According to an independent study by Google Switzerland, IBM Internet Security Systems and CSG ETH Zurich, Mozilla Firefox users are the safest among web surfers (on average), because they are more likely to be running the latest and most secure version of their browser.
This research analyzed the user agent headers sent with Google search queries between January 2007 and June 2008 (lots of data points!), finding that more than 83% of the surveyed Firefox browsers were up-to-date. Safari scored 65.3%, Opera 58.1% and IE, not surprisingly, was the worst with 47.6% (it should be noted, though, that IE6 has been considered, rightly, an “insecure version”).
The most important factor in this achievement is probably Firefox’s streamlined patching process, which is painless and hard to avoid: in fact, security updates are downloaded in the background and proposed to the user as soon as they’re ready. The user can refuse to install them (e.g. so as not to interrupt work in progress), but as soon as the browser restarts they get installed nonetheless.
There’s obviously room for improvement. For instance, upgrading requires administrative privileges. Therefore, a warning to low-privilege users saying something like “You’re running an outdated version of Firefox, please ask your administrator to upgrade” would be helpful. But even so, Firefox already shows a stunning lead over its competitors.
One of the declared limits of this study is that nothing could be said about browser plugins, universally recognized as an endless source of security pain. Even on this side, though, Firefox has some clear advantages: plugins can be disabled either manually, from the Tools|Add-Ons|Plugins panel, or automatically through a centralized blacklist. Last but not least, if you’re really security minded, you can always adopt a whitelist approach.
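The kind of measurement the study relied on, classifying user agent headers and counting how many report the latest version, can be sketched as follows. This is an added example, not code from the study or from this post; the `LATEST` table and the sample user agent strings are constructed for illustration and are assumptions, not the study's data.

```python
import re
from collections import Counter

# Assumption for this sample only: the version treated as "latest" per browser.
LATEST = {"Firefox": "2.0.0.14", "Opera": "9.50", "Safari": "3.1.1", "MSIE": "7.0"}

# Order matters: Opera can announce itself inside an MSIE-style string,
# so it must be tested before MSIE. Safari's product version is in Version/.
PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*) Safari/")),
    ("MSIE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]

def as_tuple(version):
    return tuple(int(part) for part in version.split("."))

def classify(ua):
    """Return (browser, version) for a user agent string, or None if unknown."""
    for name, pattern in PATTERNS:
        match = pattern.search(ua)
        if match:
            return name, match.group(1)
    return None

def up_to_date_share(user_agents):
    """Percentage of requests per browser that report the latest version or newer."""
    total, current = Counter(), Counter()
    for ua in user_agents:
        hit = classify(ua)
        if hit is None:
            continue  # unparseable header: excluded rather than guessed
        name, version = hit
        total[name] += 1
        if as_tuple(version) >= as_tuple(LATEST[name]):
            current[name] += 1
    return {name: round(100.0 * current[name] / total[name], 1) for name in total}

# Constructed sample headers (not real traffic).
SAMPLE = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.27",
    "Opera/9.50 (Windows NT 5.1; U; en)",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) AppleWebKit/523.12 (KHTML, like Gecko) Version/3.0.4 Safari/523.12",
]

if __name__ == "__main__":
    print(up_to_date_share(SAMPLE))
```

A header that fully impersonates another browser cannot be told apart by this kind of parsing, so the result is only as reliable as the user agent strings themselves.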



July 1st, 2008 at 10:59 pm
LOL, right. Like that proves anything. Here’s an idea, let’s share the most secure browser with Safari!
I know what time it is, it is bullshit time. Because that chart is deceivingly untrue. It’s crap, because many Opera users do not use Google but Yahoo, which renders this little chart useless. Don’t hold so much faith in your little fox, it’s next to MSIE and Safari the most insecure browser of all time. Look at securityfocus and their ‘true’ analysis of insecure browsers to understand the true story.
July 1st, 2008 at 11:35 pm
@Ronald:
Hrm, on my Opera installation Google is the default search engine, and I do not remember having changed it (also because I merely use Opera to test web designs).
That said, your statement is a blatant non-sequitur: even if your numbers were right (and you still need to explain where you got them), you should also demonstrate that Opera users who prefer Yahoo over Google are not just the majority, but also the most security savvy ;)
July 1st, 2008 at 11:53 pm
Opera: http://secunia.com/graph/?type=sol&period=all&prod=10615
MSIE7: http://secunia.com/graph/?type=sol&period=all&prod=12366
Firefox: http://secunia.com/graph/?type=sol&period=all&prod=12434
July 2nd, 2008 at 12:10 am
@Ronald:
You can add these, too:
Opera: http://secunia.com/graph/?type=cri&period=all&prod=10615
MSIE7: http://secunia.com/graph/?type=cri&period=all&prod=12366
Firefox: http://secunia.com/graph/?type=cri&period=all&prod=12434
But they’re quite irrelevant, since Opera doesn’t need to publish the vulnerabilities found internally, while each and every vulnerability in the Mozilla products has a (public after patching or disclosure) bug report attached.
You’re comparing apples and oranges, my friend.
July 2nd, 2008 at 12:18 am
Yeah, but they are patched, the rest isn’t; that is what the first charts show.
Okay, here is a challenge then, show me a new vulnerability in Opera, or those who are un-patched until this date, then compare them to the rest of the browser racket. If I could find a vulnerability in Opera I would scream it from the sky, so will others. Look at the facts and try to find one. If you can I would be happy to write a full blog post about it and reclaim my ideas.
July 2nd, 2008 at 12:33 am
I respect and try to protect users, even those who use the wrong browser like you :)
Don’t you remember what happened last time that Opera folks couldn’t hide they had a vulnerability, even though they were notified in advance and no details or exploitation code was given away publicly?
July 2nd, 2008 at 12:45 am
Yeah, did you know that this vulnerability was mine? I reported it to Mozilla, and Mozilla claimed it their ‘own’ which is fine by me but then they denied Opera the details because Mozilla was in a hurry to shove the next Firefox version, I don’t care I hate Mozilla anyways.
July 2nd, 2008 at 1:00 am
Wait, are you really saying you reported it to Mozilla, which you hate, and forgot reporting it to your beloved Opera?!
BTW, Mozilla didn’t “deny” anything: actually they were those who notified Opera and embargoed the details to script kiddies, otherwise it would have been a 0day…
July 5th, 2008 at 11:27 am
This is probably partly influenced by Gmail, Google Docs and Youtube’s annoying habit of often not working properly in Opera when the user agent is set to Opera. This causes many Opera users to set their user agent to Firefox for all Google related sites, although there are user JavaScript fixes for these issues. That being said, I have noticed that the available stats for many websites show an alarmingly large number of Opera users do use outdated versions, some extremely outdated. Is opening the help menu and clicking "Check for updates" really that hard?
July 8th, 2008 at 2:31 am
Not sure what version of Opera you use, but I get alerts when a new version of Opera is available.
@Giorgio, well I didn’t know Opera was vulnerable to it. I have a hunch that it was a variant of the bug. Usually I test all browsers when I find some quirky thing, this time I didn’t try Opera.
July 9th, 2008 at 6:20 pm
Most updated != Safe
And let’s see what HACKERS think about it:
http://www.0x000000.com/?i=592
July 9th, 2008 at 6:29 pm
@Adrian:
you realize (don’t you?) that the HACKERS you’re pointing at (0x000000) is just Ronald, whose love for Mozilla is well known here :)
July 9th, 2008 at 6:44 pm
Most updated != Safe && having a lot of firefox fanboy != safe
Opera’s probably doing a better job in security. (Can you find any critical vulnerability on Opera 9.5?)
Firefox does even have a vulnerability problem on the day they release 3.0.
http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30
Yea, problem doesn’t affect NoScript. So does it mean Firefox sucks without extensions?
July 9th, 2008 at 6:52 pm
@Adrian:
And yes, Firefox users are safer also because NoScript is available for Firefox: XSS is everywhere and most browser vulnerabilities, no matter the vendor, are exploitable either through JavaScript or plugins…
July 9th, 2008 at 7:45 pm
Alright, sorry for not typing the 0.01.
Firefox is nice, which many of its extensions e.g. Firebug and Fireftp are very useful.
But I want to point out that, I hate some of the firefox fanboys try to advertise Firefox by pissing off the others (and it isn’t true),
which is really a bad attitude, and I think the atmosphere in Opera is much better.
Everyone has their way of browsing, which I prefer Opera.
(There are also fanboys for Opera in Opera community, operawatch and more)
p.s. Opera does also have an anti XSS-like extension
http://adn.exofire.net/stuff/arioso.js
July 13th, 2008 at 8:50 am
Giorgio, you are doing a great job to make Firefox a safer browser and I’ve often thought to switch back to it (I’ve been a Phoenix 0.2 user) just for NoScript. But Opera is simply a better browser. Leaner, smoother, etc.
As for the survey, there’s a logical error in it.
Most updated could only mean more secure INSIDE ITS family. Any other conclusion outside it can be drawn only taking into account the specific vulnerabilities.
September 2nd, 2008 at 4:29 pm
In fact, if you install FF in any folder other than Program Files, you do NOT need to be an administrator, also with Opera 9.5, you MUST be an administrator, as Opera 9.5 now insists on installing an .ocx and 2 .dll files in the Windows folder (annoying and COMPLETELY unnecessary, and in fact LESS secure than when you could install Opera any damn folder you wanted and all its files would only go in THAT folder). Learn Windows, Giorgio, you do not know that much about it.
September 2nd, 2008 at 6:00 pm
@Show your boxes with color or border:
Here we’re talking about making upgrades as seamless as possible for the majority of users, i.e. those who install software in its default location.