Web browser security summary

This document will summarize the security vulnerability levels in the four most popular web browsers on Windows. The information was collected from Secunia, a leading computer software security monitoring company. These statistics cover all reported vulnerabilities in Windows versions of Internet Explorer, Firefox, Safari, and Opera.

The vulnerability information was last updated February 10, 2009.

Table of Contents

  1. Vulnerabilities
  2. Publicly disclosed without a patch
  3. Fully-disclosed
  4. Patch delay
  5. Graphs
    1. Total vulnerabilities
    2. Fully-disclosed vulnerabilities

Vulnerabilities

Up

The following table details the number of vulnerabilities and relative danger.

Historical cumulative values are provided in three forms: for all vulnerabilities in the entire of life of these products, for all vulnerabilities that were present within the first 365 days of the first vulnerability reported in the product, and for all vulnerabilities that were present within the last 365 days.

“High severity” values include vulnerability reports that were marked as “highly critical” and above. Relative danger levels are calculated by adding up the square of the criticality levels for each vulnerability report (not critical=1², extremely critical=5²).

A vulnerability is considered unfixed if the vulnerability report does not have a complete vendor patch.

Notice: Since Internet Explorer 7 was released, Secunia has not indicated which previously known unfixed Internet Explorer 6 vulnerabilities have been re-tested in IE 7, aside from the most recent few (which, by the way, were confirmed to still affect the new version). Secunia has a history of not listing very old vulnerabilities under new versions even if they still apply, and this is as true with Firefox and Opera as is assumed with Internet Explorer. Until Secunia updates the old advisories with an indication of the status in IE 7, this page will assume they still exist.

Notice: Safari for Windows is still fairly new, so there isn't much data yet. The current figures may not be particularly representative of the overall product.

Security vulnerabilities
Aspect Internet Explorer Firefox Safari Opera
Historical cumulative values (Product life)
Vulnerability reports 140 77 7 70
High severity vulnerability reports 66 31 5 21
Vulnerability issues 274 271 22 98
Relative danger 1564 739 88 614
Historical cumulative values (from first 365 days)
Vulnerability reports 31 20 7 18
High severity vulnerability reports 13 2 5 4
Vulnerability issues 69 39 22 23
Relative danger 331 156 88 138
Historical cumulative values (from last 365 days)
Vulnerability reports 38 5 2 1
High severity vulnerability reports 1 0 0 0
Vulnerability issues 40 6 3 1
Relative danger 161 19 8 1
Highest values at one time
Vulnerability reports 39 9 2 4
High severity vulnerability reports 5 2 1 1
Vulnerability issues 41 13 3 8
Relative danger 204 44 20 27
Mean average per day (from last 365 days)
Vulnerability reports 38 5 2 1
High severity vulnerability reports 1 0 0 0
Vulnerability issues 40 6 3 1
Relative danger 161 19 8 1
Median average per day (from last 365 days)
Vulnerability reports 38 5 2 1
High severity vulnerability reports 1 0 0 0
Vulnerability issues 40 6 3 1
Relative danger 161 19 8 1
Present values
Vulnerability reports 38 5 2 1
High severity vulnerability reports 1 0 0 0
Vulnerability issues 40 6 3 1
Relative danger 161 19 8 1

Internet Explorer has had 140 vulnerability reports. 25 were marked as moderately critical, 50 were marked as highly critical, and 16 were marked as extremely critical. There are still 38 remaining, including 9 that were marked as moderately critical and 1 that was marked as highly critical.

Firefox has had 77 vulnerability reports. 19 were marked as moderately critical, 31 were marked as highly critical, and 0 were marked as extremely critical. There are still 5 remaining, including 1 that was marked as moderately critical.

Safari has had 7 vulnerability reports. 0 were marked as moderately critical, 5 were marked as highly critical, and 0 were marked as extremely critical. There are still 2 remaining, both of which were marked as less critical or not critical.

Opera has had 70 vulnerability reports. 20 were marked as moderately critical, 20 were marked as highly critical, and 1 was marked as extremely critical. There is still 1 remaining, which was marked as not critical.

Publicly disclosed without a patch

Up

Many vulnerabilities are discovered by the browser vendors and patched before they are ever publicly known. Vulnerabilities are most dangerous when they are found elsewhere with no patch available. The following are historical cumulative vulnerability values that only include those vulnerabilities that were publicly known before a patch was available.

Security vulnerabilities (in public)
Aspect Internet Explorer Firefox Safari Opera
Historical cumulative values (Product life)
Vulnerability reports 97 42 4 31
High severity vulnerability reports 29 7 2 4
Vulnerability issues 127 54 6 36
Relative danger 892 271 40 213
Historical cumulative values (from first 365 days)
Vulnerability reports 22 14 4 14
High severity vulnerability reports 5 1 2 3
Vulnerability issues 31 17 6 19
Relative danger 185 100 40 105
Historical cumulative values (from last 365 days)
Vulnerability reports 38 5 2 1
High severity vulnerability reports 1 0 0 0
Vulnerability issues 40 6 3 1
Relative danger 161 19 8 1

Internet Explorer has had 97 reports of vulnerabilities discovered in the public without a patch. 21 were marked as moderately critical, 17 were marked as highly critical, and 12 were marked as extremely critical.

Firefox has had 42 reports of vulnerabilities discovered in the public without a patch. 11 were marked as moderately critical, 7 were marked as highly critical, and 0 were marked as extremely critical.

Safari has had 4 reports of vulnerabilities discovered in the public without a patch. 0 were marked as moderately critical, 2 were marked as highly critical, and 0 were marked as extremely critical.

Opera has had 31 reports of vulnerabilities discovered in the public without a patch. 10 were marked as moderately critical, 3 were marked as highly critical, and 1 was marked as extremely critical.

Fully-disclosed

Up

The following values only include vulnerabilities that had publicly known exploits or proof-of-concept exploit code before a patch was available, according to Secunia's advisories.

It should be noted that not all theoretical exploits hold the same likelihood of attack. Some vulnerabilities may have publicly available proof-of-concept code that is very difficult to exploit in practice. Criticality levels often provide some indication of the ease of exploitation, but they also represent the sheer potential impact of the flaw whether easily exploitable or not.

Security vulnerabilities (fully-disclosed)
Aspect Internet Explorer Firefox Safari Opera
Historical cumulative values (Product life)
Vulnerability reports 46 14 4 10
High severity vulnerability reports 18 2 2 1
Vulnerability issues 66 15 6 14
Relative danger 511 75 40 67
Historical cumulative values (from first 365 days)
Vulnerability reports 6 2 4 3
High severity vulnerability reports 1 0 2 1
Vulnerability issues 6 2 6 7
Relative danger 41 13 40 30
Historical cumulative values (from last 365 days)
Vulnerability reports 14 2 2 1
High severity vulnerability reports 0 0 0 0
Vulnerability issues 15 2 3 1
Relative danger 50 5 8 1
Highest values at one time
Vulnerability reports 15 7 2 2
High severity vulnerability reports 3 1 1 1
Vulnerability issues 16 7 3 6
Relative danger 107 31 20 25
Mean average per day (from last 365 days)
Vulnerability reports 14 2 2 1
High severity vulnerability reports 0 0 0 0
Vulnerability issues 15 2 3 1
Relative danger 50 5 8 1
Median average per day (from last 365 days)
Vulnerability reports 14 2 2 1
High severity vulnerability reports 0 0 0 0
Vulnerability issues 15 2 3 1
Relative danger 50 5 8 1
Present values
Vulnerability reports 14 2 2 1
High severity vulnerability reports 0 0 0 0
Vulnerability issues 15 2 3 1
Relative danger 50 5 8 1

Internet Explorer has had 46 fully-disclosed vulnerability reports. 6 were marked as moderately critical, 6 were marked as highly critical, and 12 were marked as extremely critical. There are still 14 remaining, including 3 that were marked as moderately critical.

Firefox has had 14 fully-disclosed vulnerability reports. 2 were marked as moderately critical, 2 were marked as highly critical, and 0 were marked as extremely critical. There are still 2 remaining, both of which were marked as less critical or not critical.

Safari has had 4 fully-disclosed vulnerability reports. 0 were marked as moderately critical, 2 were marked as highly critical, and 0 were marked as extremely critical. There are still 2 remaining, both of which were marked as less critical or not critical.

Opera has had 10 fully-disclosed vulnerability reports. 3 were marked as moderately critical, 0 were marked as highly critical, and 1 was marked as extremely critical. There is still 1 remaining, which was marked as not critical.

Patch delay

Up

It is also important to consider how quickly each web browser fixes its vulnerabilities. The following table lists the average time taken between Secunia's vulnerability reports and the release dates of their respective patches, if all aging unfixed vulnerabilities (vulnerabilities at least as old as the mean of all fixed vulnerabilities for that browser) were to be fixed today. Data does not include unfixed vulnerabilities less than that age, vulnerabilities with unknown fix dates, or vulnerabilities that were only publicly known after the patch release. Values listed are in days.

Patch delay (in days)
Average Internet Explorer Firefox Safari Opera
Per vulnerability report
Overall mean 3715 977 3030 308
Overall median 6066 42 3009 35
High severity mean 411 13 21 8
High severity median 53 10 21 8
Per vulnerability issue
Overall mean 3122 891 3038 310
Overall median 210 27 3009 44
High severity mean 308 17 21 8
High severity median 61 23 23 8
Weighted by relative danger
Overall mean 2595 808 2027 163
Overall median 121 23 23 23
High severity mean 373 13 21 7
High severity median 52 10 21 1
Per fully-disclosed vulnerability report
Overall mean 2731 1021 3030 721
Overall median 119 23 3009 12
High severity mean 57 5 21 1
High severity median 48 5 21 1

Graphs

Up

The following graphs illustrate present security figures in each browser over time. The graphs span from February 9, 2004 to today.

Total vulnerabilities

Up

The following graphs include all vulnerabilities listed by Secunia.

A graph showing the number of security advisories over time in Internet Explorer, Firefox, and Opera.

A graph showing the number of high severity security advisories over time in Internet Explorer, Firefox, and Opera.

A graph showing the number of security vulnerabilities over time in Internet Explorer, Firefox, and Opera.

A graph showing the relative cumulative danger of security vulnerabilities over time in Internet Explorer, Firefox, and Opera.

Fully-disclosed vulnerabilities

Up

The following graphs only include vulnerabilities that had publicly known exploits or proof of concept exploit code before a patch was available, according to Secunia's advisories.

A graph showing the number of fully-disclosed security advisories over time in Internet Explorer, Firefox, and Opera.

A graph showing the number of fully-disclosed high severity security advisories over time in Internet Explorer, Firefox, and Opera.

A graph showing the number of fully-disclosed security vulnerabilities over time in Internet Explorer, Firefox, and Opera.

A graph showing the relative cumulative danger of fully-disclosed security vulnerabilities over time in Internet Explorer, Firefox, and Opera.