Secunia 2007 report on web browsers security
The software security research firm Secunia recently published its 2007 Report, a summary of the state of software security during the past year. As usual with reports from security firms, though, it is inconclusive.
According to statistics reported in the web browser section, Firefox had the most reported vulnerabilities with 64, followed by Internet Explorer with 43, and Opera and Safari with 14 each.
For a more complete view, Secunia also reported that Firefox still has 3 unpatched out of 8 disclosed security bugs, while Internet Explorer has 7 unpatched out of 10 disclosed vulnerabilities. On time of exposure, disclosed IE vulnerabilities remained unpatched for an average of 173 days, while Firefox’s remained unpatched for 88: nothing to be too proud of, but an important advantage.
Then there’s the severity factor, or how bad it would be for a user if a particular vulnerability were exploited. To try to set a metric of current attack risk, I arbitrarily assigned 1, 2, 4 and 16 “severity points” to the severity levels Secunia used in its report (none, less, moderately and highly critical), then multiplied them by the number of days the bugs went unpatched to get an idea of how vulnerable each browser really was during 2007.

In this experiment, Firefox gets 876 risk points, far lower than Internet Explorer’s 2,684. Is this an accurate measure of each browser’s risk? Hardly, because I decided that a highly critical bug puts you at a risk four times higher than a moderately critical one does, which is of course arbitrary. I wish security firms like Secunia, which are in a better position to assess the risk, would lead an industry effort to quantify it and set a standard software risk index.
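As an added example, not part of the original post, the following Python implements the post's risk index (severity points multiplied by days unpatched, summed per browser) over constructed sample data. The browser names and the advisory lists are made up, and the second, linear set of weights is an assumption introduced only to show how much the ranking depends on the arbitrary choice of points that the paragraph above cautions about.

```python
from typing import Dict, List, Tuple

# Severity levels as named in the post, with the post's arbitrary point values.
POST_WEIGHTS: Dict[str, int] = {
    "not critical": 1,
    "less critical": 2,
    "moderately critical": 4,
    "highly critical": 16,
}

# Assumed alternative weighting (linear instead of roughly exponential), used
# only to demonstrate the sensitivity of the index to the chosen points.
LINEAR_WEIGHTS: Dict[str, int] = {
    "not critical": 1,
    "less critical": 2,
    "moderately critical": 3,
    "highly critical": 4,
}

# Constructed sample: one (severity, days unpatched) pair per unpatched advisory.
# These are NOT Secunia's figures; they exist only to exercise the code.
SAMPLE: Dict[str, List[Tuple[str, int]]] = {
    "browser_a": [
        ("highly critical", 120),
        ("moderately critical", 200),
        ("less critical", 300),
    ],
    "browser_b": [
        ("moderately critical", 400),
        ("moderately critical", 350),
        ("less critical", 100),
        ("not critical", 50),
    ],
}


def risk_index(advisories: List[Tuple[str, int]], weights: Dict[str, int]) -> int:
    """Sum of severity points times days unpatched, as defined in the post."""
    unknown = {sev for sev, _ in advisories} - weights.keys()
    if unknown:
        raise ValueError(f"no weight defined for severity levels: {sorted(unknown)}")
    return sum(weights[sev] * days for sev, days in advisories)


def rank_browsers(data: Dict[str, List[Tuple[str, int]]],
                  weights: Dict[str, int]) -> List[str]:
    """Browsers ordered from highest (worst) to lowest risk index."""
    return sorted(data, key=lambda name: risk_index(data[name], weights), reverse=True)


def ranking_is_stable(data: Dict[str, List[Tuple[str, int]]],
                      weights_a: Dict[str, int], weights_b: Dict[str, int]) -> bool:
    """True only if both weightings produce the same ordering of browsers."""
    return rank_browsers(data, weights_a) == rank_browsers(data, weights_b)


if __name__ == "__main__":
    for label, weights in (("post", POST_WEIGHTS), ("linear", LINEAR_WEIGHTS)):
        scores = {name: risk_index(advs, weights) for name, advs in SAMPLE.items()}
        print(f"{label:>6} weights: {scores} -> ranking {rank_browsers(SAMPLE, weights)}")
    print("ranking stable across weightings:",
          ranking_is_stable(SAMPLE, POST_WEIGHTS, LINEAR_WEIGHTS))
```

With the sample data, browser_a scores worse under the post's weights (one long-lived highly critical bug dominates) but better under the linear weights, so the ordering flips. That is exactly why the post calls the index arbitrary: until the weights are standardised, the index can rank two browsers either way.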
Regarding vulnerabilities related to browser plugins, ActiveX (Internet Explorer only) led by far with 339 vulnerabilities, followed by QuickTime with 35, Java 21, Flash 12, extensions (Firefox only) 6 and Widget (I guess this is Opera-only) 3.
According to the report, the number of ActiveX exploits may have spiked due to Month of ActiveX Bug, a web blog that aimed to raise awareness of ActiveX insecurity and released at least one vulnerability a day for a full month.
For complete details, read the full Secunia 2007 Report.

January 17th, 2008 at 7:55 pm
Nice article :)
but…
There are two typos in the article, in second paragraph:
“…Firefox had the most reported vunerabilties with 64, followed by Internet Explorer with 64, and Opera and Safari with 14 each…”
“vunerabilties” and second “64” should change:
“…Firefox had the most reported vulnerabilities with 64, followed by Internet Explorer with 43, and Opera and Safari with 14 each.”
January 18th, 2008 at 8:09 am
Omid, thanks for the corrections. I’ve updated the article.