Firefox tops list for reported vulnerabilities in 2009

By Justin Mann on November 9, 2009, 6:00 PM
One of the primary reasons many people initially switched from Internet Explorer to Firefox in the early days was security. Internet Explorer has often been ridiculed as one of the least secure browser platforms around, and several years back that was most likely true. ActiveX was considered by many to be a dangerous technology, and Firefox enjoyed substantial user growth in part due to that.

A recent study by a security vendor offers another, more updated perspective on browser security. Research conducted by Cenzic earned Firefox the number one spot in 2009 for total security vulnerabilities reported, with a 44% share overall. That was put in comparison to Apple's Safari, which had 35%, and Internet Explorer, which weighed in at a meager 15%.

At first glance, you might question the numbers. Is Cenzic a reputable source? How were those figures derived, and how do they compare to previous years? All are fair questions. One of the reasons cited was Firefox's ability to foster plugins. Arguably one of the best features Firefox has to offer, plugins also pose an interesting challenge to security. Most plugins are crafted by third parties, and the approval process for them doesn't generally worry about security concerns.

The safeguards in place can't protect people from writing insecure code in the first place, so a lot of it may be out of Mozilla's hands. Mozilla is well aware of this problem, of course, and has been working for quite a while on improving the state of security in third-party plugins.

Cenzic also noted that just because Firefox had more reported vulnerabilities, it wasn't necessarily less secure. Mozilla has fixed or disclosed many of the bugs discovered by the group. Further, there's no breakdown of how many of those reported flaws could result in system compromise, or how many were just annoyances.

Given the very public nature of Firefox development, I wouldn't call this news a setback to Firefox at all -- or even bad news. I take it as an encouraging sign that Mozilla is very actively developing Firefox, and tackling security issues nonstop.




User Comments: 15

Kibaruk, TechSpot Paladin, said:

With this sort of news, to try a beta gives me the creeps!

teklord said:

Whatever people use, that is what the hackers will attack.

wolfram, TechSpot Paladin, said:

Still, I feel much safer using Firefox than IE

JieMan said:

I could care less about security, I have a Gateway router, and a firewall, and nod32

If someone really wanted to compromise my PC and try and remotely play some games good for them if they can manage, as long as I'm not playing one myself...

I love Firefox for its customization and speed, the new Personas are the best, I tried Chrome but I think it's slower, at least on the sites I use and I can't stand the tabs on top, IE 8 is fast and works with most every webpage but I can't stand how it looks.

Guest said:

I really don't see this issue as being noteworthy. So what if Mozilla is more public about vulnerabilities? Exploits come up, and they fix them. Better that than the way Microsoft used to just ignore things for years. This is not unlike every time Microsoft posts a bunch of fixes on Patch Tuesdays and then the online squawking starts about whatever 'record breaking' number of patches are being pushed down the pipes -- the past year or two Microsoft for the first time in its pathetic, self-absorbed history has started to take online security issues seriously. I think it's a good thing to see an abomination like Windows made safer for the general public to use.

Operating systems and application development is a very, very complicated matter. And the Internet is getting more advanced and more dangerous all the time. I think frequent patches and fixes are a good sign, not something to get all paranoid about.

JieMan said:

Guest user, has a good take on this, by Mozilla acknowledging these threats and acting accordingly they succeed. It seems to me I'd rather be on a browser with 5000 known exploits than be on one that has only 5 known exploits... I wonder how many times M$ has pulled the curtains over our eyes .. or even Google with its new Chrome.

tengeta said:

People just use stupid addons that are malicious. It's like Windows, if you know what you are doing you get along just fine.

MaXtor said:

Pffft...

Firefox is one of the most actively developed browsers available. With public betas and a huge user base, of course more vulnerabilities are reported. This just means they're doing a better job discovering vulnerabilities than their competitors. That's why Firefox is such a great browser, because it is actively developed so vulnerabilities are found and fixed quickly.

Just because other browser developers haven't reported vulnerabilities, it doesn't mean they aren't there. It means they aren't doing a good enough job looking for vulnerabilities. It's the undiscovered vulnerabilities that cause an epidemic when they're discovered by the wrong person or group of people.

zaidpirwani said:

MaXtor said:

Just because other browser developers haven't reported vulnerabilities, it doesn't mean they aren't there. It means they aren't doing a good enough job looking for vulnerabilities. It's the undiscovered vulnerabilities that cause an epidemic when they're discovered by the wrong person or group of people.

Completely in agreement with MaXtor, though I would also like to point out that most of these vulnerabilities are because of the add-ons, and these add-ons are a distinction of Firefox, and with such a rapidly active community of Firefox, no vulnerability is left unresolved and everything has stayed fine till now and will stay that way.

I myself use Chrome for its speed and use Firefox when I want to use any of its add-ons, and I use the most updated version of Firefox, 'cause that is the most secure and all those who use Firefox are always updated to the new version, so no vulnerability is ever exploited by the wrong person, whereas in other browsers, this is not the case, the vulnerability is always found by the wrong person...

Puiu said:

tengeta said:

People just use stupid addons that are malicious. It's like Windows, if you know what you are doing you get along just fine.

If you have addons that are known to be safe then FF is much (MUCH!!) more safe than IE (or other browser that I can think of). I only use a few addons that truly help me when I surf the internet. Here's my fav list:

1) DownloadThemAll!
2) Download StatusBar
3) DownloadHelper
4) ChatZilla
5) Littlefox
6) Adblock Plus

+ a few others that I don't use very often (I only install those that I use often, the rest when I need them)

rgdot said:

The user can do a lot to protect himself/herself. With every piece of code there are possible exploits, the developers' responsiveness and users' actions mitigate a lot of malicious stuff.

polidiotic said:

I've been an advocate for FF for quite a long time, but recently there's been a stability issue with FF, causing the browser to crash, consistently, while using web apps that use Ajax. On several sites that use Ajax for posting comments, the bigger the post, the more frequent the crash. This doesn't occur with IE, so I've had to leave the comfort of FF for IE, which I haven't used in years... and believe me, it's taking a while to get used to, again. ;P

Can't wait for the new version of FF, b/c this issue has been addressed on several occasions, and I'm quite sure it will be amended with the new release. Until then, however, it's just easier to use a crappier browser.

JudaZ said:

Puiu said:

If you have addons that are known to be safe then FF is much (MUCH!!) more safe than IE (or other browser that I can think of).

What do you base that on really?

It could be that FF is more secure than IE, but how do you know really?

My experience is that FF users are equally as much attacked and infected as IE users... (even a bit more but that might just be my experience)

and I fix 30-40 computers a week, mostly stupid lame malware or "viruses" when it's not hardware issues, so it's not just me grabbing facts from the air.

If you compare FF with IE6 I can agree, but IE6 is really old, and no matter what it did it had its issues and problems.

...but compared to IE8, I'm not so sure one definitely can say for sure FF is the safest browser... not without some facts

...in the end it's always down to the user how secure a system is..., and also the most common browser or OS will always get most attacks.

alcarin2030 said:

Firefox with No-Script. That is all you need. Period.

Guest said:

Sounds like a bunch of nothing to me.

So they included the vulnerability of FF plugins in an assessment of its security? That doesn't mean anything at all. If you use plugins, you should be aware of their security flaws, just like you should be aware of your browser's security flaws.

If plugins are to present a security threat, that is a reflection of the end user making bad decisions, not Firefox being a less secure browser.

Security can't envelop the whole of end-user decision making.
