
Firefox On Fire

Firefox is hot. The latest numbers show it now owns one-fourth of the browser market. But fame, of course, comes with a price: A recent, separate report shows that Firefox accounted for nearly 45 percent of all Web vulnerabilities in the first half of this year.

It's no surprise that the rise in popularity of Mozilla's browser also makes it a more attractive target. (Apple, take note.) But for those who had made the switch from Internet Explorer to Firefox for security reasons, it makes you wonder if it may be time to re-evaluate your browser of choice again.

According to November market share data from Net Applications, Mozilla's Firefox added about 0.7 percent market share last month to its 24.72 percent, while Internet Explorer's (IE) share dropped from 64.64 percent in October to 63.62 percent in November. IE has been mostly on a downward spiral all year, starting at 69.72 percent in January.

The bad news for Firefox is it had more vulnerabilities than IE in the first half of the year. For the first and second quarters of 2009, IE had about 15 percent of all browser bugs, Safari had 35 percent, and Firefox had 44 percent, according to Cenzic's Web Application Security Trends Report (PDF), which was released last month. Overall, 90 percent of Web vulnerabilities during that period were in commercial Web apps, 8 percent in browsers, and 2 percent in Web servers, according to the report.

The report doesn't drill down into the trends of the types of vulnerabilities found in Firefox, but it was a busy year for Mozilla's security team. The first zero-day exploit for version 3.5 of the open-source browser was unleashed in July as Mozilla rushed to patch the vulnerability in its Just-in-Time JavaScript compiler.

No browser is foolproof, of course. And the only way to avoid many browser-borne attacks is to forgo Web 2.0 and go retro with an old-school, text-based browser like Lynx. Uh -- no thanks. I'll just keep on patching.

-- Kelly Jackson Higgins, Senior Editor, Dark Reading
