Security Report: Firefox Most Vulnerable

Application security vendor Cenzic today released its security trends report for the first half of 2009 application. In it, Cenzic claims that the Mozilla's Firefox browser led the field of Web browsers in terms of total vulnerabilities.

According to Cenzic, Firefox accounted for 44 percent of all browser vulnerabilities reported in the first half of 2009. In contrast, Apple's Safari had 35 percent of all reported browser vulnerability, Microsoft's Internet Explorer was third at 15 percent and Opera had just six percent share.
The 2009 figures stand in contrast to Cenzic's Q3/Q4 2008 report, where IE accounted for 43 percent of all reported Web browser vulnerabilities and Firefox followed closely at 39 percent.
As to why Firefox's numbers were so high, Cenzic has a few ideas.

"It's a combination of different things," Lars Ewe, CTO of Cenzic, told InternetNews.com. "They've gotten more traction as a browser, which is good for them and the more you get used the more exposure you have. As well a fair amount of the vulnerabilities have come by way of plug-ins."
One key area that Ewe said was responsible for a number of reported Firefox vulnerabilities is with how the browser handles plug-ins.

"The plug-in architecture that they have is a selling fact for the browser and one of the reasons why I love using it," Ewe said. "They can't control security aspects of all the plug-ins and the vulnerabilities are a side effect of that."

Mozilla has made numerous efforts this year to bolster its plug-in security. Recently they launched a plug-in checker service to ensure that users are running up-to-date versions. The Firefox 3.0.9 update, which came out in April, specifically addressed several key plug-in vulnerabilities.

Though Firefox had the highest number of vulnerabilities, that doesn't necessarily mean that Firefox users were more vulnerable.

Ewe said that Cenzic looked at all reported vulnerabilities. There is no specific differentiation for zero day bugs in the browser vulnerability count either. All that raises the question of how Cenzic actually came up with their vulnerability counts in the first place.

"The process that we follow is looking at a number of different vulnerability databases and sources that we have and trying to come up with a fair percentage based on the deviations we see between the databases," Ewe said. "You could make the argument, that's its 40 percent or 42 percent and there might be some variation on how you analyze it, but certainly it's not off by 20 percent."

While the Cenzic report shows Firefox at the top of the browser vulnerability pile, Ewe was quick to note that Cenzic uses Mozilla technology within its own solutions.

"Full disclosure here, Mozilla plays an important role in Cenzic's solution," Ewe said. "We are actually sitting on top of Mozilla as our agent of preference for scanning sites."

Cenzic develops an application scanning solution that uses the underlying Mozilla browser technology to test out security on Web site insides of a real browser context.

"We have a technology that we refer to as stateful assessment technology," Ewe said. "The idea behind it is to have as faithful an interaction with a Web site as possible and to determine vulnerabilities not on simple signatures but on behavioral basis of the application."

Ewe explained that when you do a cross-site scripting attack with a signature-based approach you'd just look for a server response that would indicate that the script tag has been injected. He added that the problem with that approach is that it's not faithful and the security researcher doesn't know if there is any additional logic on the client side that takes care of the script tag.

"If you want to be really faithful in the process you need to have full rendering capabilities and have all the JavaScript event handling," Ewe said. "So we leverage the entire Firefox architecture in order for us to actually have as faithful an interaction with a server as possible and maintain the client state. That results in low false-positives."

0 comments: