Why are there more browser vulnerabilities these days?

So far in calendar year 2014, Microsoft has fixed 215 vulnerabilities in Internet Explorer, with more coming out today. There have been security updates to Internet Explorer every month this year except for January.

Is this a bad thing? Is 215 a big number? That's really not clear, but it is clear that the number, frequency and severity of updates has increased. This may be the new normal. Here is some raw data and context:

The 147 of the 215 IE bugs this year (68.37 percent) were critical on IE 11 on Windows 8.x. One of the boilerplate lines in any good talk about security is that you should update to the most recent versions because they have fewer vulnerabilities than older ones and those they have are less severe. If that's true in 2014 it's a less impressive point than it used to be. In 2013 Internet Explorer was also updated frequently, but there were only 116 vulnerabilities fixed, 62 (53.45 percent) of which were rated critical on the most current browser/OS combination.

Update on 2:40pm ET: Today, Microsoft released another Cumulative Update for Internet Explorer addressing 17 vulnerabilities, six of which were critical on Internet Explorer on Windows 8.1.

You might ask what the situation is with other browsers. I didn't look at Firefox, as I don't consider them very important anymore. With Chrome the picture is quite murky. On the one hand, the Chrome Releases blog, so far this year, reports a total of 415 vulnerabilities fixed in the Stable Channel of Chrome, including 159 in the October 7 update to version 38.0.2125.101.

But Google's reporting is a mess compared to Microsoft's. You have to hand it to Microsoft for the structure and organization in their reporting. This is not just with respect to the published disclosures, but with the metadata that goes to WSUS and other patch management systems. You can tell a lot about those 215 Internet Explorer vulnerabilities, such as what versions they affect and what the severity is on different versions.

I can't tell you a whole lot about the vulnerabilities in Chrome. Google almost never publishes minor details or even meaningful ones like CVE numbers, unless there was a bug bounty on the vulnerability. In that case, they brag about it in the blog. The October 7 report is a good example of this: It lists 12 bounties paid for a total of $52,633.70. That's nice, and they include CVEs for those vulnerabilities, but that's still just 12 of the 159 vulnerabilities. The blog lists one more CVE for "[v]arious fixes from internal audits, fuzzing and other initiatives." Does this last CVE refer to more than one vulnerability? That's not clear. If you click the "159 security fixes" link in the blog, you get to a database of bug reports which are not very informative and don't include CVEs, at least not that I can find.

Incidentally, I contacted both Microsoft and Google about this story. Microsoft declined to comment and Google didn't respond.

Apple does give individual CVEs for each vulnerability and usually credits them, but they don't provide severity information. The numbers: In 2014, so far, Apple has fixed 82 vulnerabilities in Safari. In 2013 they fixed 59. So there's a general trend up there as well. I only looked at OS X for these numbers; Apple also haphazardly fixes the same Webkit bugs in iOS and other products on separate schedules.

And so it's unfair, but most of my research for this story focuses on Internet Explorer because I have a lot of data on it, less on Safari and very little on Chrome.

We've come to expect updates to Chrome every six weeks or so. These are automatic and not big news, so there is no obsessing over the number of vulnerabilities, particularly as Google doesn't necessarily say how many there were.

Another point worth making is that I believe there are cases where Google fixes something and so it's a Chrome fix, but Apple and Microsoft might call it an operating system fix. One example might be certificate management. Google gets some of these services from Windows when running on it, but has replaced some and supplemented them. To Microsoft fixes in Windows Crypto might be a Windows fix, not an IE fix. I don't think we're talking big numbers on this, but it's one of a few issues clouding the picture.

So why are the numbers up? Nobody's talking, but I think it reflects improvements in testing tools such as Google's MemorySanitizer (MSan), which detects uninitialized memory reads in C/C++ programs; recall Google's reference to "[v]arious fixes from internal audits, fuzzing and other initiatives." Microsoft, Google and third-party bug hunters also use tools like these for fun and profit.

And so yes, numbers are up and it's actually a good thing. All those bugs were always there; it's just that now testers are getting better at finding them. It might mean browsers will be harder to attack over time, but let's not get our hopes too high yet.