Is the Firefox honeymoon over?
[Updated: 9/16/2005 7:22PM] Now that Firefox has become the first viable contender to Microsoft Internet Explorer in years, its popularity has brought some unwanted attention with it. Last week's premature disclosure of a zero-day Firefox exploit came only a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet. Firefox is not only logging more vulnerabilities per month than Internet Explorer; over recent months it has also overtaken Internet Explorer in the number of working exploits available for public download.
Update: A lot of people have complained that I didn't list the number of actual "in-the-wild" attacks against the two browser platforms. The problem with this theory is that they either didn't read the entire article or they don't understand what I meant by "published exploits" in the second chart in this blog. When I say published exploit, I mean a downloadable script or source code that can be used to attack real live browsers in the wild. These are not simple advisories that talk about certain theoretical exploits. Published exploits are basically freebies for professional hackers and script kiddies to use in the wild. Unpublished exploits have to be bought in the underground Internet and I don't list them here because I have no way of knowing how many there are. If anyone is wondering why I don't include any links to the exploit code, that isn't a mistake. It is our policy not to link to exploit code.
Here is a breakdown of recent vulnerabilities (March through September 2005):
| Month | Firefox 1.x vulnerabilities | IE 6.x vulnerabilities |
|---|---:|---:|
| Sept 2005 | 1 | 0 |
| Aug 2005 | 0 | 4 |
| July 2005 | 10 | 1 |
| June 2005 | 2 | 1 |
| May 2005 | 3 | 1 |
| Apr 2005 | 9 | 3 |
| Mar 2005 | 15 | 0 |
| Total | 40 | 10 |
Note that this is a count of individual vulnerabilities, not of advisories: a single advisory can cover several vulnerabilities, so the advisory count would be lower. The figures are raw counts and are not weighted by severity.
Here is a breakdown of recent published exploits (April through September 2005):
| Month | Firefox exploits | IE exploits |
|---|---:|---:|
| Sept 2005 | 1 | 0 |
| Aug 2005 | 0 | 3 |
| July 2005 | 4 | 1 |
| June 2005 | 0 | 0 |
| May 2005 | 4 | 0 |
| Apr 2005 | 2 | 2 |
| Total | 11 | 6 |
Note that I won't publish the links to these exploits here.
As you can see, the notion that Firefox is the cure for the Internet Explorer security blues is fading fast. It goes to show that any popular software worth attacking, if it has security vulnerabilities, will eventually have to deal with live, working exploits. Firefox mostly managed to stay under hackers' radar before April 2005; since then, new exploits have been released almost every month.