
A Blog From Behind the Trenches

Attack of the Bugs

Cenzic says Firefox and Safari are the least secure browsers? Really?


According to Computerworld, security firm Cenzic has released a report showing that Firefox and Safari were the least secure browsers in the first half of 2009. That's the impression you get by simply skimming the article anyway. The actual report from Cenzic only counts the number of security flaws, and concludes that Firefox had 44% of all vulnerabilities, Safari had 35%, IE had 15%, and Opera a mere 6%.

Does that really mean that IE is more secure than Firefox and Safari?

I'm not sure a conclusion like that can be drawn at all. There are other aspects to security vulnerabilities that were not covered, such as the severity, and how long the vendor takes to fix them. Furthermore, security reports sometimes elevate standard crash bugs into security bugs, for example referring to them as "Denial of Service Vulnerabilities".

It's great to see that Opera has a low number of vulnerabilities, and I am confident that we would look good if severity and "time to fix" were taken into account as well. But until the report actually includes those relevant details, it isn't really that useful.

Statistics are great, though. You can make them show just about anything.


Comments

xErath 10. November 2009, 14:29

Most people don't know or understand those issues with the report, so they just buy into it, the same way that they buy that JavaScript benchmarks measure real-world web page performance. At least the misinformation campaign this time is on our side.

Aux 10. November 2009, 15:03

Oh, maybe you know how to disable cross-domain security in Opera? I need it for development...

Robin_reala 10. November 2009, 15:14

The other thing of course is that Safari and Mozilla are open-source, and by definition more open about their security issues.

Chas4 10. November 2009, 16:41

Safari is not open source

Sometimes not talking about a security issue publicly prevents a hacker from using it.

One more reason to go to a more modern browser
http://secunia.com/advisories/product/11/

persianweblog 10. November 2009, 17:24

I like Safari, it's a good browser, I use it ...

Chas4 10. November 2009, 17:38

This article also states:

Other factors need to be taken into account for a proper comparison; this includes the type of vulnerabilities and thus the underlying type of coding errors, the impact of the vulnerabilities, the time it takes the vendor to fix the reported vulnerabilities, how easy it is to update the software thus how quickly the users (learn about and is able to) apply the patches.



http://www.theregister.co.uk/2009/11/10/web_security_survey/

kamalesh 10. November 2009, 19:30

Haavard: You're a big, big man for defending other minority browsers given the untrue & misplaced attacks on Opera (and omissions) I read from their blogs and tech stories...constantly. Not sure they deserve it until I see some admission from them. Maybe the aria inside the Opera House drowns out that ugly outside noise, but still. :wink:

@xErath: Exactly my first thought. haha. I guess one-out-of-a-million isn't bad. I hope Opera works harder/smarter to change this faster. Ugh.

umbra-tenebris 10. November 2009, 20:44

Yeah, Opera is the safest (graphical and script-enabled) browser on Earth :smile: This adds to being the fastest, with most integrated features and since 10.0 with the most pretty default interface. Not bad for a single product, is it? On my personal list for best-coded Windows programs, Guild Wars is #1, Opera and Ultra Edit share the 2nd place.

dapxin 11. November 2009, 02:54

interesting stuff.....stats == lies :-)

Robin_reala 11. November 2009, 13:07

@Chas4: you’re right of course that Safari itself isn’t open source, but nearly all security bugs that don’t rely on social engineering occur in the browser engine, which in Safari’s case is the open source WebKit.

Also, security by obscurity? It only works if you’re only obscure as long as it takes to fix the bug.

Indyan 11. November 2009, 14:58

What I am really concerned about is the time taken to fix those vulnerabilities. That's what matters, especially for a browser like Fx which has automatic incremental updates.

bugscout 12. November 2009, 23:19

Chas4 12. November 2009, 23:57

bugscout, that site says that ff is the only browser with XSS protection (with an add-on). I know that Safari has something, I would guess so does Chrome, and I believe Opera also has one (if the Google translator works correctly).

Speed tests depend not only on the browser but also on the hardware in the system; 512 MB of RAM vs 2 to 3 GB of RAM will make a difference.

Purdi 13. November 2009, 15:21

How is that test at chip.de relevant to counting security bugs?
