
What percentage of known security bugs in browsers are actually fixed?

January 30, 2007

Well, if you’re using the Opera browser, then 100 percent of the reported security bugs/vulnerabilities were fixed. In fact, Opera is the only browser (among the big ones – Internet Explorer (IE), Firefox, and Safari) to have patched 100% of its known security bugs, according to Secunia, a site that tracks security vulnerabilities in various applications.

Ben Buchanan, on his blog, wrote about this a couple days ago. He compared the patch rate on security bugs in the four major browsers (IE, Opera, Firefox, and Safari).

Browser patches between Feb 2003 and Jan 2007:

  • IE6 – 67% patched (out of 110 reported bugs).
  • IE7 – 25% patched (out of 4 reported bugs).
  • Firefox 1 – 87% patched (out of 39 reported bugs).
  • Firefox 2 – 50% patched (out of 4 reported bugs).
  • Opera 8 – 100% patched (out of 15 reported bugs).
  • Opera 9 – 100% patched (out of 3 reported bugs).
  • Safari 1 – 93% patched (out of 15 reported bugs).
  • Safari 2 – 33% patched (out of 6 reported bugs).

Here are some snippets from the blog’s conclusion:

“Well, one clear thing is that Opera is the only vendor with a 100% patch record according to Secunia. Opera is also the only vendor that maintained its patch rate between versions – in fact you have to go back to Opera 6 to find an unpatched advisory (and there’s only one).”

“So at this time Opera wins the patch stakes. The argument can be made that Opera attracts fewer attacks due to small marketshare. That could be true – there’s no way to truly know, since malicious hackers aren’t polled – but when I’m doing my banking I don’t care if it’s true. I just care that my browser is secure; and Opera currently has the best record for fixing security issues.”

These results clearly show that Opera stays on top of security. The big question, however, is whether Opera users are updating their browsers with the newest security patches.

Most of the people who visit Opera Watch use the latest versions of Opera — some, like myself, even use the latest weekly builds of the browser. (If you haven’t noticed yet, you can see for yourself which browsers people use to comment on the blog posts here.) But obviously the Opera users who visit my blog don’t represent the typical Opera user. Most of the visitors here are tech savvy and stay updated with Opera news. What about the millions of other Opera users who don’t read Opera Watch? 🙂

Last year Opera added the functionality to the browser to alert the user of a newer available version (yes, Opera had it before Firefox did). This was a step in the right direction, but as I’ve mentioned many times before, there’s much more that needs to be done.

I would like to see an Update Manager in the browser (Read: Where is Opera’s Update Manager?), where it will automatically download and install (with the user’s consent) all updates, just like Microsoft does with Windows Update. Firefox already has this; I wish we would too.

It would make it much easier for non-savvy computer users to upgrade Opera. In addition to that, I bet many of you would have an easier time telling your non-techie friends to install Opera, if you knew the updates would be done automatically. This is something that has been bothering me for some time already.

Last year I installed Opera on my grandmother’s computer; she recently told me about the window that keeps popping up every so often telling her an update to Opera is available. She always clicks “no” to the question of whether she should “manually” download the update. Had there been an option in Opera to auto-update, I would have done that for her – she wouldn’t even know that Opera is updating.

If you’re not using the latest version, what are you waiting for? Get the latest version of Opera. Now!

(Tip: To check whether you’re using the latest and greatest version of Opera, in the menu bar click on ‘Help’ and then click on “Check for updates”.)

  1. January 30, 2007 at 12:42 pm

    “Last year Opera added the functionality to the browser to alert the user of a newer available version (yes, Opera had it before Firefox did).”

    Just a correction: Firefox has had update notification since version 1.0, or possibly earlier. It would display an icon in the menu bar indicating that an update was available, and clicking on it would download the installer. So that goes back at least to November 2004. This was replaced with the automatic updater in Firefox 1.5 (November 2005).

    Looking at the Opera changelogs, I see update notification was added in version 8.0, released in April 2005.

  2. January 30, 2007 at 12:47 pm

    Kelson, thanks for the correction. I was always under the impression that Opera had it first. I didn’t know about the icon in FF 1.

  3. Nike
    January 30, 2007 at 12:57 pm

    Firefox’s update thingy just downloads the installer, and does a silent install with it. So it’s not a big thing.

  4. January 30, 2007 at 1:36 pm

    Daniel: You’re welcome!

    Nike: you’re thinking of the old update notification system (or else you only use Firefox once every four months or so). The updater in Firefox 1.5 and later downloads a binary patch, which is a lot smaller than the full installer, installs it, saves the current session and offers to restart the browser. It only grabs the full installer if you’ve skipped an update.

  5. January 30, 2007 at 1:43 pm

    Do you know that I’ve in the stats of my site a 10.5 version of Opera 😉 ?

    Surely someone (ab)using UA spoofing…

  6. January 30, 2007 at 1:52 pm

    Romain: here is an Opera employee using Opera 10.5 to comment on this blog. 🙂

  7. January 30, 2007 at 5:00 pm

    Just a bug in peregrine where the ua string has gone mad 🙂

  8. Alex Bishop
    January 30, 2007 at 5:15 pm

    Kelson said: “The updater in Firefox 1.5 and later downloads a binary patch, which is a lot smaller than the full installer, installs it, saves the current session and offers to restart the browser.”

    Actually, that’s not quite right. It downloads the binary patch (optionally prompting before it does this but by default it’s silent) in small chunks (to avoid interfering with browsing too much). Then it asks to restart. If the user accepts, it saves the current session, shuts down, starts up again, installs the update and then restores the session. If the user declines, the update will be installed when they next start Firefox. (It’s implemented so that Firefox checks if it has an update to apply whenever it starts.)

    “It only grabs the full installer if you’ve skipped an update.”

    There was a plan to keep a library of patches for several recent versions (so as well as, say, 1.5.0.3 to 1.5.0.4, there would also be 1.5.0.2 to 1.5.0.4 and 1.5.0.1 to 1.5.0.4) but that was never done.

    It will download the full installer if the patch update fails to apply (which, as I recall, is quite annoying as you have to sit there waiting for it to download before you can do anything else – better than leaving a broken install though).

  9. Darken
    January 30, 2007 at 5:44 pm

    @ Olli : Is it a bug? >> «Posted by Olli using Opera 9.20» 😀

  10. Dante
    January 30, 2007 at 9:42 pm

    If you’re not using the latest version, what are you waiting for? Get the latest version of Opera. Now!

    Stop shouting at your grandmother.

  11. January 30, 2007 at 10:29 pm

    Glad you liked the article 🙂

    I definitely think an update manager would make life easier for Opera users – especially for users like your grandmother, who just don’t want to be hassled with such things.

    I suspect there’s a certain level of overload – these days even my printer drivers ‘phone home’ for updates. It gets to the point where everything’s just another bit of work and people put it off even if they know they shouldn’t.

  12. January 31, 2007 at 12:03 am

    Dante, hehe 🙂

  13. Nathan
    January 31, 2007 at 2:36 am

    An update manager would be nice indeed… I always asked myself why Opera didn’t have one…

    I’m happy that Opera is the safest browser around, though… but people like any grandmother are nothing with the latest updated version, if they don’t have it, because they can’t/don’t want to do it manually!

  14. January 31, 2007 at 10:20 am

    I had an e-mail account with Opera. When I logged in it was almost full of someone else’s mail.
    I told them time after time; their reply was “are you sure it’s not yours?” That is stupid, I said, go in, look at the dates and compare to when I opened my account. And nothing against gay people but a lot of it was from gay websites. Mine, not in a million years. They just ignored my request for months. So I opened an account with a new password and it was fine, no mail. The first password was so that there is no way we both had the same password so it had to be a bug just because we were both named Barry.

  15. Kc4
    February 1, 2007 at 6:36 pm

    :p Only a handful of bugs as well!
