Firefox: most vulnerabilities, but quickly patched

(heise online, 09.03.2009 14:06) Secunia has published its security report for 2008, saying that 115 vulnerabilities were eliminated from Firefox in 2008: more than those found in Internet Explorer, Safari and Opera put together

According to a 2008 report from the Danish computer security services provider Secunia, Mozilla had to patch 115 vulnerabilities in Firefox last year, more than Internet Explorer (31), Safari (32) and Opera (30) put together. However, after the vulnerabilities became known, the Firefox developers apparently dealt with them faster than Microsoft provided patches for its own browser.

The Secunia report then refers to the few outstanding vulnerabilities without patches at the time of publication. The report says there were six such vulnerabilities in Internet Explorer and three in Firefox. In one instance of a critical vulnerability involving flaws in same-origin and cross-domain security policies for IE 5 and 6, Microsoft left the flaw un-patched for 110 days.

Microsoft's "security evangelist", Jeff Jones, claimed in a study in late January that Firefox users had to live with open security vulnerabilities for 285 days. Critics responded that his counting method was incorrect.

Secunia's report for 2008 also shows the results displayed by its own in-house tally tool, Personal Software Inspector (PSI). For the ten most frequently installed application programs, at least one in four was vulnerable because patches had not been applied. The tally for Sun Java JRE 1.5.x/5.x showed that 96 per cent of installations were out of date, while 48 per cent of Adobe Flash Player 9.x instances were still insecure. Adobe Reader 8.x was vulnerable on one in four installations.

Secunia has one piece of good news to impart: its observations show that the number of zero-day exploits fell from 20 in 2007 to 12 in 2008. Nine of these were "Microsoft-related", and the remaining three affected third-party ActiveX controls in Internet Explorer.

See also:

• Ghostly threat to Internet Explorer users, a report from The H.