
Firefox Most Vulnerable Browser, Safari Close

CmdrTaco posted more than 4 years ago | from the say-what-now dept.


An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.


I wonder (4, Insightful)

somersault (912633) | more than 4 years ago | (#30062652)

How many of these vulnerabilities were due to Firefox itself, and how many due to plugins?

Re:I wonder (4, Insightful)

Shatrat (855151) | more than 4 years ago | (#30062680)

Haven't RTFA yet but I bet they are using patch notes as their source of vulnerabilities.
If that's the case then obviously well-documented and frequently-patched browsers will be over-represented.

Re:I wonder (4, Interesting)

dkleinsc (563838) | more than 4 years ago | (#30062772)

So in other words, this isn't a count of how many vulnerabilities there are, it's a count of how many vulnerabilities are found and fixed.

Something tells me their methodology is a bit flawed. Of course, that's by design, given Cenzic's financial ties to Microsoft.

Re:I wonder (3, Insightful)

LBArrettAnderson (655246) | more than 4 years ago | (#30062852)

"Haven't RTFA..." -Shatrat
I guess that's enough for dkleinsc (and most anti-MS slashdotters (slightly redundant, yes)) to jump to conclusions.

Re:I wonder (1)

Mage Powers (607708) | more than 4 years ago | (#30063016)

I read TFA and all I saw was one stinkin' pie chart. The rest of the PDF is focused on servers.

Re:I wonder (2, Informative)

cream wobbly (1102689) | more than 4 years ago | (#30063124)

I like your hypocrisy.

The report (if you'd care to read it) is nothing but FUD leading nicely into a sales pitch.

Re:I wonder (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30063294)

Hypocrisy? He didn't say anything about the article. All he said was that the previous two posters made conclusions based on absolutely nothing.

Re:I wonder (0)

Anonymous Coward | more than 4 years ago | (#30063498)

Except he assumed their conclusions were wrong, which had he read the report, he would see that they mainly weren't.

Re:I wonder (4, Informative)

calidoscope (312571) | more than 4 years ago | (#30063240)

The Register's article on the Cenzic report also speculated that the report was based on published vulnerabilities. They made some rude noises about Cenzic's focus on the number of vulnerabilities as opposed to the severity of vulnerabilities.

Re:I wonder (4, Informative)

Actually, I do RTFA (1058596) | more than 4 years ago | (#30063374)

So in other words, this isn't a count of how many vulnerabilities there are, it's a count of how many vulnerabilities are found and fixed. Something tells me their methodology is a bit flawed. Of course, that's by design, given Cenzic's financial ties to Microsoft.

Actually, in other words, the GP was making shit up. But since it conformed to your worldview, you agreed with it and based an entire post on it even though he said he didn't RTFA. Somehow it then got modded to +5.

In reality, the vulnerabilities were culled from a variety of 1st and 3rd party sources.

unstable == vulnerable (1)

pikine (771084) | more than 4 years ago | (#30063476)

Every time your browser crashes, there is an opportunity to exploit that as a security vulnerability. There is no such thing as "my browser is the least vulnerable, but it crashes all the time."

Hard to tell from the article (2, Informative)

xzvf (924443) | more than 4 years ago | (#30062814)

The article has a pie chart and the link to the "detailed report" only has a pie chart. I guess we just have to trust Cenzic the internet security application provider. Doesn't even break it down by version number of browser or severity of exploit.

Re:I wonder (5, Insightful)

PNutts (199112) | more than 4 years ago | (#30062828)

I haven't read your post yet but you're wrong.

Re:I wonder (5, Interesting)

Shatrat (855151) | more than 4 years ago | (#30062898)

lol, touché.
Still, do you really have to read it?
It seems like one of these bootlicking/astro-turfing 'studies' from some consulting agency or 'solution' vendor comes along about every 6 months in the Slashdot headlines.
Upon reading TFA, this one seems no more credible than any other.

Re:I wonder (0)

Anonymous Coward | more than 4 years ago | (#30063318)

It seems like one of these bootlicking/astro-turfing 'studies' from some consulting agency or 'solution' vendor comes along about every day in the Slashdot headlines.

There, fixed that for ya

Re:I wonder (1)

TheGreatOrangePeel (618581) | more than 4 years ago | (#30063116)

Still. You gotta wonder how *exactly* they're counting. There's "Ha! I made Firefox crash" vulnerabilities and then there's "Ha. I just executed arbitrary code on your computer."

Re:I wonder (1)

SQLGuru (980662) | more than 4 years ago | (#30063220)

And there's the "I had an issue, but updated to the latest version which closed that hole" vs "What's an update?". It doesn't matter how many vulnerabilities there are -- it only takes one to exploit a system.

Re:I wonder (5, Insightful)

MozeeToby (1163751) | more than 4 years ago | (#30062844)

Even if their information is accurate, which I don't see how it could possibly be, it is meaningless. Number of flaws is a horrible way to measure system security since it doesn't take into account severity, ease of attack, unreported flaws, or un-acknowledged flaws. When you get down to it, there really isn't any good way to measure security, but I would bet hours spent in code reviews would correlate much better than number of reported flaws.

Re:I wonder (5, Insightful)

Teflonatron (202441) | more than 4 years ago | (#30062882)

I didn't see anything in the actual report that explained how their results were arrived at. For that reason alone, this report is worthless. It's just a marketing document for use in selling their own security products.

However, it did make reference to the numbers being representative of "reported vulnerabilities", which we all know is going to make Firefox look worse than IE. This is verified by realizing Opera (also closed source) scored less than IE.

Re:I wonder (5, Insightful)

Sandbags (964742) | more than 4 years ago | (#30062888)

Worse, patch SEVERITY was not accounted for in these results, nor was the fact that many patches were for unexploited vulnerabilities, and others were to close ITW threats...

FF and Safari rank badly in this article, but when looking at the raw data, patch severity, and exploited patch footprint, IE is the worst, even though not patched very often.

I'd also note that a single patch may include fixes for numerous bugs, and this is additionally not covered in the scope of this article. A single patch in IE recently fixed more than 10 vulnerabilities...

Re:I wonder (4, Insightful)

ircmaxell (1117387) | more than 4 years ago | (#30063120)

What about IE vulnerabilities that are inherent from its close tie to the OS? I'll bet that they didn't count vulnerabilities like today's http://tech.slashdot.org/story/09/11/11/0053244/Microsoft-Plugs-Drive-By-and-14-Other-Holes [slashdot.org] since it wasn't a flaw in IE itself. It was just attackable through IE....

Re:I wonder (1)

cream wobbly (1102689) | more than 4 years ago | (#30063062)

You won't find it in TFA. While they gloss over vulnerabilities in Web applications, they're suspiciously tight-lipped about that particular metric, not even mentioning data sources. What's interesting is that the facts they do wax lyrical about are typically from the public domain. In other words, it is highly likely that your assumption is bang on the money.

Re:I wonder (3, Interesting)

noidentity (188756) | more than 4 years ago | (#30063214)

Wow, so if I merely released my own binary-only build of Firefox and never mentioned any fixed vulnerabilities in release notes, this study would have found it with far fewer vulnerabilities than Firefox? I think I found a vulnerability in this study...

Re:I wonder (1)

Actually, I do RTFA (1058596) | more than 4 years ago | (#30063334)

Haven't RTFA yet but I bet they are using patch notes as their source of vulnerabilities.

I did RTFA, and I bet you're wrong.

Re:I wonder (5, Informative)

natehoy (1608657) | more than 4 years ago | (#30063478)

Have read the article, and the attached PDF, and they only state the conclusions. No mention is made of how they counted vulnerabilities, only that Firefox had 44% of them, and that they represented "Web Vulnerabilities by Major Type". Adding to the confusion was that they also talked about applications and servers and alternated back and forth between the three with little warning.

Also interesting was that "ActiveX" was listed as a technology separate from Web Browsers, the one time it was mentioned. In other words, their vulnerability percentage, which is already vague, may not include ActiveX vulnerabilities within IE. Or they may. All we know is that they claim IE has 15%.

Nowhere is there mention of what constitutes a reportable vulnerability, what versions of each browser were counted, how they were classified or even what the classifications were, what sorts of reports were included by browser (did plugins or addons get included in Firefox? ActiveX for IE? For multiplatform browsers like Opera, Firefox, and Safari, were vulnerabilities mitigated by only being exploitable on some platforms and not others, or reported multiple times - once for each vulnerable platform?)

The PDF was severely [citation needed], but remarkably honest in that it expressed surprise that Firefox was the most vulnerable web browser when compared to IE, Safari, and Opera, and comprised almost half the identified vulnerabilities among the four browsers.

If this is like most reports of the same type, they are using vendor-reported bugs. Firefox would, by definition, have the largest bug list by any stretch in such a report. They are the only web browser development team that allows (and encourages) access to the same bug-tracking database that their developers use. Safari, IE, and Opera only report vulnerabilities when (a) they have been fixed, or (b) when so many reports have come out that they finally have to 'fess up.

Re:I wonder (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30062692)

Doesn't matter. If the browser cannot protect itself from its own add-ons then it is still the browser at fault.

Glad I don't use Firefox, Safari or IE.

Re:I wonder (1, Insightful)

qoncept (599709) | more than 4 years ago | (#30062708)

I get your point, but in the end, what is the difference? Many people are such die-hard users of the plugins (I use Firefox and I'll never understand the hype) that they insist they could never go without them, and in many cases it's the primary force in their decision to use Firefox.

Anyway, allowing plugins to run that may have vulnerabilities is a vulnerability in itself.

Re:I wonder (4, Insightful)

rudy_wayne (414635) | more than 4 years ago | (#30062832)

I get your point, but in the end, what is the difference? Many people are such die-hard users of the plugins (I use Firefox and I'll never understand the hype) that they insist they could never go without them, and in many cases it's the primary force in their decision to use Firefox.

You're confusing plugins with extensions.

Re:I wonder (3, Informative)

cream wobbly (1102689) | more than 4 years ago | (#30063216)

Before you go off on one (well okay, you already went off on one), the report doesn't even mention plugins (or, for that matter, extensions). It just says (I quote) "Of the browser vulnerabilities, Firefox had 44 percent of the total, but perhaps the biggest surprise was Safari, which formed 35 percent of the browser vulnerabilities. Internet Explorer was third, with 15 percent, and Opera was at 6 percent."

That's as much detail as you're going to get from these guys. They're too busy trying to sell you their "software and SaaS products to protect Websites against hacker attacks." They go on to explain that "Unlike network security and SSL solutions, Cenzic tests for security defects at the Web application level where over 75% of attacks occur. Our dynamic, black box testing of Web applications is built on a non-signature-based technology that enables us to find more “real” vulnerabilities."

It's FUD, followed by a sales pitch.

Re:I wonder (0)

Anonymous Coward | more than 4 years ago | (#30062862)

I wonder...How many bugs in Windows were due to Windows itself, and how many due to poorly programmed applications running on it?

How the results were compiled (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30063026)

According to the report, as best I can determine, this is how they found their results:

"Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB, as well as other third party databases"

It seems reasonable that any/all open source software would have a higher number of reports in these databases than proprietary software, simply because more people are able to publicly scan and report on vulnerabilities... by definition, open source software conducts its business in public, while proprietary software does so behind its private curtain.
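Several posts in this thread (MozeeToby's point that a raw flaw count ignores severity and ease of attack, and the methodology quote above about pulling entries from NIST, MITRE, OSVDB and similar databases) boil down to the same question: what happens to the ranking when you stop counting entries and start weighting them? The script below is an added illustration, not part of the Slashdot discussion and not Cenzic's method or data. All eleven records are constructed, the CVSS scores and in-the-wild flags are invented, the "VULN-nnnn" ids are placeholders, and the 2x weight for actively exploited issues and the 7.0 High-band cutoff are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class VulnRecord:
    """One entry as it might be pulled from a public vulnerability database.

    vuln_id is a constructed placeholder, not a real advisory identifier.
    cvss is a CVSS base score on the 0.0-10.0 scale.
    """
    vuln_id: str
    product: str
    cvss: float
    exploited_in_wild: bool


# Constructed sample data. The product names are the four from the report,
# but every number below is made up to illustrate the counting problem.
SAMPLE_RECORDS: List[VulnRecord] = [
    VulnRecord("VULN-0001", "Firefox", 4.3, False),
    VulnRecord("VULN-0002", "Firefox", 5.0, False),
    VulnRecord("VULN-0003", "Firefox", 4.3, False),
    VulnRecord("VULN-0004", "Firefox", 2.6, False),
    VulnRecord("VULN-0005", "Firefox", 6.8, False),
    VulnRecord("VULN-0006", "Safari", 6.8, False),
    VulnRecord("VULN-0007", "Safari", 4.3, False),
    VulnRecord("VULN-0008", "Safari", 9.3, False),
    VulnRecord("VULN-0009", "Internet Explorer", 9.3, True),
    VulnRecord("VULN-0010", "Internet Explorer", 10.0, True),
    VulnRecord("VULN-0011", "Opera", 4.3, False),
]

HIGH_SEVERITY = 7.0        # CVSS v2 "High" band starts at 7.0
IN_THE_WILD_WEIGHT = 2.0   # assumed multiplier for issues exploited in the wild


def count_by_product(records: Iterable[VulnRecord]) -> Dict[str, int]:
    """Raw tally per product: the metric a 'vulnerabilities' pie chart uses."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        counts[r.product] += 1
    return dict(counts)


def severity_weighted(records: Iterable[VulnRecord]) -> Dict[str, float]:
    """Sum of CVSS scores per product, doubled for issues exploited in the wild."""
    totals: Dict[str, float] = defaultdict(float)
    for r in records:
        weight = IN_THE_WILD_WEIGHT if r.exploited_in_wild else 1.0
        totals[r.product] += r.cvss * weight
    return {p: round(v, 1) for p, v in totals.items()}


def high_severity_count(records: Iterable[VulnRecord]) -> Dict[str, int]:
    """Count only entries in the High band; products with none still show 0."""
    records = list(records)
    counts = {r.product: 0 for r in records}
    for r in records:
        if r.cvss >= HIGH_SEVERITY:
            counts[r.product] += 1
    return counts


def share_percent(metric: Dict[str, float]) -> Dict[str, float]:
    """Turn any per-product metric into pie-chart percentages (one decimal)."""
    total = sum(metric.values())
    if total == 0:
        return {p: 0.0 for p in metric}
    return {p: round(100.0 * v / total, 1) for p, v in metric.items()}


def ranking(metric: Dict[str, float]) -> List[str]:
    """Products ordered from worst to best under the given metric (ties by name)."""
    return sorted(metric, key=lambda p: (-metric[p], p))


if __name__ == "__main__":
    for name, metric in (("raw count", count_by_product(SAMPLE_RECORDS)),
                         ("severity-weighted", severity_weighted(SAMPLE_RECORDS)),
                         ("high-severity only", high_severity_count(SAMPLE_RECORDS))):
        print(f"{name:20s} {ranking(metric)}  shares={share_percent(metric)}")
```

With this constructed data the raw count puts Firefox first (5 of 11 entries, about 45%), while both the severity-weighted total and the High-band-only count put Internet Explorer first, because its two entries are the only ones that are both high-scoring and exploited in the wild. The point is not that either ordering is the true one; it is that a report which publishes only the first metric, without the per-entry data, cannot be checked against the second.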

Re:I wonder (0)

Anonymous Coward | more than 4 years ago | (#30063162)

How many of these vulnerabilities were due to Firefox itself, and how many due to plugins?

Something has to be skewed. I don't have that much faith in IE. Also interesting to see how Opera compared... already using it but it does lack plugins. Also you have to consider the source of the report... a web security vendor.

Re:I wonder (1)

Jay Clay (971209) | more than 4 years ago | (#30063316)

There's plenty of questions that the article raises without answering (well, at least with the article and report itself, I didn't go hunting their web site for them):
  • is the amount of vulnerabilities just a count or did they give some more weight than others? I hope they don't equate an SSL download injection of malware to the ability for some bad javascript to bypass popup blockers.
  • are they reported issues in documented bug fixes or are they independent issues? I can think of at least one occasion MS has squelched a bug report.
  • do they make them unique to the browser itself or are they universal attacks that the browser doesn't stop?

Did anyone with more patience than me go perusing their site to find how they came up with their numbers?

Huh? (5, Interesting)

Anonymous Coward | more than 4 years ago | (#30062660)

So just down the page on slashdot, this very day, there are warnings about a "Windows kernel vulnerability" that is exploited through IE. I'll take three cross-site scripting bugs any day over a kernel level compromise, thank you.

I know the world doesn't have a good objective measure of "impact" to assign to these things so that one could assess the total "probable inconvenience" of the presented security vulnerabilities, and that makes unbiased data gathering difficult, but this feels pretty absurd.

Re:Huh? (2, Informative)

Anonymous Coward | more than 4 years ago | (#30063344)

So just down the page on slashdot, this very day, there are warnings about a "Windows kernel vulnerability" that is exploited through IE. I'll take three cross-site scripting bugs any day over a kernel level compromise, thank you.

I know the world doesn't have a good objective measure of "impact" to assign to these things so that one could assess the total "probable inconvenience" of the presented security vulnerabilities, and that makes unbiased data gathering difficult, but this feels pretty absurd.

The link for those too lazy to go find it:
http://tech.slashdot.org/story/09/11/11/0053244/Microsoft-Plugs-Drive-By-and-14-Other-Holes

Certified (5, Funny)

rwv (1636355) | more than 4 years ago | (#30062664)

It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.

There is an explanation for that.

Cenzic Recognized as a Microsoft Certified Partner, Experiences Substantial Momentum in Q2 [cenzic.com]

Re:Certified (4, Funny)

MiniMike (234881) | more than 4 years ago | (#30062748)

That makes sense, because if anyone had told me that Firefox had more vulnerabilities than all the other browsers I would think that they were certifiable...

Re:Certified (2, Informative)

captaindomon (870655) | more than 4 years ago | (#30062830)

Eh, being a Microsoft Certified Partner means next to nothing. Almost all the development firms I have worked for (from five employees to tens of thousands) are certified partners, it just means you get a discount on MSDN purchases and a nice little glass trophy. It doesn't mean Microsoft is controlling you. (They may be controlling Cenzic, but you can't say that just because they are a certified partner).

Re:Certified (1)

Anonymous Coward | more than 4 years ago | (#30063020)

Eh, being a Microsoft Certified Partner means next to nothing. Almost all the development firms I have worked for (from five employees to tens of thousands) are certified partners, it just means you get a discount on MSDN purchases and a nice little glass trophy. It doesn't mean Microsoft is controlling you. (They may be controlling Cenzic, but you can't say that just because they are a certified partner).

Yea... not buying it.

Re:Certified (1)

PNutts (199112) | more than 4 years ago | (#30063022)

Thank you. Looking at the website they actually have some credibility which is refreshing in the sensational knee-jerk world of IT security.

Re:Certified (1)

DJRumpy (1345787) | more than 4 years ago | (#30063070)

Yes, but it would have been much more believable had it been from an organization with no appearance of bias, or possibly a board of members made up of representatives from all the browsers being tested to ensure that there was no funny business.

Re:Certified (1)

xgr3gx (1068984) | more than 4 years ago | (#30062932)

Ha - I had a feeling there was some kind of connection.

Re:Certified (5, Informative)

cmeans (81143) | more than 4 years ago | (#30062976)

And then there's this:

http://www.cenzic.com/pr_20061011/ [cenzic.com]

Re:Certified (0)

Anonymous Coward | more than 4 years ago | (#30063256)

And then there's this:

http://www.cenzic.com/pr_20061011/ [cenzic.com]

I could be mistaken, but I think someone was just "told".

Re:Certified (1)

random string of num (1676550) | more than 4 years ago | (#30063018)

anyone think the pie chart looks a bit like the windows symbol?

Re:Certified (1)

Arthur Grumbine (1086397) | more than 4 years ago | (#30063244)

Of course not! The Windows logo colors go Blue, Red, Green, Yellow (moving clockwise). That chart is totally different!

lol (0)

Anonymous Coward | more than 4 years ago | (#30062670)

Sounds like exactly the kind of result Microsoft would love: FLOSS and OSX going down. Too fake.

how about when you turn off... (0)

Anonymous Coward | more than 4 years ago | (#30062694)

Does the vulnerability stay the same when you turn off Java? How about Javascript?
For the most part, I'm happy surfing most of the time with both turned off... I've turned them off on my grandparents' browsers too in order to lessen their exposure.

Anyone Got the List? (1)

eldavojohn (898314) | more than 4 years ago | (#30062716)

In Cenzic's report [cenzic.com] that chart is entitled "Web Browser Vulnerabilities by Major Type" and web browsers are only given one page.

I looked through older reports and cannot find a list of "vulnerabilities by major type." Anyone know where to find that? Until you can point that to me, I'm not going to take much stock in a company which has an ad on the bottom of the article that reads:

Let us hack you before hackers do! The Cenzic website HealthCheck. FREE. Request yours now!

I'm sure one major category is "Win32 kernel exploits" while every piece of Gecko and Webkit qualifies as one major type.

Re:Anyone Got the List? (1)

polle404 (727386) | more than 4 years ago | (#30063078)

scanned the report quickly, it reads like a sales brochure, imho.

I did note a few things, though...

Key Findings: Sun Java, PHP, and Apache continue to be among the Top 10 vendors having the most severe vulnerabilities for the first half of 2009.

Top 10 Vulnerabilities of Q1-Q2 2009

1. phpMyAdmin Configuration File PHP Code Injection Vulnerability

Color me surprised... no mention of MS products and/or services?
on a list of "most severe vulnerabilities"?

who is cenzic? (4, Insightful)

bl8n8r (649187) | more than 4 years ago | (#30062728)

Just another consultant hired to slant reality if you ask me.

http://search.cert.org/search?q=advisory+internet+explorer [cert.org]
http://search.cert.org/search?q=advisory+firefox [cert.org]

Re:who is cenzic? (0)

Anonymous Coward | more than 4 years ago | (#30062794)

Your search will come up with all advisories, not just the first half of 2009. Or didn't you read the post or the article?

Re:who is cenzic? (-1, Troll)

TrancePhreak (576593) | more than 4 years ago | (#30062812)

There were 5 pages of results for Firefox and 2 pages for IE.

Re:who is cenzic? (3, Insightful)

Jaysyn (203771) | more than 4 years ago | (#30062944)

Not hardly.

Firefox = Results 1 - 5 of about 61

IE = Results 1 - 10 of about 367

Firefox IS getting infected in the wild (1)

improfane (855034) | more than 4 years ago | (#30062736)

I have heard the case against Safari often.

I have definitely found infected Firefox installations on relatives' machines. It's not immune because it is open source.

What is the prevailing flaw that Firefox has? Are they like ActiveX scale flaws where they own the PC or are they more minor but still serious?

Re:Firefox IS getting infected in the wild (1)

TrancePhreak (576593) | more than 4 years ago | (#30062870)

Well.... Firefox does not run its plugins in a sandbox, so they can run at whatever level FF was started at. Any plugin with a vulnerability would then give you as much access as you allow FF.

Re:Firefox IS getting infected in the wild (1)

Jaysyn (203771) | more than 4 years ago | (#30062958)

What is the prevailing flaw that Firefox has? Are they like ActiveX scale flaws where they own the PC or are they more minor but still serious?

Javascript.

Does NoScript fix this? (1)

improfane (855034) | more than 4 years ago | (#30063238)

I installed NoScript [noscript.net] recently along with Request Policy [requestpolicy.com] . One protects from any request to a foreign domain and one blocks scripts until I allow them.

Have I reduced my exposure enough?

What I want to see is a community-mediated system whereby the whitelists and blacklists are distributed amongst the community. A bit like ThreatNet, SpyNet, PrevX and all the other proprietary security systems. How the decision of whether or not to allow or disallow a request will be made is an open question, but it needs to be made by a massive community. I generally experiment with whitelisting a website until it works. If this information was made subscribable, people could browse with a bare minimum of exposure?

Sam

Re:Firefox IS getting infected in the wild (3, Interesting)

Anonymous Coward | more than 4 years ago | (#30062964)

It's plugins. I've seen several machines recently infected; no files were showing as having been downloaded, but based on the temp files used to start the infection it appears that Adobe Reader is being used quite a lot as an avenue for infection.

Re:Firefox IS getting infected in the wild (2, Insightful)

1001011010110101 (305349) | more than 4 years ago | (#30063090)

Define "Infected Firefox installations"

Maybe you mean "PC with Firefox installed that's infected by a {virus|trojan|keylogger|spyware}"?

Still, installing Firefox doesn't prevent you from catching something by running infected software, or prevent someone from installing some crap that puts toolbars or BonziBuddy onto your PC....

It seems a bit surprising (1)

tokul (682258) | more than 4 years ago | (#30062758)

It seems a bit surprising, but TFA is not about browser vulnerabilities. Most of it is focused on detailing web site vulnerabilities and has only two baseless pages with Firefox on top of the web browser vulnerability list.

I read the report (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30062760)

And it has about as much information as the linked summary does. As in, a few charts with ABSOLUTELY no supporting evidence, citations, or anything at all whatsoever. The web browser section consists of this paragraph:

Vulnerabilities in Web browsers were concentrated among four popular technologies - Internet Explorer, Mozilla Firefox, Opera, and Safari. The number of browser vulnerabilities in first half of 2009 comprised about 8 percent of total Web vulnerabilities. Mozilla Firefox had the largest percentage at 44 percent. What was surprising was that the Safari browser had a lot more vulnerabilities at 35 percent this time around mainly due to vulnerabilities reported in iPhone Safari. Internet Explorer was third at 15 percent and Opera with six percent of total browser vulnerabilities.

About as substantial as the arguments republitards are using right now.

Re:I read the report (1)

earlymon (1116185) | more than 4 years ago | (#30062856)

Yes - interesting how we have web vulnerabilities irrespective of the web browser.

Of the Web vulnerabilities, 90 percent pertained to code in commercial Web applications, while Web browsers comprised about 8 percent and Web servers about 2 percent. Of the browser vulnerabilities, Firefox had 44 percent of the total, but perhaps the biggest surprise was Safari, which formed 35 percent of the browser vulnerabilities. Internet Explorer was third, with 15 percent, and Opera was at 6 percent.

I'm repeating the link here -

http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf [cenzic.com]

Hmmm (0, Insightful)

Anonymous Coward | more than 4 years ago | (#30062762)

Just would like to note that this article is not saying that Firefox is the most vulnerable browser overall. It focuses on web applications and that Firefox is the most vulnerable when it comes to web applications.

That makes sense. Firefox and Safari support is something that's usually hastily tacked on after the product is developed for IE. It also explains Opera's small percentage, because there aren't many web applications out there that even work for Opera.

Scientific Method Done Wrong (0)

Anonymous Coward | more than 4 years ago | (#30062770)

Not quite trustworthy. There is enough discussion, but where's the math and the design of the 'study', and method? Bogus... Drawing some diagrams and calling in a few numbers from an unspecified source doesn't make sense.

Cenzic is Loyalist (0)

Anonymous Coward | more than 4 years ago | (#30062782)

They're a certified Microsoft partner. Can't trust anybody to make that kind of statement about competition against MS unless they're an independent entity.

Re:Cenzic is Loyalist (1)

east coast (590680) | more than 4 years ago | (#30062948)

What does that say for a certain site owned by Geeknet, Inc?

Who cares? (0)

Anonymous Coward | more than 4 years ago | (#30062810)

Most of "studies" are sponsored by one of the sides. So I don't see why this is news here.

Maybe he is at fault? (0, Troll)

hesaigo999ca (786966) | more than 4 years ago | (#30062824)

Maybe the version of Firefox he downloaded to do the testing with was probably a fake to begin with (maybe he was part of a man-in-the-middle attack by M$ who wanted to prove that FF was worse, and fed him an owned version of FF). That would be too obvious, since being a security analyst, he would know to check all checksums of every app, right?

Re:Maybe he is at fault? (2, Funny)

s1lverl0rd (1382241) | more than 4 years ago | (#30063404)

Am I the only one who thinks that a MitM is a little far-fetched?

Re:Maybe he is at fault? (1)

digitalsolo (1175321) | more than 4 years ago | (#30063442)

Right, because that's a logical path...

Firefox? Really? (0)

Anonymous Coward | more than 4 years ago | (#30062860)

Follow the money. Who funded this study. I find the results disturbing and not believable.

Nothing to see here (2, Interesting)

El_Muerte_TDS (592157) | more than 4 years ago | (#30062876)

From the report.

Popular vendors including Sun, IBM, and Apache continue to be among the top 10 most vulnerable Web applications named.

Wait... so vendors and now applications?
They continue to say that Java and PHP are very vulnerable, but it's actually applications written in Java and PHP, not the language+runtime itself. In that case you could say that C++ has the most vulnerabilities.

News? (0)

Anonymous Coward | more than 4 years ago | (#30062878)

It is a bit surprising to you because you and your (ahem!) "news" site are overtly biased.

pay for by M$ (0)

Anonymous Coward | more than 4 years ago | (#30062892)

Paid for by M$.

ActiveX (0, Flamebait)

sam0737 (648914) | more than 4 years ago | (#30062924)

...I didn't RTFA (oh yeah who does today?) but I guess they forgot to count the vulnerability of all the ActiveX published.

Uh... huh... (2, Informative)

Hacker_PingWu (1561135) | more than 4 years ago | (#30063028)

The article link is only one short page and does not describe in detail how they came to their conclusions.

However, from the words they're using, they're implying common vulnerabilities exploited in corporate server-side applications. Not client-side.

SQL Injection and XSS are much bigger issues with the implementation of web applications on the server side, which use database and scripting flaws in the code of the web apps to circumvent browser security.

They're talking about something that has little to do with the integrity of security of individual browsers, and more with the decisions webmasters make and what web applications they use.

Also, when they refer to Safari, they say they're referring to the iPhone Safari version: ...followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser... Looks like they're pretty clearly full of shit, and they're trying to be ambiguous and obscure by explaining little and using jargon to discourage people from searching for what all the terms they're using means.

Marketing report.. move along (0)

Anonymous Coward | more than 4 years ago | (#30063056)

I read TFA and the project lead and editors all had XXXXX of Marketing in their title.

When your stats are nothing more than a report of other stats that you do not list, it's hard to take it seriously.

But I think generating a few leads is more important than backing your facts ^M^M^M^M^M stats.

About the pie chart... (0)

Anonymous Coward | more than 4 years ago | (#30063066)

Is it just me or does the pie chart from the article look like a Windows logo? Same exact colors.

Firefox + NoScript? (1)

davidwr (791652) | more than 4 years ago | (#30063118)

Firefox + NoScript + intelligent user who doesn't whitelist every page he visits

Just a guess, but I think this combo has very few vulnerabilities.

Too little info and more than a little misleading. (1)

sarkeizen (106737) | more than 4 years ago | (#30063132)

So I'm reading this and these guys come across like goofs somewhat...

Pg. 4 says: "The top 10 vulnerabilities for the first half of 2009, included familiar names such as Sun, IBM, SAP, PHP, and Apache." which, according to page 7, are the ones they classified "as the most severe," whatever that means.

But on page 6 they say: "Sun Java, PHP, and Apache continue to be among the Top 10 vendors having the most severe vulnerabilities for the first half of 2009."

However in the whole top 10 list there are only two mentions of PHP that I can see...and these are problems with phpMyAdmin - which is way outside what I would consider a reasonable interpretation as a problem with PHP being a "vendor" of a vulnerable product.

So either there's a bunch of missing information or these guys can't tell the difference between PHP and an application written in PHP, or ... something

The browser stuff seems too difficult to tell - if the actual question one is looking for is which is a safer experience. Were all vulnerabilities equally bad? Were they indexed with some information about usage? In other words do we look at the number of people using the vulnerable version and take that into account.

Like a lot of whitepapers the information isn't very helpful and the math is downright insulting.

Re:Too little info and more than a little misleadi (1)

kehren77 (814078) | more than 4 years ago | (#30063286)

I agree. They seem to throw out a lot of numbers without saying where any of their data is coming from and they don't seem to be ranking vulnerabilities at all.

Plus let's face it, this is a company whose job is to get people to hire them to check the security of their web apps. Sounds like they are trying to reel in some executives who don't know any better.

Chief Marketing Officer (0)

Anonymous Coward | more than 4 years ago | (#30063182)

Interesting that the underlying report was led and edited by the Chief Marketing Officer for Cenzic, I'm just saying ....

Are they severe? Are they fixed? (1)

H0p313ss (811249) | more than 4 years ago | (#30063192)

I did not read the whole report but there is absolutely no mention of severity in that press release... nor does it mention how they counted them. Are these defects that have been acknowledged and fixed? From what I can see it's entirely possible that they've counted the THOUSANDS of trivial defects that Firefox discloses and fixes as a matter of course while Microsoft will only disclose the severe ones.

"Reported" bugs? (5, Insightful)

Bluemumba (1320257) | more than 4 years ago | (#30063198)

Isn't counting bugs released as part of press releases and change logs kind of like saying "All confirmed criminals are in jail?"

opera ftw (1)

JackSpratts (660957) | more than 4 years ago | (#30063200)

been using it since the 90s and from long experience can say it's the safest by far. don't know why or care particularly. whether clever code or minuscule market penetration is academic from this user's pov. truth is the fat lady's song still keeps the bad guys away.

Re:opera ftw (1)

elcid73 (599126) | more than 4 years ago | (#30063418)

Me too. "Security" is an earned label that, for whatever the reason (coding, smaller market share, etc) Opera has earned. I don't particularly care that Firefox is more open with disclosing bugs than Opera may be, the bottom line is that since 2000 I've used Opera with nothing but confidence.

Yet another deliberately lying bullshit story! (4, Insightful)

Hurricane78 (562437) | more than 4 years ago | (#30063246)

Comparing openly known vulnerabilities, and calling it "all in all vulnerability".
As if they wouldn't know perfectly well that Microsoft sends a cease and desist letter to anyone who is even talking about a vulnerability that is not official to MS.

I guess the old saying is true, that:

If you can't program, you teach.
If you can't teach, you administrate.
If you can't administrate, you report.
If you can't report, you criticize.

What was their metric? (0)

Anonymous Coward | more than 4 years ago | (#30063262)

I looked through the report linked to the TFA and I can't figure out what exactly they were measuring. I think they relied on the fact that there were a lot of pretty graphs and the fact that they sound like they know what they're talking about to get past that.

They also call things like PHP insecure because things which use PHP are insecure.

They're apparently a vulnerability discovery company that's trying to scare web admins and managers into buying their service.

Firefox isn't the most secure browser ever created, but this report is just disingenuous.

Re:What was their metric? (1)

Effugas (2378) | more than 4 years ago | (#30063362)

A web site built on flat HTML pages is more likely to be secure than a web site built on PHP. The message is the medium.

25% Statistic Misquoted (1)

Engimonkey (1381917) | more than 4 years ago | (#30063266)

Just noticed they confused the "most common attack" types. SQL was listed as most common at 25%, but this is actually the Transverse Directories %. Clarification.

Pie charts (1)

Datamonstar (845886) | more than 4 years ago | (#30063278)

Yeah, I've pretty much stopped trusting anything that has to include pie charts in order to describe what needs to be demonstrated. How about puttin' some numbers in there, chief? And not made up numbers or percentages.

uhhh (1)

hemna (205532) | more than 4 years ago | (#30063306)

"Findings from the report point to the continued growth of attacks through Web applications. Web application vulnerabilities continue to make up the largest percentage of the reported vulnerability volume, with roughly 78 percent of all vulnerabilities resulting from them."
That is just stupid. It's like saying the code that the folks at CNN put into their pages is responsible for vulnerabilities in the browser itself. dumb. I think this man is confused between what a web browser is and what a web application is.

Ex MS employee on the "number of patches" metric (1)

AlgorithMan (937244) | more than 4 years ago | (#30063308)

As Window Snyder (former MS employee who later worked for Mozilla for some time) pointed out: Microsoft puts multiple fixes in one patch, so multiple IE holes are counted as just one... http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/

Shenanigans (1)

killmenow (184444) | more than 4 years ago | (#30063330)

Study/article is misleading and useless.

Also: Chrome, Bitches!

I have experience here (2, Interesting)

Effugas (2378) | more than 4 years ago | (#30063346)

So, I'm posting as somebody who has gotten critical fixes pushed into both IE and Firefox. (Technically, Chrome and Opera too, but those were the pure crypto vulns.)

It's genuinely hard to write a secure web browser. Forget plugins -- you have a complex internal object model, subject to all sorts of very fine grained rules ("the filename on an input type=file form must not be settable from Javascript"), which can be made into a pile of moving parts under the control of an attacker. What's happened somewhat recently is a lot more people have gotten into bashing Firefox. You know those "many eyes" theories of open source, and how they're usually kind of full of it?

Well, "many eyes" are visiting it now, and Mozilla to their credit is doing a lot of very hard work to deal with the influx. Good on them.

From the report... (1, Informative)

Anonymous Coward | more than 4 years ago | (#30063470)

Here's the gist of Cenzic's _marketing_ report as it applies to browsers:

"
78 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers. Plugins and ActiveX, which is a significant increase from earlier in the year.

Of the Web vulnerabilities, Web Browser vulnerabilities comprised (sic) eight percent of the total vulnerabilities found, and Web servers comprised two percent. Vulnerabilities in the code of commercial Web applications was 90 percent of the total Web related vulnerabilities. Looking at the various classes of vulnerabilities, we found that SQL Injection and Cross Site Scripting (XSS) vulnerabilities continued to dominate with 25 percent and 17 percent respectively. Authorization and Authentication vulnerabilities were higher at about 14 percent of total Web vulnerabilities followed by Directory Traversal at 12 percent.
"

Apparently they don't discriminate among versions of browsers, plugins, or web apps. Firefox 1 + 2 + 3 = Firefox.

Nor do they say how they identified browsers. (Presumably the ID came from each source that reported the results.)

They also don't report any specifics of browser vulnerabilities (kind, duration, patch, etc).

open source means vulnerabilities found and fixed (0, Troll)

goffster (1104287) | more than 4 years ago | (#30063486)

How many secret unfixed vulnerabilities in IE?
