Software with fewer bugs is not necessarily less risky to use, according to a recent study conducted by the Honeynet Project.
The study analyzed client-side attacks in the wild using a list of about 300,000 URLs gathered during two weeks in May 2007 by automated client honeypots running in virtual machines. Older versions of the three major browsers for Windows -- Microsoft's Internet Explorer 6 SP2, Mozilla's Firefox 1.5.0, and Opera 8.0.0 -- were each used to browse the same subset, about 10 percent, of the sites. While researchers have disclosed about twice as many vulnerabilities for Firefox 1.5.0 as for Internet Explorer 6 SP2, the Honeynet Project recorded no successful attacks against Firefox. Internet Explorer 6 SP2, however, was compromised nearly 200 times.
While Internet Explorer 6 commands an overwhelmingly greater share of the market than Firefox 1.5 -- 45 percent versus less than 2 percent as of July 2007, according to Net Applications' Market Share report -- and is therefore the more attractive target, the researchers pointed to Mozilla's faster patching, as compared to Microsoft's, as the explanation for the discrepancy.
"Firefox is truly a moving target," the five authors wrote. Opera's browser had the smallest number of flaws and, like Firefox, was not compromised.
The survey's full list of 300,000 URLs belonged to about 150,000 hosts. Pornographic sites had the highest incidence of malicious pages, about 0.6 percent, but every category examined included some sites that could lead to compromise. Embedding a hidden iframe in a compromised or malicious page, so that the visitor's browser silently loads exploit code from a separate malicious server, has become a popular way of infecting systems; the MPack infection kit has used the method to infect a large number of systems.
The study also found that, although blacklists covered only about 12 percent of the malicious Web sites encountered, they still protected the browsers from exploitation, because the lists did block the small number of central exploit servers that actually deliver the malicious code to victims' systems. The researchers also found that patching is a very effective way to secure systems: a fully patched Internet Explorer 6 visited 2,289 malicious sites, and none of them managed to compromise the system.
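The two findings above fit together: the landing page is rarely on a blacklist, but the hidden iframe it carries points at one of a few central exploit servers, and those are the hosts that blacklists tend to cover. The following is an added example for this brief, not code from the Honeynet Project's study or from any blacklist vendor. It parses a page for iframes that are hidden by size or style, resolves their targets, and checks each hop against a domain blocklist. The sample page, the hostnames (hacked-site.example, exploit-host.example and the others) and the blocklist are all constructed for illustration. It only sees iframes present in the static HTML; iframes written by JavaScript at load time would need a rendering honeypot such as the ones the study used.

```python
"""Find hidden iframes in a landing page and check their targets against a
blocklist. Constructed example; every URL and hostname below is made up."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Style fragments commonly used to keep an iframe out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)


def _dimension(value):
    """Parse a width/height attribute such as '0' or '1px' into pixels.
    Percentages and unparsable values return None and count as visible."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the iframe is zero/one pixel in either dimension or its inline
    style hides it or pushes it off screen."""
    w = _dimension(attrs.get("width"))
    h = _dimension(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


class IframeCollector(HTMLParser):
    """Collect every iframe src, resolved against the landing page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.iframes = []  # list of {"src": absolute URL, "hidden": bool}

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        if not a.get("src"):
            return
        self.iframes.append({"src": urljoin(self.base_url, a["src"]),
                             "hidden": is_hidden(a)})


def find_hidden_iframes(html, base_url):
    parser = IframeCollector(base_url)
    parser.feed(html)
    return [f["src"] for f in parser.iframes if f["hidden"]]


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_listed(host, blocklist):
    """True if the host or any parent domain appears on the blocklist."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def analyze(landing_url, html, blocklist):
    """Report whether the landing page itself is listed and, for each hidden
    iframe target, whether the blocklist would stop that hop."""
    targets = find_hidden_iframes(html, landing_url)
    return {
        "landing_listed": is_listed(host_of(landing_url), blocklist),
        "hidden_iframes": [(t, is_listed(host_of(t), blocklist)) for t in targets],
    }


# Constructed landing page: one visible ad frame and three hidden frames, one
# of which pulls content from a (made-up) central exploit server.
SAMPLE_PAGE = """<html><body>
<h1>Free screensavers</h1>
<iframe src="http://ads.example.net/banner" width="468" height="60"></iframe>
<iframe src="http://exploit-host.example/mpack/index.php" width="0" height="0"></iframe>
<iframe src="/tracker.html" style="position:absolute; left:-5000px"></iframe>
<iframe src="http://stat.example.org/x" style="display:none"></iframe>
</body></html>"""

# Constructed blocklist: the compromised landing site is not on it, the
# exploit server is, which is the situation the study describes.
BLOCKLIST = {"exploit-host.example"}

if __name__ == "__main__":
    report = analyze("http://hacked-site.example/index.html", SAMPLE_PAGE, BLOCKLIST)
    print("landing page listed:", report["landing_listed"])
    for target, listed in report["hidden_iframes"]:
        print("hidden iframe ->", target, "(BLOCKED)" if listed else "(allowed)")
```

Run against the sample, the landing host is not listed, yet the one hidden iframe that reaches the exploit server is, so a browser whose traffic is filtered by this blocklist never receives the exploit even though it did load the compromised page. The domain match walks up parent domains so that `cdn.exploit-host.example` is caught by a listing of `exploit-host.example`.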
The latest versions of the browsers are Internet Explorer 7.0, Firefox 2.0, and Opera 9.23.
A nod to ZDNet's Zero Day blog.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos