Opera not far behind

Sep 18, 2007 16:42 GMT

Internet Explorer and Firefox are equally insecure, exposing their users to the same number of exploits, while Safari is the most locked-down browser, with Opera not too far behind. This is the conclusion Symantec presented in its Internet Security Threat Report - Trends for January-June 07. The Cupertino-based security company took into consideration the window of exposure for the four main Web browsers on the market today, namely Internet Explorer, Firefox, Safari and Opera. "The window of exposure is the difference in days between the time at which exploit code affecting a vulnerability is made public and the time at which the affected vendor makes a patch available to the public for that vulnerability," Symantec stated.

The graphic at the bottom of this article illustrates how many days Microsoft, Apple, Mozilla and Opera spent patching security flaws in July-December 2006 and in January-June 2007, counted from the moment the vulnerabilities were publicly disclosed to the time an update was made available. While Safari delivered a poor performance in 2006, this year Apple has changed its tune, and the Mac-native browser now benefits from the smallest window of exposure.

"During the first half of 2007, Apple Safari had a window of exposure of three days, a decrease over the 62-day window in the second half of 2006 (figure 22). The window of exposure for the first half of 2007 was based on a sample set of 13 vulnerabilities, with a maximum patch time of eight days. The results for the second half of 2006 were based on a sample set of one vulnerability with a patch time of 62 days," Symantec revealed.

According to the Cupertino-based company, the release of Safari for 32-bit and 64-bit Windows XP and Windows Vista in 2007, together with Apple's rapid response with updates to the flood of vulnerabilities that ensued, contributed to reducing the browser's window of exposure. Opera follows Safari in terms of the company's response time to security flaws.

"In the first six months of 2007, Opera had a window of exposure of four days based on a sample set of five patched vulnerabilities. This is an increase over the 23-day window in the second half of 2006, which was based on a sample set of three patched vulnerabilities. In the current reporting period, Opera had maximum patch development time of 23 days. This can be attributed to a few vulnerabilities in a small sample data set that disproportionately affected the average. In the previous six-month period, a maximum of 46 days elapsed before a patch was available for vulnerabilities in Opera," Symantec added.

Of course, the most important aspect of a comparison between browsers is the face-off between Internet Explorer and Firefox. Mozilla's open source browser is without a doubt perceived as delivering superior security compared to IE. The Symantec report indicates that the two browsers have the same window of exposure. Still, Microsoft's patching process performed excellently for Internet Explorer, cutting the number of days users were exposed to attacks.

"In the first half of 2007, Microsoft Internet Explorer had a window of exposure of five days based on a sample set of 17 patched vulnerabilities. This is a decrease from the 10-day time period in the second half of 2006, which was based on a sample set of 15 patched vulnerabilities. The maximum patch development time for Internet Explorer vulnerabilities during the current reporting period was 90 days. In the second half of 2006, the maximum patch development time was 78 days," Symantec stated.

One point that Symantec makes is that all browsers delivered superior security in 2007 compared to 2006, as the companies deployed patches more rapidly. All... with the exception of Firefox. Mozilla is the only company exposing its users to a larger window of exposure this year than in 2006. What is interesting is that, for Mozilla, 2007 coincides with the growing dominance of Firefox 2.0 over Firefox 1.5, with the latest version applauded as delivering additional security.

"During the first six months of 2007, Mozilla had a window of exposure of five days based on a sample set of 22 patched vulnerabilities. This is an increase over the window of exposure of two days in the second half of 2006, which was based on 36 patched vulnerabilities. During the current reporting period, Mozilla had a maximum patch development time of 83 days. In the second half of the year, the maximum patch development time was 33 days," Symantec said.

Figure: Window of exposure for Web browsers