Thursday, December 20, 2007

Why Linux is More Secure Than Windows

In my last post, I showed that the vulnerability counts for Ubuntu Dapper LTS were lower than those for Windows Vista. However, I also mentioned that this should be used only to counter Microsoft FUD, and not as a measure of security. What, then, shows that Linux is actually more secure than Windows?

To answer this, we first have to look at what security actually is. Too many people make the mistake of calling a product secure, e.g. Linux is more secure than Windows, Opera is more secure than IE, etc. Now, security is not a product. It is a process with the user in a central role. Security is a state to be actively attained by proper interaction of the user and the software. Vulnerability patch management is just one important part of this process. What are perhaps more important are proper tools for patch management, stronger defaults and a multilayered approach to security, keeping in mind the practical security scenario for that particular software, with the user forming both the first and last line of defence.

With this in mind, I turn to the reasons why an educated user using a Linux distro is in general more secure than when using Windows:

  1. Much better patch management tools: In Windows, the automated update procedure just updates the components supplied by Microsoft. No third party applications are patched. Now, third party applications make up the bulk of the security vulnerabilities. Using Real Player? You have to update separately. Using Flash? Update separately. So, you have to regularly check for updates for each and every application. This is extremely cumbersome (though, fortunately, the experience is made tolerable by use of the Secunia PSI), and most users just forget to do it. In Linux, you have an automated update system which will update all your software. In Ubuntu, any product you have downloaded, if present in the repository, will be updated at a single click of the mouse. In other distros, if the downloaded software is not present in the repository provided by the distro, adding the product's repository is a one time process. This greatly increases user compliance in staying fully updated.

  2. Much stronger default configuration: Linux was designed to be a multi-user system. Therefore, the underlying system files remain protected even if the user's account is compromised. If, unfortunately, any remote code execution does take place, its effects are confined to that user's privileges. This is to be contrasted with Windows XP, where the user logs in as administrator by default, and any compromise takes on a system wide character. Windows Vista has also moved to a limited user account by default, and therefore is more secure than its predecessor.

  3. Modular Design: Linux is modular by design, that is, any system component may be removed if unnecessary. As a result, if the user feels that a part of the system is more insecure, he or she may remove that component. The same cannot be said of the Windows system. E.g. if I feel that Firefox is the most vulnerable part of my Linux distro, I may remove it completely and replace it with another browser, say, Opera. In Windows, I cannot remove Internet Explorer.

  4. Better tools to protect against zero-day attacks: It is not always sufficient to keep oneself fully patched. Zero-day attacks (an attack where the exploit code is released before the vendor patches the vulnerability) are becoming increasingly common. One study has also shown that it takes only six days for crackers to release exploits, while it takes vendors much longer to release patches. Therefore, a sensible security policy will make provisions for zero-day attacks. Windows XP has no such provision. Vista's protected mode, though useful, provides only limited protection against attacks on Internet Explorer. Contrast this with the protection provided by AppArmor or SELinux, both of which provide finely granular protection against any type of remote code execution attack. It is becoming increasingly common for distros to ship with AppArmor (e.g. SuSE, Ubuntu Gutsy) or SELinux (Fedora, Debian Etch, Yellow Dog) by default. In others, they can be downloaded from the repositories (e.g. AppArmor in Mandriva 2008).

  5. Open Source Architecture: In Linux, it is mostly “what you see is what you get” as far as security is concerned. The open code means that vulnerabilities are seen by “many eyes” and fixed as fast as possible. More importantly, this also means that there is no scope to hide patched vulnerabilities; there are no hidden fixes. The user, if motivated, may find out the security issues known for his operating system, and take precautionary measures against potential exploits, even if the vulnerabilities are not patched. In the Windows world, however, many security issues are hidden. Internally found flaws are not publicly released, and the vendor waits for a major update or service pack to patch them silently. While this may lead to lower vulnerability counts, and better publicity using flawed statistics, it keeps the user in ignorance. As a result, a user may not patch a system if he finds that he is not vulnerable to the reported vulnerabilities, while he may, in reality, be affected by a hidden patch.

  6. Diverse Environment: The Windows environment has been likened to a monoculture. There is great homogeneity which makes it easier for crackers to write exploit code, viruses and the like. Compare this to the Linux world. Here, a program can be a .deb, .rpm, or source code, to name a few. This heterogeneity makes it difficult for crackers to have the widespread impact that is possible on Windows.

Finally, however, the security of a system is in the hands of the user. A knowledgeable user can use Windows 98 safely, while an ignorant user may compromise even an OpenBSD based system. Therefore, it is extremely important to know how one can be compromised, and how one can protect oneself against getting owned. Remember that!

Tuesday, December 18, 2007

Ubuntu vs Vista Vulnerability Counts in 2007: Destroying the FUD



There has been a lot of FUD flying around stating that Microsoft Windows Vista is more secure compared to Linux. What has actually been compared is the number of vulnerabilities fixed for a distribution of Linux and for Windows Vista. Both 3 month and 6 month studies have been published, with the intention of showing Linux security in a poor light. Now, this is in no way an apples to apples comparison, because a Linux distribution contains plenty of applications. Furthermore, vulnerabilities for server applications had also been included. For an apples to apples comparison, just the OSes have to be compared. So I went to Secunia, and found out the vulnerabilities affecting Ubuntu 6.06 and Vista for the entire year 2007 till date. What I found was surprising: in 2007, in the OS (which I took to be the kernel + X Windows + desktop environment for Ubuntu, with their libraries), Ubuntu had only three highly critical vulnerabilities. Windows Vista, in fact, had 10. Check it out for yourself.

For this study, I checked only the highly and extremely critical vulnerabilities, because these are the vulnerabilities which hackers actually use to get into the system. The moderately critical vulnerabilities give DoS attacks causing crashes, while the mildly critical vulnerabilities do not cause system compromise or require local access. However, these mildly critical reported vulnerabilities are more numerous in the Linux distros.

All the other vulnerabilities in Linux were due to other applications like Firefox or Xine or Open Office. My earlier analysis has already shown that Firefox is more secure than Internet Explorer, even though Firefox had more vulnerabilities. If comparable applications had been installed in Windows Vista, the vulnerability counts of Vista would in all probability have exceeded those of Ubuntu. Especially if Quicktime or Real were installed along with an instant messenger service in Vista, the comparison would have been really interesting, but I am leaving that for my next post.


Note that this analysis is just for disproving the FUD. Actually, the reason why Linux is more secure is different. It has a more secure architecture, and has a wonderful tool (Synaptic) which can update all the applications in a single click, an ease which is simply missing in Windows, as a result of which many people do not update their third party software properly. But more of that later. Just remember, the graph above is an argument against FUD. The real reasons for security are different. Vulnerability counts are a horribly flawed metric to compare operating systems. Furthermore, even days-of-risk are not a good measure to compare security in Linux distributions relative to closed source OSes.

N.B.: For the record, the highly and extremely critical vulnerabilities are 10 for Vista, 13 for IE7 on Vista, 3 for Windows Mail and 2 for Windows Media Player.
For Ubuntu, all the three vulnerabilities listed above were in OpenSSL (I disagree with the criticality, but that is another matter). There were other highly critical vulnerabilities in Firefox, Open Office, Poppler, ImageMagick, Xine-lib, krb5, and w3m, for the default desktop installation. If possible, and my ISP permits (they are a stupid lot), I will give more information tomorrow. Since more patches may come in the rest of the year, I am not giving the exact numbers now.

This comparison is just from the information found in Secunia. Other security analysts may give different ratings.

Update: These packages showed highly critical vulnerabilities till 12/19/2007

Package        Advisories
OpenSSL        SA27363, SA27021
Firefox        SA24205, SA25469, SA25984, SA26095, SA27311, SA27725, SA23282
Open Office    SA27077, SA26022, SA24647, SA23711
Imagemagick    SA27048, SA25992
Poppler        SA27632
Xine-UI        SA24462
w3m            SA23588
Koffice        SA27658
Thunderbird    SA27383, SA26572, SA24410, SA23591
Krb5           SA26644, SA25801, SA23772
php            SA26102, SA25372
tcpdump        SA26286

Of these, only OpenSSL can be considered a part of the OS. Kerberos is not enabled, php and tcpdump are server packages, and the others are application packages (of which Koffice and Thunderbird are not a part of the default installation in Ubuntu anyway). I will update the list again at the end of the year. Also note that these are advisories. An advisory may contain more than one vulnerability, e.g. OpenSSL has 2 advisories but 3 vulnerabilities. For this study, vulnerability checking of the applications has also been done upstream.

Monday, December 3, 2007

Internet Explorer Shows Amazing Security Gains in 2007

(..Ok, Opera finished as the safest browser, but that's nothing new)

I have finished calculating the total number of risk-days (for those who want to know what risk-days are, read my earlier research) for browsers for the period January 2006 till now. Whew! And the surprising result is that Internet Explorer has improved markedly on the security front in 2007. When compared for the entire period of the study, IE finished as the most vulnerable browser. However, when comparing the years 2006 and 2007 separately, a pleasant surprise awaited me!

Edit: I celebrated too soon. In December, one more zero-day vulnerability was announced in IE. There were also three more highly critical IE flaws and four more highly critical Opera flaws reported, but they were not associated with any increase in risk-days (updated on 01/22/2008).

In 2006, the security record of Internet Explorer was abysmal! It was nowhere near its competitors. 2007 also began inauspiciously, with a zero-day vulnerability in January. However, since then, there has to date not been a single highly or extremely critical risk-day (see graph)! Well, neither have Firefox (if you leave out the URI vulnerability, which was basically a Windows problem) or Opera had one, but for Internet Explorer, it is definitely a first.


Graph I: The high criticality risk-days for the different browsers in 2006 and 2007 (up to 1st December). Note that Opera just does not appear, and none of the browsers appear in 2007. For an explanation of the two bars for Firefox, read the last paragraph of the article.

Graph II: The risk-days for each browser for 2006 and 2007 (up to 1st December). Opera clearly has the best record. Firefox has a better record than Internet Explorer.

However, as is Microsoft's wont, the risk-days for low risk vulnerabilities have shot through the roof, and resulted in it having by far the highest number of risk-days among the major browsers. However, I suspect that there is improvement in that sphere also. Actually, the tables below flatter Microsoft's record in 2006, as they do not consider the number of unpatched vulnerabilities it carried into 2006. Now, low-risk weaknesses are also important, since they can be a source of cross-site scripting or similar attacks, where important user information may be stolen from an unwary user. This is a problem area for Internet Explorer and, to a lesser extent, Firefox. Opera was also plagued by cross-site scripting vulnerabilities.




Tables I, II and III: Showing the different risk days for the different categories of vulnerabilities, for the different browsers.

The methodology of the study was the same as in the previous study. A search of Secunia was made for all the reported vulnerabilities, and the risk-days were calculated. Risk-days is the sum of the total number of days for which vulnerabilities in a particular application were publicly announced but still unpatched.

There were plenty of problems faced while making the analysis. Secunia gives total advisories; however, all the vulnerabilities within an advisory are not of equal severity. Secunia usually gives the advisory the highest criticality rating among its vulnerabilities. This results in less severe vulnerabilities being classified as critical bugs if the Secunia advisory is followed. Usually, this causes no problems for a risk-days analysis, because a multiple-vulnerability advisory is mostly the vendor advisory, where the vulnerabilities disclosed have zero risk-days. In one case, however (Firefox, 2006), a moderate criticality bug was not properly patched, raising its risk-days to 45. Since this was part of an advisory reporting highly critical flaws, it got a 4x tag attached to it unfairly. However, to maintain uniformity in the analysis, this was still kept in the highly critical group. If a fair assessment is made, the number of risk-days for Firefox in the 4x group should be 7 and 3x should be 45.

In 2007, Secunia showed a security flaw in Firefox for the infamous URI bug, but it was shown just as a Firefox bug. Since it was primarily a Windows bug and depended upon IE (and is still classified as an IE bug in NVD), I have decided to remove it from the analysis. To safeguard against any faulty conclusion, I therefore compared all the high criticality flaws (4x and above) and confirmed them with the NVD database.

There was the further question of how to measure the risk-days for zero-day vulnerabilities. Because an accurate date for the emergence of the bug was elusive, I did not give any numbers for the zero-day bug in 2007 for IE, but replaced it with a question mark. I suppose some mistakes may still be made, so I will try to upload the files so that they can be downloaded and scrutinized properly. These inaccuracies make it necessary to look at the big picture rather than just counts of the vulnerabilities. Vendor-supplied ratings, where applicable, are many times a better guide.

Sunday, December 2, 2007

Former Microsoft Security Strategist Says Microsoft Does Not Report All Security Issues

Respected security strategist Window Snyder, presently Head of Security Strategy at Microsoft and formerly senior security strategist at Microsoft and security lead and signoff on Microsoft Windows XP Service Pack 2 and Windows Server 2003, has mentioned that Microsoft does not publicly report security issues found internally. Rebutting the study comparing IE security to Firefox by one of the directors of security at Microsoft, she stated in her blog that:
"One of the goals of the bug counting report is to demonstrate that Microsoft fixed fewer bugs for IE than Mozilla did for Firefox. Unfortunately for Microsoft (and for anyone trying to use this report as analysis of useful metrics) he does not count all the security issues... He counts only the public issues, because that is all Microsoft will tell us about... the set of issues that are available for public comparison is limited to the set of vulnerabilities that are reported externally AND fixed in security updates.

This is a small subset of all the vulnerabilities, because the vulnerabilities that are found through the QA process ... are fixed in service packs and major updates"

This, coming from a former Microsoft Security Strategist, is a big deal and confirmation that all the studies coming out from Microsoft comparing the security of their products with their competitors are just hogwash.
She also says that Microsoft is worried that if they publicly release X updates, the world will focus on those X updates, not on the fact that they are now fixed and no longer a risk.
This actually leads to some questions for our mainstream technology media. Why is counting bugs actually important? I am no supporter of Microsoft, but why are they vilified at every opportunity for fixing bugs? Fixing bugs is essential, and all vendors do it. Perhaps if our attitude to bug counts changes, Microsoft will become more open in this regard. OK, Microsoft are prats, but to some extent the media, in search of a good story (and nothing sells like bashing a giant), are also to blame.

Friday, November 30, 2007

The Microsoft FUD Machine cometh again: Firefox said to be less secure than Internet Explorer

I had lost all interest in blogging, but the latest installment of FUD by Microsoft has made me take it up again. Jeff Jones, security guy at Microsoft, has published a paper stating that Firefox has a greater number of unpatched vulnerabilities, and is more insecure. Now, I had done a small study a few months back comparing the vulnerabilities of the three major browsers on the Windows platform, and could come to no conclusion except that IE was the most insecure browser.
I will go through his paper thoroughly now, and also refine my analysis, but I can tell you a few things:
i) Jeff Jones is extremely competent about calculating the "days of risk" in comparing Linux and Windows, but he has not done so in his study. I will determine over the next two days what the "days of risk" actually were. I just suspect he has something to hide over there ;)
ii) The above "days of risk" are theoretical; the "actual days of risk", that is, the days that the user was actually under attack even though fully patched, are also important. You may have just one vulnerability, but if that is undergoing a zero-day attack and you have not patched it, then it is much less secure for all practical purposes than a piece of software with a hundred patched vulnerabilities having a thousand "days of risk". IE has undergone too many zero-day exploits to be called a secure browser under XP. This is never mentioned by any Microsoft report. So, if someone tells you that IE is more secure than Firefox, just mention the words "Zero day".
iii) Since he is so self-congratulatory about the vulnerability counts of IE, let him compare IE with Opera, and follow his thread of reasoning in assessing the security of the browsers.
iv) Vulnerability counts are not everything; they are just one metric. I have to say that if UAC is switched on in Vista, it would make IE 7 more secure than even Opera, even if IE has more unpatched vulnerabilities. However, for Windows XP, IE was till a few months ago the most insecure browser. Let me see if things have changed! I strongly suspect NOT!
Till then, read my previous blog post about that subject and tell me if you have any objections to my methodology. I did not use the NVD ratings, but did use another respected third party rating, so I do not think there is any issue there.
Till then, stay well and beware of FUD.

Thursday, March 8, 2007

GIMP: The best image editing software for home users

GIMP is the best image editing software for amateurs and home users. You can download it here. You will also need a few tutorials, which you can get here. There have been a lot of arguments about which is better, the GIMP or Adobe Photoshop. Philip McClure has done a nice analysis of GIMP vs Photoshop, and has found GIMP to be better for home users and Photoshop to be better for professional use. However, be warned: GIMP takes time to learn, but in the end it is worth the effort.

Sunday, February 25, 2007

ONLINE MALWARE SCANNERS, A GREAT COMPLEMENT TO YOUR ANTI-VIRUS


You have a good anti-virus, congratulations. You are conscientious about spyware and have included a good anti-spyware. Further congratulations. However, you have to remember that all anti-viruses will miss something, and there is no anti-spyware which gives 100% results. This fact was borne out to me when, in spite of using an anti-virus with an above 99% detection rate (the best in the industry), I found two pieces of malware on my system when running the Trend Micro online scanner. Therefore, I recommend that an additional online scan be run on the system occasionally (every 7 or 15 days) so that there is an additional layer of security. It is to be noted that some of the scans just detect malware, but cannot remove it (e.g. Kaspersky online scan), while some both detect and remove the virus/trojan/spyware (e.g. Trend Micro).

Check out the following sites:

Trend Micro (scans and repairs files damaged by viruses, deletes spyware): http://housecall.trendmicro.com/

Panda (detects and removes viruses and trojans, only detects spyware): http://www.pandasoftware.com/products/ActiveScan.htm

Bit Defender (scans and repairs files damaged by viruses): http://www.bitdefender.com/scan8/ie.html

e-Trust (detects and removes viruses): http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Kaspersky (only detection): http://www.kaspersky.com/virusscanner

Symantec (only detects viruses): http://security.symantec.com

McAfee (only detects viruses): http://us.mcafee.com/root/mfs/scan.asp

F-Secure (only detection): http://support.f-secure.com/enu/home/ols.shtml


Please note that you have to run Internet Explorer for most of these scans. Also read the FAQ and EULA before scanning. You have to download a program of a few MB in size and then continue.

Note: The scans may take a long time, so make sure you scan when you have plenty of free time.

Further IMPORTANT note: The online virus scans are a complement, not a replacement for your anti-virus. An AntiVirus having real time scanning is a must.

Saturday, February 24, 2007

WHICH IS THE BEST FREE ANTI-VIRUS PROGRAM


There are 6 major anti-virus programs: AOL Active Virus Shield, Avira AntiVir Personal Edition Classic, Bit Defender Free edition, Avast! Home edition, AVG Free edition and ClamWin. To compare these programs, we need to know the detection rates, how the program affects the system speed, and the scanning speed. In this article, I will compare these programs across these parameters to decide which should be the best for most users.


DETECTION RATES:

From www.virus.gr:

AOL Active Virus Shield: 99.62%

Bit Defender Freeware: 95.57%

Avira AntiVir Classic: 94.26%

Avast! Freeware: 87.46%

AVG Free: 82.82%

ClamWin: 51.23%

Versions tested: AntiVir 7.01.01.02 Classic, Active Virus Shield by AOL 6.0.0.299, BitDefender 8.0.202 freeware, Avast 4.7.871 freeware, AVG 7.1.405 freeware, ClamWin 0.88.4. Each cell gives the number of samples detected and the detection rate.

Virus type (samples)        AntiVir           AOL AVS           BitDefender       Avast             AVG               ClamWin
File (256)                     231  90.23%      253  98.83%      185  72.27%      174  67.97%       43  16.80%      135  52.73%
MS-DOS (38851)               37929  97.63%    38748  99.73%    37585  96.74%    36702  94.47%    33433  86.05%    29612  76.22%
Windows.* (1978)              1858  93.93%     1928  97.47%     1728  87.36%     1761  89.03%     1639  82.86%     1055  53.34%
Macro (7638)                  7444  97.46%     7632  99.92%     7374  96.54%     7218  94.50%     7213  94.44%     6192  81.07%
Malware (7769)                4826  62.12%     7614  98.00%     5163  66.46%     4535  58.37%     3919  50.44%     2721  35.02%
Script (10003)                9608  96.05%     9875  98.72%     9833  98.30%     8971  89.68%     8223  82.21%     5569  55.67%
Trojans-Backdoors (80689)    76833  95.22%    80571  99.85%    78800  97.66%    69372  85.97%    67432  83.57%    30124  37.33%
Total (147184)              138729  94.26%   146621  99.62%   140668  95.57%   128733  87.46%   121902  82.82%    75408  51.23%

Feature                     AntiVir           AOL AVS           BitDefender       Avast             AVG               ClamWin
Boot disk/cd                NO                NO                NO                NO                YES               NO
Right-click scan            YES               YES               YES               YES               YES               YES
Online update               YES               YES               YES               YES               YES               YES
Background scanning         YES               YES               NO                YES               YES               YES
Folder-only scan            YES               YES               YES               YES               YES               YES

Another important consideration is whether the product has a succession of VB100 certificates. However, it is difficult to know whether the certificates are for the professional paid version or also for the free version. Going by the vendor,

AOL Active Virus Shield: Did not enter. However, it is powered by the Kaspersky engine, which has passed all tests it entered in 2006.

Bit Defender: Passed all tests in 2006, did not enter in 2007

Avira AntiVir: Passed two tests, but failed 1 in 2006, did not enter in 2007

Avast!: Entered 4 tests from 2006-2007, passed all (certified fit for Windows Vista)

AVG: Entered 4 tests from 2006-2007, passed all (certified fit for Windows Vista)

Clam Win: Did not enter


ICSA certified for virus detection: Bit Defender, Avira AntiVir, Avast!, AVG (all are for Windows XP)(Kaspersky is also ICSA certified)


ICSA certified for Virus cleaning: Bit Defender (all are for Windows XP), (Kaspersky also has that certificate)


AV Comparatives gives perhaps the best comparison of antivirus detection ability. According to that site, the professional editions of Kaspersky and Avira were rated the highest among the companies listed here. However, their data cannot be given over here for copyright reasons, and you have to go to their website to access their articles. Avira was the best for polymorphic viruses. However, that site rated the professional editions, and may not hold true for free editions.
Winner: AOL Active Virus Shield. It is powered by Kaspersky, which has the highest detection rates for any anti-virus.

Because of the low rate of detection, Clam Win will not be discussed any further.

HOW THE PROGRAM AFFECTS THE SYSTEM:

AOL Active Virus Shield affects the startup time the least, followed by Avira, Avast!, Bit Defender and AVG.

SCANNING is done in the least time by Avira, followed by Bit Defender, Avast!, AOL Active Virus Shield and AVG.

AVG is the only free antivirus in which a rescue CD can be built.

Other Quirks: Bit Defender lacks real time scanning.


Overall, FOR WINDOWS XP, THE WINNER IS AOL ACTIVE VIRUS SHIELD, closely followed by Avira, and then Avast!, AVG and Bit Defender. It is fast, has a higher detection rate than all other paid anti-viruses, and does not slow down the system much. In fact, it can release memory when another program is running concurrently, so that the user is not hampered by the scan.

Avira AntiVir is also an excellent choice, as is Avast!. AVG is a standard product which has the added advantage of having a rescue CD. Bit Defender is good, but lacks real time scanning, a real necessity, and therefore is not recommended, in spite of having high detection rates.

FOR WINDOWS VISTA, only Avast! and AVG have got the certification. Therefore, for the present, these are the two best products.


I will try to post the exact boot times and scanning times for my computer within the next few posts. Other reviews on how the antivirus affects the system performance will be found here and here

For the best comparison of anti-virus detection rates, you can go here.


Wednesday, February 21, 2007

WHICH IS THE MOST SECURE BROWSER?

Browser security is extremely important. It is one of the major ways by which a remote attack can be made on your system. Any important information on your system can be easily read by a malicious hacker if you are not careful. Therefore, browser security is of prime importance.

There have been misguided, (and probably mischievous) attempts in the net to measure the security afforded by a browser just by the number of reported vulnerabilities. It is NOT necessary that a higher number of reported vulnerabilities implies an insecure browser. In fact, it may well reflect transparency on the part of the company to alert the users about the security hazards they would be facing if they either do not apply patches or try a workaround. On the other hand, a company refusing to acknowledge a discovered flaw and not patching it for months altogether is socially irresponsible.

The most important aspects for the end user should be the criticality of the risk they face due to a program flaw and the number of days they are at risk due to that flaw remaining unpatched. A higher number of reported vulnerabilities that were patched before the flaw was publicly known is much more secure than just one critical flaw that allows a hacker access to a computer for just a few days. In the former case, most hackers will not get at you; in the latter, anyone interested may get any information they want from your computer. Keeping this in mind, I propose that the number of risk-days due to a vulnerability be the true indicator of browser security. In this metric, the number of days a vulnerability remains unpatched equals the risk-days for that vulnerability. The risk-days for all the reported vulnerabilities may then be added together to get an estimate of the risk, and therefore the security provided by a browser may be measured. It should be noted that not all vulnerabilities are of equal risk, and therefore the risk-days for vulnerabilities of different risk categories should be calculated differently.

Keeping the above in mind, I attempted to calculate the risk a user faced in using a fully patched version of Internet Explorer, Mozilla Firefox and Opera on the Windows XP operating system. I have also made the assumption that the user would upgrade the browser on the date of release, e.g. an Internet Explorer user would have downloaded IE 7 on October 18. Even otherwise, the conclusions of this study would have remained the same, but the numbers would have changed. All the vulnerabilities for the browsers have been taken from www.secunia.com, the website of one of the most respected third party cyber security companies.
Secunia divides vulnerabilities into 5 grades ranging from “not critical” to “extremely critical”. These have been translated as ranging from criticality 1x to criticality 5x in my study. The study period ranged from January 2006 to the present. The number of unpatched vulnerabilities was also noted. The interpretation of the criticality levels can be found at www.secunia.com.
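As an added example (not from this blog or from Secunia), the risk-days metric described here and in the December methodology post, computed in Python over constructed sample data: each flaw is rated individually rather than inheriting its advisory's highest rating, a flaw carried in from before the study window only counts from the window's start, and one still open at the end counts up to the end. The browser names and dates are made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Secunia's five criticality grades, mapped to the 1x..5x labels used in the post.
CRITICALITY = {
    "not critical": 1,
    "less critical": 2,
    "moderately critical": 3,
    "highly critical": 4,
    "extremely critical": 5,
}


@dataclass(frozen=True)
class Vulnerability:
    """One vulnerability, not one advisory: an advisory may bundle several flaws
    of different severity, so each flaw carries its own rating here."""
    product: str
    criticality: str          # one of the CRITICALITY keys
    disclosed: date           # day the flaw became publicly known
    patched: Optional[date]   # None = still unpatched at the end of the study


def risk_days(vuln: Vulnerability, study_start: date, study_end: date) -> int:
    """Days the flaw was public but unpatched, clipped to the study window.

    A flaw disclosed before the window (carried in from an earlier year) only
    counts from study_start; one still open at the end counts up to study_end.
    A vendor advisory that discloses and patches on the same day contributes 0.
    """
    if vuln.criticality not in CRITICALITY:
        raise ValueError(f"unknown criticality: {vuln.criticality}")
    start = max(vuln.disclosed, study_start)
    end = min(vuln.patched or study_end, study_end)
    return max((end - start).days, 0)


def tally(vulns: List[Vulnerability], study_start: date,
          study_end: date) -> Dict[str, Dict[str, int]]:
    """Per product: risk-days per column ("1x".."5x", as in Table 2), the
    number of flaws per column (Table 1) and how many are still unpatched
    (Table 3)."""
    table: Dict[str, Dict[str, int]] = {}
    for v in vulns:
        days = risk_days(v, study_start, study_end)   # validates the rating too
        label = f"{CRITICALITY[v.criticality]}x"
        row = table.setdefault(v.product, {
            **{f"{n}x": 0 for n in range(1, 6)},
            **{f"count_{n}x": 0 for n in range(1, 6)},
            "unpatched": 0,
        })
        row[label] += days
        row[f"count_{label}"] += 1
        if v.patched is None or v.patched > study_end:
            row["unpatched"] += 1
    return table


def total_risk_days(row: Dict[str, int]) -> int:
    """Unweighted sum over the five columns; the post keeps them separate."""
    return sum(row[f"{n}x"] for n in range(1, 6))


# Constructed sample data for two hypothetical browsers over 2006 (not Secunia's).
STUDY_START, STUDY_END = date(2006, 1, 1), date(2006, 12, 31)
SAMPLE = [
    # Vendor advisory: disclosed and patched the same day -> 0 risk-days.
    Vulnerability("BrowserA", "highly critical", date(2006, 3, 10), date(2006, 3, 10)),
    # Public for 12 days before the patch shipped.
    Vulnerability("BrowserA", "moderately critical", date(2006, 5, 1), date(2006, 5, 13)),
    # Carried in from 2005, patched on 31 Jan: only the 30 days inside the window count.
    Vulnerability("BrowserB", "less critical", date(2005, 11, 15), date(2006, 1, 31)),
    # Exploit public before the patch (5x), fixed five days later.
    Vulnerability("BrowserB", "extremely critical", date(2006, 9, 20), date(2006, 9, 25)),
    # Still unpatched at study end: accrues risk-days up to 31 Dec.
    Vulnerability("BrowserB", "not critical", date(2006, 12, 1), None),
]

if __name__ == "__main__":
    results = tally(SAMPLE, STUDY_START, STUDY_END)
    header = "".join(f"{n}x".rjust(6) for n in range(1, 6))
    print(f"{'Browser':<10}{header}  total  unpatched")
    for product, row in results.items():
        cols = "".join(str(row[f"{n}x"]).rjust(6) for n in range(1, 6))
        print(f"{product:<10}{cols}{total_risk_days(row):>7}{row['unpatched']:>11}")
```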


                     1x   2x   3x   4x   5x
Opera                 1    2    0    4    0
Firefox              421710 (column values run together in the source)
Internet Explorer    172296 (column values run together in the source)

Table 1: Showing the number of vulnerabilities reported for the different browsers in the period Jan 1 2006 to Mar 2 2007.

As can be seen from Table 1 above, Opera experienced the least number of vulnerabilities. The number of vulnerabilities of Firefox was higher than that of Internet Explorer, a finding by which some people have come to the (erroneous) conclusion that Firefox is less secure than Internet Explorer. However, Internet Explorer had vulnerabilities in the extremely critical range, meaning that a public exploit was already available at the time of the patch, and the user was already at risk even while the patch was being downloaded.


                     1x   2x   3x   4x   5x
Opera                34    0    0    0    0
Firefox              1483627550 (column values run together in the source)
Internet Explorer    2329621308620 (column values run together in the source)

Table 2: Showing the total risk-days for vulnerabilities for the different browsers in the period Jan 1 2006 to Mar 2 2007.


The total number of risk-days for the browsers given in Table 2 paints a more accurate picture of browser security. Opera had the least number of risk-days, and these were from the lowest risk category (labelled as “not critical” by Secunia). Firefox had far fewer risk-days than Internet Explorer, showing that the developers of this browser are much more responsible in giving out security patches. Internet Explorer had the worst record, and even the most critical vulnerability was left unpatched for some days.



                    1x  2x  3x  4x  5x
Opera                0   1   0   0   0
Firefox              1   1   0   0   0
Internet Explorer    0   5   1   0   0


Table 3: Showing the number of unpatched vulnerabilities in the period Jan 1 2006 to Mar 2 2007.

Table 3 shows the number of unpatched vulnerabilities. It again shows Opera in the most favourable light. At the moment, IE also has the highest number of unpatched vulnerabilities.

Therefore, Opera is probably the most secure major browser for Windows in the market today, beating the other two vendors by a fair margin in all the metrics of security. Firefox has, for the most part, been much more secure than Internet Explorer, a fact which can be obscured by its higher vulnerability count. Internet Explorer has failed spectacularly on the security front. It is amazing, therefore, how IE apologists still maintain that IE is secure, citing some superficial and inappropriate statistics.


In the end, what these statistics also show is that even the best browser may have vulnerabilities discovered. In a way, this is to be expected, because software programs (like humans) are not perfect. This therefore also serves as a reminder to always keep one's browser updated.

Monday, February 19, 2007

WHICH IS THE BEST BROWSER OF THEM ALL?

There have been numerous arguments as to which is the best browser: Internet Explorer, Mozilla Firefox or Opera. All three have their own strong points, making it very difficult to decide which is the best browser. Added to that are the differing philosophies behind the creation of each browser: Firefox has a simple default install and gives the owner the freedom to customize the browser to his or her choice. Opera, on the other hand, gives a feature-packed default install to make browsing as powerful as possible. Also coming into the question is the open-source versus proprietary debate. As a result of all these, this article will try to assess subjectively which the best browser is. Perhaps the question cannot be answered at all, and in the end it will just show the writer's perception and needs. Therefore, what follows is the author's two paise on the browsers.
For this article, the different browsers will be judged according to the following criteria:
1. Page rendering and viewability - 40%
2. Web standards compliance - 10%
3. Security - 20%
4. Features - 20%
5. Speed - 10%
Of these, page rendering and viewability is the most important function. A person uses a browser to view web pages and check web mail. Therefore it is given the greatest weightage. However, many browsers suffer because many web pages are not standards compliant and have been optimised for a single browser. Standards are extremely important, and adherence to these standards shows, to an extent, the social responsibility of the browser manufacturers. Therefore, an additional 10% has been given for web standards compliance. Standards compliance has been tested using the Acid2 test and another web page showing the extent of standards compliance of the browsers.
Security is extremely critical, and the data extracted from secunia.com has been used for measuring this component. What has been considered is the number of reported vulnerabilities, the time taken to patch the critical (and not so critical) vulnerabilities, and the number as well as the severity of unpatched vulnerabilities.
Comparison of features is difficult to measure. It is extremely difficult to give a number to useful features. Therefore, this portion will be the most subjective of the various assessments. What complicates the matter further is that Opera has more installed features, while Firefox gives the user the choice to extend his browsing capabilities. Therefore, what this will intend to measure is the features that a user may wish to install, whether or not they come with the default installation.
Speed is the fifth component of this comparison. I felt that this is not as important a component as features or security, and therefore gave it the least weightage. Now, on to the comparison:

Page rendering and viewability: There is no question about who the winner in this category will be. Due to its immense market share, only a foolish web page maker will make a page not correctly viewable in Internet Explorer. Therefore, almost all web pages are viewable in IE7. Moreover, the presence of ActiveX allows something not possible in other browsers, e.g. online malware scanning. Firefox comes near, but there are still a few pages which do not show well in it. The loser in this category is Opera. Many pages are optimised for IE or Firefox. Even though the Mask as Firefox or Mask as Internet Explorer feature does an admirable job, and perhaps more than 99% of the pages render perfectly, some pages are broken (though functional). Also, it is a pain trying to use online office suites in Opera. (I know it is not Opera's fault, but this analysis was done keeping the end users in mind, and Opera, having a low market share, has to suffer.) The marks given are:
IE7 40
Firefox 38
Opera 34

Web standards compliance: There is again very little doubt about the winner in this category. Opera is the only browser among the three to pass the Acid2 test. Furthermore, a look at the standards compliance shows Opera to be ahead in most of the important features. Internet Explorer has pathetic compliance with standards, and though Firefox is good, it could be better. Of course, development builds of Firefox (the Gran Paradiso) have passed the Acid2 test and will lessen the gap in the coming months.
IE 3
Firefox 7.5
Opera 9

Security: Again, there is little doubt as to the winner in this category. Opera has no unpatched vulnerabilities, and took very little time to patch those it had as well. Firefox has done well, patching the critical vulnerabilities fast and leaving no critical vulnerability unpatched. IE also has unpatched vulnerabilities. It has to be mentioned here that Firefox has more reported vulnerabilities than IE, but this should not be a criterion for marking. The nature of Open Source is such that more vulnerabilities will be reported because there are more eyes scanning the code. What is really important is the promptness with which the vulnerabilities are repaired. Now, two of the unpatched vulnerabilities in Firefox are relatively long standing (June and November 2006) and blot its security record. Opera is almost perfect, but they could have been more open about the patches. As Asa Dotzler pointed out (even though "Asa is a troll"), they did not inform the users about the patches to the critical vulnerabilities. This is an extremely lax attitude and offsets some of their almost perfect record, and 10% of the total points have been docked. Still, they are the runaway winners in this category. IE also has 1.5 points docked for not acknowledging security flaws reported to them and keeping them unpatched.
IE 6
Firefox 13
Opera 18

Features: This was difficult, mind you. On one hand, the numerous extensions of Firefox give the user an almost unbelievable power. However, extensions have an effect on the memory footprint and speed (and to come anywhere near the functionality of Opera, you need to have more than 40 extensions installed). Opera had an amazingly feature-packed default install and can do by default many of the things that the most popular Firefox extensions do. Furthermore, being a full-featured internet suite, it has an inbuilt mail client, news feed reader and chat client, with the former two (I believe) adding much more functionality than any extension. Besides that, online presentations can be prepared with Opera. That, along with MDI, closes the huge gap in functionality that the extensions in Firefox seem to have built up. Internet Explorer had ActiveX and first and third party add-ons (in fact, it has entire browsers, Maxthon and Avant, as add-ons). Therefore, the marks given in this category are extremely subjective and prone to debate.
IE 14
Firefox 18
Opera 14

Speed: Opera is a hands-down winner in this category. It renders pages faster, loads very fast and makes the other browsers seem dead slow. There have been different articles showing that Opera is indeed the fastest, and by a large margin. And for the ones needing text really fast, it can run in text mode.
IE 7
Firefox 7
Opera 9

Final marks:
IE 71
Firefox 83.5
Opera 84

And the winner is: Opera (though by a small margin). However, the small margin of victory emphasises that there will be plenty of users (especially those for whom customisability is important) for whom Firefox will be the browser of choice. Also, as web page makers build good pages, Opera should gain more users. A fairer assessment should perhaps be that Opera and Firefox are both winners. For me, however, in spite of being a supporter of the open source philosophy, Opera rules.