I know that there’s a direct correlation between the size of a program’s user base to the amount of security exploits; but what I didn’t figure was that the correlation would be this influential on the actual numbers.

There are far fewer exploits written against the newer revs of browsers simply because the economy of scale has the majority of black hats going after the best bang for the buck which means they will concentrate on the most installed applications, and focus on known code bases.

It’s also hard to know what to think of a single lumping of “Internet Explorer” since the IE8 code base is very different from IE7, and both are very different from IE6 which is generally regarded as the champ for successful exploits among browsers. For that matter, lumping Safari as if it was a single application code base is equally misleading. Safari for OSX vs. Safari for Win are different beasts entirely, and I personally wont allow Safari for Win on the system I administer because of it’s history of being poorly written (and Apple’s lax patching history) more than concerns for risk.

While this is useful information it addresses too few variables to be useful in determining which apps are the most exploitable.

I assume Safari has recently become attractive for attackers because of the success of iPhone and iPad.

As I stated in the article I think that all important browsers are vulnerable to an extent and that makes discussions on which is the most secure/less vulnerable quite irrelevant.

Indeed numbers of vulnerabilities do not cover all security aspects of a product, but they do offer important information. They indicate which products are the preferred targets for hackers and malware. They show network administrators which applications need more attention and must be considered as high priority for patch management.

Regarding the time that vendors need to fix vulnerabilities – as you correctly say, this is an important metric when talking about product security. However, equally or even more important is the time taken for users to apply the patches made available by the vendor. From this perspective it is easier to manage patches that are released on a regular schedule as Microsoft does. This tends to leave companies with less time between deploying Microsoft updates than the time needed to deploy updates for other vendors like Mozilla or Adobe.

Now the increased usage of Firefox and high media attention that Apple gets lately made them high priority targets for hackers and malware, while Internet Explorer 8 has made important progress from a security point of view when compared with previous versions.

Anyway all important browsers have plenty of vulnerabilities. It is hard to say which one is more secure. What is certain – and it can be noticed from the number of vulnerabilities – is that Safari, Firefox and Chrome got important enough to be attractive for hackers.

What do you think now – which one of these two is more secure?