Vulnerability Trends


Web Browser Vulnerabilities

Background

Web browsers are now ubiquitous components of computing for both enterprise and individual users, on desktop and on mobile devices. Web browser vulnerabilities are a serious security concern because of their role in online fraud and in the propagation of malicious code, spyware, and adware. In addition, Web browsers are exposed to more potentially untrusted or hostile content than most other applications and are particularly targeted by multi-exploit attack kits.
Web-based attacks can originate from malicious websites as well as from legitimate websites that have been compromised to serve malicious content. Some content, such as media files or documents, is often presented in browsers via browser plug-in technologies. While browser functionality is often extended by the inclusion of various plug-ins, each added plug-in component also widens the potential attack surface for client-side attacks.

Methodology

Browser vulnerabilities are a subset of the total number of vulnerabilities cataloged by Symantec throughout the year. To determine the number of vulnerabilities affecting browsers, Symantec considers all vulnerabilities that have been publicly reported, regardless of whether they have been confirmed by the vendor. While vendors do confirm the majority of browser vulnerabilities that are published, not all vulnerabilities may have been confirmed at the time of writing. Vulnerabilities that are not confirmed by a vendor may still pose a threat to browser users and are therefore included in this study.

Data

This metric examines the total number of vulnerabilities affecting the following Web browsers:
  • Apple Safari
  • Google Chrome
  • Microsoft Internet Explorer
  • Mozilla Firefox
  • Opera

Figure D.10: Browser vulnerabilities in 2010 and 2011. Source: Symantec

Commentary

  • Chrome vulnerabilities dropped off dramatically in 2011. After a spike in 2010 (191), the number of documented vulnerabilities for the Chrome browser dropped to 62 in 2011, a level similar to previous years. One reason for the 2010 spike might have been the introduction of the bug bounty program and the rapid development of the browser in 2010.
  • For Firefox, Internet Explorer, Safari, and Opera, the number of reported vulnerabilities decreased marginally in 2011.
  • These five browsers combined had 351 reported vulnerabilities in 2011, a strong decrease from 500 in 2010. This decline can be attributed to the decrease in Chrome browser vulnerabilities. However, a decline in the number of reported vulnerabilities does not necessarily imply that risk levels have diminished; many Web-based attack kits will continue to exploit existing vulnerabilities and rapidly incorporate exploits for new vulnerabilities.