Saturday, March 26, 2005
So which web browser is more secure, anyway?
The more you think about that question the more you realize it's meaningless. But you still have to make a decision about what program you use to poke around the web.
A Belgian security firm called ScanIt has tried measuring browser security. They took several browser programs and counted how many days of the year each one had publicly known vulnerabilities without a patch available.
I compliment their work, but keep in mind that it's not the last word. For one thing, bad guys may know about a vulnerability before the public does. They only counted bugs that allow taking over your computer. Also, not all browsers are equally likely to get attacked on days when they are (known to be) vulnerable. You'd call ScanIt's work "a metric", "approximate", "debatable", or "lame" depending on what your job is and how old you are.
I'm sorry. That paragraph was too abstract. All it means is Your Mileage May Vary. ScanIt's numbers, like mileage numbers, are useful but you need to remember their limits.
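To make the "days per year with a known, unpatched bug" metric concrete, here is an added example (my own code, not ScanIt's, run over constructed sample dates rather than their real data). Each bug is a disclosure date paired with its patch date; overlapping windows count once, and the longest fully patched streak is the kind of number behind a "only one week all year" claim.

```python
from datetime import date, timedelta

# Constructed sample data, NOT ScanIt's figures: one entry per publicly
# disclosed, remotely exploitable bug as (disclosure_date, patch_date).
# patch_date is None when no fix shipped before the end of the year.
SAMPLE_BUGS = [
    (date(2004, 1, 10), date(2004, 2, 5)),
    (date(2004, 1, 28), date(2004, 3, 1)),   # overlaps the first window
    (date(2004, 6, 15), date(2004, 6, 15)),  # patched on disclosure day
    (date(2004, 11, 20), None),              # still open at year end
]


def exposed_days(bugs, year):
    """Set of calendar days in `year` with at least one unpatched public bug.

    A bug counts as exposed from its disclosure day up to, but not
    including, the day the patch became available.  Windows that start
    before or end after the year are clipped to the year."""
    year_start, year_end = date(year, 1, 1), date(year, 12, 31)
    days = set()
    for disclosed, patched in bugs:
        start = max(disclosed, year_start)
        stop = (patched - timedelta(days=1)) if patched else year_end
        stop = min(stop, year_end)
        d = start
        while d <= stop:           # empty when patched on disclosure day
            days.add(d)
            d += timedelta(days=1)
    return days


def window_of_vulnerability(bugs, year):
    """Fraction of the year on which a fully patched install was still exposed."""
    total_days = (date(year, 12, 31) - date(year, 1, 1)).days + 1
    return len(exposed_days(bugs, year)) / total_days


def longest_safe_streak(bugs, year):
    """Longest run of consecutive days with every public bug patched."""
    exposed = exposed_days(bugs, year)
    best = run = 0
    d = date(year, 1, 1)
    while d.year == year:
        run = 0 if d in exposed else run + 1
        best = max(best, run)
        d += timedelta(days=1)
    return best


if __name__ == "__main__":
    print(f"exposed {window_of_vulnerability(SAMPLE_BUGS, 2004):.0%} of 2004, "
          f"longest safe streak {longest_safe_streak(SAMPLE_BUGS, 2004)} days")
```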
The envelope please
The numbers are dramatic compared to gas mileage numbers. Microsoft Internet Explorer was "vulnerable", by their definition, for 98% of the year 2004. There was only a single week, in mid-October, when a fully patched IE installation could stand up to publicly known attacks.
The Mozilla/Firefox family was vulnerable for "only" 15% of the year. To do even that well you'd have to install every patch the day it came out.
The sleeper was a small, fast, feature-rich web browser called Opera. Opera had a "window of vulnerability" for 17% of the year but nobody spotted any malicious software to attack it. The total number of problems was much lower than for the other two, but maybe that's because fewer people were looking.
Here are the ScanIt browser vulnerability study results. Just skim over the parts you don't understand: it's clearly written but assumes that you read all the security news.
ScanIt also offers an online browser vulnerability test you can take to see if you're at risk now.