A Blog From Behind the Trenches

Attack of the Bugs

Cenzic says Firefox and Safari are the least secure browsers? Really?

Tuesday, November 10, 2009 1:57:38 PM

, , , , , ,

According to Computerworld, security firm Cenzic has released a report showing that Firefox and Safari were the least secure browsers in the first half of 2009. That's the impression you get by simply skimming the article anyway. The actual report from Cenzic only counts the number of security flaws, and concludes that Firefox had 44% of all vulnerabilities, Safari had 35%, IE had 15%, and Opera a mere 6%.

Does that really mean that IE is more secure than Firefox and Safari?

I'm not sure a conclusion like that can be drawn at all. There are other aspects to security vulnerabilities that were not covered, such as the severity, and how long the vendor takes to fix them. Furthermore, security reports sometimes elevate standard crash bugs into security bugs, for example referring to them as "Denial of Service Vulnerabilities".

It's great to see that Opera has a low number of vulnerabilities, and I am confident that we would look good if severity and "time to fix" were taken into account as well. But until the report actually includes those relevant details, it isn't really that useful.

Statistics are great, though. You can make them show just about anything.

Wap Review: The Truth About Opera Mobile 10 Memory UsageState of the Opera: Q3 2009

Comments

João EirasxErath Tuesday, November 10, 2009 2:29:09 PM

Most people don't know or understand those issues with the report, so they just buy into it, the same way that they buy that javascript benchmarks measure real world web page performance. At least the misinformation campaign this time is on our side.

Aux Tuesday, November 10, 2009 3:03:40 PM

Oh, maybe you know how to disable cross-domain security in Opera? I need it for development...

Robin_reala Tuesday, November 10, 2009 3:14:25 PM

The other thing of course is that Safari and Mozilla are open-source, and by definition more open about their security issues.

Charles SchlossChas4 Tuesday, November 10, 2009 4:41:41 PM

Safari is not open source

Some times by not talking about a security issue publicly prevents a hacker from using it

One more reason to go to a more modern browser
http://secunia.com/advisories/product/11/

endless lovepersianweblog Tuesday, November 10, 2009 5:24:28 PM

i like safari , it's a good browser , i use it ...

Charles SchlossChas4 Tuesday, November 10, 2009 5:38:11 PM

This article also states:

Other factors need to be taken into account for a proper comparison; this includes the type of vulnerabilities and thus the underlying type of coding errors, the impact of the vulnerabilities, the time it takes the vendor to fix the reported vulnerabilities, how easy it is to update the software thus how quickly the users (learn about and is able to) apply the patches.



http://www.theregister.co.uk/2009/11/10/web_security_survey/

Kamaleshkamalesh Tuesday, November 10, 2009 7:30:05 PM

Haavard: You're a big, big man for defending other minority browsers given the untrue & misplaced attacks on Opera (and omissions) I read from their blogs and tech stories...constantly. NOt sure they deserve it until I see some admission from them. Maybe the aria inside the Opera House drowns out that ugly outside noise, but still. wink

@xErath: Exactly my first thought. haha. I guess one-out-of-a-million isn't bad. I hope Opera works harder/smarter to change this faster. Ugh.

Teoumbra-tenebris Tuesday, November 10, 2009 8:44:53 PM

Yeah, Opera is the safest (graphical and script-enabled) browser on Earth smile This adds to being the fastest, with most integrated features and since 10.0 with the most pretty default interface. Not bad for a single product, does it. On my personal list for best-coded Windows programs, Guild Wars is #1, Opera and Ultra Edit share the 2nd place.

dapxin Wednesday, November 11, 2009 2:54:09 AM

interesting stuff.....stats == lies :-)

Robin_reala Wednesday, November 11, 2009 1:07:50 PM

@Chas4: you’re right of course that Safari itself isn’t open source, but nearly all security bugs that don’t rely on social engineering occur in the browser engine which is Safari’s case is the open source WebKit.

Also, security by obscurity? It only works if you’re only obscure as long as it takes to fix the bug.

Pallab DeIndyan Wednesday, November 11, 2009 2:58:02 PM

What I am really concerned about is the time taken to fix those vulnerabilities. Thats what matters, especially for a browser like Fx which has automatic incremental updates.

walterbugscout Thursday, November 12, 2009 11:19:23 PM

another test from chip germany

http://www.chip.de/artikel/Internet-Browser-Test-8_38742853.html

Charles SchlossChas4 Thursday, November 12, 2009 11:57:20 PM

bugscout that site says that ff is the only browser with XXS protection (with an add on), I know that Safari has something, I would guess so does Chrome, I belive Opera also has one (if the google traslator work correctly)

Speed test not only depend on the browser but the hardware in the system 512 mb of ram vs 2 to 3gb of ram will make a difference

Purdi Friday, November 13, 2009 3:21:25 PM

How is that test at chip.de relevant to counting security bugs?

JaredpieRr0Ur Saturday, April 10, 2010 5:38:29 AM

Where's chrome ??

Write a comment

New comments have been disabled for this post.