Firefox most vulnerable browser, Safari close

updated 03:50 pm EST, Wed November 11, 2009

Study says Firefox accounts for 44% of web exploits

Despite stereotypes, Mozilla's Firefox is significantly more vulnerable to web attacks than any of its rivals, a Cenzic study (PDF) claimed late yesterday. About 44 percent of the 3,100 exploits tracked by the researchers targeted the open-source browser, while only 15 percent of them would work against Internet Explorer. Safari is much closer to Firefox, with 35 percent of the exploits able to affect it, while Opera, with its small market share, was at risk from just 6 percent. The figures are shares of the exploits the study counted, so they reflect how much attention each browser gets from researchers and attackers as well as the quality of its code.

The Safari share is partly inflated by Cenzic's inclusion of the mobile Safari browser on the iPhone and iPod touch, which produced a "vast increase" in the number of exploits counted for Safari as a whole. Jailbreaks for Apple's devices have at times relied on web exploits to run arbitrary code and bypass the code-signing requirements for iPhone apps. Apple has only recently been patching some of these holes, and in iPhone OS 3.1 forced jailbreak developers to abandon a longstanding technique.

Of all attack types, SQL injection is the most common at 25 percent, followed by cross-site scripting (17 percent), phishing (14 percent) and rogue web servers (12 percent). Note that SQL injection is a flaw in the web application's server-side database code, not in the browser: the browser only carries the crafted request, so these categories describe the web attacks users are exposed to rather than defects in the browsers themselves.

Open-source advocates have historically argued that Firefox should be more secure because anyone can inspect the code and discover and fix bugs mid-cycle, whereas closed-source vendors may remain unaware of flaws that are hidden only by obscurity. Internet Explorer has in the past been criticized for technologies like ActiveX, which often gave websites direct access to a user's PC, but Microsoft has since closed off most of those vulnerabilities, both in the browser itself and by patching holes in Windows.

by MacNN Staff



  1. danviento

    On Mobile Browsing

    You really have to ask: if they are using market share to help compute the relative vulnerability of a browser, did they bother to note that many of the plugin exploits just plain won't work using Safari on an iPhone/iPod touch? Not to mention the fact that if the iPhone/iPod touch isn't jailbroken, there's even less risk.

    Then there's the fact that, besides crashing Safari on regular OS X, exploits can only work if a user gives them permission (username & password) to do so.

    Seriously, people. We know you want the shock value of headlines/"conclusions" like these, but before you go scaring uninformed IT managers, it'd be best to at least put an asterisk next to sentences like these.

  1. aristotles

    Cenzic is a MSFT Certified Partner

    This is just another hack job paid for by MSFT.

  1. Jittery Jimmy

    Vulnerability Counting

    As a professional security consultant, we don't simply look at the length of a vulnerability report to determine system risk. Such a weak analysis would be woefully inadequate and would undoubtedly lead clients into focusing on the wrong things.

    A true vulnerability analysis requires a heavy duty amount of critical thinking, analyzing each point and weighing each risk. A security consultant that is focusing on "which browser is most secure" is almost certainly not in the business of helping any client anywhere.

    Sadly, these days, there are thousands of "security consultants" that exist merely to collect client funds. They have no training, no expertise, no experience, and certainly cannot help clients with anything other than give them a false sense of security. Buyer beware.

  1. eckenheimer

    Congrats, MacNN!

    What an excellent cut-and-paste regurgitation of a press release by a known Microsoft shill group, touting their latest "objective security study." Once again, for the umpteenth time, Cenzic, a Microsoft Partner, discovers that Microsoft's software is immeasurably more secure than all that other lame software that persists in attempting to compete with mighty Redmond's stellar offerings.

    You even copied their headline and subhead, which, had you taken the time to actually read the self-serving press release, much less the actual PDF of the "study", you might have wanted to reword thusly: "MS Partner astonishingly finds highest number of security vulnerabilities in Firefox & Safari, fewest in IE / basis for conclusion and source of numbers not clearly specified"

    As a way to fill space using the least possible effort, it works. Did Cenzic or M$ at least pay you for publishing their dreck?

  1. jsrjenkins

    SQL injections are not a Browser vulnerability

    [quote]Of all attack types, SQL injections are the most common at 25 percent while cross-site scripting (17 percent), phishing (14 percent) and rogue web servers (12 percent) also have some of the greatest effect.[/quote]

    An SQL injection attack (the most common vulnerability listed) is not even a browser attack, strictly speaking. An SQL attack is when the URL can be crafted so as to modify the database using the software (such as PHP) installed on the server. It is an exploit that attacks the structure of the website itself, not the browser.

    The forum software phpBB, for example, was a common victim of these kinds of attacks, where one would add to the URL &"droptable;'insert "a,b,c" '; or something similarly crafted in order that the forum software would erase or modify its SQL database. It has nothing to do with the browser other than that the browser has to make the request for the attack to work; it is rather the designer of the server-side software who must protect his database by de-quoting the input or somehow protecting the input URL from being interpreted by the SQL client.

    This article is thus not only misleading it is also completely incompetent.
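Both the article's attack-type breakdown and the comment above hinge on the same point: SQL injection is a defect in the server-side code that assembles the query, and the browser is just the thing that delivers the crafted URL. The following Python example is added here as an illustration and is not code from the article, the Cenzic study or any commenter. It simulates a tiny web handler over an in-memory SQLite table (the table, the users and the URL query strings are all constructed for the demo), shows the concatenated query being hijacked by two classic payloads delivered in a `?name=` parameter, and then shows the same requests against a parameterized query, which is the fix to prefer over the "de-quoting" the comment mentions.

```python
"""SQL injection lives in the server-side query, not in the browser.

Added illustration, not code from the article or the study. The table,
the users, the request strings and the handler are all constructed here.
"""
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed sample database: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Builds the SQL text by string concatenation: a quote inside `name`
    closes the literal and the rest of the input is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return sorted(tuple(row) for row in conn.execute(sql))


def lookup_safe(conn, name):
    """Parameterized query: `name` is bound as data, never spliced into the
    SQL text, so quotes and keywords inside it are inert."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return sorted(tuple(row) for row in conn.execute(sql, (name,)))


def handle_request(conn, query_string, hardened):
    """Stand-in for a web handler: the value of ?name= is taken straight
    from the URL query string, exactly as the client transmitted it."""
    name = parse_qs(query_string).get("name", [""])[0]
    lookup = lookup_safe if hardened else lookup_vulnerable
    return lookup(conn, name)


# Constructed request strings. The browser is irrelevant: any client that
# can send these bytes (curl, a script, a hand-typed URL) works the same.
NORMAL_REQUEST = "name=bob"
# decodes to  x' OR '1'='1   ->  WHERE name = 'x' OR '1'='1'   (always true)
TAUTOLOGY_REQUEST = "name=x%27+OR+%271%27%3D%271"
# decodes to  x' OR 1=1 --   ->  the server's closing quote is commented out
COMMENT_REQUEST = "name=x%27+OR+1%3D1+--+"


def demo():
    """Runs each constructed request through both handler variants."""
    conn = make_db()
    results = {
        "normal": handle_request(conn, NORMAL_REQUEST, hardened=False),
        "tautology_vulnerable": handle_request(conn, TAUTOLOGY_REQUEST, hardened=False),
        "tautology_safe": handle_request(conn, TAUTOLOGY_REQUEST, hardened=True),
        "comment_vulnerable": handle_request(conn, COMMENT_REQUEST, hardened=False),
        "comment_safe": handle_request(conn, COMMENT_REQUEST, hardened=True),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} {rows}")
```

Against the concatenated query both payloads return every row, admin included, while the parameterized query returns nothing for them because the whole string is compared as a name. That is the practical meaning of the comment's point: the fix belongs in the application's database layer, and the choice of browser changes nothing about it.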
