Web security firm ranks Firefox, Safari browsers as flaw prone

By Robert Westervelt, News Editor
12 Nov 2009 | SearchSecurity.com


Mozilla Firefox accounted for 44% of browser-based vulnerabilities in the first half of 2009, more than any other browser, according to a new report from Cenzic Inc.

Apple's Safari browser came in second, with 35% of all browser-based flaws, followed by Internet Explorer (15%). The Santa Clara, Calif.-based penetration testing vendor said the Safari vulnerabilities were due to issues discovered in the Apple iPhone-based browser. Cenzic said browser vulnerabilities accounted for 8% of the total Web vulnerabilities.

The browsers were ranked by the number of bugs in a study reviewing Web-based vulnerability data collected by Cenzic in the first half of 2009. The firm said that 78% of the 3,100 reported vulnerabilities it identified were Web-based.

Experts caution that the number of vulnerabilities addressed by a browser maker doesn't necessarily mean a particular browser is less secure. For example, Mozilla may be more proactively reporting and repairing vulnerabilities than other browser makers.

Johnathan Nightingale, Mozilla's security and usability expert, called bug counting a waste of time. Nightingale said it ignores the fact that Mozilla can get a patch out to 90% of its user base in less than five or six days, a feat unmatched by many other browser makers.

"What would certainly help make a better assessment is if everyone was open about all the bugs they fixed and if every security fix was well documented," Nightingale said. "There are vendors out there not doing that or bundling several patches together to keep the numbers low and they are going to show up well in these reports."

More important is the fact that many users have outdated third-party browser components, a favorite target of attackers, Nightingale said. Mozilla launched a tool in October that scans Firefox to detect outdated plugins.

The number of Web application vulnerabilities increased more than 10% from the second half of 2008. The flaws were contained in Web servers, applications, Web browsers, plug-ins and ActiveX controls. Information leakage, cross-site scripting (XSS) errors and improper authentication bugs were among the biggest issues found in many Web applications, Cenzic said.

"Of the published vulnerabilities in commercial off-the-shelf applications, SQL injection, and XSS were once again the most common, which is why it is no coincidence that most of the attacks in the first half [of the year] exploited these two vulnerabilities," the Cenzic report noted.

Information leakage errors accounted for 87% of vulnerabilities discovered by Cenzic tests. Web applications that reveal sensitive user data or HTML comments left by developers could be used by hackers to gather data and attempt to penetrate a company's defenses, Cenzic said. XSS errors accounted for 73% of vulnerabilities discovered. The flaws enable an attacker to inject malicious code into the application to spoof content or hijack legitimate websites to target visitors.
Authentication flaws also increased, accounting for 56% of vulnerabilities encountered by Cenzic. The errors allow users to log in without supplying correct credentials. Sometimes the errors can reveal valid usernames and passwords, allowing an attacker to easily gain access to systems, Cenzic said.

The firm also cited a number of different high-profile attacks carried out by hackers exploiting common Web-based vulnerabilities. Hackers carried out XSS attacks against HSBC and Barclays banking websites in June. Turkish hackers gained access to low-level U.S. Army Web servers in May by exploiting SQL injection vulnerabilities, redirecting a website to a webpage protesting climate change.

"It's evident from some of the highly visible attacks in the last couple of years that many attacks go unnoticed for months and years before they are caught, and even those are by accident," the report noted. "We believe that for every attack that's reported, there are a hundred more that have gone unnoticed, as most companies don't know when they are being hacked."
