X
Business

Is the Firefox honeymoon over?

Firefox mostly managed to stay under the radar from hackers before April of 2005. Since that time, new exploits are being released almost on a monthly basis.
Written by George Ou, Contributor

[Updated: 9/16/2005 7:22PM]  Now that Firefox has become the first viable contender to Microsoft Internet Explorer in years, its popularity has brought with it some unwanted attention.  Last week's premature disclosure of a zero-day Firefox exploit came a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet.  Firefox not only has more vulnerabilities per month than Internet Explorer, but it is now surpassing Internet Explorer for the number of exploits available for public download in recent months.

Update:  A lot of people have complained that I didn't list the number of actual "in-the-wild" attacks against the two browser platforms.  The problem with this theory is that they either didn't read the entire article or they don't understand what I meant by "published exploits" in the second chart in this blog.  When I say published exploit, I mean a downloadable script or source code that can be used to attack real live browsers in the wild.  These are not simple advisories that talk about certain theoretical exploits.  Published exploits are basically freebies for professional hackers and script kiddies to use in the wild.  Unpublished exploits have to be bought in the underground Internet and I don't list them here because I have no way of knowing how many there are.  If anyone is wondering why I don't include any links to the exploit code, that isn't a mistake.  It is our policy not to link to exploit code.

Here is a break down of recent vulnerabilities:

MonthFirefox 1.x VulnerabilitiesIE 6.x Vulnerabilities
Sept 200510
Aug 200504
July 2005101
June 200521
May 200531
Apr 200593
Mar 2005150
Total4010

Note that this is not a count of the number of advisories because advisories can contain multiple vulnerabilities.  This is a count of the actual number of vulnerabilities.

Here is a break down of recent published exploits: 

MonthFirefox ExploitsIE Exploits
Sept 200510
Aug 200503
July 200541
June 200500
May 200540
April 200522
Total116

Note that I won't publish the links to these exploits here.

As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading.  It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits.  Firefox mostly managed to stay under the radar from hackers before April of 2005.  Since that time, new exploits are being released almost on a monthly basis.

Editorial standards