Wednesday, February 21, 2007


Browser security is extremely important. It is one of the major ways by which a remote attack can be made on your system. Any important information on your system can be easily read by a malicious hacker if you are not careful. Therefore, browser security is of prime importance.

There have been misguided, (and probably mischievous) attempts in the net to measure the security afforded by a browser just by the number of reported vulnerabilities. It is NOT necessary that a higher number of reported vulnerabilities implies an insecure browser. In fact, it may well reflect transparency on the part of the company to alert the users about the security hazards they would be facing if they either do not apply patches or try a workaround. On the other hand, a company refusing to acknowledge a discovered flaw and not patching it for months altogether is socially irresponsible.

The most important aspect for the end user should be the criticality of risk they are facing due to a program flaw and the number of days they are at risk due to that flaw remaining unpatched. A higher number of reported patched vulnerabilities before the error was publicly known is much more secure than just one critically risky flaw that will allow the hacker access to a computer for just a few days. In the former case, most hackers will not get at you, in the latter, anyone interested may get any information they want from your computer. Keeping this in mind, I propose that the number of risk-days due to a vulnerability be the true indicator of browser security. In this metric, the number of days a vulnerability remains unpatched equals the risk days for that vulnerability. In this way, the risk days for all the reported vulnerabilities may be added together to get an estimation of the risk, and therefore, the security provided by a browser may be measured. It should be noted that all the vulnerabilities are not of equal risk, and therefore the risk days for vulnerabilities of different risk categories should be calculated differently.

Keeping the above in mind, I attempted to calculate the risk a user faced in using a fully patched version of Internet Explorer, Mozilla Firefox and Opera on the Windows XP operating system. I have also made the assumption that the user would upgrade the browser on the date of release, e.g. an Internet Explorer user would have downloaded IE 7 on October 18. Even otherwise, the conclusions of this study would have remained the same, but the numbers would have changed. All the vulnerabilities for the browsers have been taken from Secunia, the website of one of the most respected third party cyber security companies.
Secunia has divided vulnerabilities into 5 grades ranging from “not critical” to “extremely critical”. These have been translated as ranging from criticality 1x to criticality 5x in my study. The study period ranged from January 2006 to the present. The number of unpatched vulnerabilities was also noted. The interpretation of the criticality levels can be found at the Secunia website.
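To make the risk-days metric concrete, here is an added worked example (my illustration, not the author's own spreadsheet or Secunia's data). It assumes that a vulnerability's exposure window runs from public disclosure to the vendor's patch, that an unpatched vulnerability keeps accruing risk-days up to the study cut-off date, and that the five Secunia grades are weighted 1x to 5x by simply multiplying the days by the grade; the post says only that different grades should be "calculated differently", so that weighting is an assumption. The advisory records below are constructed, not real advisories.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Criticality grades as used in the post: 1x ("not critical") .. 5x ("extremely critical").
# Multiplying exposure days by the grade is an assumption made for this example.
GRADE_WEIGHT = {1: 1, 2: 2, 3: 3, 4: 4, 5: 5}


@dataclass
class Advisory:
    browser: str
    disclosed: date          # date the flaw became publicly known
    patched: Optional[date]  # None while the vendor has shipped no fix
    criticality: int         # Secunia grade, 1..5

    def risk_days(self, as_of: date) -> int:
        """Days the user was exposed: disclosure until patch, or until `as_of` if still unpatched."""
        end = self.patched if self.patched is not None else as_of
        if end < self.disclosed:
            raise ValueError(f"patch date {end} precedes disclosure {self.disclosed}")
        return (end - self.disclosed).days

    def weighted_risk_days(self, as_of: date) -> int:
        """Risk-days scaled by the criticality grade (1x .. 5x)."""
        return self.risk_days(as_of) * GRADE_WEIGHT[self.criticality]


def summarize(advisories: List[Advisory], as_of: date) -> Dict[str, Dict[str, int]]:
    """Per-browser totals: advisory count, unpatched count, raw and weighted risk-days.

    The point of the metric: a browser can have MORE advisories yet FEWER risk-days
    if its vendor patches quickly and the flaws are low-grade.
    """
    out: Dict[str, Dict[str, int]] = {}
    for a in advisories:
        s = out.setdefault(
            a.browser,
            {"count": 0, "unpatched": 0, "risk_days": 0, "weighted_risk_days": 0},
        )
        s["count"] += 1
        s["unpatched"] += int(a.patched is None)
        s["risk_days"] += a.risk_days(as_of)
        s["weighted_risk_days"] += a.weighted_risk_days(as_of)
    return out


# Constructed sample data for illustration only (not Secunia's advisories).
SAMPLE = [
    Advisory("Browser A", date(2006, 3, 1), date(2006, 3, 1), 2),    # fixed same day: 0 risk-days
    Advisory("Browser A", date(2006, 6, 10), date(2006, 6, 12), 1),  # 2 days, grade 1x
    Advisory("Browser A", date(2006, 9, 5), date(2006, 9, 7), 3),    # 2 days, grade 3x
    Advisory("Browser B", date(2006, 4, 1), date(2006, 4, 15), 5),   # 14 days, grade 5x
    Advisory("Browser B", date(2007, 1, 20), None, 2),               # still unpatched at cut-off
]
STUDY_END = date(2007, 3, 2)  # the study's cut-off date from the post

if __name__ == "__main__":
    for browser, stats in summarize(SAMPLE, STUDY_END).items():
        print(browser, stats)
```

Running it shows Browser A with three advisories but only 4 raw (8 weighted) risk-days, and Browser B with two advisories but 55 raw (152 weighted) risk-days, 41 of them from the advisory that is still open at the cut-off date. Counting advisories alone would rank the two the other way round, which is exactly the distortion the post argues against.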

Internet Explorer 172296

Table 1: Number of vulnerabilities reported for the different browsers in the period Jan 1 2006 to Mar 2 2007.

As can be seen from Table 1 above, Opera experienced the fewest vulnerabilities. The number of vulnerabilities in Firefox was higher than that in Internet Explorer, a finding from which some people have come to the (erroneous) conclusion that Firefox is less secure than Internet Explorer. However, Internet Explorer had vulnerabilities in the extremely critical range, meaning that a public exploit was already available at the time of the patch, and the user was already at risk even while the patch was being downloaded.

Internet Explorer 2329621308620

Table 2: Total risk-days for vulnerabilities in the different browsers in the period Jan 1 2006 to Mar 2 2007.

The total number of risk-days for the browsers given in Table 2 paints a more accurate picture of browser security. Opera had the fewest risk-days, and these came from the lowest risk category (labelled “not critical” by Secunia). Firefox had far fewer risk-days than Internet Explorer, showing that the developers of this browser are much more responsible in giving out security patches. Internet Explorer had the worst record, and even the most critical vulnerability was left unpatched for some days.

Internet Explorer 05100

Table 3: Number of unpatched vulnerabilities in the period Jan 1 2006 to Mar 2 2007.

Table 3 shows the number of unpatched vulnerabilities. It again shows Opera in the most favourable light. At the moment, IE also has the highest number of unpatched vulnerabilities.

Therefore, Opera is probably the most secure major browser for Windows on the market today, beating the other two vendors by a fair margin in all the metrics of security. Firefox has, for the most part, been much more secure than Internet Explorer, a fact which can be obscured by its higher vulnerability count. Internet Explorer has failed spectacularly on the security front. It is amazing, therefore, how IE apologists still maintain that IE is secure, citing some superficial and inappropriate statistics.

In the end, what these statistics also show is that even the best browser may have vulnerabilities discovered. In a way, this is to be expected, because software programs (like humans) are not perfect. This therefore also serves as a reminder to always keep one's browser updated.