Are all browsers equally vulnerable?

With all these Internet Explorer insecurity issues coming to light, a common argument is:

“All browsers are insecure, just practice safer browsing by not clicking on links in unsolicited mail.”

Sure, that’s an important part of being safe on the net, but it’s only half of the picture. Of course all browsers will have security holes at particular points in time; no software is perfect.

However, what we should be looking at is a vendor’s response to security vulnerabilities. What matters most is how quickly a vendor can patch a hole and distribute the fix. (Of course, security by design and the underlying operating system are also important factors.)

To that end, I came across an entry in Wikipedia which provides a comparison of unpatched, publicly known vulnerabilities in the latest stable versions of major browsers. It is based on vulnerability reports by SecurityFocus and Secunia.

From the list, you can see that all versions of Internet Explorer have dozens of unpatched security holes, while most other browsers have none (Safari and Chrome have only one unpatched vulnerability, which is classified as “less critical”).

According to the latest information, security research firm SecurityFocus reports that IE6 has 396 known unpatched vulnerabilities, IE7 has 15, and IE8 has 32. The oldest known unpatched vulnerabilities for IE6, IE7, and IE8 date from November 20, 2000, May 17, 2007, and April 11, 2009 respectively.

How many does Firefox have? Zero. That’s right. NONE.

So yes, you should practise safe surfing, but the browser you choose will have a MAJOR impact on the overall security of your system (as does the operating system). Anyone who claims that Internet Explorer is just as secure as the other major browsers is either insane or stupid.
