Cenzic says Firefox and Safari are the least secure browsers? Really?

According to Computerworld, security firm Cenzic has released a report showing that Firefox and Safari were the least secure browsers in the first half of 2009. That's the impression you get by simply skimming the article anyway. The actual report from Cenzic only counts the number of security flaws, and concludes that Firefox had 44% of all vulnerabilities, Safari had 35%, IE had 15%, and Opera a mere 6%.

Does that really mean that IE is more secure than Firefox and Safari?

I'm not sure a conclusion like that can be drawn at all. There are other aspects to security vulnerabilities that were not covered, such as the severity, and how long the vendor takes to fix them. Furthermore, security reports sometimes elevate standard crash bugs into security bugs, for example referring to them as "Denial of Service Vulnerabilities".

It's great to see that Opera has a low number of vulnerabilities, and I am confident that we would look good if severity and "time to fix" were taken into account as well. But until the report actually includes those relevant details, it isn't really that useful.

Statistics are great, though. You can make them show just about anything.


15 thoughts on “Cenzic says Firefox and Safari are the least secure browsers? Really?”

  1. Most people don't know or understand those issues with the report, so they just buy into it, the same way that they buy that JavaScript benchmarks measure real world web page performance. At least the misinformation campaign this time is on our side.

  2. The other thing of course is that Safari and Mozilla are open-source, and by definition more open about their security issues.

  3. This article also states:

    Other factors need to be taken into account for a proper comparison; this includes the type of vulnerabilities and thus the underlying type of coding errors, the impact of the vulnerabilities, the time it takes the vendor to fix the reported vulnerabilities, how easy it is to update the software thus how quickly the users (learn about and is able to) apply the patches.


  4. Haavard: You're a big, big man for defending other minority browsers given the untrue & misplaced attacks on Opera (and omissions) I read from their blogs and tech stories…constantly. Not sure they deserve it until I see some admission from them. Maybe the aria inside the Opera House drowns out that ugly outside noise, but still. ;) @xErath: Exactly my first thought. haha. I guess one-out-of-a-million isn't bad. I hope Opera works harder/smarter to change this faster. Ugh.

  5. Yeah, Opera is the safest (graphical and script-enabled) browser on Earth 🙂 This adds to being the fastest, with most integrated features and since 10.0 with the most pretty default interface. Not bad for a single product, is it? On my personal list for best-coded Windows programs, Guild Wars is #1, Opera and Ultra Edit share the 2nd place.

  6. @Chas4: you’re right of course that Safari itself isn’t open source, but nearly all security bugs that don’t rely on social engineering occur in the browser engine, which in Safari’s case is the open source WebKit. Also, security by obscurity? It only works if you’re only obscure as long as it takes to fix the bug.

  7. What I am really concerned about is the time taken to fix those vulnerabilities. That's what matters, especially for a browser like Fx which has automatic incremental updates.

  8. bugscout that site says that ff is the only browser with XSS protection (with an add on), I know that Safari has something, I would guess so does Chrome, I believe Opera also has one (if the Google translator works correctly). Speed tests not only depend on the browser but the hardware in the system, 512 mb of ram vs 2 to 3gb of ram will make a difference
