backtop

Print E-mail del.icio.us 51 comment(s) - last by mindless1.. on Nov 15 at 12:21 PM

Percentage of vulnerabilities, by browser  (Source: Cenzic)

Vulnerabilities by type  (Source: Cenzic)
Study raises interesting points, but does not account for the number of actual attacks

Security is a serious concern now more than ever, with hackers and cybercriminals becoming more organized and looking to profit on a wealth of stolen information.  Typically problems fall into the PICNIC variety -- Problem In Chair, Not In Computer -- but that does not change the fact that some platforms due to design are more vulnerable to attack.

Typically vulnerability arises from two things -- design flaws/oversights and the level of use.  For the latter reason, users of Microsoft Internet Explorer 8, despite the company's relatively meticulous in its patching, remain in danger due to its leading marketshare.

A new study from Cenzic looks at the design side of the equation, compiling vulnerability information from NIST, MITRE, SANS, US-CERT, OSVDB, OWASP, as well as other third party databases for Web application security issues reported during the first half of 2009.

The study offered some intriguing conclusions.  It found Mozilla's Firefox to be the most vulnerable browser, with Apple's Safari closely behind.  Safari would have done slightly better, but was hurt by numerous vulnerabilities found in the mobile version of Safari that ships with Apple's popular iPhone smart phone (and iPod Touch).

Whereas Firefox accounted for 44 percent of the vulnerabilities, despite having an estimated 30 percent or less marketshare, Microsoft did better than expected, only accounting for 15 percent of the vulnerabilities on close to 60 percent marketshare.  Of the browsers with known vulnerabilities, Opera proved to be the least vulnerable, having only 6 percent of the disclosed vulnerabilities, however its marketshare in the PC market is estimated to be only a few percent at most.  Google Chrome had no listed vulnerabilities.

The biggest source of vulnerabilities, according to the study, are web applications.  Web applications comprised 78 percent of the reported vulnerabilities.  Among the top offenders were web applications from Sun, IBM, and Apache. 

According to the study, the most prevalent vulnerabilities for the year were SQL Injection (25 percent) and Cross-Site Scripting (XSS) (17 percent).  Classic methods like exploitation of buffer errors continued to be popular as well.

When considering these numbers, it is important to keep in mind that the study did not look at the total number of attacks or actual number of affected users -- numbers that would be difficult to accurately estimate.  Thus some browsers like IE8 may actually be a bit more dangerous than the study indicates due to their leading marketshare, while others like Opera may be a bit more secure than indicated because of their tiny marketshare.

For Mozilla, though, the study does raise concern.  After all, Firefox both appears to be highly vulnerable and has the industry's second largest marketshare, second only to Microsoft.  The study echoes the conclusions of security firm Bit9, which last year listed Firefox as the app to pose the greatest risk to business security.


Comments     Threshold


Cenzic is on Microsoft Payroll
By hiscross on 11/11/2009 4:14:04 PM , Rating: 3
100% of General Motors executives said they believe General Motors vehicles are better than Ford's, a studies show. Those studies are paid for by General Motors.




RE: Cenzic is on Microsoft Payroll
By Zurtex on 11/11/2009 4:45:42 PM , Rating: 4
Agreed,

Yet another misguided metric of trying to measure security, used just because it shows one browser as better than the other.

Number of vulnerabilities isn't very important when most companies aren't open about that sort of thing and there are far more important metrics like:

*) Exploitability
*) Patch release time on critical vulnerability
*) Average time a user actually applies that patch


RE: Cenzic is on Microsoft Payroll
By Zurtex on 11/11/2009 5:19:22 PM , Rating: 5
Go down to page 12: http://www.cenzic.com/downloads/Cenzic_AppSecTrend...

Notice the complete lack of any real investigation or evidence, just a pretty pie chart.


RE: Cenzic is on Microsoft Payroll
By invidious on 11/11/09, Rating: 0
RE: Cenzic is on Microsoft Payroll
By MozeeToby on 11/11/2009 6:21:32 PM , Rating: 5
The methodology isn't published, the sources aren't completely enumerated, and, most importantly, the conclusions are invalid. Number of flaws fixed is a horrible, misleading metric to measure security by. It doesn't take into account severity, ease of attack, unreported bugs, or unacknowledged bugs. It is not suprising that FireFox, the only browser that gives the users access to the same bug tracker that the developers use, has the most identified bug fixes.

There's no easy way to measure application security, but I can think of several ways that would be much more accurate than this kind of study. Flaws found per hour of code review is often the most accurate but even hours of code review per LOC would correlate more closely than this kind of analysis.


RE: Cenzic is on Microsoft Payroll
By Keeir on 11/11/2009 6:56:18 PM , Rating: 3
quote:
The methodology isn't published, the sources aren't completely enumerated, and, most importantly, the conclusions are invalid.


Maybe more like: The conclusions may be invalid because there is no published methodology and sources are not enumerated.


RE: Cenzic is on Microsoft Payroll
By Etsp on 11/11/2009 7:10:09 PM , Rating: 5
I would say that the conclusions should be considered invalid until the methodology is published and the sources are enumerated.


By justsomeone on 11/11/2009 7:17:48 PM , Rating: 2
exactly!


RE: Cenzic is on Microsoft Payroll
By boden on 11/13/2009 10:49:02 PM , Rating: 2
When the testing is duplicated, independently, repeatedly then the results will have been validated.

Have we abandoned the scientific method?


By xxsk8er101xx on 11/11/2009 7:59:22 PM , Rating: 2
The study was also paid for by Microsoft


By cashkennedy on 11/12/2009 4:11:09 PM , Rating: 2
If you read the daily tech article you realize the vulnerabilities are from a bunch of independent sites such as us-cert. They are not vulnerabilities from Firefox bug reports or other web browsers bug reports. So unless you think the US government is being paid by Microsoft to not list their vulnerabilities as much as Firefox's your argument makes little sense. The study was not based on flaws being fixed, but they most likely did not include vulnerabilities that are listed as no longer being valid on the independent sites they used to determine the vulnerabilities of each browser.


RE: Cenzic is on Microsoft Payroll
By damianrobertjones on 11/11/09, Rating: 0
RE: Cenzic is on Microsoft Payroll
By Lifted on 11/11/2009 7:28:28 PM , Rating: 2
It sounds pretty typical for a business/enterprise environment.

My main problem with the study, which has been pointed out already, is that nobody but Microsoft knows how many security vulnerabilities have been patched in IE. It could be in the thousands. Same can be said for all of the browsers listed except Firefox.


RE: Cenzic is on Microsoft Payroll
By Skelum on 11/12/2009 7:08:27 AM , Rating: 2
I kind of agree with you on the fact of biased studies...

So what you are saying here is that Opera paid this study???

Right...


RE: Cenzic is on Microsoft Payroll
By JimboK29 on 11/12/2009 9:25:07 PM , Rating: 2
Look at what Threatcore is reporting. They've linked to this blog. They are showing a direct link to the study's firm and Microsoft too. Agreed they are on the payroll. Nice try.


Google Chrome had no listed vulnerabilities.
By lightfoot on 11/11/2009 4:28:58 PM , Rating: 3
quote:
Google Chrome had no listed vulnerabilities.

Shouldn't that be the news worthy part? Isn't it at least as important to know who has the safest browser as it is to know who has the least safe.

Centering this article around Internet Explorer and Firefox is like saying that GMC has slightly better fuel economy than Hummer.




By damianrobertjones on 11/11/2009 6:32:51 PM , Rating: 4
Google Chroms 'IS' the infection.

I kid, I kid :)


By luseferous on 11/11/2009 7:18:03 PM , Rating: 2
I completly agree. The fact that the study shows Chrome to be the only 'secure' browser is much more noteworthy than the I.E is not as full of holes as commonly held to be the case angle.


RE: Google Chrome had no listed vulnerabilities.
By PhatoseAlpha on 11/11/2009 11:47:46 PM , Rating: 5
Hm. I suspect the statement actually tells us nothing about chrome's actual security, but gives us a very, very good reason to suspect this study heavily.

No listed vulnerabilities is not equivalent to no vulnerabilities. I could make a suit of armor out of paper mache, and as long as no one decides to catalog the problems with paper mache armor, I'd have no listed vulnerabilities. Yet, all the same, the first dragon that comes along is going to roast me. Or the first stray match, for that matter.

But really, if they'd actually report that there was no listed vulnerabilities to chrome, as if unlisted vulnerabilities don't matter - then we have good cause to wonder if there study was based solely on the browser developer's reporting habits.

Given the rest of the results, it certainly wouldn't surprise me. Firefox has less market share then IE, but it has enough of it for it to be a target, and it has a very open policy about security flaws. Microsoft....not so much. But you'd still see a pretty big listing simply because the market share meant it was the largest target.

It's like assuming the office chatterbox has more sex then a crack whore, simply because she talks about it more.


RE: Google Chrome had no listed vulnerabilities.
By wushuktl on 11/12/2009 8:10:14 AM , Rating: 3
just out of curiosity, are you big into larping?


By PhatoseAlpha on 11/12/2009 9:18:01 AM , Rating: 2
No. Nor am I into crackwhores.


Concerning Firefox
By togaman5000 on 11/11/2009 4:16:58 PM , Rating: 3
While it may not reflect the average user, I know I personally use addons such as AdBlock and NoScript. Has any test been done with those addons installed? I'd like to believe I'm far less vulnerable than a clean install of FF.




RE: Concerning Firefox
By thebrown13 on 11/11/2009 4:29:31 PM , Rating: 2
Yeah you're less vulnerable til you hit the button that says 'Allow' and then you're in the same boat. It's like Vista's UAC for the web.


RE: Concerning Firefox
By Jalek on 11/11/2009 7:44:55 PM , Rating: 2
At least it's site by site.

There's no plugin to fix user stupidity though.


RE: Concerning Firefox
By mindless1 on 11/11/09, Rating: -1
RE: Concerning Firefox
By mindless1 on 11/12/2009 1:02:43 AM , Rating: 2
Can I get a zero rating, because someone out there is extremely stupid to not recognize this basic aspect of computing, that you own your system and should not have a 2nd or 3rd party second guessing what you are doing.

If that means you are trying to do something harmful, so be it. It's called freedom, some people don't understand the concept applies to more than political propaganda.

If you don't like freedom then give up the right to voice your opinion to demonstrate that. Seriously, you can't have it both ways, if you want to be able to choose then it is only fair others have the same, and not just fair, it's the only sustainable way things could be.


RE: Concerning Firefox
By wetwareinterface on 11/12/2009 1:40:04 AM , Rating: 2
I didn't rate you down, as evidenced by my post here and your still having that negative, but I also would have if it weren't for my desire to post a reply.

You don't understand why UAC was implemented in the first place. It isn't to warn users that what they are doing is potentially a security risk, but to control the possibility that a rogue script is trying to do something not initiated by a user. I love UAC, when I install an app I want to know when it's trying to load something else spyware'esque on my system as part of it's default install script. UAC is all about user control of their system and not having said control pass to 2nd or 3rd parties unknown.


RE: Concerning Firefox
By mindless1 on 11/15/2009 12:21:49 PM , Rating: 2
You actually install software not knowing, nor researching, ahead of time whether it may install spyware?

THEN you want UAC to babysit. UAC is not about user control, it is as I wrote the backwards way to do things. There should always be a default passive deny strategy, or did you really want the choice to install the spyware???


RE: Concerning Firefox
By ShaolinSoccer on 11/11/2009 10:15:50 PM , Rating: 1
I also use AdBlock and NoScript in Firefox and love it. Works great with South Park's website lol. I especially love using Firefox on Dailytech just so I don't see those annoying Vibrant popup ads... But I also enjoy using IE for other websites. The convenience of Accelerators and the magnify button on the bottom right corner are great additions to IE.


RE: Concerning Firefox
By akse on 11/12/2009 5:40:16 AM , Rating: 1
lol watch out what you are saying! I once got a ban from a site when I wrote their forums that adblock is nice if you don't like the stupid popups.(someone had asked about them)

What a bunch of naziz. It's not like I watch ads on tv either.. I change channel.


RE: Concerning Firefox
By Sazar on 11/12/2009 1:57:06 PM , Rating: 2
Nazi's? The site runs because of ad-revenue.

You are essentially leeching off of the forums/website you are going to.

I agree that there are some ridiculously invasive ads that really need to be taken out into the wilderness and shot, but the fact is you are circumventing a revenue-stream for the site. Some sites have this information in their EULA/membership rules.

Since you change your channel when you don't want to see ads, you can also change websites if you wish not to see the ads that support that site :)


SQL?
By jimhsu on 11/11/2009 5:07:53 PM , Rating: 5
Wait .. how is SQL injection a BROWSER vulnerability? Unless your browser runs a SQL server and supports execution of SQL code, that makes absolutely no sense.




RE: SQL?
By jimhsu on 11/11/2009 5:09:58 PM , Rating: 2
Ok, Google Gears seems to use a database. But that has NOTHING to do with Mozilla, or Internet Explorer, or whatever. That's Google's problem. Same as with Adobe's Flash plugin, etc etc.


RE: SQL?
By Jalek on 11/11/2009 7:38:00 PM , Rating: 3
Flash is the standard attack vector for these attacks anyway.

Mozilla should include Noscript and Flashblock in the core browser.


Study?
By R6Raven on 11/11/2009 4:08:00 PM , Rating: 3
quote:
Study raises interesting points, but does not account for the number of actual attacks


Then, is it really a study?




RE: Study?
By Low Key on 11/11/2009 6:09:25 PM , Rating: 2
No it is just a pretty chart


RE: Study?
By bissimo on 11/11/2009 6:46:32 PM , Rating: 3
You have to admit that, as far as pie charts go, that one is very pretty.


By donjuancarlos on 11/11/2009 4:33:50 PM , Rating: 2
The study states clearly (this article does only vaguely), that a vast majority of Firefox's vulnerabilities come from installed 3rd-party add-ins. Therefore, anyone who has a clean install of Firefox and doesn't have some off-the-wall addons need not worry that their browser has the security of a screen door.

Now I wait for the inevitable TV commercials claiming IE8 is "almost 3 times as secure as its closest competitor." Sheesh.




By Sazar on 11/12/2009 1:59:37 PM , Rating: 2
Honestly FF is crap without add-ons. There is no reason to use it over IE8, Chrome or Opera without add-ons.

If the add-ons are causing vulnerabilities, FF needs to address how those add-ons are interacting with their browser.

The silver lining is that a lot more people are using FF apparently for home use, where ID 10 t errors are likely to lead to malware being installed. IE is used a lot in corporate environments where it would be relatively secure so this is a great sign of the user-base Mozilla has right now :D


Shocker
By Performance Fanboi on 11/11/2009 4:12:49 PM , Rating: 2
Another company selling security does another 'study' proving we should hire them.




ahh statistics, how refreshing
By tastyratz on 11/11/2009 4:14:33 PM , Rating: 2
Statistics can be manipulated to paint any kind of picture you want.
Ever hear of the saying "figures lie and liars figure"?

You do raise a point in marketshare's impact in vulnerability - although that's just a metric for global impact more than security.

Other statistics that have come up here skew these results even more in other directions, such as when you consider specific vulnerabilities and time to patch when they arise.

The largest focus (and I think most useful information) from this report is the ratio of attack types in web application exploits. I think this should direct the focus away from "what browser is the most insecure" and more towards "what can we change that's inherently insecure with the platform of development"




We've done this before
By Yawgm0th on 11/11/2009 4:30:10 PM , Rating: 2
I CBF to search for it, but DT did pretty much this exact same story (different study, same conclusion for IE7 v FF, IIRC) a while ago.

This study is based off theoretical vulnerabilities that the FF team is largely aware of and working on. Most FF vulnerabilities are found and patched long before there are actual attacks in the wild. IE is not open source, so it's up to Microsoft alone to find and track vulnerabilities before attackers do. Obviously the security community does this on its own, but IE being closed source makes it much harder. So, of course Firefox has many more known un-patched vulnerabilities; we don't know how many IE has.

Anyhow, what a worthless study. There are only two relevant questions we want answered by statistics, IMO: What percentage of successful attacks/exploits are against each browser, and what percentage or rate of being successfully attacked each browser has. The latter can be extrapolated from the former pretty accurately given browser market share statistics, so really they only need to look for one thing.

If you want a more in-depth study, look at how long a vulnerability exists before being patched, how long it is known about before being patched, and how long it exists before being discovered. Unless Microsoft has changed its ways recently, we'll see much quicker cycles from Mozilla.




Vulnerable "Browser"?
By achintya on 11/11/2009 5:59:21 PM , Rating: 2
Wait. All these are browser vulnerabilities? how the hell do you call things like SQL injection, directory traversal a fail of browsers? And where's the actual evidence in this case?




By BZDTemp on 11/11/2009 7:13:42 PM , Rating: 2
Hmm - does IE8 really have a 60% market share? If not I think the study should look at older versions also to say anything about IE since MS restricts IE8 from older OS while Firefox will run on just about anything.

Also I wonder who payed for this study? I mean Gartner Group is indirectly owned partly by Microsoft but still does "studies" which fx. claim TCO is lower for Windows than for Linux while hiding Microsoft is partly in control.




By lucyfek on 11/11/2009 7:15:22 PM , Rating: 2
because ie8's only use is to check weather on msn.com and - sometimes - compare/check sites that does not seem to work in ff
now, ff is a workhorse of internet browsing and never i've seen problem on my system (and few other that i installed it to avoid users' calls for help). ff is good on it's own, but i use noscript on my own systems (more to avoid active "crap" on pages than for additional safety). all these recent "studies" of ff insecurities seem bogus to me. i'll keep on browsing




Wolf !
By Cookoy on 11/12/2009 3:18:56 AM , Rating: 2
Remember the story of the boy who cried wolf? Just because the first study didn't jibe with you, and the second study also didn't jibe with you, do not mean you should discount every studies that do not jibe with your belief. The prudent thing for the developers to do is to verify each allegations and try to resolve any vulnerabilities if they exist. I use Firefox almost all the time so any little truth in the studies affect me too.




By mmcdonalataocdotgov on 11/12/2009 8:21:46 AM , Rating: 2
quote:
According to the study, the most prevalent vulnerabilities for the year were SQL Injection (25 percent) and Cross-Site Scripting (XSS) (17 percent).

Those are web application vulnerabilities. Why are they even listed? You can code to prevent those, and it has no effect which browser you use.

Jason, you old polemicist. Are we paying for your new boat with posts trying to clear up the garbage in your articles?




amazing
By Lord Nelson on 11/14/2009 4:11:01 PM , Rating: 2
quote:
Thus some browsers like IE8 may actually be a bit more dangerous than the study indicates due to their leading marketshare, while others like Opera may be a bit more secure than indicated because of their tiny marketshare.


So...using this amazing reasoning, if Microsoft managed to get back every single copy of IE8 from users, and stopped letting people install it, it would become the most amazingly secure browser in the world instantly!!

Duh.




It's Jason Mick... what do you expect?
By DLeRium on 11/11/09, Rating: -1
"You can bet that Sony built a long-term business plan about being successful in Japan and that business plan is crumbling." -- Peter Moore, 24 hours before his Microsoft resignation

DailyTech Poll
Which web browser do you use on your primary personal machine? 






44 Comments









botimage
Copyright 2009 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki