Surge in browser bugs this year, says Symantec

Hackers are hitting paydirt in their search for browser bugs.

According to Symantec Corp.’s twice-yearly Internet Security Threat Report, hackers found 47 bugs in Mozilla Corp.’s open-source browsers and 38 bugs in Internet Explorer (IE) during the first six months of this year. That’s up significantly from the 17 Mozilla and 25 IE bugs found in the previous six months.

Even Apple’s Safari browser saw its bugs double, jumping from six in the last half of 2005 to 12 in the first half of 2006. Opera was the only browser tracked by Symantec that saw the number of vulnerabilities decline, but not by much. Opera bugs dropped from nine to seven during the period.

And while Internet Explorer remained the most popular choice of attackers, no one is invulnerable. According to the report, 31 percent of attacks during the period targeted more than one browser, and 20 percent took aim at Mozilla’s Firefox.

“There is no safe browser,” said Vincent Weafer, senior director with Symantec Security Response. “If you’ve got a browser, make sure you’re configuring it correctly,” he added. “That’s a far better strategy than running some browser just because you haven’t heard of it.”

Part of the rise is due to the growing market for vulnerabilities, Weafer said. Legitimate companies such as 3Com Corp.’s Tipping Point and Verisign Inc.’ s iDefense pay for this information, and there is also a growing black market for exploits. “People are encouraged and getting money for finding vulnerabilities, so now you have more people looking,” said Weafer.

Browser bugs are also relatively easy to find and exploit, said Marc Maiffret, chief technology officer with eEye Digital Security Inc. “Everyone has realized that targeting the applications on the desktop is a better way to break into businesses and consumers and steal things than server flaws,” he said via instant message.

Businesses and consumers may both be targets, but home users are the victims in about 86 percent of all attacks, according to Symantec.

And the U.S. is the biggest source of online attacks, thanks to its large number of compromised machines with broadband connections, Weafer said. About 37 percent of all online attacks originate in the U.S., he said.

While there may have been more bugs in Mozilla than in IE, Symantec gave the open-source project high marks for its bug-fixing. On average, it patched bugs within one day of their public disclosure — the fastest turn-around of all measured browsers. Opera came in second, averaging two days. Safari was next, with a five-day window, followed by Microsoft, which averaged nine days per patch.

Microsoft may lag as a browser patcher, but when it comes to operating systems, the company leads the pack, according to Symantec. The slowest? Sun Microsystems Inc.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Stemming the tide of cybercrime

By: Derek Manky Technology continues to play a significant role in accelerating...

Power through a work-from-anywhere lifestyle with the LG gram

“The right tool for the right job” is an old adage...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now