Which browser is the riskiest? The answer may surprise you.

Microsoft's efforts to solve server-side Web vulnerabilities and to patch its Internet Explorer client may be paying off. While IE is still the most widely used browser for viewing content on the Internet--and thus the most widely targeted for assaults--it had the second best ranking among the top four browsers in sidestepping vulnerabilities, according to a new study.

The report, from application security firm Cenzic, analyzed a number of Web security issues reported in the first half of this year. The browser comparison was only one part of the study, called "Web Application Security Trends Report: Q1-Q2, 2009" (PDF download).

Firefox was the most vulnerable browser, logging 44 percent of the total vulnerabilities found, according to the report. Safari, at 35 percent, ranked next to Firefox at the bottom. IE had 15 percent of the vulnerabilities, and Opera only 6 percent.

Firefox, Microsoft's most robust rival in the browser market, has an estimated 330 million users and recently passed its fifth anniversary.

IE is still the most-used browser, followed by Firefox, Apple Safari, Google Chrome (which Cenzic didn't study) and Opera.

In addition to looking at browser security, Cenzic found that 78 percent of the total vulnerabilities were due to Web components. Web component vulnerabilities have increased since last year's report.

Microsoft at least seems somewhat attuned to the issue. A large theme in Microsoft's September patch cycle had to do with plugging such Web component vulnerabilities.

Cenzic also found bugs in Web servers, browser plug-ins and Microsoft's ActiveX controls. ActiveX has been another priority for Microsoft's security team, which issued a security advisory on the matter in July.

The most striking thing about the report's findings is the broad apathy shown on the part of enterprise pros to addressing emerging threats on the Web, according to Mandeep Khera, chief marketing officer at Cenzic.

"In spite of the fact that vulnerabilities are so easily identifiable and widely exploited by hackers – and there are now low-cost, turnkey [software as a service] solutions available – businesses are not focused on securing their Web applications," he said in an e-mail statement. "[The vulnerabilities] are a serious and potentially lethal blind spot for businesses."

About the Author

Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Reader Comments

Mon, Nov 23, 2009 nicholassimon South Africa

If you are interested in learning more about some of the better alternative browsers out there (NOT Opera or Safari etc.) then you might want to check out this post detailing 7 of the better browsers available for free on the internet: http://ninjarabbits.blogspot.com/2009/11/alternative-web-browsers.html

Sun, Nov 22, 2009

For one of your examples, you may have been thinking of: Microsoft Security Bulletin MS08-067 – Critical Vulnerability in Server Service Could Allow Remote Code Execution (958644). That was a Critical Microsoft Vulnerability because it was exploited by the first variant of Conficker, but Cenzic did not include it in either of their last 2 reports. You should go back again and review: Microsoft Security Advisory (971492) Vulnerability in Internet Information Services Could Allow Elevation of Privilege. It will point you to: Microsoft Security Bulletin MS09-020 - Important Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483). Microsoft rates the Aggregate Severity Rating as 'Important' as opposed to 'Critical'. However, you are correct to point out that the Microsoft IIS Vulnerabilities should rank higher than ALL the others they chose to rank in the Cenzic Top 10 list. I agree that the Cenzic report is meaningless. The Cenzic Top 10 list does not include vulnerabilities that were exploited and resulted in anything close to the damages that were caused by Microsoft vulnerabilities. It's too bad that the way Cenzic is reporting browser vulnerabilities is also meaningless, but I think the other reader comments have already covered that in good detail. I recommend replacing IE with a browser that runs on a less vulnerable operating system, but I agree it's very hard given all of the Microsoft proprietary software dependencies that continue to infest the government IT systems.

Sat, Nov 21, 2009

Yes -- we are surprised by this report because it doesn't tell us anything that we need to know. How did Cenzic come up with their list of the "Top 10 Vulnerabilities of Q1-Q2 2009" and not include any of the data they attempt to describe in their "Probe and Attack" data? How is it possible that critical Microsoft Web Application vulnerabilities are not included in the Cenzic list of the "Top 10 Vulnerabilities of Q1-Q2 2009"? For example, we wonder why Cenzic chose to not include critical vulnerabilities such as: Microsoft Security Advisory (971492) - Vulnerability in Internet Information Services Could Allow Elevation of Privilege and Microsoft Security Bulletin MS09-019 - Critical Cumulative Security Update for Internet Explorer (969897), and yet they apparently claim the other vulnerabilities listed, such as the F5 Networks FirePass SSL VPN 'password' Field Cross-Site Scripting Vulnerability and ALL the others they chose to rank in the Cenzic Top 10 list, are somehow ranked higher than the Microsoft critical vulnerabilities over the same period. What possible rationale could Cenzic justify for excluding the critical Microsoft vulnerabilities from the Top 10 list? We're not saying that Microsoft critical vulnerabilities should always be ranked higher than any other critical vulnerabilities, but it would be interesting to see the total monetary damages and risks to the enterprise and our missions that are due to the critical vulnerabilities on Microsoft Web Application software components. In addition, we would like to see the total amount of money being spent trying to perform remediation on the critical Microsoft vulnerabilities -- those costs are recurring and we wonder if they are increasing due to the criticality of Microsoft vulnerabilities.
For the example of the F5 Networks FirePass SSL VPN 'password' Field Cross-Site Scripting Vulnerability, if we were unfortunate enough to be using anything from F5, we would probably have an easy way to replace the F5 components with something from a different vendor. However, we unfortunately don't have an easy way to replace anything from Microsoft so we need good analysis of the critical vulnerabilities in components such as IE to help us determine if we should begin the process to replace IE throughout the government with a browser that is clearly better. The other benefit we would like to better understand relates to the security advantages of not only replacing IE, but also replacing our current Microsoft Windows desktops with a clearly less vulnerable operating system. We do believe that Microsoft is truly doing a better job with Web Application Security and it's likely that they may somehow convince us to continue paying for what they produce. We certainly will not pay for third party "security" solutions that make no sense to us.

Fri, Nov 20, 2009

The entire Cenzic Web Application Security Trends Report – Q1-Q2, 2009, Cenzic Inc. is marketing garbage. Nothing they have "analyzed" leads us to believe that they understand critical vulnerabilities. We wonder if their "dynamic, black box testing of Web applications" can be used to find more "real" vulnerabilities -- as they claim they do. How did they "identify" about 3100 total vulnerabilities for the Q1-Q2, 2009 time period? Are they just using the raw data that is reported by their "Key Sources" and pretending that they can actually do analysis on critical vulnerabilities in software like Web Browsers? How did they come up with their list of the "Top 10 Vulnerabilities of Q1-Q2 2009" and not include any of the data they attempt to describe in their "Probe and Attack" data? They show that Microsoft released updates that address vulnerabilities in Microsoft Windows and Windows Server, but they say nothing about Conficker again! Their Cenzic Web Application Security Trends Report – Q3-Q4, 2008, Cenzic Inc. said nothing about Conficker either. It's not worth reading that report either, but it's funny that it does mention the following: "Of the browser vulnerabilities, Internet Explorer, which had improved in the first half of 2008 got worse with roughly 42 percent of the browser vulnerabilities followed by Firefox at 39 percent." -- Whatever Cenzic is trying to say is not helpful at all. -- We in the government computing community would very much like to understand useful, timely and accurate analysis of the actual critical web browser vulnerabilities and meaningful ranking of top vulnerabilities. We certainly do not need misleading marketing junk -- it's just as bad as if they sent us SPAM! Fortunately, we have the ability to do our own data searches on browser vulnerabilities like the Microsoft Search Tool for critical Severity Rating IE vulnerabilities that one of the previous readers' comments suggested.
Likewise, there are search tools for Firefox: http://www.mozilla.org/security/known-vulnerabilities/ -- that show us better data than what Cenzic "pretends" they understand. Obviously, we can also use Google to find more timely information such as the following: http://www.securitybyte.org/index.php/conference/sessions/14-exploiting-firefox-extensions.html -- It's also fortunate that we can post comments such as this to help folks, including Cenzic, realize that we need quality analysis of critical vulnerabilities. -- Come on GCN, you should consult with any of the qualified Web Application Security researchers that do not produce marketing garbage. -- We also found other articles and posts that are also questioning the content that Cenzic is "reporting" in their marketing garbage. For example, please see: http://my.opera.com/haavard/blog/2009/11/10/cenzic-security

Thu, Nov 19, 2009 Michael Vancouver, BC

This "report" is primarily a marketing fluff piece designed to help promote Cenzic's efforts in selling its security software solution. The reported vulnerability counts Cenzic cites regarding browsers are what they are - counts - and nothing more. Counts alone are not an indication of security or product quality. Indeed Cenzic offers no further or more detailed analysis of the browser marketplace in its "report" because that isn't the company's business focus. The report does provide one useful hint - one we already know intuitively - that 90% of security issues are *web application issues* - not browsers. Indeed not one of the cited "top ten threats" is a browser issue; all are serious web application security flaws. Citing browsers guarantees that people will look at the article; it's a misleading marketing tactic, nothing more.
