Application security vendor Cenzic released a report today highlighting Mozilla Firefox as the most vulnerable web browser based on vulnerability count. Problem is, counting vulnerabilities is pointless. In fact, it's worse than pointless: it can lead us to draw false conclusions.
Sure, the report makes interesting reading, highlights of which are:
78 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers, Plugins and ActiveX, which is a significant increase from last year.
Of Web browser vulnerabilities, Firefox had the largest percentage, at 44 percent. Safari vulnerabilities came in at 35 percent, significantly higher than even Internet Explorer.
Sun Java, PHP, and Apache continue to be among the Top 10 vendors having the most severe vulnerabilities for the first half of 2009.
Problem is, the information you get from a vulnerability count is next to pointless. Why? Because it's a weak metric thrown around by people who put too much faith in numbers. Let me give you an example.
Let's say you give me a gold coin to look after. Which would bother you more: the fact that I left your coin in an unlocked car on the side of the road, or unlocked in a secure compound surrounded by security cameras and attack dogs? In both of these situations there's only one big security vulnerability, but the two situations are far from equal.