On 5/3/06, Marcus Meissner marcus@jet.franken.de wrote:
Number of konqueror affecting security problems in the last 2 years (by CVE entry): ca 10. Number of firefox security problems in the last 2 years (by CVE entry): ca 100.
(Just go to http://cve.mitre.org/cve/ and look for yourself.)
I wonder how much of that is due to the differences in popularity vs the differences in engineering? (a disturbing number of Firefox exploits are based on its platform features like XUL/XBL). Konq just isn't as interesting a target for security "researchers".
Safari has quite a lot of exploits available for it too and it's based on KHTML ....
One reason I hate Firefox.
I've just come to accept that web browsers are exploit-zones all round - their entire purpose in life is to download and manipulate extremely complex data structures and code from the net at high speeds. Pretty much a textbook case of where you'd expect to find security problems.
My dissertation is on splitting software into modules using a fast form of local RPC so they can be confined using AppArmor/SELinux .. the idea is you could try and split things like the renderer out of a web browser so it runs with no privileges (except perhaps minimal X server access). The architecture of Firefox, where the entire program basically runs inside the rendering engine, makes that rather tricky, but the same principles apply to things like image decoders.
thanks -mike