Report: Firefox buggier, but issued fixes quicker
Mozilla reported more vulnerabilities in its Firefox Web browser last year than Internet Explorer, Safari, and Opera combined, but Mozilla dealt with those flaws more quickly than Microsoft, according to a new report by vulnerability-testing company Secunia.
Firefox had 115 reported flaws in 2008, nearly four times as many as every other popular browser, and nearly twice as many as Microsoft and Apple combined, according to browser vulnerability research (PDF) released this week. In comparison, Microsoft reported 31 flaws in IE, Apple reported 32 in Safari, and Opera reported 30.
However, the report found that Mozilla was quicker to patch Firefox's flaws that were disclosed publicly without vendor notification compared with Microsoft. These "zero day" vulnerability disclosures contain information that can be used by attackers to write exploits for the flaw. The longer it takes vendors to release an update that repairs the vulnerability, the longer users of the browser are at risk.
Secunia reports that Microsoft took longer to fix two more serious flaws than Mozilla did with two less serious flaws.
(Credit: Secunia)
Secunia reported six incidences in which Microsoft was publicly notified of browser vulnerabilities, two of which the security company labeled as "high" or "moderate" in severity. Meanwhile, Mozilla experienced three such occurrences, all of which Secunia labeled as "less critical" or "not critical."
Microsoft took 110 days to issue patches for the two most serious flaws, while it took Mozilla an average of 43 days to address its three flaws, Secunia reported. One of the IE vulnerabilities remained open for 294 days in 2008, according to the report.
The revelation comes as Mozilla released an update Wednesday to Firefox, its second in about a month. Mozilla developers said the update fixes six critical vulnerabilities found in Firefox 3.0.6, the most serious of which could allow attackers to run arbitrary code on a victim's computer.
Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 21.77 percent of the global browser market share, compared with IE's 67.44 percent, a drop of more than 7 percentage points in a year, according to figures from Web metrics company Net Applications.
Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers.
Am I reading this correctly? Is Secunia biased toward Firefox?
You're not reading it correctly. The choice on whether a vulnerability is high, moderate, less or not critical is made on what that vulnerability allows to happen.
Highly critical vulnerabilities allow the most severe attacks such as DoS among other things. That Mozilla had three occurrences of less to not critical only speaks volumes as to how closely the code is scrutinized for Mozilla based browsers.
Most IE flaws are critical because MS stupidly made it part of the OS.
FF are not normally as critical because it is just an application.
I thought "pentest" might have been short for penetration testing (security testing) but after reading your comment I know that can't be the case.
"Most IE flaws are critical because MS stupidly made it part of the OS."
>> IE runs in user mode.
"FF are not normally as critical because it is just an application."
>> As I said, IE runs in user mode. IE and FF are both "just applications".
You're simply out of your depth on this issue -- don't bother posting a rebuttal -- you risk making an ass of yourself.
Dude, you are so arrogant!
FYI: IE7 and up runs in protected mode in Windows Vista and up. So what if it may be tied to the OS. I would expect my OS to come preinstalled with a browser. I don't want to take the pain to install it ... remember the WinNT4 days?
If you don't have Windows Vista or have a lower version of MSIE, you can run the program as a standard user. Internet browsing is an unprivileged task that should be run with the least amount of privilege. This way, you cannot hurt your PC even if the program has security holes.
Proper testing is required for patching applications period and the test-patch sequence can be iterative until the tests pass. This can be a long period of time before making the patch available.
IE7+ Java(or flash or ActiveX) == Complete control of memory
FF + Java == Nothing happens
Insults don't help you, especially when you are woefully ignorant. It is possible in IE because it is part of the OS. Let me guess, you think that everything runs as a normal user if that is the account that is logged in.
I apologise for the insults/arrogance - but I maintain that you're not qualified to talk about security issues. Also - you should take a look at the tone of your posts before calling out others
For instance:
"It is possible in IE because it is part of the OS. "
1. Are you suggesting this is possible because IE is a part of a default Windows install?
2. Are you suggesting this 'vulnerability' would extend to anything that 'is part of the OS' (for example calc.exe, notepad.exe)?
3. Are you suggesting that third party apps cannot make calls into the kernel?
4. Please clarify -- because your original statement does not make sense.
"Let me guess, you think that everything runs as a normal user if that is the account that is logged in."
>> No, I don't make that assumption. But you seem to be making the assumption that anything that is not "part of the OS" runs as a "normal user if that is the account that is logged in." Shipping it in-box with the OS has absolutely no relevance to this.
"IE7+ Java(or flash or ActiveX) == Complete control of memory
FF + Java == Nothing happens"
Factually incorrect. Chances are, a vulnerability in Flash would usually be exploitable no matter what browser it's plugged in to. Same case for Java.
Which leaves us with ActiveX. IE7 uses a whitelist to decide whether to allow an ActiveX control to run automatically. Anything not on the whitelist is disabled by default. You can disable ActiveX opt-in on a per-zone basis. Developers can now make their ActiveX controls more secure by restricting a control to run only on a particular site (site locking) or only in a specific security zone (zone locking).
Whatever your opinion is of ActiveX, you simply need to realize that your initial statement (Most IE flaws are critical because MS stupidly made it part of the OS.) - was completely wrong.
milking google!
Firefox has poor developer's documentation. Now bugs!
What's going on?
Looks like they knew Firefox will fade away like Netscape!!!
I would also like to see a cumulative count for each browser, broken down by version and OS.
but still you can do a lot better than IE or FF
try Opera, Chrome or Safari 3
when I meant speed I meant browser speed
sure loading a site a few seconds faster is beneficial to anyone
but the UI/memory usage are more important
better UI = faster browsing IMO
FF's add-ons add bloat to an already bloated browser and slow me down
if I need customization I use Opera
if I need speed/compatibility I use Safari
BTW security-wise Opera has been the safest by far!
and Safari is currently one of the fastest browsers ever!
I have a lot of faith in Microsoft.
there are a lot of guys who want M$ gone!!
and if you're #1, you've got no place to go other than DOWN!!
that's the position of Microsoft.
I know there are people who claim FF or other browsers are better.
the bottom line is that the software is written by humans.
humans are not perfect.
therefore, none of the software is perfect.
it is all vulnerable to something if you want to exploit it.
the more FF gains popularity, the more of a target it becomes.
and this applies to any software company.
and considering today's economy, it doesn't matter if it's Microsoft or something else, it's all made in India or China anyway.
so, whatever the flaw in ABC company, most likely, it's the same flaw in XYZ company!!
It affected about 70% of the users.
Crackers must love IE.
Of course Firefox has more reported bugs. Because it has a legion of programmers searching for (and then fixing) those bugs.
This would be like reporting that Wikipedia had more edits last year than the Encyclopaedia Brittanica, Microsoft isn't going to announce their bug list, that's not their operating model. Nor would that endear them to the corporate IT crowd who they're trying desperately to prevent from adding Chrome or Firefox to the standard ghost images.
by akayanni March 6, 2009 9:20 AM PST
And haven't we heard this one before... How IE has fewer bugs than Firefox... only cause as you say we just don't damn know. What about all those buggy old versions of IE that never get patched and fools still use? They are a plague on the Internet.
by monkeyfun14 March 9, 2009 6:08 AM PDT
Secunia analyzes the code of browsers and other programs; if they find a bug they report it...
And if other people don't patch their browsers how does that affect the rest of the world?
If Joe Sixpack gets hacked that's something I couldn't care less about