Friday, May 11, 2012

Which Browser is the most secure?

By: S.S., Senior Security Engineer @ G2

It seems like every few weeks you see some supposed authority claiming that this web browser is the most secure, only to be refuted the next day by another supposed authority that says another is clearly the best. I was reminded of this the other day when I saw that Google was backing out of this year's Pwn2Own contest (rightfully so) and putting up their own challenge with more money on the line. Chrome has come away unscathed over the last few years at Pwn2Own, so clearly it must be the most secure browser, right?

While there are many ways to define "secure", with the Pwn2Own goal being just one, I thought I'd take a look at some data. One way to measure the security of a browser might be to count how many vulnerabilities have been reported. Conveniently, we can consult the NVD to find how many CVEs there have been for each browser. Let's take a look at the CVE count for the last 4 years:

Browser   2009   2010   2011   2012   Recent history total
Chrome      39    152    270     41   502
Firefox    126    107    101     11   345
IE          27     59     48      4   138
Safari      72    122     49      0   243

Raise your hand if that's what you expected. Now put your hand down, you look silly with your hand raised.

Is Google overly confident given the track record of Chrome? Are these numbers a reflection of the relative maturity of each browser? Are they related to how rapidly the browser changes, leaving it open to the introduction of new vulnerabilities? What does it all mean? I don't know, but I did find the numbers to be somewhat surprising.

