
Research: Web Browser War, Security Battle in 2011

on March 5, 2012

No web browser is fully secure, and research shows that vulnerabilities in web browsers are a target for hackers and criminals. Patching your browser will reduce the risk of a security breach, and there is good reason to do so. In 2011, as in 2010, web browsers had a higher number of reported security vulnerabilities than other applications. These vulnerabilities can be used to target web servers, web applications and end-user machines, hence the considerable interest in them.

In 2011, the National Vulnerability Database reported that the top five browsers together had 515 vulnerabilities. This is more than the number reported for all operating systems together, and it continues an ascending trend from 2010, when together they had 472 reported vulnerabilities.

However, not all browsers follow the same trend. Mozilla Firefox, Microsoft Internet Explorer and Apple Safari had fewer vulnerabilities than in the previous year, while Google Chrome and Opera Browser had more. Below are more detailed statistics for each browser:

Google Chrome: The number of security vulnerabilities reported is on a steeply ascending path. Google Chrome is the application with the highest number of security vulnerabilities reported for the second year in a row. 275 new security vulnerabilities were discovered last year, and the number is really impressive. For example, Microsoft “only” had 244 vulnerabilities reported in 2011 across all its products!

Mozilla Firefox: The number of vulnerabilities reported has been on a descending trend since its peak in 2009, when Firefox was the application with the highest number of vulnerabilities discovered for the year. 97 new security vulnerabilities were discovered last year. This is slightly lower than the 103 vulnerabilities reported in 2010.

Internet Explorer: Security improvements added in the latest versions have contributed to a steadily descending number of vulnerabilities discovered in the browser over the past years. 45 new security vulnerabilities were discovered last year in Microsoft Internet Explorer. This is fewer than the 59 vulnerabilities reported in 2010.

Apple Safari: After the peak it had in 2010, the number of vulnerabilities is lower in 2011. 45 new security vulnerabilities were discovered last year. This is a good improvement compared with the 122 vulnerabilities reported in 2010.

Opera Browser: The number of vulnerabilities reported in 2011 is on an ascending path, but the trend started from low levels and the number of critical vulnerabilities is still well below that of other browsers. 53 new security vulnerabilities were discovered last year. This is more than the 36 vulnerabilities reported in 2010.

96% of all vulnerabilities in web browsers were disclosed to the public only after a fix was available from the vendor. This indicates that keeping your systems fully patched is crucial to reducing the risk of a security breach caused by a vulnerability in the web browser.

20 vulnerabilities out of the total of 515 either have no fix from the vendor at all or had a fix released only after the vulnerability was disclosed to the public. These are what security specialists call zero-day vulnerabilities, and they are usually very dangerous because it is hard or impossible to protect against attacks exploiting vulnerabilities that have no fix available.

Public exploits for vulnerabilities reported in 2011 are available on the Internet for each web browser. Zero-day exploits are ones that were available on the Internet before a fix was available from the vendor. Here is what I easily found out (deeper research would probably have found more):

While there are some differences in the number of vulnerabilities and exploits for each browser, the fact is that there is no such thing as a completely secure web browser. Patching browsers is therefore one way to lower the risk of a security breach as much as possible.


Vulnerability and exploit sources used in this research:

http://nvd.nist.gov
http://www.exploit-db.com
http://www.osvdb.org

 

About the Author:

Cristian Florian is a product manager at GFI Software. Starting as a software developer, he built his career step by step, gaining more than 12 years of experience in network security and software development. He currently oversees GFI LanGuard, a successful network security scanning and patch management solution.

 
Comments
John Price, March 6, 2012, 7:48 pm

As a Chrome user, these numbers are highly alarming, but when I try to think of the reason for the spike in vulnerabilities, it’s pretty easy to point to the “app store” interface and the move toward cloud-based applications as breaking the hornet’s nest wide open. Still, I didn’t expect the security to be THAT bad.

Washington Despi, March 7, 2012, 4:13 am

The only reason why Google Chrome and Mozilla Firefox are two of the most vulnerable web browsers today is because they’re two of the most popular rising browsers today. In the IT world, if you are popular and widely used, expect more attacks – this is how the game works, especially for web apps.

This is also the reason why Google Chrome and Firefox are two of the most updated programs on the World Wide Web. I admit it, I’m a huge fan of Firefox. I’ve been using it since November 2004 – the browser’s initial release. I found it to be the most secure web browser then and now PERIOD.

Steven Livetan, March 7, 2012, 12:38 pm

Well, the study shows it. Opera is the most secure and least vulnerable web browser to date. This is the reason why the mobile version of Opera is also the most widely installed and used mobile web browser. Almost 80 million users use Opera Mini.

In fact, Opera Mini is the default browser of some of the top smartphones to date – Samsung Galaxy, Qualcomm, HTC, etc. All these figures just prove that you don’t have to have the backing of a mega company to create an outstanding web browser. What do you say, Apple and Microsoft?

Walter Scott, March 7, 2012, 7:50 pm

Nice work Cristi…

Sarah Martin, March 10, 2012, 10:03 am

What’s striking me most is that except Opera, all the other browsers have a lot of severe vulnerabilities. With Firefox I presume this has to do with the rapid release cycle – I can’t count how many new versions they released in the last couple of years. I have never been a fan of rapid releases but when this is at the expense of security, this is totally wrong for me.

W*ix, April 16, 2012, 11:55 am

I wouldn’t worry about Chrome so much; the spike on the first graph is mostly vulnerabilities found by the staff and testers.
Implying a browser is more or less secure by the initial graph is ignorant. If the staff don’t find bugs in their own software, then they could be just as incompetent as those who introduce the bugs. It can also boil down to prototyping style and release frequency.
It’s the last two graphs people should be focusing on. These are the real issues we face every day when browsing.