Which browser is the riskiest? The answer may surprise you.
Microsoft's efforts to solve server-side Web vulnerabilities and to patch its Internet Explorer client, may be paying off. While IE is still the most widely used browser for viewing content on the Internet--and thus, the most widely targeted for assaults--it had the second best ranking among the top four browsers in sidestepping vulnerabilities, according to a new study.
The report, from application security firm Cenzic, analyzed a number of Web security issues reported in the first half of this year. The browser comparison was only one part of the study, called, "Web Application Security Trends Report: Q1-Q2, 2009" (PDF download).
Firefox was the most vulnerable browser, logging 44 percent of the total vulnerabilities found, according to the report. Safari, at 35 percent, ranked next to Firefox at the bottom. IE had 15 percent of the vulnerabilities, and Opera only 6 percent.
Firefox, Microsoft's most robust rival in the browser market, reportedly has an estimated 330 million users and recently passed its fifth anniversary.
IE is still the most-used browser, followed by Firefox, Apple Safari, Google Chrome (which Cenzic didn't study) and Opera.
In addition to looking at browser security, Cenzic found that 78 percent of the total vulnerabilities were due to Web components. Web component vulnerabilities have increased since last year's report.
Microsoft at least seems somewhat attuned to the issue. A large theme in Microsoft's September patch cycle had to do with plugging such Web component vulnerabilities.
Cenzic also found bugs in Web servers, browser plug-ins and Microsoft's ActiveX control. ActiveX has been another priority for Microsoft's security team, which issued a security advisory on the matter in July.
The most striking thing about the report's findings is the broad apathy shown on the part of enterprise pros to addressing emerging threats on the Web, according to Mandeep Khera, chief marketing officer at Cenzic.
"In spite of the fact that vulnerabilities are so easily identifiable and widely exploited by hackers – and there are now low-cost, turnkey [software as a service] solutions available – businesses are not focused on securing their Web applications," he said in an e-mail statement. "[The vulnerabilities] are a serious and potentially lethal blind spot for businesses."