Here in the UK it is pantomime season, a peculiar form of traditional slapstick stage play that is performed during the Christmas season. In essence, favourite tales such as Peter Pan, Aladdin and Jack and the Beanstalk are retold with the lead boy played by a girl and an ugly woman played by a man. There are stock phrases such as ‘it’s behind you’ and ‘oh no it isn’t - oh yes it is’ which the audience yell at predefined moments, and all in all the event is regarded as a must-see at this time of year. Why am I mentioning all this? Because the Secunia Year End Report 2006 has been published and has more than a touch of the pantomime about it: you have to see it, you feel like shouting out loud while you are reading it, and it’s not in the least bit funny to a grown-up.
Some of the content is predictable, such as the conclusion that system access has had the most impact during the year. Encompassing both system compromise and code execution, the stats show an alarming rise over the last three years which seems unlikely to slow. Secunia first started collecting such vulnerability intelligence in 2003, and back then the end-of-year number of advisories with system access as the impact was ‘just’ 1020. This rose to 1156 during 2004, a jump of 13%, and then to 1698 in 2005, up nearly 50%. Although, bizarrely, the end-of-year report has been published before the end of the year, the figure just before Xmas 2006 was up almost 25% at 2,086.
Perhaps as predictable was the prevalence of zero-day bugs within Microsoft Office, six of them to be precise, with another four discovered in other Microsoft software. A zero-day attack is when a previously unknown vulnerability is exploited before it has been disclosed publicly, and so before users have had a chance to update their security protection or patch the application to prevent being exposed to the risk. And talking of vulnerabilities, 2006 saw what Secunia describes as a ‘substantial’ increase over 2005 in the number its own researchers uncovered: no fewer than 75, of which 70 have so far been announced publicly (the remainder are awaiting publication after vendor agreement). To put this into context, last year there were 53 vulnerabilities discovered by Secunia, although a ‘beefed up’ security team might well have more to do with the increase than any more damaging trend. I guess we won’t really know the answer to that one until the 2007 end-of-year report is published. More clear-cut is the fact that the majority of these were rated as either highly critical (21) or moderately critical (39), with only a handful rated less critical (9) or not critical (1).
During the course of 2006, Secunia published in excess of 5000 advisories, bringing the total in its database to 15,500. Interestingly, few were classified at either end of the criticality spectrum, leaving the vast majority as either highly, moderately or less critical. This is good news, because to be classified as extremely critical a vulnerability would have to be remotely exploitable and capable of leading to system compromise without any user interaction, while already being actively exploited. Thankfully there were only 24 that deserved the worst rating, compared to 2152 moderately critical, 1511 less critical and 1191 highly critical ones.
All of which means that choosing your web browser client based upon its inherent security strength is actually rather a good idea, and luckily Secunia can help here by monitoring and graphing every client on just this basis. You can see, at a glance, how many vulnerabilities there are and their criticality, the number of problems remaining unpatched, and a breakdown of the system impact of any vulnerabilities. It really should be a regular must-read for anyone serious about their system security. So what does it tell us in answer to the question I have adapted into typical pantomime form: mirror, mirror on the wall, which is the safest browser of all?
Well, based upon the number and nature of advisories, coupled with the current solution/patch status, there appears to be a clear winner. Although some might argue that a not-critical vulnerability that remains unpatched makes for a more secure client than one which has suffered highly critical vulnerabilities, even if they have been patched, I am not in that camp. If a problem is fixed it is fixed, and the product is more secure as a result. Which means, if you want to use Secunia as a metric for measuring browser client safety, the losers are:
4th Microsoft Internet Explorer 7 (3 advisories, 100% unpatched)
3rd Apple Safari (5 advisories, 60% unpatched)
2nd Mozilla Firefox (2 advisories, 50% unpatched)
And the winner is:
Opera 9 (2 advisories, 100% patched)
Oh yes it is!