updated 03:50 pm EST, Wed November 11, 2009
Study says Firefox 44% of web exploits
Despite stereotypes, Mozilla's Firefox is significantly more vulnerable to web attacks than any of its rivals, a Cenzic study (PDF) claimed late yesterday. About 44 percent of the 3,100 exploits tracked by the researchers attacked the open-source browser where only 15 percent of them would work in Internet Explorer. Safari is notably much closer to Firefox in vulnerability as 35 percent of exploits could affect the platform, while Opera's small market share left just 6 percent of attacks putting it at risk.
The Safari share is partly affected by Cenzic's inclusion of the mobile Safari browser on the iPhone and iPod touch, which triggered a "vast increase" in the number of available exploits for Safari as a whole. Jailbreaks for Apple's devices have sometimes relied on web exploits in the past to run arbitrary code and break code signing requirements for iPhone apps. Apple has only recently been mending some of these exploits and in iPhone OS 3.1 forced jailbreak developers to switch away from a longstanding trick.
Of all attack types, SQL injections are the most common at 25 percent while cross-site scripting (17 percent), phishing (14 percent) and rogue web servers (12 percent) also have some of the greatest effect.
Open-source advocates have historically argued that Firefox should be more secure as the ability of authors to discover and fix bugs mid-cycle where others are often unaware of apps due to obscurity. Internet Explorer in the past has been criticized for tools like ActiveX, which have often given websites direct access to a user's PC, but has since had most of its vulnerabilities closed off both through the browser and through patching holes in Windows.