Symantec has released its latest Internet Security Threat Report that provides a fair amount of information on the status of Internet security.
According to the report, Mozilla-based browsers (including Firefox) account for the largest share of documented vulnerabilities, whether or not acknowledged by the vendor, with a whopping 88 flaws (19 medium severity, 69 low), four times the number reported for Safari. Internet Explorer follows with 18 and Opera trails with only 12.
However, according to the Mozilla Foundation Known Vulnerabilities page, 22 security flaws were addressed between Firefox 2.0.0.5 and 2.0.0.11, the updates released in the July – December 2007 time frame covered by the report. Secunia reports exactly the same number (after expanding its Multiple Vulnerabilities advisories), so I don’t know how Symantec gets from 22 to 88, as the report doesn’t explain its source.
One possible explanation is double counting. The report refers to Mozilla-based browsers, not Firefox alone, so it could be counting vulnerabilities in Firefox along with the same vulnerabilities as they occur in the other Gecko-based browsers: SeaMonkey, Flock and Camino. That would explain a lot, but it also means the report is stupidly misleading.

But vulnerability counting (or double counting) is just half of the story. Another important risk factor is how long users stay exposed to documented vulnerabilities. According to the report, Internet Explorer users were exposed to these vulnerabilities for eleven days on average, while users of Mozilla-based products were exposed for only 3.
Here, Safari leads the pack with less than one day.
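To make the two figures discussed above concrete (the suspected double counting across Gecko-based browsers, and the window of exposure), here is an added Python example; it is not from the post or from Symantec’s report, and its advisory records, product lists and dates are constructed sample data, not real Mozilla or Secunia advisories.

```python
from collections import defaultdict
from datetime import date

# Constructed sample advisories (NOT real Mozilla/Secunia identifiers): each
# advisory lists every Gecko-based product it applied to, plus the dates the
# flaw was publicly documented and when a fixed build shipped.
ADVISORIES = [
    {"id": "ADV-1", "products": ["Firefox", "SeaMonkey", "Camino", "Flock"],
     "disclosed": date(2007, 7, 17), "fixed": date(2007, 7, 18)},
    {"id": "ADV-2", "products": ["Firefox", "SeaMonkey"],
     "disclosed": date(2007, 9, 10), "fixed": date(2007, 9, 18)},
    {"id": "ADV-3", "products": ["Firefox"],
     "disclosed": date(2007, 11, 26), "fixed": date(2007, 11, 26)},
]


def per_product_counts(advisories):
    """Count each advisory once per affected product (the inflating method)."""
    counts = defaultdict(int)
    for adv in advisories:
        for product in adv["products"]:
            counts[product] += 1
    return dict(counts)


def summed_count(advisories):
    """Sum the per-product figures: what a 'Mozilla-based browsers' total
    yields if one Gecko flaw is tallied again for every product shipping it."""
    return sum(per_product_counts(advisories).values())


def unique_count(advisories):
    """Count distinct advisories, so one engine flaw is one vulnerability."""
    return len({adv["id"] for adv in advisories})


def mean_exposure_days(advisories):
    """Average window of exposure: days from public documentation to fix."""
    windows = [(adv["fixed"] - adv["disclosed"]).days for adv in advisories]
    return sum(windows) / len(windows)


if __name__ == "__main__":
    print("per product:", per_product_counts(ADVISORIES))
    print("summed:", summed_count(ADVISORIES), "unique:", unique_count(ADVISORIES))
    print("mean exposure (days):", mean_exposure_days(ADVISORIES))
```

With these three constructed advisories the summed figure is 7 while only 3 distinct flaws exist, which is the kind of gap a per-product tally produces.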

On the browser plugin front, ActiveX is responsible for 79% of all plugin-related vulnerabilities, followed by QuickTime (8%), Java (5%) and Flash (5%). Interestingly, Mozilla extensions, with only one vulnerability, have disappeared as a significant source of security flaws. We should keep in mind that Firefox extension usage is tiny compared to the ubiquitous Flash and Java.
The Adobe Reader plugin has also dropped off the list, and Windows Media Player has entered with a fair 2%, something you may want to keep in mind.

While Mozilla can’t redistribute the actual plugins due to license restrictions, I wish it could at least notify users through its current AUS platform when a new plugin version is available.
In the meantime remember to keep your plugins (such as Flash) up to date.
The report concludes (page 36):
The growth in browser market-share for browsers such as Mozilla Firefox is a driving factor in the increased attention by security researchers. However, this does not necessarily result in more attack activity in the wild. Although Internet Explorer was subject to fewer vulnerabilities that are inherent to the browser in comparison to Mozilla, exploit activity in the wild indicates that it is still the gateway for third-party vulnerabilities affecting ActiveX and other browser plug-in technologies.
Also,
The release of Internet Explorer 7 included security enhancements to limit the exploitation of ActiveX vulnerabilities; however, this has not appeared to have reduced the prevalence of ActiveX vulnerabilities. This may be a measure of the effectiveness of these security enhancements or it may indicate that many at-risk users have not upgraded to Internet Explorer 7.
[...] » Internet Security Threat Report Volume XIII: April, 2008 (PDF), Mozilla Links » Handle with care: Symantec on web browsers security, Ars Technica » Report: Microsoft fastest to issue OS patches, Sun [...]
[...] Symantec on web browser security, April 16th, 2008 − Сумы.biz. In its latest Internet Security Threat Report, Symantec’s specialists counted 88 flaws in Firefox (19 of them serious and 69 minor), while only 19 were found in IE, 22 in Safari, and 12 in Opera. At the same time, the Mozilla Foundation knows of a far smaller number of vulnerabilities, many of which were fixed long ago. Mozilla representatives believe that this figure is not real and arose from double counting (that is, by including the vulnerabilities of all browsers built on the Gecko engine). At the same time, the report made no mention of how quickly vulnerabilities are closed: the average “reaction time” to a vulnerability is 3 days for Firefox, whereas for Internet Explorer the figure averages 11 days. The report [...]
It is in Symantec’s better interest to whip up FUD to appear as experts. They’ve become masters of it over the last 10 years — especially since they’ve lost much of their credibility. Regrettably, neophytes don’t know this and they get sucked into the trap.
Numbers lie and liars use numbers.
We can talk about the safety of web browsers as much as we like. But Symantec has done nothing similar to check HTTP traffic in its corporate products. Safety? Well, well.
Symantec never did produce good (accurate) reports on browser vulnerabilities …