No web browser is fully secure, and research shows that vulnerabilities in web browsers are a target for hackers and criminals. Patching your browser will reduce the risk of a security breach, and there is good reason to do so. In 2011, as in 2010, web browsers had a higher number of reported security vulnerabilities than other applications. These vulnerabilities can be used to target web servers, web applications and end-user machines, hence the considerable interest in them.

In 2011, the National Vulnerability Database reported that the top five browsers together had 515 vulnerabilities. This is more than the vulnerabilities reported for all operating systems together, and it continues an ascending trend from 2010, when the five browsers together had 472 reported vulnerabilities.

However, not all browsers follow the same trend. Mozilla Firefox, Microsoft Internet Explorer and Apple Safari had fewer vulnerabilities reported in 2011 than in 2010, while Google Chrome and Opera Browser had more. Below are more detailed statistics for each browser:

Google Chrome: The number of reported security vulnerabilities is on a steeply ascending path. Google Chrome is the application with the highest number of reported security vulnerabilities for the second year in a row. 275 new security vulnerabilities were discovered last year, and the number is really impressive. For example, Microsoft “only” had 244 vulnerabilities reported in 2011 across all of its products!

Mozilla Firefox: The number of reported vulnerabilities has been on a descending trend since its peak in 2009, when Firefox was the application with the highest number of vulnerabilities discovered for the year. 97 new security vulnerabilities were discovered last year. This is slightly lower than the 103 vulnerabilities reported in 2010.

Internet Explorer: Security improvements added in the latest versions have contributed to the steadily descending number of vulnerabilities discovered in the browser over the past years. 45 new security vulnerabilities were discovered last year in Microsoft Internet Explorer. This is fewer than the 59 vulnerabilities reported in 2010.

Apple Safari: After the peak it had in 2010, the number of vulnerabilities is lower in 2011. 45 new security vulnerabilities were discovered last year. This is a good improvement compared with the 122 vulnerabilities reported in 2010.

Opera Browser: The number of vulnerabilities reported in 2011 is on an ascending path, but the trend started from low levels and the number of critical vulnerabilities is still well below that of other browsers. 53 new security vulnerabilities were discovered last year. This is more than the 36 vulnerabilities reported in 2010.

96% of all vulnerabilities in web browsers were disclosed to the public only after a fix was available from the vendor. This indicates that keeping your systems fully patched is crucial to reducing the risk of a security breach caused by a vulnerability in the web browser.

20 vulnerabilities out of the total of 515 either have no fix from the vendor at all or had a fix released only after the vulnerability was disclosed to the public. These are what security specialists call zero-day vulnerabilities, and they are usually very dangerous because it is hard or impossible to protect against attacks exploiting vulnerabilities that have no fix available.

Public exploits for vulnerabilities reported in 2011 are available on the Internet for each web browser. Zero-day exploits are ones that were available on the Internet before a fix was available from the vendor. Here is what I easily found (deeper research would probably have found more):

While there are some differences in the number of vulnerabilities and exploits for each browser, the fact is that there is no such thing as a completely secure web browser, and therefore patching them is one way to lower the risk of a security breach as much as possible.


Vulnerability and exploit sources used in this research:

http://nvd.nist.gov
http://www.exploit-db.com
http://www.osvdb.org