Fanning the Flames of the Browser Security Wars
A report published this week by software vulnerability watcher Secunia promises to stoke the ever-smoldering embers of the debate over which major Web browser is more secure.
In trying to draw conclusions from the data, though, I hope readers will look past the sheer numbers of security holes that each browser maker fixed this past year, to the metric that in my opinion matters most: How long did it take each browser maker to address security flaws once those vendors knew about them?
Secunia's study (PDF) found that 115 security flaws were reported in 2008 for Mozilla's Firefox browser, almost four times as many flaws as other popular browsers. In contrast, Secunia said, 31 vulnerabilities were reported for versions of Microsoft's Internet Explorer, while Opera and Safari claimed at least 30 and 32 reported security holes in 2008, respectively.
But the Secunia study also measured how nimbly Microsoft and Mozilla responded to vulnerabilities that the companies were notified about at the same time as the rest of the world. These types of "full disclosure" or "zero-day" incidents are notable because they often include the publication of blueprints showing would-be attackers exactly how to use the flaws for criminal purposes. In either case, for each day that the vendor takes to ship an update to fix the flaw, users remain at a heightened risk of attack.
Secunia found that when it comes to fixing flaws that were first disclosed publicly or through online attacks, the tables were turned. There were six instances last year in which Microsoft was publicly alerted to a vulnerability in its browser, including two that Secunia labeled "high" or "moderate" in severity. Mozilla apparently confronted just three such situations, all involving vulnerabilities Secunia classified as "less critical" or "not critical."
According to Secunia's tally, Mozilla took an average of 43 days to address these three flaws last year.
In contrast, Microsoft took 110 days to ship updates that fixed the two more serious publicly revealed flaws. Additionally, the company still hasn't patched three of the four other, less critical IE flaws disclosed last year (the window of exposure for those flaws currently stands at between 231 and 294 days).
The finding that IE users are exposed to more serious browser flaws for longer periods of time than their Firefox counterparts is not an aberration, but it actually represents something of an improvement for Microsoft: In 2007, Security Fix published an analysis which found that for a total of 284 days in 2006, exploit code for at least 10 "critical" flaws in IE was made publicly available online before Microsoft was able to ship updates to fix them.
March 4, 2009; 4:30 PM ET
Categories: From the Bunker , Safety Tips | Tags: firefox, internet explorer, microsoft, mozilla, secunia