DealsOnTheWeb Daily Deal: Computer Geeks' Ho Ho Holiday Deals - Save Up to 80%
Study: Firefox Most Secure Browser
by , 4:10 PM EDT, July 1st, 2008
One way to evaluate the security of a Web browser is to determine what percentage of its users are using the latest version. In a study released on Tuesday by S. Frei et al, it was found that Firefox users are most likely to be up to date.
Now that modern software and hardware firewalls have blocked incoming intrusions via TCP/IP ports, the most favored method of attack on computers connected to the Internet is via data returned to the Web browser that exploits browser code or plug-in vulnerabilities. As a result, keeping the browser updated to the latest version these days is paramount.
The authors, in their paper, "Examination of vulnerable online Web browser populations and the 'insecurity iceberg'" look at the rates of adoption of the latest browser versions and the impact it has on users.
Their definition of the most secure browser was as follows. "...the most secure browser designates the latest official public release of a vendor's Web browser at a given date. Beta versions are not considered an official public release."
 From the Authors' Paper |
|---|
The chart above shows the rate of adoption of the latest major version of each browser, for example Firefox 2 or IE 7.
By this standard, Firefox is the most secure browser because 83.3 percent of the users have the very latest version. Safari was ranked second at 65.3 percent, Opera third with 56.1 percent and IE 7 last at 47.6 percent. Note that, unlike the chart above, these numbers speak to the very latest version, for example Safari 3.1.2.
The paper raises some interesting questions. It's understandable how IE could lag thanks to corporate rules and compatibility testing with internal products. That can slow dow the rate of adoption. However for users who can use automatic update notifications, like Safari, Opera and Firefox, there are key difference in the methodology.
For example, the update mechanism of Firefox was considered noteworthy: "We believe the auto-update mechanism as implemented within Firefox to be the most efficient patching mechanism of the Web browsers studied. Firefox's mechanism regularly polls an online authority to verify whether a new version of the Web browser is available and typically prompts the user to update if a new version exists....
"With a single click (assuming that the user has administrative rights on the host), the update is downloaded and installed. Just as importantly, Firefox also checks for many of the currently installed Firefox plug-ins if they are similarly up to date, and, if not, will prompt the user to update them," the authors noted.
In contrast, the authors pointed out that "While Firefox and Opera check for updates when the browser is used, Safari relies on an external Apple-updater that appears to only poll for new updates at scheduled regular intervals while Internet Explorer gets updated as part of the monthly distributed Windows patches."
This scheduled updates for Safari can be as seldom as "never" if the user elects to uncheck the "Check for Updates box" in the Software Update. In addition, the Adobe Flash plug-in has no automatic update feature, and users must attended to that update manually. TMO notes that all this could explain the lag Safari has compared to Firefox.
There is much more detail in the paper, including a discussion of plug-in vulnerabilities. While some of the content is quite technical, any user interested in browser security should take a look at this report.
Observer Comments
It's an interesting way of looking at it, but it seems like a stretch to equate it so directly with "security". Who's to say the newest version of Firefox has fewer vulnerabilities than the previous version of Safari, or vice-versa? If Mozilla releases an update to Firefox tomorrow, that will not suddenly make the current version of any other browser more secure than today's version of Firefox.
I'll bet a VERY high percentage of IE for Mac users are using the latest version. That doesn't make it secure. 
Tue Jul 01, 2008 7:46 pm Subject: I'm inclined to agree
How current the installed base is more a function of factors other than security. Firefox was pushing for a record number of downloads to speed its adoption plus it still has an air of 'geek cred'. IE has not been updated for the Mac in years so nearly everyone has "the latest version" even though it's not very current. IE7 has been a slow update because (such as at my company) some corporations have not approved it's adoption yet.
I think it's a stretch to assume that, as Mikuro pointed out, latest=most secure. I also think it's a stretch to assume that people update primarily because of security.
Given these two, what I view as unwarranted logical assumptions I'm skeptical of the papers conclusion.
This is a very, very lame analysis. Or rather, the analysis was perhaps thorough, but the original hypothesis is utter garbage. I could propose that the first version of Mosaic from the mid-90's is the most secure web browser and prove it based on the fact that the only thing it could display was text and inline graphics. This would contradict the "latest is most secure" theory, thus proving it invalid.
Ridiculous? Yes. But no more ridiculous that what this paper concludes.
The hypothesis is most certainly not absurd. Remember the pwn to own contest? It utilized a known weakness in Safari that hadn't been patched yet--at least on the computer being used in the contest (I don't remember the specifics at this moment). The premise is that any discovered holes--that attackers would be aware of--are typically fixed in the latest release, thus, by virtue of the plugging of known holes, it is more secure. Of course, the one downside of this approach to security is that no one knows if some cracker/thug already knows about some unpatched hole, and is preparing to deploy something to exploit this unknown hole. However, since most people who do these things are rather lame, and not so technicially capable as that, I suppose it's not so much a worry as it could be.
However, in any case, the hypothesis is _not_ absurd. Read the second paragraph again:
QuoteNow that modern software and hardware firewalls have blocked incoming intrusions via TCP/IP ports, the most favored method of attack on computers connected to the Internet is via data returned to the Web browser that exploits browser code or plug-in vulnerabilities. As a result, keeping the browser updated to the latest version these days is paramount.
It's the rest of the premise that has me curious.... It's more about a critique on the various update methods used by the various browsers. Firefox _has_ to use the update method it uses, because it's not connected with an OS. By virtue of it's being third-party, it will always win such "contests." It was not by design that Firefox is more "secure" in this manner.
-Jon
Wed Jul 02, 2008 3:53 am Subject: Browser with unpatched holes can`t be most secure
Browser with unpatched holes can`t be most secure at all. Now all FireFox 2/3 versions have upatched highly critical vulnerability that "can be exploited to execute arbitrary code e.g. when a user visits a specially crafted web page". See Secunia advisory for details at http://secunia.com/advisories/30761/
Wed Jul 02, 2008 4:41 am Subject:
OK - tell me about these "specially crafted web pages". Where are they? Are there any genuinely malicious ones around? How come I'm not tripping over them all the time?
And when I get there, will my computer spontaneously burst into flames? will my bank account be sucked dry? will my wife leave me for another operating system?
When the breakins exist at a rate of more than one part in infinity, I'll start getting worried.
In the meantime I will continue to practise safe hex. As we all should. But frightened I am not.
Recent Headlines - Updated Wednesday, November 19th, 2008
- Wed., 4:20 PM
- iPodObserver - FlightTrack for iPhone Reduces Air Travel Anxiety
- 3:45 PM
- Just a Peek - StoryMill
- 3:30 PM
- iPO First Look Review - Google Mobile App's Voice Search
- 3:15 PM
- iPodObserver - Analyst Confirms Wal-mart to Sell iPhones
- 2:45 PM
- Toshiba Unveils Whisper-Quiet 500GB MK5055GSX Notebook Hard Drive
- 12:25 PM
- Hidden Dimensions - Another Christmas Arrives, Same Old Apple TV
- 11:45 AM
- Apple Unix Director: Snow Leopard Coming Q1 2009
- 10:45 AM
- Hot Forum Topic - Picking the Big Players in the Tech Stock World
- 10:20 AM
- KeyCue 4.3 Improves Activation Controls, More
- 9:45 AM
- TMO Quick Tip - iCal: Automated Custom Email Reminders
- 8:40 AM
- Judge Dismisses Pystar Antitrust Claims Against Apple
- 7:50 AM
- QuickerTek Unveils New MacBook Juicz Battery and Charger
The Mac Observer Reader Specials
- Download Typestyler, still the Ultimate Styling Tool for Internet, Print and Video Graphics. Works great in Classic with a Native OS X Version on the way. Free Tryout: www.typestyler.com
New iMac 800Mhz Memory 4GB $54. New MacBook & MacBook Pro DDR3 PC8500 4GB Kit $116. MacBook/MacBook Pro / MacMini / iMac Intel Core2 DUO DDR2 667Mhz 4GB Kit $58, 3GB Kit $44, 2GB Kit $30. Click to Maximize your Macs...
Mac observers can now play Party Poker for Mac as well as Mac casino games by going to MacPokerOnline.com.
RamJet Memory: Mac Pro FB-DIMMs: 2Gig kit $95, 4Gig Kit $179, 8Gig Kit $355! MacBook 2Gig Kit $78, 4Gig Kit $149! Click hereFor the latest Apple products use Ciao a comparison website to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate cell phones.
Laptop Hardware Provided by TechRestore - Overnight Mac & iPod Repairs.
Aliph JawBone Bluetooth Headset Cellular Phone Edition with Noise Shield Technology: $49.00 
Samsung WEP250 Bluetooth Headset: $12.00 A/R 
Navigon 7100 Portable GPS System with Reality View: $192.99 A/R 
PQI 4GB Traveling Disk i231 USB Flash Drive: $8.49 Delivered - $4.00 Drop 
Black USB Vacuum Cleaner with LED Light: $3.99 Delivered 
