Friday, March 6, 2009

Fanning the Flames of the Browser Security Wars

Secunia's study found that 114 security flaws were reported in 2008 for Mozilla's Firefox browser, almost four times as many flaws as for the other popular browsers. In contrast, Secunia said, 31 vulnerabilities were reported for supported versions of Microsoft's Internet Explorer browser, while Opera and Safari claimed at least 30 and 32 reported security holes in 2008, respectively.

But the Secunia study also measured how nimbly Microsoft and Mozilla responded to vulnerabilities that the companies were notified about at the same time as the rest of the world. These types of "full disclosure" or "0 day" incidents are notable because they often include the publication of blueprints showing would-be attackers exactly how to use the flaws for criminal purposes. In either case, for each day that the vendor takes to ship an update to fix the flaw, users remain at a heightened risk of attack.

Secunia found that when it comes to fixing flaws that were first disclosed publicly or through online attacks, the tables were turned. Secunia found six instances last year in which Microsoft was publicly alerted to a vulnerability in its browser, including two that Secunia labeled "high" or "moderate" in severity. Mozilla apparently confronted just three such situations, all with vulnerabilities Secunia has classified as "less critical" or "not critical."

According to Secunia's tally, Mozilla took an average of 43 days to address these three flaws last year.

In contrast, Microsoft took exactly 111 days to ship updates that fixed the two more serious publicly revealed flaws. Additionally, the company still hasn't patched three of the four other less critical IE flaws disclosed last year (the window of exposure for those flaws currently stands between 230 days and 295 days).

The finding that IE users are exposed to more serious browser flaws for longer periods of time than their Firefox counterparts is not an aberration, but it actually represents something of an improvement for Microsoft: In 2007, Security Fix published an analysis which found that for a total of 285 days in 2006, exploit code for at least 11 "critical" flaws in IE was made publicly available online before Microsoft was able to ship updates to fix them.
