
Vulnerability Trends


Web Browser Vulnerabilities

Background

Web browsers are now ubiquitous computing components for both enterprise and individual users. One study estimates that users typically spend more than 60 hours a month online, with most of that interaction occurring through a browser.1 Web browser vulnerabilities are a serious security concern because of their role in online fraud and in the propagation of malicious code, spyware, and adware. In addition, Web browsers are exposed to a greater amount of potentially untrusted or hostile content than most other applications and are particularly targeted by multi-exploit attack kits.2

Web-based attacks can originate from malicious websites as well as from legitimate websites that have been compromised to serve malicious content. Some content, such as media files, documents, or presentation formats, is often rendered in the browser by plug-in technologies. While plug-ins extend browser functionality, each added plug-in component also widens the potential attack surface for client-side attacks: a visitor to a hostile page is exposed to the vulnerabilities of every plug-in that page can invoke, not only those of the browser itself. For more on vulnerabilities specific to plug-ins, see the “Web Browser Plug-in Vulnerabilities” discussion in this report.

Methodology

Browser vulnerabilities are a subset of the total number of vulnerabilities cataloged by Symantec throughout the year. To determine the number of vulnerabilities affecting browsers, Symantec counts all vulnerabilities that have been publicly reported, regardless of whether the vendor has confirmed them. While vendors do confirm the majority of browser vulnerabilities that are published, not all had been confirmed at the time of writing. Vulnerabilities that a vendor has not confirmed may still pose a threat to browser users and are therefore included in this study. This metric examines the total number of vulnerabilities affecting the following Web browsers:
  • Apple Safari
  • Google Chrome
  • Microsoft Internet Explorer
  • Mozilla Firefox3
  • Opera

Data

Browser vulnerabilities, 2009-2010
Source: Symantec Corporation


Commentary

Chrome vulnerabilities rise significantly: During 2010, 150 more vulnerabilities were documented in Chrome than in 2009. One reason is that 2010 was a year of rapid development for Chrome, with nearly 20 stable versions of the browser released.4 Many security researchers, both inside Google and external to it, contributed to finding these issues. This is, in part, due to Google’s bug bounty program, in which researchers receive cash payments for responsibly disclosing security vulnerabilities.5 Google follows the same approach as Mozilla, which first began offering a bug bounty in 2004 to encourage security research into its browser engine.

Safari totals driven up by Google’s bug bounty: Safari was affected by 119 vulnerabilities in 2010, up from 94 in 2009. Safari was likely affected indirectly by the Google bug bounty program because the underlying rendering engine, WebKit, is shared by Chrome and Safari, so a WebKit flaw found by a researcher working on Chrome typically affects Safari as well. Apple released nine versions of the Safari browser with security-related updates in 2010, an increase from four in 2009.
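As an added illustration of the counting methodology described above and of the shared-engine effect noted for Safari (example code written for this page, not Symantec’s own tooling): the script below tallies publicly reported vulnerabilities per browser per year from a constructed, simplified CVE-style feed, keeps vendor-unconfirmed entries the way the methodology does, excludes products that are not one of the five browsers, and lists the records that end up in both the Chrome and the Safari totals because they name both browsers, as a WebKit flaw would. The record layout, the placeholder identifiers and the CPE vendor/product strings are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample records shaped like a simplified CVE/NVD feed entry:
# identifier, publication date, affected products as CPE 2.2 URIs, and whether
# the vendor has confirmed the issue. Identifiers are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    {"id": "VULN-0001", "published": "2009-05-12", "vendor_confirmed": True,
     "cpes": ["cpe:/a:webkit:webkit:532", "cpe:/a:google:chrome:4.0", "cpe:/a:apple:safari:4.0"]},
    {"id": "VULN-0002", "published": "2009-08-20", "vendor_confirmed": True,
     "cpes": ["cpe:/a:mozilla:firefox:3.5"]},
    {"id": "VULN-0003", "published": "2009-11-02", "vendor_confirmed": False,
     "cpes": ["cpe:/a:microsoft:internet_explorer:8"]},
    {"id": "VULN-0004", "published": "2010-01-15", "vendor_confirmed": True,
     "cpes": ["cpe:/a:google:chrome:5.0"]},
    {"id": "VULN-0005", "published": "2010-02-09", "vendor_confirmed": True,
     "cpes": ["cpe:/a:google:chrome:5.0", "cpe:/a:apple:safari:4.0"]},
    {"id": "VULN-0006", "published": "2010-06-30", "vendor_confirmed": False,
     "cpes": ["cpe:/a:apple:safari:5.0"]},
    {"id": "VULN-0007", "published": "2010-09-14", "vendor_confirmed": True,
     "cpes": ["cpe:/a:mozilla:firefox:3.6"]},
    {"id": "VULN-0008", "published": "2010-10-05", "vendor_confirmed": True,
     "cpes": ["cpe:/a:opera:opera_browser:10.6"]},
    # A plug-in issue: not a browser vulnerability under this metric, so it is not counted.
    {"id": "VULN-0009", "published": "2010-11-11", "vendor_confirmed": True,
     "cpes": ["cpe:/a:adobe:flash_player:10.1"]},
]

# (vendor, product) pairs as they would appear in CPE names, mapped to the five
# browsers in the methodology. The exact product strings are an assumption.
BROWSER_PRODUCTS = {
    ("apple", "safari"): "Apple Safari",
    ("google", "chrome"): "Google Chrome",
    ("microsoft", "internet_explorer"): "Microsoft Internet Explorer",
    ("mozilla", "firefox"): "Mozilla Firefox",
    ("opera", "opera_browser"): "Opera",
}


def parse_cpe(cpe):
    """Return (vendor, product) from a CPE 2.2 URI such as cpe:/a:vendor:product:version,
    or None if the string is not an application ("/a") CPE."""
    parts = cpe.split(":")
    if len(parts) < 4 or parts[0] != "cpe" or parts[1] != "/a":
        return None
    return parts[2].lower(), parts[3].lower()


def browsers_affected(record):
    """Set of browser names (from BROWSER_PRODUCTS) that a record lists as affected."""
    affected = set()
    for cpe in record["cpes"]:
        key = parse_cpe(cpe)
        if key in BROWSER_PRODUCTS:
            affected.add(BROWSER_PRODUCTS[key])
    return affected


def count_by_browser_and_year(records, include_unconfirmed=True):
    """year -> Counter(browser -> number of vulnerabilities).

    Unconfirmed reports are kept by default, matching the methodology; a record
    that lists several browsers is counted once against each of them."""
    counts = defaultdict(Counter)
    for record in records:
        if not include_unconfirmed and not record["vendor_confirmed"]:
            continue
        year = int(record["published"][:4])
        for browser in browsers_affected(record):
            counts[year][browser] += 1
    return counts


def year_over_year(counts, browser, earlier, later):
    """Change in the count for one browser between two years (missing years count as 0)."""
    return counts[later][browser] - counts[earlier][browser]


def counted_against_both(records, first="Google Chrome", second="Apple Safari"):
    """Identifiers of records that appear in the totals of both named browsers,
    e.g. a flaw in the shared WebKit engine reported against Chrome and Safari."""
    return [r["id"] for r in records if {first, second} <= browsers_affected(r)]


if __name__ == "__main__":
    totals = count_by_browser_and_year(SAMPLE_RECORDS)
    for year in sorted(totals):
        print(year, dict(totals[year]))
    print("Chrome change 2009->2010:", year_over_year(totals, "Google Chrome", 2009, 2010))
    print("Counted against both Chrome and Safari:", counted_against_both(SAMPLE_RECORDS))
```

Two properties of this tally are worth keeping in mind when reading the per-browser figures: a single engine flaw listed against several browsers raises each of their totals, so the Chrome and Safari numbers are not independent, and switching `include_unconfirmed` to `False` shows how much of a total rests on reports the vendor has not acknowledged.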

Firefox vulnerabilities drop off dramatically: There were 100 vulnerabilities documented in Firefox in 2010—a decrease from 169 in 2009. While Mozilla offers bounties to researchers for responsibly disclosed vulnerabilities, it appears as though Firefox has not been subject to the same scrutiny from researchers as in previous years. Symantec believes that this is due in part to the relative maturity and stability of the Mozilla engine and, as a result, that researchers may be focusing their efforts on easier-to-find vulnerabilities elsewhere.