be vs what you need to run, and the integration with Active Directory allows security policy to be spread across enterprises easily.
Firefox is much more tuned to individual users, and needs extra plugins like NoScript to give rudimentary access level controls.

But Firefox supports the latest and greatest web standards, has a real community of users which make great plugins like NoScript and Adblock and Firebug, and is always trying new things like the awesome bar. If I wanted tin-foil-hat level security I'd use IE8 with a restrictive security policy, but realistically these days the difference between highly secure and pretty-damned-secure isn't that great; you're more likely to get a virus by being a dumbass and installing something you shouldn't than from an actual web-browser vulnerability.

I do think trying to find flaws in the study and questioning the motives when it doesn't look favorably on your favorite browser, as most people here are doing, is just narrow minded and petty.

Re:I wonder

[Hatta]

From what I understand the report was based on the number of vulnerabilities patched, not announced

The pdf of the report is linked from the article. Browser vulnerabilities are mentioned on only one page, on which no methodology is discussed. Most of the article has to do with web applications. For the web applications, they repeatedly use the term "reported vulnerabilities", not patched. They do discuss that the number of actual vulnerabilities may be lower than reported vulnerabilities for proprietary web applications. I'd bet they're using reported vulnerabilities for browsers too. Here is the entire text of the section on Web Browser Vulnerabilities:

Vulnerabilities in Web browsers were concentrated among four popular technologies -
Internet Explorer, Mozilla Firefox, Opera, and Safari. The number of browser
vulnerabilities in first half of 2009 comprised about 8 percent of total Web vulnerabilities.
Mozilla Firefox had the largest percentage at 44 percent. What was surprising was that
the Safari browser had a lot more vulnerabilities at 35 percent this time around mainly
due to vulnerabilities reported in iPhone Safari. Internet Explorer was third at 15 percent
and Opera with six percent of total browser vulnerabilities.

So this report is entirely useless. They don't discuss their methodology, which is likely to be suspect. Ignore it.