Remember some 10 years ago, when the web browser market was stagnating? Thankfully, those days seem to be long gone now, thanks to a rather intensive competition fostering innovation. A real bliss for the end users, now facing a relatively wide offer of (all free) browsers – the five most popular being: Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Google Chrome and Opera.
Yet, the market shares of those are tremendously different:
The September 2009 trends from AT Internet Institute (taken from 23 European countries – see above), show that Microsoft Internet Explorer, albeit still predominant, is losing some market share despite the release of version 8 in March. Meanwhile, Mozilla is nibbling some shares, slowly but surely (version 3.6 is planned to be released at the end of the year), and is even the leader in East European countries like Slovakia and Hungary.
Beyond those two giants, gobbling an aggregate 90.4% of browser market shares, Safari may owe its third place to the latest version (4.0) being available on Microsoft Windows, and also to the good sales of Apple. But how long it is going to resist the seemingly ineluctable Google Chrome ascension is almost a rhetorical question. Indeed, Google’s offspring (now already at its version 3.0) has simply doubled its market share since March 2009. And the near release of ChromeOS, Google’s “Cloud-oriented” operating system with Chrome at its very core, is probably not going to curb that spike.
Down the roster, Opera shares remain stable; our personal – hence subjective – feeling here in the lab is that it’s somehow a shame that this software is not more widely adopted (which has some “good” side effects, however – see below), as we feel it has always been top-tier material in terms of innovation and speed.
Now, how does this translate in terms of security? Are some browsers more secure than others?
This is a tough question to solve, for the answer widely depends on what one means by “secure.” Above all, we think that one must distinguish between intrinsic security, and effective security.
- Intrinsic security tells how secure a browser (or another piece of software) is from a programmer's perspective, that is to say, how many programmatic and conceptual bugs leading to exploitable flaws exist in the browser. We can’t measure this: indeed, if all bugs were known a priori, programmers would fix them prior to the release! The closest metric we can think of to evaluate intrinsic security is perhaps the number of published exploitable flaws for each browser (or the rate at which they are published, so as to not penalize older browsers). This is of course a very imperfect metric, since the vulnerability discovery rate also depends on the motivation of vulnerability researchers; for instance, there are more researchers interested in finding vulnerabilities in IE on MS Windows than in, say, Amaya on Solaris.
Q3-Q4 2008:
IE: 43%
Mozilla: 39%
Opera: 10%
Safari: 8%
Q1-Q2 2009:
Mozilla: 44%
Safari: 35%
IE: 15%
Opera: 6%
In a nutshell: IE drops (thanks to IE 8?), Safari rises (because of the release on MS Windows?), and Opera stays low.
- Effective security tells how often a browser is likely to be targeted (and thus successfully exploited if, by any chance, not up-to-date with vendor patches) when navigating the interwebs. Indeed, cybercriminals only implement a portion of the vulnerability exploits mentioned above in their malicious web pages. As you may have guessed, they tend to do that mostly for popular browsers… For instance, let’s consider a recent exploit pack used by cybercriminals as ammunition for their malicious web servers (typically in a drive-by install scenario: the web-server silently installs malware on visitors’ systems via their vulnerable browsers). The pack is called Eleonore Exp and is sold for $700 in the underground; it contains the following exploits:
IE7 Memory Corruption MS009-02
Telnet – Opera
Font tags – FireFox CVE-2009-2477
DirectX DirectShow MS09-032 (activex)
Spreadsheet MS09-043 (activex)
Here, 60% of exploits target IE (which, interestingly, is also the market share displayed by IE in Figure 1).
Our advice: keep your browsers up to date with vendor patches, and prefer good yet exotic browsers. We know of one. ;-)
Guillaume Lovet contributed to this post

