browser security by fix rate

Back in 2005 I compared the patch rates of IE, Firefox and Opera. In the past few days the subject of browser security has come up a few times, so I thought I'd revisit the topic to see what (if anything) has changed.

data source

I'm using Secunia advisories again, to keep the data source consistent. The product pages are:

Note that Secunia's data starts from February 2003, regardless of each product's release date. You can investigate Secunia's methodologies if you will; there are some quirks. However I'm not after a perfect scientific investigation, so much as a broad strokes impression.

what am i comparing here?

Since each browser has a different release date and lifespan, comparing raw numbers of problems isn't really useful. However we can compare the percentage of patches/fixes from the vendor - it's not how many security issues were identified, rather it's about how many were fixed.

I would have added in "time to patch" and "days vulnerable" and so on, but Secunia doesn't currently graph that information (as far as I know).

I thought about sorting out standardised timeframes and so on, but the bottom line here is how secure can a user's browser be today? I say "can" since we can't assume that all browsers are up to date with the latest patch (or even close), but we can at least evaluate the potential for a conscientious user to keep up. After all, we can only apply the patches that are available.

Having discussed the user acceptance issue in the previous article (to patch or not to patch?) I won't rehash it here. However I will mention that according to Secunia Opera users really need to update their browsers.

patch rates - july 2005

First, let's remind ourselves of the data from 2005:

Browser patch success rate (Feb 2003 to July 2005)

                                       IE 6   Firefox 1   Opera 7/8**
Number of advisories since Feb 2003*     83          21            42
Vendor patch                            55%         81%          100%
Vendor workaround                        1%           0             0
Partial fix                             13%          5%             0
Unpatched                               30%         14%             0

* Firefox advisories start from August 2004.
** Opera 7 and 8 are combined to create a better comparison in terms of the number of advisories.

[Note - yes I know it didn't really make sense to combine Opera 7 and 8, but both had a 100% success rate so it didn't really change the outcome.]

patch rates - january 2007

First off, let's compare the patch rates of the same browsers (and we'll add Safari so people don't accuse me of forgetting Macs). Remember that these are all superseded versions now:

Browser patch success rate (Feb 2003 to Jan 2007)

                                       IE6    FF1    Op8   Saf1
Number of advisories since Feb 2003    110     39     15     15
Vendor patch                           67%    87%   100%    93%
Vendor workaround                       2%      0      0      0
Partial fix                            11%     3%      0      0
Unpatched                              20%    10%      0     7%

So, no change for the three browsers compared last time. Safari slots in at second, after Opera and before Firefox.

Now let's have a look at the latest versions of the four browsers:

Browser patch success rate (Feb 2003 to Jan 2007)

                                       IE7    FF2    Op9   Saf2
Number of advisories since Feb 2003      4      2      3      6
Vendor patch                           25%    50%   100%    33%
Vendor workaround                        0      0      0      0
Partial fix                              0      0      0      0
Unpatched                              75%    50%      0    67%

This produces very clear results, but the low number of advisories exaggerates the margins. The previous versions all have a higher number of advisories, yet the only change in ranking is that Safari drops from second to third. The sharp drop in patch rate between Safari 1.x and 2.x makes it hard to draw any useful conclusions - has Apple really dropped the ball?

For the other three browsers, the rankings remain:

  1. Opera (100% patched, no change)
  2. Firefox (50% patched, down from 87%)
  3. IE (25% patched, down from 67%)

It's worth noting that the patch rate for both Firefox 1.x and IE 6.x improved between 2005 and 2007. However both dropped noticeably between their previous and current versions (same as Safari). The proportion is exaggerated by the low number of advisories for the newest products.
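The small-sample caveat above can be made concrete. The Python script below is an added example, not code from the original post or from Secunia: it rebuilds the "vendor patch / workaround / partial fix / unpatched" percentages from a list of per-advisory statuses, then puts a 95% Wilson score interval around each patched proportion so the margin a handful of advisories can support is visible. The per-advisory status lists for the latest versions and the (patched, total) counts for the previous versions are reconstructed from the page's percentages and advisory counts; they are illustrative assumptions, not Secunia data.

```python
"""Patch-rate breakdown per browser, with a small-sample check.

Added example (not from the original post): reproduces the percentage
tables above from per-advisory statuses and wraps each patched proportion
in a Wilson score interval, to show how few advisories support a ranking.
"""
from collections import Counter
from math import sqrt

STATUSES = ("Vendor patch", "Vendor workaround", "Partial fix", "Unpatched")

# Constructed sample input: one status per advisory, sized to match the
# "latest versions" table (IE7 1 of 4, FF2 1 of 2, Op9 3 of 3, Saf2 2 of 6).
LATEST = {
    "IE7":  ["Vendor patch"] + ["Unpatched"] * 3,
    "FF2":  ["Vendor patch", "Unpatched"],
    "Op9":  ["Vendor patch"] * 3,
    "Saf2": ["Vendor patch"] * 2 + ["Unpatched"] * 4,
}

# Previous versions as (patched, total), reconstructed from the page's
# percentages and advisory counts, rounded to whole advisories (assumption).
PREVIOUS = {"IE6": (74, 110), "FF1": (34, 39), "Op8": (15, 15), "Saf1": (14, 15)}


def breakdown(statuses):
    """Percentage of advisories in each status, rounded to whole percent like the tables."""
    if not statuses:
        raise ValueError("no advisories")
    counts = Counter(statuses)
    unknown = set(counts) - set(STATUSES)
    if unknown:
        raise ValueError(f"unknown status(es): {sorted(unknown)}")
    return {s: round(100 * counts[s] / len(statuses)) for s in STATUSES}


def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a proportion; stays sane for tiny n and p at 0 or 1."""
    if n <= 0 or not 0 <= successes <= n:
        raise ValueError("need 0 <= successes <= n and n > 0")
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def summarise(name, patched, n):
    """Patched percentage plus its interval bounds, all as whole percents."""
    lo, hi = wilson_interval(patched, n)
    return {"browser": name, "n": n, "patched": round(100 * patched / n),
            "low": round(100 * lo), "high": round(100 * hi)}


def intervals_overlap(a, b):
    """True when two summaries' intervals overlap, i.e. the data cannot separate them."""
    return a["low"] <= b["high"] and b["low"] <= a["high"]


def compare(table):
    """Summaries for a {browser: (patched, total)} table, best patched percentage first."""
    rows = [summarise(name, p, n) for name, (p, n) in table.items()]
    return sorted(rows, key=lambda r: r["patched"], reverse=True)


if __name__ == "__main__":
    for name, statuses in LATEST.items():
        print(name, breakdown(statuses))
    latest_counts = {k: (v.count("Vendor patch"), len(v)) for k, v in LATEST.items()}
    for label, table in (("latest", latest_counts), ("previous", PREVIOUS)):
        print(f"\n{label} versions: patched% [95% interval] n")
        rows = compare(table)
        for r in rows:
            print(f"  {r['browser']:<5} {r['patched']:>3}% [{r['low']:>3}-{r['high']:>3}]  n={r['n']}")
        print(f"  top vs bottom intervals overlap: {intervals_overlap(rows[0], rows[-1])}")
```

With four advisories, IE7's 25% carries an interval of roughly 5% to 70%, which overlaps Opera 9's 44% to 100% (three of three), so the latest-version ranking is not something the advisory counts can support. The 110-advisory IE6 row lands at about 58% to 75% and sits clear of Opera 8's 80% to 100%, so that gap is.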

conclusions?

Well, one clear thing is that Opera is the only vendor with a 100% patch record according to Secunia. Opera is also the only vendor that maintained its patch rate between versions - in fact you have to go back to Opera 6 to find an unpatched advisory (and there's only one).

It's also clear that IE has the worst patch rate of all the browsers compared. You could say that's a result of having a much bigger user base and a correspondingly higher incident rate. But then Microsoft has more resources than the other three vendors combined so it's a pretty weak excuse for leaving security issues unpatched.

Meanwhile Firefox does pretty well for an open-source product, consistently beating IE - even if not by much. Apple meanwhile needs to get Safari 2 sorted out; but we'll see what happens as more data becomes available (for all four browsers).

So at this time Opera wins the patch stakes. The argument can be made that Opera attracts fewer attacks due to small marketshare. That could be true - there's no way to truly know, since malicious hackers aren't polled - but when I'm doing my banking I don't care if it's true. I just care that my browser is secure; and Opera currently has the best record for fixing security issues.


Comments

  1. Anonymous, January 29, 2007 7:40 am:

    Opera may be patching 100%, but its users are not, in the vast majority, applying those patches, which is just as important.

    See the "insecure" percentages, also from Secunia, at http://msmvps.cm/spywaresucks

  2. 200ok, January 29, 2007 9:28 am:

    Like I said, Opera users really need to update their browsers.

    But then so do millions of IE users - but they still won't be secure even if they apply all available patches.

  3. Anonymous, February 02, 2007 5:35 am:

    At least Opera users CAN update their browsers to get 100% coverage, which is the key issue.

about

Web development and standards, as seen by Ben Buchanan.