Whose browser is more secure, Microsoft's or Mozilla’s?

Secunia issued their annual report this week, covering the “sheer numbers of vulnerabilities” discovered in 2008. In one of the sections, dealing with vulnerabilities on browsers, there are some interesting metrics. One surefire way to pick a fight in some circles is to declare that “browser x” is more secure than “browser y”. The actual browser will vary, but no one will see eye-to-eye on this issue.

The data that Secunia offers up is only a small glimpse into the world of vulnerability research when it comes to browsers. According to the report, there were over 200 vulnerabilities reported in 2008 across the major browsers. Opera had the fewest reported vulnerabilities with 30, followed by Internet Explorer with 31 and Safari with 32; Firefox led with 115.

Statistics like this are what fuel the debate over which browser is the most secure. If you take the numbers out of context, clearly Mozilla’s Firefox has the most problems when it comes to security. Likewise, using just the figures alone and taking them with no context, Opera is clearly the most secure browser out there. However, these arguments and this use of logic are flawed, not just because the numbers are out of context, but because security is about more than just vulnerabilities.

Browsers, like any software, are vulnerable by default. There will always be a glitch, bug, or gaping wide hole that a criminal will find a way to exploit. This happens more often than many will admit, and if you look at the low numbers reported by Secunia, then you can see that something is off.

It’s not that Secunia’s data or collection methods are flawed; it’s that they can only work with known vulnerabilities: those reported through disclosure by the person who discovered them (full or responsible disclosure methods are given equal listing in the report), or those reported in security advisories from the vendor.

Taking the vulnerability counts in the Secunia report and placing them in context adds depth to the numbers. For example, browser plug-ins are the root cause of most browser-based vulnerabilities. ActiveX had 366 reported vulnerabilities in 2008, Java had 54, Flash had 19, QuickTime had 30, and Opera Widget had none. There is a listing for a single Firefox Extension, but to be fair, Flash and Java issues also affect Mozilla’s browser in some cases.

Looking at the list of plug-in vulnerabilities and relating them to a browser, you can see how the numbers can be slanted out of context. In this case, considering that ActiveX is the plug-in with the most issues, you can now argue Firefox is the better alternative to Internet Explorer. You would be incorrect if you did, but again this is how the numbers are used. Most of the arguments forget that Flash, QuickTime, and Java can be used against each of the four major browsers.

Another aspect of the Secunia report, and another metric used in arguments online, is the time it takes to patch vulnerabilities within a browser. Considering the previous measurements of plug-ins and total number of reported vulnerabilities, the time it takes to patch these flaws is important, and often used as a basis to prove that one browser is more secure than another.

In their report, Secunia only listed metrics for the “Window of exposure,” meaning how long a user was exposed to risk due to an unpatched flaw. The reported metrics for this section are critical, but they need to be read with their scope in mind. They only list the total days a user was exposed to risk by vulnerabilities that were reported without notice to the vendor. This means that the vulnerabilities listed in the report were disclosed to the public and the vendor at the same time.

In this section of the Secunia report, only Internet Explorer and Firefox are listed. Internet Explorer has six vulnerabilities listed, and Firefox has three. Of the listed vulnerabilities for Internet Explorer, three are still unpatched. However, of these three, two are rated less critical, and one is listed as not critical.

The three patched issues on Internet Explorer took an average of 99 days to patch. They are rated as high, moderate, and less critical respectively. In comparison, Firefox took 44 days on average to patch the three listed issues. Of the three issues listed for Firefox, two of them are rated not critical; the last one is rated less critical.

Considering the imbalance of the metrics used in the Window of exposure section, there is little information you can gain from it to prove or disprove browser security. Reports like this are great when doing research, but using them as supporting facts when arguing that one browser is more secure than another is ultimately pointless.

As mentioned, browsers will always be insecure. Somewhere, somehow, a bug or flaw in code will be exploited. Moreover, because most browser-based security issues actually originate with plug-ins, which are used to target the end user via the browser, time-to-patch metrics and reported vulnerability stats are just numbers on a bit of paper.

To judge browser security based on vulnerability reporting or time-to-patch metrics isn’t fair. As browsers get more complex, so does the code to develop them; the more code you add to something, the more risk you assume. Criminals are smart; they know they can’t attack Internet Explorer directly, but attacking it via ActiveX to target the user works in most cases. Firefox is solid and secure, but targeting Firefox users by exploiting Flash issues, that works.

So which browser is the most secure? None of them; not a single browser is the most secure when compared to another. They are all filled with bugs. Some of these bugs will lead to security problems directly, and other minor bugs will be exploited to create a security problem. The trick to browser security is to keep on top of patches, update plug-ins when new versions are released, and use caution and common sense when surfing the Web.
