Fanning the Flames of the Browser Security Wars

A report published this week by software vulnerability watcher Secunia promises to stoke the ever-smoldering embers of the debate over which major Web browser is more secure.

In trying to draw conclusions from the data, though, I hope readers will look past the sheer numbers of security holes that each browser maker fixed this past year, to the metric that in my opinion matters most: How long did it take each browser maker to address security flaws once those vendors knew about them?

Secunia's study (PDF) found that 115 security flaws were reported in 2008 for Mozilla's Firefox browser, almost four times as many flaws as other popular browsers. In contrast, Secunia said, 31 vulnerabilities were reported for versions of Microsoft's Internet Explorer, while Opera and Safari claimed at least 30 and 32 reported security holes in 2008, respectively.

But the Secunia study also measured how nimbly Microsoft and Mozilla responded to vulnerabilities that the companies were notified about at the same time as the rest of the world. These types of "full disclosure" or "zero-day" incidents are notable because they often include the publication of blueprints showing would-be attackers exactly how to use the flaws for criminal purposes. In either case, for each day that the vendor takes to ship an update to fix the flaw, users remain at a heightened risk of attack.

Secunia found that when it comes to fixing flaws that were first disclosed publicly or through online attacks, the tables were turned. Secunia found six instances last year in which Microsoft was publicly alerted to a vulnerability in its browser, including two that Secunia labeled "high" or "moderate" in severity. Mozilla apparently confronted just three such situations, all with vulnerabilities Secunia has classified as "less critical" or "not critical."

According to Secunia's tally, Mozilla took an average of 43 days to address these three flaws last year.


In contrast, Microsoft took exactly 110 days to ship updates that fixed the two more serious publicly disclosed flaws. Additionally, the company still has not patched three of the four other less critical IE flaws disclosed last year (the window of exposure for those flaws currently stands between 231 and 294 days).

The finding that IE users are exposed to more serious browser flaws for longer periods of time than their Firefox counterparts is not an aberration, but it actually represents something of an improvement for Microsoft: In 2007, Security Fix published an analysis which found that for a total of 284 days in 2006, exploit code for at least 10 "critical" flaws in IE was made publicly available online before Microsoft was able to ship updates to fix them.

By Brian Krebs  |  March 4, 2009; 4:30 PM ET
Categories:  From the Bunker , Safety Tips  | Tags: firefox, internet explorer, microsoft, mozilla, secunia  


Is it just me, or do others also notice that Firefox [current version] is taking longer, sometimes much longer, to load these days?

I also seem to be having 'issues' while Firefox is opened with the program 'freezing' while the hard drive appears to be doing maybe some kind of 'update' along with numerous typing delays on occasion?

Computer checks clean with Superantispyware, Malwarebytes Antimalware, though Spybot caught 51 spyware items last time I ran it. I don't run these programs everyday, only once or twice a week, while relying on BitDefender Total Internet Security 2009 [which couldn't find spyware if it leaped out at it, but is fine, I think, for AV].
Anyone else get a call YET from Kingston, Jm. telling them they have won $5,000,000 ? LOL I told them to give my winnings to the White House ----------------ha, what winnings.

Posted by: | March 4, 2009 6:15 PM | Report abuse

FF 3? Yes. At times the computer all but freezes while FF "does its thing." That's at initial launch and ~ hourly thereafter. I think that is the "Live Bookmarks" (RSS feeds) being refreshed.


FF ships with a handful of these LB sites, if I recall, and I've added plenty more (such as Security Fix).

You can not change that they load on launch from their respective web sites nor change which get refreshed (except by deleting the site). You cannot change "how deep" it refreshes a site.

You can adjust how often they refresh during a session. 3600 seconds = 1 hour.

When they load or refresh it takes time. If an RSS feed is slow or has a lot of entries I suspect it adds time to the process. You can yell at the offending web site(s) if you actually narrow it down, but don't assume a long list equals long delay.

Consider a separate RSS reader instead of LB if it's still an issue for you (and submit a request to Mozilla to change the behavior).

Aside from LB, there are thousands of Extensions and maybe one you've added is behaving badly. Launching FF in "safe mode" (not launching Windows in SM) will temporarily disable them (but I don't know if it disables the RSS action). READ before you change anything.

If you want to work on extensions individually they're on the add ons menu. While you are in there, did you recognize the things in the new "Plug in" tab?

Maybe make a new profile and start fresh.

Don't overlook your antivirus. Many AVs have a resident component and may have increased their aggressiveness, perhaps slowing your surfing in order to be more watchful (not a bad thing necessarily; not "turn it off" permanently, but don't accidentally ascribe problems to FF that might be external).

Good luck.

ps. Some folks make a second profile, one "fully loaded" and one "slim and fast". I don't know if that approach is of use or not.

Posted by: goneva | March 4, 2009 10:15 PM | Report abuse


Thank you.

I'll check out your suggestions 'in the morning.'

Posted by: | March 5, 2009 4:25 AM | Report abuse

Brian []

The NEW version of Google Chrome is nicely enhanced since the original version that I originally downloaded.

A shame you have to hit 'help' to learn about the upgrade.

Posted by: | March 5, 2009 4:54 AM | Report abuse

Thanks brucerealtor, I am upgrading my version of Chrome now... :)

I agree, they should have prompted me that there was a newer version....

Posted by: indep2 | March 5, 2009 12:04 PM | Report abuse

FireFox is a mess. I'm writing this on a Mac and have to use Safari because FireFox blocks me from posting on these Washington Post forums!

Posted by: mibrooks27 | March 5, 2009 12:34 PM | Report abuse

Not trying to start a browser war but I wanted to say that I haven't noticed the slow performance that brucerealtor or genova seem to be experiencing. I'm running Firefox 3.0.6 on Windows XP Pro at work and Windows Vista Home Premium at home and the performance is very nice. Both Firefox and IE seem to start up in roughly the same amount of time for me. Now I will say that both my work and home systems are dual core and have at least 3 GB of RAM, but this is becoming a fairly common configuration for users.

As for the number of vulnerabilities in any of the browsers, do we have a breakdown of the level of severity for the browsers? I realize any vulnerability is bad, but if Firefox had 115, how many were critical? If they were so bad, even the Firefox fanatics would probably have rethought their browser options.

Posted by: jim_maryland | March 5, 2009 1:59 PM | Report abuse

I use Firefox, but it's started crashing ALL the time for me. So I uninstalled most of the add-ons and plug-ins, and it was stable temporarily - now it's started crashing AGAIN.

And I agree with the first poster, it does seem to take a really long time to load.

Posted by: solsticebelle | March 5, 2009 2:34 PM | Report abuse

What about those 366 ActiveX vulnerabilities for 2008? Yikes!

Posted by: t_joe | March 6, 2009 1:05 AM | Report abuse

A further observation about the current version of Firefox, namely, its reluctance to promptly 'clear private data' when requested, which sometimes becomes an absolute refusal to do so, even after a restart of the browser.

Posted by: | March 6, 2009 4:53 AM | Report abuse

© 2010 The Washington Post Company