Codenomicon is a Finnish security company which is warning that all browsers are full of dangerous exploits.
Using a technique called "fuzzing," its software automatically generates malformed inputs and feeds them to a program to find potential exploits. It has high-level government and corporate contracts.
Codenomicon has just released the results of "fuzzing" the most popular web browsers available, and none of them come out well. Fanboys for Firefox, Opera, Safari and Chrome can stop bickering about which is more secure: they've all received a "bad" rating or worse.
In fact, Chrome performed the best in Codenomicon's fuzzing tests.
The HTTP, TLS and XML processing were all given robustness tests, though according to Codenomicon, TLS and XML are complex protocols and needed further work. It warns that in its robustness testing, there are absolutely no false positives: every exploit found should be treated as critical.
Of the browsers tested, none managed to pass all of the protocol tests. Codenomicon says this means there is serious room for improvement, not least in XML, where its fuzzers crashed three out of four browsers. Two also had HTTP vulnerabilities.
In the interest of browser security, the results are not individually named in the test.
Here's the whitepaper.
Codenomicon also tested Wireless Access Points, which you can find here.
Just a note to say we've requested updates and are waiting on a response.
"All web browsers suffer from terrible security"?
Really? They obviously didn't test all web browsers for this report, did they? Why, except in the case of Internet Explorer, they didn't even bother to test the most recent versions of the software they mentioned. Funny how you can make a report say anything you want, isn't it?
Based on the title "All web browsers suffer from terrible security", I'd say that this report is, at best, incompetently prepared or posted or, at worst, intended to deceive. Either way, the report is useless.
Below I'm listing the current versions of the software tested as of the date of this article. Please note that Mozilla just released a newer version of Firefox yesterday and I don't list it. The most current version of Firefox is now 3.6.14.
Chrome: (Tested 3.0.195.38) (Current: 9.0.597.107)
Opera: (Tested 10.10) (Current: 11.01)
IE 8: (Tested 8.0.7600.16385) (Current: Same)
Mozilla Firefox: (Tested 3.5.6) (Last: 3.6.13)
Apple Safari: (Tested 4.0.4) (Current: 5.0.4)
Unless you A: Have those old versions installed or B: Have not updated your operating system, this report has little value.
While the source for the below quote is Wikipedia, the information seems to jive with the company's own postings. Please let me know if it is not.
"Codenomicon is a private company founded in late 2001, and develops robustness testing tools (also called fuzzing tools) for manufacturers, service providers, government/defense and enterprise customers. The company raised venture money in the mid-2000s and has been profitable since 2008, with more than 40% growth in sales each year.[1]"
I wonder, is there a correlation between these kinds of reports and Codenomicon's growth in revenues?
The moral of the story is, don't believe everything you read!
James Carey
MCP, MCP+I, MCSE, A+, Net+, Compaq APS
Actually, you should consider that (responsible) security specialists won't release bugs to the public until the vendors have had enough time to fix them. So, actually it is better that there isn't any news where something current is broken, especially how they were broken.
So, being a responsible person myself, I won't confirm or deny whether or not the current web browsers are still vulnerable. But the moral of the story is, it is a good idea to test your software regardless of the current version.
It is great that the report still raises interest, because I think browser security is an important issue in product security, as today almost all products come with some sort of web clients. Thanks TechEye and all of you readers for really good comments!
I recall we chose the browsers based on how popular they were. Many browsers were left out. We are also aware that the security of many of these browsers has improved since then. Although doing a re-test of browsers is definitely interesting, I think we at Codenomicon will probably focus on testing new categories of products instead. These studies are something we do "just for fun", because we are curious about the results ourselves. Also, product comparisons like this do not really exist anywhere.
On our website you can submit requests for what products you want us to test next. You are most welcome to also contact us directly by email, Facebook, Twitter, or whatever means you prefer. ;)
Fuzzer efficiency is hard to measure with anything else except time to find a new zero-day vulnerability. So what we did was use a standard PC with one parallel fuzzer stream, i.e. probably a single virtual machine running the browser with scripts to automate user actions. Things that affect test execution time are the number of tests, time per test case, and recovery times after failure. As our tests probably were done in "first blood" technique, we probably just stopped testing after the first denial of service situation.
We only looked for crash level issues, and did not do any further analysis on what can be done with that crash. Most of our users are testers and developers, not hackers, so they don't usually want to spend any extra time in exploit analysis if they can spend the same time in bug fixing.
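The article's protocol robustness testing and the Codenomicon comment above (a single fuzzer stream, "first blood" stop at the first crash, time and test count as the efficiency metric, crash-level findings only) can be shown end to end on a small scale. The following is an added example, not Codenomicon's software and not anything from the report: a mutation fuzzer run against a toy XML-like tag parser in a fragile form (unhandled exceptions escape on malformed input) and a hardened form (every malformed input is rejected with a defined `ParseError`). The parser, the mutators, the `FuzzResult` record and the seed document are all constructed for this illustration; `reproduces` re-runs the crashing input on its own, which is the check that separates a real finding from a flaky one.

```python
import random
import time
from dataclasses import dataclass

# Added example, not Codenomicon's tool: a mutation fuzzer run against a toy
# XML-like tag parser in its fragile and hardened forms. All input is constructed.

MAX_DEPTH = 64          # nesting limit enforced only by the hardened parser

class ParseError(Exception):
    """The only exception a robust parser should raise on malformed input."""

def parse_fragile(data: bytes) -> int:
    """Toy parser returning max nesting depth. It trusts its input, so bad
    bytes escape as UnicodeDecodeError / ValueError / IndexError (crashes)."""
    text = data.decode("utf-8")               # UnicodeDecodeError on bad bytes
    stack, max_depth, i = [], 0, 0
    while i < len(text):
        if text[i] == "<":
            j = text.index(">", i)            # ValueError if no closing '>'
            tag = text[i + 1:j]
            if tag[0] == "/":                 # IndexError on empty tag "<>"
                stack.pop()                   # IndexError on unbalanced close
            else:
                stack.append(tag)
                max_depth = max(max_depth, len(stack))
            i = j + 1
        else:
            i += 1
    return max_depth

def parse_hardened(data: bytes) -> int:
    """Same grammar, but every malformed input is rejected with ParseError."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ParseError("invalid UTF-8") from exc
    stack, max_depth, i = [], 0, 0
    while i < len(text):
        if text[i] != "<":
            i += 1
            continue
        j = text.find(">", i)
        if j == -1:
            raise ParseError("unterminated tag")
        tag = text[i + 1:j]
        if not tag:
            raise ParseError("empty tag")
        if tag.startswith("/"):
            if not stack or stack[-1] != tag[1:]:
                raise ParseError("unbalanced close tag")
            stack.pop()
        else:
            if len(stack) >= MAX_DEPTH:
                raise ParseError("nesting too deep")
            stack.append(tag)
            max_depth = max(max_depth, len(stack))
        i = j + 1
    if stack:
        raise ParseError("unclosed elements")
    return max_depth

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-3 random byte-level mutations to a fresh copy of the seed."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and data:                  # flip one bit
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == 1 and data:                # delete one byte
            del data[rng.randrange(len(data))]
        elif op == 2:                         # insert one random byte
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == 3 and data:                # duplicate a slice
            a = rng.randrange(len(data))
            b = rng.randrange(a, len(data) + 1)
            data[b:b] = data[a:b]
    return bytes(data)

@dataclass
class FuzzResult:
    crashed: bool
    cases: int              # test cases executed before stopping
    seconds: float          # wall-clock time, the metric the comment describes
    exception: str = ""     # exception type that escaped the parser
    trigger: bytes = b""    # input that caused it, kept for reproduction

def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 1) -> FuzzResult:
    """One fuzzer stream, "first blood" style: stop at the first input the
    parser fails to handle with a defined ParseError."""
    rng = random.Random(rng_seed)
    start = time.perf_counter()
    for n in range(1, iterations + 1):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ParseError:
            continue                          # defined rejection, not a bug
        except Exception as exc:              # anything else is a crash-level issue
            return FuzzResult(True, n, time.perf_counter() - start,
                              type(exc).__name__, case)
    return FuzzResult(False, iterations, time.perf_counter() - start)

def reproduces(parser, data: bytes) -> bool:
    """Re-run a trigger on its own: a real finding crashes deterministically."""
    try:
        parser(data)
    except ParseError:
        return False
    except Exception:
        return True
    return False

SEED = b"<doc><item>hello</item><item>world</item></doc>"   # constructed seed

if __name__ == "__main__":
    for name, parser in (("fragile", parse_fragile), ("hardened", parse_hardened)):
        r = fuzz(parser, SEED, 200)
        print(f"{name}: crashed={r.crashed} after {r.cases} cases, "
              f"{r.seconds:.4f}s {r.exception}")
```

Run as a script, the fragile parser stops within the first few cases with a `ValueError`, `IndexError` or `UnicodeDecodeError`, while the hardened parser completes all 200 cases with nothing but `ParseError` rejections. Note that, as the comment says, the harness classifies only crashes: it records the escaping exception type and the triggering input, and leaves deciding what an attacker could do with that crash to a separate analysis step.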