Share of most secure browser versionsAccording to an independent study by Google Switzerland, IBM Internet Security Systems and CSG ETH Zurich, Mozilla Firefox users are the safest among web surfers (on average), because they are more likely to be running the latest and most secure version of their browser.
This research analyzed the user agent headers sent with Google search queries beetween January 2007 and June 2008 (lots of data points!), finding that more than 83% of the surveyed Firefox browsers were up-to-date. Safari scored 65.3%, Opera 58.1% and IE, not surprising, was the worst with 47.6% (it should be noticed, though, that IE6 has been considered, rightly, an “insecure version”).

The most important factor in this achievement is probably Firefox’s streamlined patching process, which is painless and hard to avoid: in facts, security updates are downloaded in background and proposed to the user as soon as they’re ready. He can refuse installing (e.g. not to interrupt his work), but as soon as the browser restarts they get installed nonetheless.
There’s obviously room for improvement. For instance, upgrading requires administrative privileges. Therefore, a warning to low-permissions users saying something like “You’re running an outdated version of Firefox, please ask your administrator to upgrade” would be helpful. But even so, Firefox already shows a stunning lead over its competitors.

One of the declared limits of this study is that nothing could be said about browser plugins, universally recognized as an endless source of security pain. Even on this side, though, Firefox has some clear advantages: plugins can be disabled either manually, from the Tools|Add-Ons|Plugins panel, or automatically through a centralized blacklist. Last but not least, if you’re really security minded, you can always adopt a whitelist approach.

20 Responses to “Firefox Users Are The Safest”

  1. #1 Zero Day mobile edition says:

    […] More from Asa Dotzler and Hackademix. […]

  2. #2 foxiewire.com says:

    Firefox Users Are The Safest

    According to an independent study by Google Switzerland, IBM Internet Security Systems and CSG ETH Zurich, Mozilla Firefox users are the safest among web surfers (on average), because they are more likely to be running the latest and most secure versi…

  3. #3 Ronald says:

    LOL, right. Like that proves anything. Here’s an idea, let’s share the most secure browser with Safari!

    I know what time it is, it is bullshit time. because that chart is deceivingly untrue. It’s crap, because many Opera users do not use Google but Yahoo, which renders this little chart useless. Don’t hold so much faith in your little fox, it’s next to MSIE and Safari the most insecure browser of all time. Look at securityfocus and their ‘true’ analysis of insecure browsers to understand the true story.

  4. #4 Giorgio says:

    @Ronald:

    It’s crap, because many Opera users do not use Google but Yahoo

    Hrm, on my Opera installation Google is the default search engine, and I do not remember to have changed it (also because I merely use Opera to test web designs).
    That said, your statement is a blatant non-sequitur: even if your numbers were right (and you still need to explain where you got them), you should also demonstrate that Opera users who prefer Yahoo over Google are not just the majority, but also the most security savvy ;)

  5. #5 Ronald says:

    Opera: http://secunia.com/graph/?type=sol&period=all&prod=10615
    MSIE7: http://secunia.com/graph/?type=sol&period=all&prod=12366
    Firefox: http://secunia.com/graph/?type=sol&period=all&prod=12434

  6. #6 Giorgio says:

    @Ronald:
    You can add these, too:

    Opera: http://secunia.com/graph/?type=cri&period=all&prod=10615
    MSIE7: http://secunia.com/graph/?type=cri&period=all&prod=12366
    Firefox: http://secunia.com/graph/?type=cri&period=all&prod=12434

    But they’re quite irrelevant, since Opera doesn’t need to publish the vulnerabilities found internally, while every each vulnerability in the Mozilla products has a (public after patching or disclosure) bug report attached.
    You’re comparing apple and oranges, my friend.

  7. #7 Ronald says:

    Yeah, but they are patched, the rest isn’t that is what the first charts show.

    Okay, here is a challenge then, show me a new vulnerability in Opera, or those who are un-patched until this date, then compare them to the rest of the browser racket. If I could find a vulnerability in Opera I would scream it from the sky, so will others. Look at the facts and try to find one. If you can I would be happy to write a full blog post about it and reclaim my ideas.

  8. #8 Giorgio says:

    I respect and try to protect users, even those who use the wrong browser like you :)
    Don’t you remember what happened last time that Opera folks couldn’t hide they had a vulnerability, even though they were notified in advanced and no details or exploitation code was given away publicly?

  9. #9 Ronald says:

    Yeah, did you know that this vulnerability was mine? I reported it to Mozilla, and Mozilla claimed it their ‘own’ which is fine by me but then they denied Opera the details because Mozilla was in a hurry to shove the next Firefox version, I don’t care I hate Mozilla anyways.

  10. #10 Giorgio says:

    Wait, are you really saying you reported it to Mozilla, which you hate, and forgot reporting it to your beloved Opera?!
    BTW, Mozilla didn’t “deny” anything: actually they were those who notified Opera and embargoed the details to script kiddies, otherwise it would have been a 0day…

  11. #11 AndrewC says:

    This is probably partly influenced by Gmail, Google Docs and Youtube’s annoying habit of often not working properly in Opera when the user agent is set to Opera. This causes many Opera users to set their user agent to Firefox for all Google related sites, although there are user javacript fixes for these issues. That being said, I have noticed that the available stats for many websites show an alarmingly large number of Opera users do use outdated versions, some extremely outdated. Is opening the help menu and clicking "Check for updates" really that hard?

  12. #12 Ronald says:

    Not sure what version of Opera you use, but I get alerts when a new version of Opera is available.

    @Giorgio, well I didn’t know Opera was vulnerable to it. I have hunch that it was a variant of the bug, Usually I test all browsers when I find some quirky thing, this time I didn’t try Opera.

  13. #13 Adrian says:

    Most updated != Safe

    And lets see what HACKERS think about it:

    http://www.0×000000.com/?i=592

  14. #14 Giorgio says:

    @Adrian:
    you realize (don’t you?) that the HACKERS you’re pointing at (0×000000) is just Ronald, whose love for Mozilla is well known here :)

  15. #15 Adrian says:

    Most updated != Safe && having a lot of firefox fanboy != safe

    Opera’s probably doing a better job in security.(can you find any critical vulnerability on Opera 9.5 ?)

    Firefox does even have vulnerability problem on the day they release 3.0.
    http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30
    Yea, problem doesn’t affect NoScript. So does it means Firefox sucks without extensions ?

  16. #16 Giorgio says:

    @Adrian:

    Can you find any critical vulnerability on Opera 9.5?

    Opera 9.51 Changelog

    Changes from 9.5

    1. Fixed an issue where <canvas> functions could reveal data from random places in memory, as reported by Philip Taylor. See our advisory.
    2. Fixed an issue that could be used to execute arbitrary code, as reported by Billy Rios. Details will be disclosed at a later date.
    3. Security status is now correctly set when navigating from HTTP to HTTPS.
    4. Corrected an issue related to OCSP and CRLs that would lower security.

    And yes, Firefox users are safer also because NoScript is available for Firefox: XSS is everywhere and most browser vulnerabilities, no matter the vendor, are exploitable either through JavaScript or plugins…

  17. #17 Adrian says:

    Alright, sorry for not typing the 0.01.
    Firefox is nice, which many of its extensions e.g. Firebug and Fireftp are very useful.
    But I want to point out that, I hate some of the firefox fanboys try to advertise Firefox by pissing off the others (and it isn’t true),
    which is really a bad attitude, and I think the atmosphere in Opera is much better.
    Everyone has they way of browsing, which I prefer Opera.
    (There are also fanboys for Opera in Opera community, operawatch and more)

    p.s. Opera does also has anti XSS-like extension
    http://adn.exofire.net/stuff/arioso.js

  18. #18 franco says:

    Giorgio, you are doing a great job to make firefox a safer browser and I’ve often thought to switch back to it (I’ve been a Phoenix 0.2 user) just for NoScript. But Opera is simply a better browser. Leaner, smoother, ecc..
    As for the survey, there’s a logical error in it.
    Most updated could only mean more secure INSIDE ITS family. Any other conclusion outside it can be drawn only taking into account the specific vulnerabilities.

  19. #19 Show your boxes with color or border says:

    In fact, if you install FF in any folder other than Program Files, you do NOT need to be an administrator, also with Opera 9.5, you MUST be an administrator, as Opera 9.5 now insists on installing an .ocx and 2 .dll files in the Windows folder (annoying and COMPLETELY unecessary, and in fact LESS secure than when you could install Opera any damn foler you wanted and all its files would only go in THAT folder). Learn Windows, Georgio, you do not know that much about it.

  20. #20 Giorgio says:

    @Show your boxes with color or border:
    Here we’re talking about making upgrades as seamless as possible for the majority of users, i.e. those who install software in its default location.

Bad Behavior has blocked 33433 access attempts in the last 7 days.