Security testing
Scanit offers penetration tests, vulnerability assessments and web application audits.
Learn ethical hacking.
Scanit offers 5-day training on ethical hacking.

A Year Of Bugs

Page 1 out of 5 Next page

Introduction

The Browser Security Test is an online automated check for multiple security vulnerabilities affecting Microsoft Internet Explorer, Mozilla, and Opera browsers. Currently it tests for 37 vulnerabilities. We have started the Browser Security Test in the beginning of 2003 an have been diligently collecting the statistics about the number of tests run, the vulnerabilities diagnosed and the browsers used. Now we decided to share it along with some observations on the browser vulnerabilities in general.

First of all we gladly notice that the Browser Security Test was steadily gaining popularity throughout 2004 as can be seen on the graph below. The big peak at the very end of the year is the result of the Browser Test being mentioned on Slashdot website.

Number of tests per day, year 2004

An interesting trend is the growing use of Mozilla browsers among the Browser Test visitors. Again the big green dip into Mozilla in the end of the year is due to visitors coming from Slashdot (who are notoriously Linux-minded, and hence more likely to use Mozilla).

Browser distribution chart

This might mean that Mozilla is becoming more and more popular. It may also mean that the Browser Test is becoming more known to people likely to use Mozilla, such as Linux users. On the other hand, as the graph below clearly shows, the majority of Mozilla users who visited the Browser Test run it on Windows, not on Linux or any other operating system.

The distribution of operating systems among Mozilla users

Since the goal of the Browser Test is to test for vulnerabilities, we can derive some idea of how safe or how vulnerable the browsers of our users generally are. This does not necessarily reflect the vulnerability levels of Internet population in general, because the Browser Test visitors are probably more likely to be security minded. The graph below illustrates the percentage of sessions that resulted in finding at least one high, medium or low risk vulnerability, or no vulnerabilities at all.

Vulnerability level distribution

The biggest dips into the red happen to coincide with unpatched vulnerabilities in Internet Explorer. Once a patch is available a sizeable portion of the users applies it immediately, while the rest proceed to patch in what looks approximately like a logarithmic curve. The last two dips correspond to bugs for which the patches were immediately available. Again we see a slow but steady patching rate. Still, about 20% of the user population remains unpatched no matter what.


Page 1 out of 5 Next page