A Blog From Behind the Trenches

Attack of the Bugs

Posts tagged with "security"

Cenzic says Firefox and Safari are the least secure browsers? Really?

According to Computerworld, security firm Cenzic has released a report showing that Firefox and Safari were the least secure browsers in the first half of 2009. That's the impression you get by simply skimming the article anyway. The actual report from Cenzic only counts the number of security flaws, and concludes that Firefox had 44% of all vulnerabilities, Safari had 35%, IE had 15%, and Opera a mere 6%.

Does that really mean that IE is more secure than Firefox and Safari?

I'm not sure a conclusion like that can be drawn at all. There are other aspects to security vulnerabilities that were not covered, such as the severity, and how long the vendor takes to fix them. Furthermore, security reports sometimes elevate standard crash bugs into security bugs, for example referring to them as "Denial of Service Vulnerabilities".

It's great to see that Opera has a low number of vulnerabilities, and I am confident that we would look good if severity and "time to fix" were taken into account as well. But until the report actually includes those relevant details, it isn't really that useful.

Statistics are great, though. You can make them show just about anything.

Adobe thinks closed formats are a good fit for an open government?

Adobe is pushing for Flash to be used in U.S. Open Government initiatives. How proprietary, closed and inaccessible is supposed to be combined with "open", I don't know. I do know that the government should definitely not be promoting closed, proprietary, inaccessible, insecure and harmful technologies.

Why monoculture on the Web is bad

One of the comments on the antitrust complaint against Microsoft I see a lot is: "So what if most people are using IE and aren't aware that there are choices? I'm using Opera/Firefox/Chrome just fine."

Sometimes we may feel that something doesn't really affect us. But does IE's dominance on the Web affect us even though it might not feel that way?

The answer is: Yes, definitely. But the problems with a monoculture on the Web extend beyond browsers! A single point of failure is a bad thing no matter what.

Browser monoculture

The recent ActiveX security flaws in IE once again show us that a browser monoculture is a bad thing, because those looking to infect people's computers have a single target with a very nice return on investment. And those millions of compromised computers can be used for things like sending spam to the rest of us.

But it goes much further than just IE. One could argue that just about any kind of dominance of the Web is a bad thing.

Malware report from NSS Labs manipulates statistics?

A Microsoft sponsored study concluded that IE8 catches the most malware, and that Opera catches nearly nothing. But can the report really be trusted?

Opera did not respond to security vulnerability?

Comments have been popping up in forums and blogs about the claim that Opera never responded to the reporter of the Cross Domain Charset Inheritance Vulnerability:

Unfortunately neither Microsoft nor Opera were interested in the vulnerability. Opera did not react at all on our bug report and Microsoft just sent a nonsense mail to us, claiming that we had disclosed this already to the public and that they like getting advance notice.

The person who reported this to us was in fact contacted after he had reported the issue to us and before the vulnerability was disclosed (this is logged in our internal systems so that we can verify that we have followed up on important things). Security vulnerabilities are taken very seriously by Opera Software, and people who find flaws and report them to us will be contacted to coordinate fixes and disclosure of the vulnerabilities in question.

It is not clear why he did not receive our response, but I am sure it will be worked out somehow. It is all probably just a misunderstanding, and not malice on his part or ours.

But the important thing to know is that it wasn't being ignored.