Browser Security 2005

December 9, 2005 4:44 pm by Dan

Browser security is an area of some of the more heated discussions on the Internet. From the anti-Microsoft types to the “only Microsoft” types, the websites that carry these so-called discussions can get as hot as a volcano.

For years I have disliked the Microsoft Internet Explorer web browser for reasons of browser security, and have switched my clients over to another Internet browser. I originally started with Netscape when version 3 came out, and a lot of that was due to standards that Internet Explorer was failing to adhere to as well as some sentimental feelings toward the originators of the public web browser – the crew at Netscape.

So of course when many of the Netscape engineers started supporting and upgrading the Mozilla browser, I switched my alliances to that package.

And when the browser was separated out from the Mozilla suite of web packages and offered last year under the name of Firefox, I went along with that package, and cried ‘yeah guys!’ when the many news articles came out supporting Firefox use over the Microsoft Internet Explorer web browser for reasons of browser security and usability options.

I had also heard of the Opera browser from my webmaster, DianeV web design studio, but I didn’t really venture forth into that browser very much, even after Opera offered it for free in a similar funding program to what the Mozilla guys came up with for Firefox.

None of these decisions were based off of any real hard data. So… Off I went to the database of cyber security vulnerabilities run by the National Institute of Standards and Technology.

I searched through this list for the words “Internet Explorer”, “Opera browser” and “Firefox” in separate searches to come up with totals and to browse the results for data on how many vulnerabilities each had in total, and for the year 2005 up to today’s date – 09 Dec, 2005.

Here is a table explaining what I found. Web browsers listed in order of world-wide usage.

“Web Browser” is the program I searched for. “Total vulns” is the total number of vulnerabilities in the list for that software package. “1st record” is the month of the first reported vulnerability for that package. “2005” is the number recorded for the calendar year 2005 up to today’s date – 09 Dec, 2005. “Per year” is the total number divided by the number of years (rounded to the closest ½ year) since the 1st record.

| Web Browser | Total vulns | 1st record | 2005 | Per year |
|---|---|---|---|---|
| Internet Explorer | 335 | Mar 1997 | 53 | 39.41 |
| Firefox | 102 | Jul 2004 | 76 | 68.00 |
| Opera | 51 | Aug 1998 | 21 | 7.29 |

Notice anything odd here? (At least to someone who’s been pushing Firefox lately…)

I then decided to see what percentage of each web browser’s total number of vulnerabilities were recorded in the calendar year 2005 up to today’s date – 09 Dec, 2005. This would tell me how each did in relation to the others this year alone.

| Web Browser | Total vulns | 2005 | % in 2005 |
|---|---|---|---|
| Internet Explorer | 335 | 53 | 15.82% |
| Firefox | 102 | 76 | 74.51% |
| Opera | 51 | 21 | 41.18% |

This indicates how each web browser is doing this year compared to its history of browser security. As you can see, Microsoft seems to have pulled a relatively good year. However, this comparison totally ignores the actual number of vulnerabilities each had for the year.

I next checked the ratio (percentage) of High, Medium and Low vulnerabilities of each of the above in relation to browser security for the vulnerabilities listed, again only for the calendar year 2005 up to today’s date – 09 Dec, 2005.

| Web Browser | High | Medium | Low |
|---|---|---|---|
| Internet Explorer | 33.96% | 9.43% | 56.60% |
| Firefox | 35.53% | 6.58% | 57.89% |
| Opera | 38.10% | 4.76% | 57.12% |

This indicates that the web browsers above are pretty much in the same boat as to what percentage of their vulnerabilities are serious or not.
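The tallying method behind the three tables (keyword search, total, first record, current-year count, per-year rate, severity split), written out as an added example that is not part of the original post. The records and the product names AlphaBrowser and BetaBrowser are constructed for illustration, and the last function shows a limit of keyword counting: an entry that names two products lands in both totals.

```python
from collections import Counter
from datetime import date
from math import floor

# Constructed records for illustration (not real database entries):
# (id, published, severity, summary). Product names are hypothetical.
SAMPLE = [
    ("SAMPLE-0001", date(2003, 12, 9), "High", "Buffer overflow in AlphaBrowser URL parser"),
    ("SAMPLE-0002", date(2004, 5, 1), "Low", "AlphaBrowser status bar spoofing"),
    ("SAMPLE-0003", date(2005, 2, 14), "High", "alphabrowser and BetaBrowser mishandle IDN hostnames"),
    ("SAMPLE-0004", date(2005, 7, 1), "Low", "BetaBrowser leaks local file paths"),
    ("SAMPLE-0005", date(2005, 9, 30), "Medium", "BetaBrowser cross-site scripting in feed reader"),
    ("SAMPLE-0006", date(2005, 11, 2), "Low", "AlphaBrowser denial of service via crafted image"),
]

def years_since(first, as_of):
    """Elapsed years rounded to the closest half year, never below 0.5."""
    exact = (as_of - first).days / 365.25
    return max(floor(exact * 2 + 0.5) / 2, 0.5)

def tally(records, keyword, as_of):
    """Case-insensitive keyword search, then the columns used in the tables."""
    hits = [r for r in records if keyword.lower() in r[3].lower() and r[1] <= as_of]
    if not hits:
        return None
    first = min(r[1] for r in hits)
    current = [r for r in hits if r[1].year == as_of.year]
    sev = Counter(r[2] for r in current)
    pct = lambda part, whole: round(100 * part / whole, 2) if whole else 0.0
    return {
        "total": len(hits),
        "first_record": first.strftime("%b %Y"),
        "this_year": len(current),
        "per_year": round(len(hits) / years_since(first, as_of), 2),
        "pct_this_year": pct(len(current), len(hits)),
        "severity_pct": {s: pct(sev[s], len(current)) for s in ("High", "Medium", "Low")},
    }

def double_counted(records, kw_a, kw_b):
    """IDs whose summary matches both keywords, so both tallies include them."""
    both = lambda r: all(k.lower() in r[3].lower() for k in (kw_a, kw_b))
    return [r[0] for r in records if both(r)]

if __name__ == "__main__":
    as_of = date(2005, 12, 9)
    for name in ("AlphaBrowser", "BetaBrowser"):
        print(name, tally(SAMPLE, name, as_of))
    print("counted twice:", double_counted(SAMPLE, "AlphaBrowser", "BetaBrowser"))
```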

Conclusions:
This comparison was done using data from one location only because it was there, and it was searchable in a form that made it easy to extrapolate data. This is never a complete picture when looking at any subject, but it can be a good indicator. Treat this article in this light and you will get the intention of it.

Looking at raw total numbers, and using Internet Explorer as a base (because Internet Explorer has the largest number of users) I came up with the following:
1) Firefox has 30.45% of the total number of vulnerabilities that Internet Explorer has had.
2) Opera has 15.22% of the total number of vulnerabilities that Internet Explorer has had.

However, this year alone:
1) Firefox had 143.39% of the vulnerabilities that Internet Explorer had this year.
2) Opera had 39.62% of the vulnerabilities that Internet Explorer had this year.

Internet Explorer has been around the longest of the three, and also has the largest number of vulnerabilities. This by itself means little. The fact that Internet Explorer had the lowest percentage of its vulnerabilities this year in comparison to the other web browsers is a good thing, but don’t forget to take into account that the number of vulnerabilities is only ranked a mid-range #2.

Firefox appears not to be what I thought it was. (Notice how hard this is for me?) I sincerely hope the Mozilla guys get it together because there are many capabilities that Firefox has that I like – a lot.

Opera deserves a good look. It literally blows away the other two web browsers in the area of browser security by a wide margin. The only negative point worth mentioning is that the majority of Opera’s total vulnerabilities occurred this year – hopefully Opera can reverse this trend or else they will lose the lead they have in this area.

Don’t get me wrong here. I still don’t like the Microsoft Internet Explorer web browser for reasons of browser security and for the facts that:
1) The majority of the web browser “drive-by hijackings” occur with this web browser.
2) The number of anti-virus, firewall and financial products using Internet Explorer code, thereby in effect allowing the wolf to guard the sheep.

Maybe version 7 of Internet Explorer will be safer due to its being again separated out from Windows – but this is a strong ‘maybe’ due to Microsoft’s previous security record.

As it stands, I believe I’ll be using Opera more…

Side note:
I have had one question raised often in web browser comparisons such as this:
“What about AOL!?”

Answer – If you are using AOL, you are using Internet Explorer. This is due to an agreement that Microsoft and AOL came to when Microsoft settled a legal case with AOL that originated from Netscape. AOL bought Netscape before that case was settled.

Browser sources:
Opera browser
Mozilla Firefox
Microsoft Internet Explorer

Data sources:
The National Institute of Standards and Technology maintains “a comprehensive cyber vulnerability resource” which is sponsored by DHS National Cyber Security Division/US-CERT. This is a searchable database of security vulnerabilities known to exist by the U.S. government – by no means complete.

The Mitre Corporation maintains and hosts the Common Vulnerabilities and Exposures (known as the CVE List) which is also sponsored by US-CERT at the U.S. Department of Homeland Security. CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.

As a side note, the separately managed U.S. CERT searchable database can be found here.

End

One Comment for "Browser Security 2005"

  1. » K. Sibin

    I think Windows is better than Linux O/S.

    And you are welcome to your opinion Mr. Sibin, however, you didn’t actually state one. You only stated a generality.

    “Windows is better than Linux” - in doing what?

    Better at collecting adware and spyware for the user to deal with? Yes.

    Better at allowing Microsoft and other software vendors to control your computer? Yes.

    Forcing you into specific ways of working on a computer? Yes.

    Getting anti-virus vendors to utilize bad security code built into Windows? Yes.

    So yes, Windows is better than Linux at all of these.

    Cheers,
    Dan
