Asa Dotzler: Firefox and more

January 4, 2007

the real story on browser vulnerabilities

As we've been saying for quite some time, browser vulnerability is not just a bug-counting exercise. What matters is the real risk to users, and when you start talking about user risk, the best possible metric is "how many days is a user vulnerable to real attacks on the web."

Security expert at the Washington Post, Brian Krebs, explains:

For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.

He even provides a nice chart demonstrating how, throughout the year, IE users were under nearly constant attack on the web.

Brian goes on to describe Firefox:

In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.

Security is a process that includes, among other things, careful design, intense code review, heavy testing, and quick response when flaws are discovered. While all software as complex as a web browser will have flaws, including security and privacy vulnerabilities, it is clear that some organizations have processes in place that are better equipped to manage and mitigate the risk. This article leaves little doubt that the process we have at Mozilla has been orders of magnitude more effective at protecting users from online threats than what Microsoft customers have been offered.

Posted by asa at 2:02 PM

 

reactions, thoughts, comments, etc.

Why no statistics for other browsers? How about... surprise... Opera?

Posted by: Jere | January 4, 2007 2:47 PM

Jere, the other browsers don't have enough users to warrant tracking :-)

- A

Posted by: Asa Dotzler | January 4, 2007 2:59 PM

Depends on how many are enough. Not long ago, Opera claimed 10-15M users on the desktop and 7M Opera Mini users, plus a 40M-phone install base of Opera Mobile. Not to mention the DS and Wii.

I did some comparisons, and worked out that if even 10% of those people with Opera on their phones actually use it, the number of Opera users is comparable to the population of Texas.

So while the percentage doesn't look terribly impressive, the raw numbers are worth considering.

IMO, the reason the article didn't bother checking Opera or Safari is that people in general like duality. Light vs. dark, East vs. West, yin vs. yang, Democrats vs. Republicans, Angelina vs. Jen, Windows vs. Mac, Netscape vs. IE, etc. Tech journalists are no exceptions. A two-horse race is an easy sell. So either you get "The Web = IE" or you get "IE vs. the challenger."

Posted by: Kelson | January 4, 2007 4:06 PM

As always, Asa ignores the facts:

Firefox has had more vulnerabilities in 2006 than IE:

http://poptech.blogspot.com/2006/09/internet-explorer-6x-more-secure-than.html

That is the reality.

Posted by: Funny | January 4, 2007 5:29 PM

Alas that is true, at least in the eyes of Brian Krebs anyway.
His contact details can be found on his about this blog page.

You get let off this time, Asa. :P

Posted by: BtEO | January 4, 2007 5:33 PM

I always had a few pet peeves with this. I probably just don't understand the situation though.

When is a bug considered fixed? I don't think having a security bug fixed in a nightly build is considered fixed. I consider a security bug fixed for the public when a new public, supported build is posted that people can download with support.

How are these days with open security bugs determined? Days that nightly builds have it fixed, or days where a public patch or full version is available?

*hugs*

Posted by: larfnarf | January 4, 2007 11:45 PM

@ Funny

As always, 'Funny' ignores the facts.

1) Read Asa's comment again. Actually read it, all the words. You'll come across this sentence:

"As we've been saying for quite some time, browser vulnerability is not just a bug counting exercise"

Why would Asa say that? Well, if you keep reading, you'll also come across this sentence:

"What matters is the real risk to users and when you start talking about user risk, the best possible metric is "how many days is a user vulnerable to real attacks on the web.""

That's a long sentence, so I'll focus on the part that's important:

"how many days is a user vulnerable to real attacks on the web."

I'm happy to assume, without checking, that the page you linked to (which I have read) is correct, and that Firefox had more vulnerabilities at that time than IE6.

But how long did the vulnerabilities go unpatched for?

If Browser A has 100 security holes, and Browser B has 50, then is Browser B more secure? What if Browser A had its holes plugged within 9 days, and Browser B didn't have its holes plugged until 98 days?

Which is more secure now?


Firefox has its vulnerabilities patched quicker than IE6. Users of Firefox are therefore less open to attack than users of IE6.

That is the reality.

Posted by: Mr Lizard | January 4, 2007 11:56 PM

"Jere, the other browsers don't have enough users to warrant tracking"

Translation: They have fewer and less serious vulnerabilities, so Mozilla doesn't want to mention those.

:-D

Posted by: Moozilla | January 5, 2007 12:45 AM

The chart is just plain misleading. (I suppose the counting of days is not.)
But I could not help but notice that for most bugs (for example the first one), discovered on Dec 27 and patched Jan 5, the red risk area spans from the start of December to the end of Jan, that is, two months, for less than two weeks of actual vulnerability.

The same thing is done to all bugs except two bugs in Sep 2006.

My point is, showing the real dates will get your point across as easily; why also stretch the dates to cover whole months and make your point weaker by looking much more biased?

And about Opera, I suppose when discussing the number of days where users are at risk, the total number of users is irrelevant: when person X downloads Opera in order to be safe, he does not care how many other users are safe or at risk! However, the number of users might have an effect on the number of compatible sites, which is a whole different issue.

Posted by: Pat | January 5, 2007 1:46 AM

"They have fewer and less serious vulnerabilities, so Mozilla doesn't want to mention those."

Oh, I didn't know that the Washington Post was part of Mozilla...

Posted by: Anonymous | January 5, 2007 1:50 AM

"Oh, I didn't know that the Washington Post was part of Mozilla..."

Don't you know? Those Mozilla people have spies everywhere! :-)

Posted by: Kelson | January 5, 2007 12:36 PM

Well, with 59 million on board, they could have! ;)

Posted by: David Naylor | January 5, 2007 4:31 PM

err... I mean 52

Posted by: David Naylor | January 5, 2007 4:31 PM

One thing we all can agree on: fixing these exploits is a pain in the ass, for both developer and user.

Posted by: a | January 5, 2007 7:45 PM

The problem with the above 'counting days' method is the whole security-by-obscurity issue. Just because it's not known to you doesn't mean it's not known. There's also the point that Mozilla hides security flaws in the bug database while they're being fixed. Are they counting the time only from when the bug is made public to the point when the release is pushed out? Because I can't imagine that every single one of those bugs was found, fixed and the fixed version released to the public in less than one day (if they actually did, my respect for them just went up several notches).

The 'announcement' of the vulnerabilities fixed by 2.0.0.1 was the same day it was released, so marketing can say they were fixed the same day they were announced. That doesn't change the fact that those bugs were known (by the programmers at the very least) for some time before that date, and that the vulnerabilities existed for 56 days (Oct 24 - Dec 19). If you really want to count days, with 5 serious security bugs fixed in 2.0.0.1 (per release notes) and a 56 day window, that's essentially 280 bug-days worth of vulnerability.

Of course, if you measured that way, you'd get somewhere around 7200 bug-days of vulnerabilities in 1.5 (40 serious bugs fixed over about one year, taking an average 6-month duration per bug because I don't want to work it all out), and a number like that isn't something the marketing folks will like handing out, and the journalists will probably have trouble with it as well. The "well known" clause for day-counting does help with a perhaps more realistic view on the likelihood of being exploited, and conveniently helps marketing minimize the apparent risk.

Posted by: David Smith | January 7, 2007 10:58 PM
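The two day-counting metrics argued over on this page, Krebs's count of calendar days on which at least one publicly exploitable flaw was unpatched (quoted in the post) and the per-flaw "bug-days" sum from David Smith's comment, worked through on a constructed set of flaw records. This is an added example, not code or data from the article, Krebs or Mozilla; the flaw names and dates are made up, windows are clipped to the year, and the patch day itself is assumed not to count as exposed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Flaw:
    name: str
    exploit_public: date     # day working exploit code was posted publicly
    patched: Optional[date]  # day a supported release fixed it; None = still open

def exposure_window(flaw, year_start, year_end):
    """Days inside [year_start, year_end] on which the flaw was both publicly
    exploitable and unpatched. The patch day itself is not counted. Returns
    (first_day, last_day) or None if the window falls outside the year."""
    first = max(flaw.exploit_public, year_start)
    last = year_end if flaw.patched is None else flaw.patched - timedelta(days=1)
    last = min(last, year_end)
    return (first, last) if first <= last else None

def days_exposed(flaws, year_start, year_end):
    """Krebs-style metric: distinct calendar days with at least one open,
    publicly exploitable flaw. Overlapping windows are counted once."""
    exposed = set()
    for flaw in flaws:
        window = exposure_window(flaw, year_start, year_end)
        if window is None:
            continue
        first, last = window
        exposed.update(first + timedelta(days=i) for i in range((last - first).days + 1))
    return len(exposed)

def bug_days(flaws, year_start, year_end):
    """Per-flaw sum (the 'bug-days' idea from the comments): each flaw's window
    counts separately, so this is always >= days_exposed."""
    total = 0
    for flaw in flaws:
        window = exposure_window(flaw, year_start, year_end)
        if window is not None:
            total += (window[1] - window[0]).days + 1
    return total

# Constructed sample records, not real 2006 advisory data.
YEAR_START, YEAR_END = date(2006, 1, 1), date(2006, 12, 31)
SAMPLE = [
    Flaw("A", date(2006, 3, 1), date(2006, 3, 10)),   # 9 exposed days
    Flaw("B", date(2006, 3, 5), date(2006, 4, 14)),   # 40 days, overlapping A
    Flaw("C", date(2006, 12, 27), date(2007, 1, 5)),  # only 5 days fall in 2006
    Flaw("D", date(2006, 12, 20), None),              # still open at year end
]
```

On this sample days_exposed gives 56 and bug_days gives 66; the two metrics diverge exactly where flaw windows overlap, which is why the same patch history can support very different headline numbers.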
