This document will summarize the security vulnerability levels in the four most popular web browsers on Windows. The information was collected from Secunia, a leading computer software security monitoring company. These statistics cover all reported vulnerabilities in Windows versions of Internet Explorer, Firefox, Safari, and Opera.
The vulnerability information was last updated February 10, 2009.
The following table details the number of vulnerabilities and relative danger.
Historical cumulative values are provided in three forms: for all vulnerabilities in the entire of life of these products, for all vulnerabilities that were present within the first 365 days of the first vulnerability reported in the product, and for all vulnerabilities that were present within the last 365 days.
“High severity” values include vulnerability reports that were marked as “highly critical” and above. Relative danger levels are calculated by adding up the square of the criticality levels for each vulnerability report (not critical=1², extremely critical=5²).
A vulnerability is considered unfixed if the vulnerability report does not have a complete vendor patch.
Notice: Since Internet Explorer 7 was released, Secunia has not indicated which previously known unfixed Internet Explorer 6 vulnerabilities have been re-tested in IE 7, aside from the most recent few (which, by the way, were confirmed to still affect the new version). Secunia has a history of not listing very old vulnerabilities under new versions even if they still apply, and this is as true with Firefox and Opera as is assumed with Internet Explorer. Until Secunia updates the old advisories with an indication of the status in IE 7, this page will assume they still exist.
Notice: Safari for Windows is still fairly new, so there isn't much data yet. The current figures may not be particularly representative of the overall product.
| Aspect | Internet Explorer | Firefox | Safari | Opera |
|---|---|---|---|---|
| Historical cumulative values (Product life) | ||||
| Vulnerability reports | 140 | 77 | 7 | 70 |
| High severity vulnerability reports | 66 | 31 | 5 | 21 |
| Vulnerability issues | 274 | 271 | 22 | 98 |
| Relative danger | 1564 | 739 | 88 | 614 |
| Historical cumulative values (from first 365 days) | ||||
| Vulnerability reports | 31 | 20 | 7 | 18 |
| High severity vulnerability reports | 13 | 2 | 5 | 4 |
| Vulnerability issues | 69 | 39 | 22 | 23 |
| Relative danger | 331 | 156 | 88 | 138 |
| Historical cumulative values (from last 365 days) | ||||
| Vulnerability reports | 38 | 5 | 2 | 1 |
| High severity vulnerability reports | 1 | 0 | 0 | 0 |
| Vulnerability issues | 40 | 6 | 3 | 1 |
| Relative danger | 161 | 19 | 8 | 1 |
| Highest values at one time | ||||
| Vulnerability reports | 39 | 9 | 2 | 4 |
| High severity vulnerability reports | 5 | 2 | 1 | 1 |
| Vulnerability issues | 41 | 13 | 3 | 8 |
| Relative danger | 204 | 44 | 20 | 27 |
| Mean average per day (from last 365 days) | ||||
| Vulnerability reports | 38 | 5 | 2 | 1 |
| High severity vulnerability reports | 1 | 0 | 0 | 0 |
| Vulnerability issues | 40 | 6 | 3 | 1 |
| Relative danger | 161 | 19 | 8 | 1 |
| Median average per day (from last 365 days) | ||||
| Vulnerability reports | 38 | 5 | 2 | 1 |
| High severity vulnerability reports | 1 | 0 | 0 | 0 |
| Vulnerability issues | 40 | 6 | 3 | 1 |
| Relative danger | 161 | 19 | 8 | 1 |
| Present values | ||||
| Vulnerability reports | 38 | 5 | 2 | 1 |
| High severity vulnerability reports | 1 | 0 | 0 | 0 |
| Vulnerability issues | 40 | 6 | 3 | 1 |
| Relative danger | 161 | 19 | 8 | 1 |
Internet Explorer has had 140 vulnerability reports. 25 were marked as moderately critical, 50 were marked as highly critical, and 16 were marked as extremely critical. There are still 38 remaining, including 9 that were marked as moderately critical and 1 that was marked as highly critical.
Firefox has had 77 vulnerability reports. 19 were marked as moderately critical, 31 were marked as highly critical, and 0 were marked as extremely critical. There are still 5 remaining, including 1 that was marked as moderately critical.
Safari has had 7 vulnerability reports. 0 were marked as moderately critical, 5 were marked as highly critical, and 0 were marked as extremely critical. There are still 2 remaining, both of which were marked as less critical or not critical.
Opera has had 70 vulnerability reports. 20 were marked as moderately critical, 20 were marked as highly critical, and 1 was marked as extremely critical. There is still 1 remaining, which was marked as not critical.
Many vulnerabilities are discovered by the browser vendors and patched before they are ever publicly known. Vulnerabilities are most dangerous when they are found elsewhere with no patch available. The following are historical cumulative vulnerability values that only include those vulnerabilities that were publicly known before a patch was available.
| Aspect | Internet Explorer | Firefox | Safari | Opera |
|---|---|---|---|---|
| Historical cumulative values (Product life) | ||||
| Vulnerability reports | 97 | 42 | 4 | 31 |
| High severity vulnerability reports | 29 | 7 | 2 | 4 |
| Vulnerability issues | 127 | 54 | 6 | 36 |
| Relative danger | 892 | 271 | 40 | 213 |
| Historical cumulative values (from first 365 days) | ||||
| Vulnerability reports | 22 | 14 | 4 | 14 |
| High severity vulnerability reports | 5 | 1 | 2 | 3 |
| Vulnerability issues | 31 | 17 | 6 | 19 |
| Relative danger | 185 | 100 | 40 | 105 |
| Historical cumulative values (from last 365 days) | ||||
| Vulnerability reports | 38 | 5 | 2 | 1 |
| High severity vulnerability reports | 1 | 0 | 0 | 0 |
| Vulnerability issues | 40 | 6 | 3 | 1 |
| Relative danger | 161 | 19 | 8 | 1 |
Internet Explorer has had 97 reports of vulnerabilities discovered in the public without a patch. 21 were marked as moderately critical, 17 were marked as highly critical, and 12 were marked as extremely critical.
Firefox has had 42 reports of vulnerabilities discovered in the public without a patch. 11 were marked as moderately critical, 7 were marked as highly critical, and 0 were marked as extremely critical.
Safari has had 4 reports of vulnerabilities discovered in the public without a patch. 0 were marked as moderately critical, 2 were marked as highly critical, and 0 were marked as extremely critical.
Opera has had 31 reports of vulnerabilities discovered in the public without a patch. 10 were marked as moderately critical, 3 were marked as highly critical, and 1 was marked as extremely critical.
The following values only include vulnerabilities that had publicly known exploits or proof-of-concept exploit code before a patch was available, according to Secunia's advisories.
It should be noted that not all theoretical exploits hold the same likelihood of attack. Some vulnerabilities may have publicly available proof-of-concept code that is very difficult to exploit in practice. Criticality levels often provide some indication of the ease of exploitation, but they also represent the sheer potential impact of the flaw whether easily exploitable or not.
| Aspect | Internet Explorer | Firefox | Safari | Opera |
|---|---|---|---|---|
| Historical cumulative values (Product life) | ||||
| Vulnerability reports | 46 | 14 | 4 | 10 |
| High severity vulnerability reports | 18 | 2 | 2 | 1 |
| Vulnerability issues | 66 | 15 | 6 | 14 |
| Relative danger | 511 | 75 | 40 | 67 |
| Historical cumulative values (from first 365 days) | ||||
| Vulnerability reports | 6 | 2 | 4 | 3 |
| High severity vulnerability reports | 1 | 0 | 2 | 1 |
| Vulnerability issues | 6 | 2 | 6 | 7 |
| Relative danger | 41 | 13 | 40 | 30 |
| Historical cumulative values (from last 365 days) | ||||
| Vulnerability reports | 14 | 2 | 2 | 1 |
| High severity vulnerability reports | 0 | 0 | 0 | 0 |
| Vulnerability issues | 15 | 2 | 3 | 1 |
| Relative danger | 50 | 5 | 8 | 1 |
| Highest values at one time | ||||
| Vulnerability reports | 15 | 7 | 2 | 2 |
| High severity vulnerability reports | 3 | 1 | 1 | 1 |
| Vulnerability issues | 16 | 7 | 3 | 6 |
| Relative danger | 107 | 31 | 20 | 25 |
| Mean average per day (from last 365 days) | ||||
| Vulnerability reports | 14 | 2 | 2 | 1 |
| High severity vulnerability reports | 0 | 0 | 0 | 0 |
| Vulnerability issues | 15 | 2 | 3 | 1 |
| Relative danger | 50 | 5 | 8 | 1 |
| Median average per day (from last 365 days) | ||||
| Vulnerability reports | 14 | 2 | 2 | 1 |
| High severity vulnerability reports | 0 | 0 | 0 | 0 |
| Vulnerability issues | 15 | 2 | 3 | 1 |
| Relative danger | 50 | 5 | 8 | 1 |
| Present values | ||||
| Vulnerability reports | 14 | 2 | 2 | 1 |
| High severity vulnerability reports | 0 | 0 | 0 | 0 |
| Vulnerability issues | 15 | 2 | 3 | 1 |
| Relative danger | 50 | 5 | 8 | 1 |
Internet Explorer has had 46 fully-disclosed vulnerability reports. 6 were marked as moderately critical, 6 were marked as highly critical, and 12 were marked as extremely critical. There are still 14 remaining, including 3 that were marked as moderately critical.
Firefox has had 14 fully-disclosed vulnerability reports. 2 were marked as moderately critical, 2 were marked as highly critical, and 0 were marked as extremely critical. There are still 2 remaining, both of which were marked as less critical or not critical.
Safari has had 4 fully-disclosed vulnerability reports. 0 were marked as moderately critical, 2 were marked as highly critical, and 0 were marked as extremely critical. There are still 2 remaining, both of which were marked as less critical or not critical.
Opera has had 10 fully-disclosed vulnerability reports. 3 were marked as moderately critical, 0 were marked as highly critical, and 1 was marked as extremely critical. There is still 1 remaining, which was marked as not critical.
It is also important to consider how quickly each web browser fixes its vulnerabilities. The following table lists the average time taken between Secunia's vulnerability reports and the release dates of their respective patches, if all aging unfixed vulnerabilities (vulnerabilities at least as old as the mean of all fixed vulnerabilities for that browser) were to be fixed today. Data does not include unfixed vulnerabilities less than that age, vulnerabilities with unknown fix dates, or vulnerabilities that were only publicly known after the patch release. Values listed are in days.
| Average | Internet Explorer | Firefox | Safari | Opera |
|---|---|---|---|---|
| Per vulnerability report | ||||
| Overall mean | 3700 | 973 | 3015 | 307 |
| Overall median | 6036 | 42 | 2994 | 35 |
| High severity mean | 410 | 13 | 21 | 8 |
| High severity median | 53 | 10 | 21 | 8 |
| Per vulnerability issue | ||||
| Overall mean | 3110 | 887 | 3023 | 309 |
| Overall median | 210 | 27 | 2994 | 44 |
| High severity mean | 307 | 17 | 21 | 8 |
| High severity median | 61 | 23 | 23 | 8 |
| Weighted by relative danger | ||||
| Overall mean | 2585 | 805 | 2017 | 163 |
| Overall median | 121 | 23 | 23 | 23 |
| High severity mean | 372 | 13 | 21 | 7 |
| High severity median | 52 | 10 | 21 | 1 |
| Per fully-disclosed vulnerability report | ||||
| Overall mean | 2720 | 1017 | 3015 | 718 |
| Overall median | 119 | 23 | 2994 | 12 |
| High severity mean | 57 | 5 | 21 | 1 |
| High severity median | 48 | 5 | 21 | 1 |
The following graphs illustrate present security figures in each browser over time. The graphs span from February 9, 2004 to today.
The following graphs only include vulnerabilities that had publicly known exploits or proof of concept exploit code before a patch was available, according to Secunia's advisories.
