digg

Facebook Connect Join Digg About

Study: Firefox Tops Vulnerability List (44 Percent)

internetnews.com Firefox accounted for 44 percent of all browser vulnerabilities reported in the first half of 2009.

Who dugg this? Made popular 19 days ago

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

71 Comments

show profanity settings
expand all
  • asadotzler, on 11/09/2009, -9/+74Another worthless "we just count up the vendor disclosed bugs and compare" piece.

    http://weblogs.mozillazine.org/asa/archives/2007/0 ... and
    http://weblogs.mozillazine.org/asa/archives/2007/0 ... explain what really matters.

    - A
  • Frozenfuryblade, on 11/10/2009, -10/+37Statistics are the most easily manipulated figures in the world. Depending on how you ask questions, or what set of data you choose to observe, statistics can easily bend from one side to the other, and I know that much just from a short 3 weeks of stats.

    I'm not saying that this isn't true, but something tells me Internet Explorer needs better protection way more than Firefox does.
  • warmonger256, on 11/10/2009, -8/+29Firefox is getting a bit on my nerves, it's getting slower, has problems getting some pages to work, slow flash capabilities (even when the save tabs are fixed), memory leaks, etc. etc.

    I'm trying to get used to Chrome, but the important add-ons I use in Firefox are not available on Google's browser (sigh).
  • ayeroxor, on 11/10/2009, -0/+17someone has to
  • Spawn2105, on 11/10/2009, -3/+18All of you that are now all of a sudden bashing FF or saying the FF fanboys are ignoring this, i hope you read the whole article:

    "Though Firefox had the highest number of vulnerabilities, that doesn't necessarily mean that Firefox users were more vulnerable."

    and

    "While the Cenzic report shows Firefox at the top of the browser vulnerability pile, Ewe was quick to note that Cenzic uses Mozilla technology within its own solutions. "Full disclosure here, Mozilla plays an important role in Cenzic's solution," Ewe said. "We are actually sitting on top of Mozilla as our agent of preference for scanning sites." "

    Also, this was all from the first half of 2009, Mozilla has fixed plenty of security issues since then in the new versions.
    Besides, the article mentions that in Q3 / Q4 of 2008 FF was at 39%, thats only a 5% increase to this year, and can be traced back to the increase in market share they acquired since then.

    This is nothing to make big noise about.
  • skatopher, on 11/10/2009, -10/+22ummm thats because we've all had IE install a worm or 7 on us, or had to force quit IE twice a week, and with very few exceptions this dosen't happen once we found firefox.

    Also if you bothered read the article it says this is mostly a plug-in issue, and since it dosen't mention which plug ins its kinda hard to point a finger at mozilla, but keep crying in caps up there, someone will listen
  • kspanks04, on 11/10/2009, -11/+23Chrome!
  • fittysix, on 11/10/2009, -6/+17Difference being - Mozilla/Firefox have a history of actually patching known vulnerabilities. Having less reported vulnerabilities is useless when you don't fix the ones that are reported.
  • IHaveIssues, on 11/10/2009, -0/+11I don't know why you're getting dugg down, there have been at least two large FF updates since that article.
  • TrellSaracen, on 11/10/2009, -4/+14Well, there's an unbiased source...
  • cocopuffz, on 11/10/2009, -3/+13How about FF on Linux?
  • skipvt, on 11/10/2009, -2/+10It's a good thing we're in the second half of 2009.
  • ChileanGoD, on 11/10/2009, -0/+8With statistics and stupid hypothesis you can easily come to a conclusion that breathing air contributes to cancer.
  • dsfjvhbd, on 11/10/2009, -5/+11Vulnerability counts are useless. ONE vulnerability that is known to attackers and allows execution of code will take over your system. Any number of vulnerabilities, that were unknown to attackers before being fixed are harmless.
    Counting vulnerabilities of plugins that are not included by default is like counting vulnerabilities of any piece of software as vulnerabilities of the operating systems it can run on.
  • fack0, on 11/10/2009, -0/+6FTA
    "Though Firefox had the highest number of vulnerabilities, that doesn't necessarily mean that Firefox users were more vulnerable."

    "Ewe said that Cenzic looked at all reported vulnerabilities. There is no specific differentiation for zero day bugs in the browser vulnerability count either. All that raises the question of how Cenzic actually came up with their vulnerability counts in the first place."

    "One key area that Ewe said was responsible for a number of reported Firefox vulnerabilities is with how the browser handles plug-ins. "
    ..."They can't control security aspects of all the plug-ins and the vulnerabilities are a side effect of that."

    Seems to me it's not a browser issue, just a plugin issue.
  • jfitz369, on 11/10/2009, -3/+9Every browser has vulnerabilities. Firefox is the only one that lets you block and choose which scripts to run on every web page making it hands down the safest browser.

    Firefox + NoScript = zero problems.

    Get NoScript add-on here: https://addons.mozilla.org/en-US/firefox/addon/722

    Sorry to sound like an advertisement but seriously, this free add-on is what I use and I love it. I've had no virus or spyware issues since the late 90's before I found Firefox and NoScript.
  • JQP123, on 11/10/2009, -10/+15"... but something tells me Internet Explorer needs better protection way more than Firefox does."

    That little voice in the back of your head has a name, it's called "bias".
  • gr8fuldane, on 11/10/2009, -2/+7All software has vulnerabilities. The only reason more exploits are directed towards IE is because IE has always been the more prominent browser. As Firefox becomes more mainstream, so too will the exploits directed towards it. People should quit focusing on the software companies to protect them and should learn that security has much more to do with your education. Smarter browsing will keep you safer than any programmer will.
  • 13ohemian, on 11/10/2009, -2/+7Seriously guys, Mozilla was my favorite, but after chrome ...I am sorry ,chrome is faster AND lighter.

    Although i do agree it does have fewer options.
  • vilago, on 11/10/2009, -1/+5wow i guess you offended some IE users, or maybe the clowns
  • JQP123, on 11/10/2009, -5/+8FireFox copied the biggest security hole from IE --- plug-ins. The most secure plug-in is no plug-in.
  • JQP123, on 11/10/2009, -1/+4Yes, but why is a "plug-in" required for this?

    Opera can disable scripts on a site by site basis --- no plug-in required. As this article points out, plug-ins are a gaping security issue.
  • parestrep, on 11/10/2009, -20/+22That's just because the clowns using IE don't know when they're infected, so they don't report it.
  • robbiekhan, on 11/10/2009, -0/+2Noscript is great but there was a recent time when the NoScript developer force-added sites into AdBlock's accept list - there was a big huff about it all and many people uninstalled NoScript.

    Has this changed?

    I personally use AdBlock and subscribe to the EasyLists database in it. I also keep it up to date, currently on 3.6b2.

    I feel FF offers the best level of security and customisation to get the browser just how you like.

    Case in point:
    My Firefox: http://robbiekhan.co.uk/root/temp/stratabuddy.jpg
  • akula89, on 11/10/2009, -0/+2though Mozilla should improve their addon security framework to prevent bad addons from reeking havoc on browsers.

    (PEBKAC is probably the biggest issue: IE: Don't install "JIMBOB'S SECURITY TOOLBAR 3000" ; install AdBlock and NoScript, Stumbleupon etc.. trusted addons)
  • kylere, on 11/10/2009, -1/+3Slanted article, IE has the same security holes forever, so of course less are being reported.
  • akula89, on 11/10/2009, -0/+2I need my firefox addons. until chrome can do everything the addons I use for FF can do I won't be changing web browsers.
  • onefix, on 11/10/2009, -0/+2IE's "patch tuesday" is like a firefox upgrade from 3.5.4 to 3.5.5 which contains many fixes to multiple vulnerabilities.
  • F4d3d, on 11/10/2009, -1/+2I've been using Opera for a long time now, and although I've used Firefox at times, it has never taken over the number one spot for me. I'm happy to see that Opera holds its reputation here as being a secure browser.
  • jfitz369, on 11/10/2009, -0/+1@JQP123 - Sure, maybe Firefox should come bundled with NoScript but it's like a one minute install so what's the difference? Also, it's the add-ons and plug-ins that give the browser it's advantages over others like Opera - just as the iphone apps give that device it's advantages.


  • akula89, on 11/10/2009, -2/+3perhaps you need to read the comment above yours as well as the first comment on this digg story. to state that Firefox has had more vulnerabilities than IE (7 or 8) is laughable.
  • IHaveIssues, on 11/10/2009, -1/+2Just ***** right off. Dugg down and reported.
  • TheSwashbuckler, on 11/10/2009, -0/+1It's not a lie, but it is not the complete truth either.
  • InMSWeAntitrust, on 11/10/2009, -6/+7Okay, here's some wisdom which I will most likely get dugg down for.

    The article is probably true, and thats actually a good thing!
    Firefox, until now, had been too small of a target to be feasible to attack; having the most vulnerabilities is a sign that Firefox is truly gaining ground. Now security researchers and virus authors see Firefox as worth their time and research. All software will be susceptible to vulnerabilities at one time or another. The difference between a Firefox vulnerability and an IE vulnerability is usually scope and response time. Mozilla probably responded to known vulnerabilities within a week at most with a patch, whereas sometimes it would take at least a month for patch Tuesday for IE. Add to that the fact that IE, until very recently, had been a core subsystem of Windows and you've got a recipe for disaster. The result of having all the market share and all the vulnerabilities on Firefox's side, though is that the vulnerabilities will get fixed and as a result, more people will be using a stable, secure browser, forcing virus venders to various other venues.
  • JQP123, on 11/10/2009, -0/+1"Also, it's the add-ons and plug-ins that give the browser it's advantages over others like Opera..."

    And I'm sure MS followed similar logic with IE.

    But Opera took a different approach. The features that most people want from add-ons are built in by default. And it is still lighter than FireFox.
  • ryan850, on 11/10/2009, -12/+13Interesting to see so many explain away the data. I wonder how different these comments would be if IE topped the list.
  • jfitz369, on 11/10/2009, -0/+1You love Opera! ;P
  • JQP123, on 11/10/2009, -0/+1I appreciate the security and the full set of features. Opera is a complete product --- not a DIY construction kit.

    When setting up a Windows home computer for "noob" friends and family, the first two things I do is:

    1) Create a restricted user account and set it for automatic login at bootup.

    2) Install Opera and remove IE from all the menus.

    Based on my experience, these two simple steps will eliminate most viruses.
  • JQP123, on 11/10/2009, -0/+1Apparently not from a security perspective.
  • Celina24, on 11/10/2009, -1/+2It doesn't really matter how many vulnerabilities Firefox has, Mozilla patches them so fast it barely matters and according to Secunia (http://secunia.com/advisories/product/25800/). There are no vulnerabilities that are not patched... Compared with Internet Explorer 8 (http://secunia.com/advisories/product/21625/) which has two vulnerabilities and is rated at "less critical". Lets look at the others anyway.. Google Chrome 3.x (http://secunia.com/advisories/product/25720/) no problems there.

    Apple Safari 4.x (http://secunia.com/advisories/product/25519/) no problems again. Opera 10.x (http://secunia.com/advisories/product/26745/) no problems again. Did I miss any? (Don't say Lynx...) It seems to me that browsing the web should be safer as far as the programs are concerned.. My opinion is the scams are good and the majority of people don't think before they click (or act for that matter).

    The story has a bad title, it's obvious what it's aimed at, discrediting Firefox.. The little part somewhere in the middle of the article and I quote: "Though Firefox had the highest number of vulnerabilities, that doesn't necessarily mean that Firefox users were more vulnerable." and "Ewe said that Cenzic looked at all reported vulnerabilities. There is no specific differentiation for zero day bugs in the browser vulnerability count either. All that raises the question of how Cenzic actually came up with their vulnerability counts in the first place."

    As for what browsers I like? I think all of them are fine I've used every single one and they all worked extremely well. My current favorite is Chromium though I'm using the daily builds..
  • JQP123, on 11/11/2009, -0/+1"It's true. I use Firefox."

    And that makes it the most secure browser available --- in your mind.
  • akula89, on 11/10/2009, -0/+1which pages don't work, out of curiosity? your post implies that these pages would've worked with older versions of firefox?

    I haven't ran into a single page that Firefox can't run other than one outdated supplier I use at work who has an outdated "IE ONLY" website (frustrating as all hell)
  • strickdd, on 11/10/2009, -0/+1Use HailStorm, a Cenzic product, at work and don't agree with the statement that Cenzic products produce few false positives. I see a false positive almost every report. I admit that it has found actual vulnerabilities, but when it detects a SQL Injection on a page with no database backend, it concerns me.

    I don't think their browser testing suite could be much better. Testing against a website for vulnerabilities is MUCH easier than a browser itself.

    On top of all that, they tend to report the same exact bug multiple times on a report. This artificially boosts the count of vulnerabilites. A cross site scripting vulnerability on one page means 1 vulnerability, NOT 14.
  • WafflesID, on 11/12/2009, -0/+1I got buried?

    Go watch Penn and Teller you *****.
  • Frozenfuryblade, on 11/10/2009, -0/+1It's true. I use Firefox.
  • FaceTheSlayer, on 11/11/2009, -0/+1Opera rules again!
  • warmonger256, on 11/13/2009, -0/+1It's not because Firefox can't open the web page, it's because Firefox takes too long to open it. On Chrome it takes a bit like eight seconds, but on Firefox it can take up to twenty seconds.
  • rgemmell, on 11/10/2009, -0/+1but isn't that true of almost all propoganda?

    PS. Digg is truly amazing, you apple hate and you get dugg down, I would have figured that if I MS hated I would get dugg up, WTF.
  • Fetching more discussions...
    Show 51 - 74 of 74 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.