Typically, vulnerability arises from two things --
design flaws/oversights and the level of use. For the latter
reason, users of Microsoft Internet Explorer 8, despite the company being
relatively meticulous in its patching, remain in danger due to its
study from Cenzic looks at the design side of the equation,
compiling vulnerability information from NIST, MITRE, SANS, US-CERT,
OSVDB, OWASP, as well as other third party databases for Web
application security issues reported during the first half of
The study offered some intriguing conclusions. It
found Mozilla's Firefox to be the most vulnerable browser, with
Apple's Safari closely behind. Safari would have done slightly
better, but was hurt by numerous
vulnerabilities found in the mobile version of Safari that ships
with Apple's popular iPhone smart phone (and iPod Touch).
Firefox accounted for 44 percent of the vulnerabilities despite
having an estimated 30 percent or less market share. Microsoft did
better than expected, accounting for only 15 percent of the
vulnerabilities on close to 60 percent market share. Of the
browsers with known vulnerabilities, Opera proved to be the least
vulnerable, with only 6 percent of the disclosed vulnerabilities;
however, its market share in the PC market is estimated to be only a
few percent at most. Google Chrome had no listed vulnerabilities.
The biggest source of vulnerabilities,
according to the study, is web applications. Web applications
comprised 78 percent of the reported vulnerabilities. Among the
top offenders were web applications from Sun, IBM, and Apache.
According to the study, the most prevalent vulnerabilities
for the year were SQL Injection (25 percent) and Cross-Site Scripting
(XSS) (17 percent). Classic methods like exploitation of buffer
errors continued to be popular as well.
When considering these
numbers, it is important to keep in mind that the study did not look
at the total number of attacks or actual number of affected users --
numbers that would be difficult to estimate accurately. Thus
some browsers like IE8 may actually be a bit more dangerous than the
study indicates due to their leading market share, while others like
Opera may be a bit more secure than indicated because of their tiny market share.
For Mozilla, though, the study does raise
concern. After all, Firefox both appears to be highly
vulnerable and has the industry's second-largest market share, behind
only Microsoft. The study echoes the conclusions of security
firm Bit9, which last year listed Firefox as the app to pose the
risk to business security.