Printed from http://www.electronista.com

Firefox most vulnerable browser, Safari close

updated 03:50 pm EST, Wed November 11, 2009

Study says Firefox 44% of web exploits

Despite stereotypes, Mozilla's Firefox is significantly more vulnerable to web attacks than any of its rivals, a Cenzic study (PDF) claimed late yesterday. About 44 percent of the 3,100 exploits tracked by the researchers attacked the open-source browser, whereas only 15 percent of them would work in Internet Explorer. Safari is notably much closer to Firefox in vulnerability, with 35 percent of exploits able to affect the platform, while Opera's small market share left just 6 percent of attacks putting it at risk.

The Safari share is partly affected by Cenzic's inclusion of the mobile Safari browser on the iPhone and iPod touch, which triggered a "vast increase" in the number of available exploits for Safari as a whole. Jailbreaks for Apple's devices have sometimes relied on web exploits in the past to run arbitrary code and break code signing requirements for iPhone apps. Apple has only recently been mending some of these exploits and in iPhone OS 3.1 forced jailbreak developers to switch away from a longstanding trick.

Of all attack types, SQL injections are the most common at 25 percent while cross-site scripting (17 percent), phishing (14 percent) and rogue web servers (12 percent) also have some of the greatest effect.

Open-source advocates have historically argued that Firefox should be more secure, since the openness of its code lets outside authors discover and fix bugs mid-cycle, whereas flaws in closed-source apps often go unnoticed only because of obscurity. Internet Explorer has in the past been criticized for technologies like ActiveX, which often gave websites direct access to a user's PC, but most of those vulnerabilities have since been closed off, both within the browser and by patching holes in Windows.



By Electronista Staff

Comments

  1. danviento

    Fresh-Faced Recruit

    Joined: Dec 2005

    +7

    On Mobile Browsing

    You really have to ask if they are using market share to help compute the relative vulnerability of a browser, did they bother to note that many of the plugin exploits just plain won't work using Safari on an iPhone/iPodTouch? Not to mention the fact that if the iPhone/iPodTouch isn't jailbroken, there's even less risk.

    Then there's the fact that beside crashing Safari on regular OS X, exploits can only work if a user gives them permission (username&password) to do so.

    Seriously, people. We know you want the shock value of headlines/"conclusions" like these, but before you go scaring uninformed IT managers, it'd be best to at least put an asterisk next to sentences like these.

  2. aristotles

    Grizzled Veteran

    Joined: Jul 2004

    +6

    Cenzic is an MSFT Certified Partner

    http://www.cenzic.com/pr/20060718/

    This is just another hack job paid for by MSFT.

  3. Jittery Jimmy

    Fresh-Faced Recruit

    Joined: Jan 2006

    +6

    Vulnerability Counting

    As a professional security consultant, we don't simply look at the length of a vulnerability report to determine system risk. Such a weak analysis would be woefully inadequate and would undoubtedly lead clients into focusing on the wrong things.

    A true vulnerability analysis requires a heavy duty amount of critical thinking, analyzing each point and weighing each risk. A security consultant that is focusing on "which browser is most secure" is almost certainly not in the business of helping any client anywhere.

    Sadly, these days, there are thousands of "security consultants" that exist merely to collect client funds. They have no training, no expertise, no experience, and certainly cannot help clients with anything other than give them a false sense of security. Buyer beware.

  4. eckenheimer

    Fresh-Faced Recruit

    Joined: Jul 2007

    +2

    Congrats, MacNN!

    What an excellent cut-and-paste regurgitation of a press release by a known Microsoft shill group, touting their latest "objective security study." Once again, for the umpteenth time, Cenzic, a Microsoft Partner, discovers that Microsoft's software is immeasurably more secure than all that other lame software that persists in attempting to compete with mighty Redmond's stellar offerings.

    You even copied their headline and subhead, which, had you taken the time to actually read the self-serving press release, much less the actual PDF of the "study", you might have wanted to reword thusly: "MS Partner astonishingly finds highest number of security vulnerabilities in Firefox & Safari, fewest in IE / basis for conclusion and source of numbers not clearly specified"

    As a way to fill space using the least possible effort, it works. Did Cenzic or M$ at least pay you for publishing their dreck?

  5. jsrjenkins

    Fresh-Faced Recruit

    Joined: Nov 2009

    +1

    SQL injections are not a Browser vulnerability

    [quote]Of all attack types, SQL injections are the most common at 25 percent while cross-site scripting (17 percent), phishing (14 percent) and rogue web servers (12 percent) also have some of the greatest effect.[/quote]

    An SQL injection attack (the most common vulnerability listed) is not even a browser attack, strictly speaking. An SQL attack is when the URL can be crafted so as to modify the database using the software (such as PHP) installed on the server. It is an exploit that attacks the structure of the website itself rather than the browser.

    The forum software phpBB for example was a common victim of these kinds of attacks, where one would add to the url &"droptable;'insert "a,b,c" '; or something similarly crafted in order that the forum software would erase or modify its SQL database. It has nothing to do with the browser other than the browser has to make the request for the attack to work - it is rather the designer of the server side software who must protect his database by de-quoting the input or somehow protecting the input url from being interpreted by the SQL client.

    This article is thus not only misleading it is also completely incompetent.
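The distinction jsrjenkins draws above, between a crafted request that the browser merely carries and server-side code that splices that request into a query, is easy to see in code. The following is an added example, not part of the article, the Cenzic study or any commenter's post: a small Python program using the standard `sqlite3` module with a constructed `users` table, showing the string-spliced lookup the comment describes next to the parameterized lookup that fixes it. The table, the rows and the hostile input value are all constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the article or the comments): a tiny
# users table of the kind a forum package such as phpBB would keep.
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Server-side lookup that splices the request parameter straight into
    the SQL text. This is the defect the comment describes: a quote character
    in the input ends the string literal, and whatever follows is parsed by
    the database as part of the statement, regardless of which browser sent it."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened lookup: the value is bound by the driver as a parameter, so it
    is always treated as data and never parsed as SQL. This is the server-side
    fix the comment alludes to, done with placeholders rather than hand-escaping."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against a benign and a hostile input and return the rows."""
    conn = make_db()
    benign = "alice"
    # Constructed hostile value of the kind a crafted URL parameter would carry:
    # the embedded quote closes the literal and appends an always-true clause.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

With the benign name both lookups return the one matching row. With the hostile value the spliced query returns every row in the table, because the database saw `WHERE name = 'x' OR '1'='1'`, while the parameterized query returns nothing, because it looked for a user literally named `x' OR '1'='1`. Nothing about the browser changed between the two runs; the difference lies entirely in how the server built the statement, which is why the comment's point that this is a server-side defect, not a browser one, holds.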
