For most people, their web browser is central to their interaction with the Internet, connecting to global web sites and helping them consume online services providing everything from booking flights to banking services to online shopping. This reality makes browsers a key tool when evaluating the security experience of users as the browser interprets Web content and programs delivered from around the world.
Over the past few years, there has been much discussion of the need for improvements in browser security, but few hard data studies performed to support assertions concerning the security of available browsers.
I've just finished up and posted for download a vulnerability analysis of Internet Explorer and Firefox, including fixed and unfixed vulnerabilities, that covers roughly the past three years since Firefox first released.
As usual for these, I want to post one chart as a teaser to get you to go look at the full report. In this case, I'm choosing one that looks at alternative upgrade paths. Let's say you deployed Firefox 1.0 and then Firefox 1.5 came out - did you upgrade immediately or did you wait until support for Firefox 1.0 was ending? (... or maybe you're still using 1.0... tsk tsk) Same question for 2.0. Take a look at this chart:
This chart looks at four cases starting back in the Autumn of 2004:
- Firefox 1.0 users that upgraded to 1.5 and 2.0 immediately
- Firefox 1.0 users that upgraded only when support ended
- IE 6 SP2 users that upgraded to IE 7 immediately
- IE 6 SP2 users that did not upgrade to IE 7