There's going to be more and more of these as browsers fully accept and cement themselves into their role as operating systems and inevitably expose more bare metal functionality.

The only way to stop it is to not use a browser that thinks it's an OS. That means not being able to use websites that use new OS features like web components, WebGL, etc. It means not using these features as a web dev unless you're forced into it by getting paid. Browsers that treat the web as a document instead of an application will have far, far fewer remote exploits.
This website seems to be a great resource in finding exploited zero days for each browser, but using it for any kind of security comparison is likely not a good idea. Generally, "number of CVEs" is a flawed comparison metric for almost every kind of question you're going to ask, and CVSS is not particularly good at matching severity in the sense that most people might care about it.
This suffers from the same flaws as most CVE statistics. You take some data that you have, assume it's a representative sample and then make some claims based on it. The problem is: it's not a representative sample.

If I understand this correctly, this is looking at CVEs where exploitation has happened as announced by the vendor. It's bad statistics, because you cannot assume all vendors treat these things equally (one vendor may be very open about known exploitations while another may try to hide stuff as much as possible). Creating such statistics also creates an incentive for vendors to be more secretive if such things happen, so it's not just bad statistics, it's also bad for security.
Chrome: 6, Firefox: 5, IE: 4, Safari: 7

I suspect sample sizes are too small to really make strong claims about which browsers are least/most exploited.
IMO the most interesting metric these days is bug price.

https://zerodium.com/program.html

Chrome bugs are currently selling for $500k and Firefox/Edge bugs are selling for $100k. It's kind of shocking that we got to this point, but for comparison, a full Chrome exploit sells for the same amount as a full exploit for IIS or Apache. Firefox and Edge sell for the same price as a full exploit in Wordpress.
Given the market share:

> edge 5.83%, IE 2.15%

It's not unexpected that people don't spend lots of time on IE 0days. I mean, Links was the least exploited one with 0 cases.
Another one to bookmark for heap corruption, use-after-free and type confusion coding error examples that expert C and C++ developers hired by top multinationals, with their PhD level recruiting processes, never make.
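Two of the bug classes named in that comment, use-after-free and type confusion, have well-known defensive coding idioms. The following is an added example (not code from the thread or from any browser project) showing both: a generational handle table so that a stale reference to a freed object is rejected instead of dereferenced, and a tagged union whose accessor checks the tag before reinterpreting the payload. All type and function names (`Session`, `Handle`, `session_get`, `Value`, `value_as_str`) are illustrative, not taken from any real code base.

```c
/* Added example: defensive idioms against use-after-free and type confusion.
 * All names here are illustrative; nothing is taken from a real browser. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* ---- Use-after-free: generational handle table ----
 * Callers hold a (slot, generation) handle instead of a raw pointer. Freeing
 * a slot bumps its generation, so any handle issued before the free no
 * longer resolves, even after the slot has been reused for a new object. */
#define NSLOTS 4

typedef struct { char name[16]; } Session;

typedef struct {
    Session *obj;       /* NULL when the slot is free */
    uint32_t gen;       /* incremented on every free */
} Slot;

typedef struct { uint32_t slot; uint32_t gen; } Handle;

static Slot table[NSLOTS];

/* Allocate a session; returns 0 on success and fills *h, -1 when full. */
int session_create(const char *name, Handle *h) {
    for (uint32_t i = 0; i < NSLOTS; i++) {
        if (table[i].obj == NULL) {
            table[i].obj = calloc(1, sizeof(Session));
            if (!table[i].obj) return -1;
            strncpy(table[i].obj->name, name, sizeof table[i].obj->name - 1);
            h->slot = i;
            h->gen = table[i].gen;
            return 0;
        }
    }
    return -1;
}

/* Resolve a handle; NULL if the slot was freed (or reused) since issue. */
Session *session_get(Handle h) {
    if (h.slot >= NSLOTS) return NULL;
    Slot *s = &table[h.slot];
    if (s->obj == NULL || s->gen != h.gen) return NULL;
    return s->obj;
}

/* Free a session; the generation bump invalidates every outstanding handle. */
void session_destroy(Handle h) {
    Session *s = session_get(h);
    if (!s) return;
    free(s);
    table[h.slot].obj = NULL;
    table[h.slot].gen++;
}

/* ---- Type confusion: tagged union with a checked accessor ----
 * The buggy form would return v->u.s unconditionally, so an integer payload
 * would be reinterpreted as a pointer. The checked form refuses instead. */
typedef enum { V_INT, V_STR } Tag;

typedef struct {
    Tag tag;
    union { long i; const char *s; } u;
} Value;

Value value_int(long i)        { Value v = { V_INT, { .i = i } }; return v; }
Value value_str(const char *s) { Value v = { V_STR, { .s = s } }; return v; }

/* Returns 0 and stores the string in *out on success; -1 if v is not a string. */
int value_as_str(const Value *v, const char **out) {
    if (v->tag != V_STR) return -1;
    *out = v->u.s;
    return 0;
}

int main(void) {
    Handle h;
    if (session_create("alice", &h) != 0) return 1;
    printf("live: %s\n", session_get(h)->name);
    session_destroy(h);
    /* Stale handle resolves to NULL instead of dangling memory. */
    printf("after destroy: %s\n", session_get(h) ? "still live (bug)" : "rejected");

    /* Reuse the slot; the old handle still must not resolve. */
    Handle h2;
    if (session_create("bob", &h2) != 0) return 1;
    printf("old handle after reuse: %s\n", session_get(h) ? "resolved (bug)" : "rejected");

    const char *s;
    Value n = value_int(42);
    printf("int as string: %s\n", value_as_str(&n, &s) == 0 ? s : "refused");
    session_destroy(h2);
    return 0;
}
```

The handle table is the same idea that sits behind generation-checked object references and quarantine in hardened allocators: the reference carries enough state to detect that the object it named is gone. The tagged-union accessor is the minimal form of the tag checks that JIT and DOM code rely on before treating a slot as a particular object type.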
Not sure if @hexatoms is reading this thread but some minor mistakes/typos:

- Many of the vendor advisory links are pointing to the wrong place (most of the Firefox ones and at least 2 of the IE ones to start).

- The starred note on Hardened IE says "4 out of the last 5" when it means "3 out of the last 4".
Wasn't CVE-2020-15999 a bug in Freetype, which Firefox also uses? Why isn't there a Firefox CVE on the list from the same time? Was the bug not exploitable in Firefox for some reason, or is this list just incomplete?

(Never mind that comparing counts of CVEs is a ridiculous way to compare security of products. CVE counts seem more indicative of the amount of research targeting the product than of the number of bugs in the product.)
Is there any reference that these are actually zero days, or are these just particular CVEs based on some other category? E.g. the sources/links do not indicate that these were actually used in the wild? There's no indication that these were not responsibly disclosed.
If anyone is thinking about remote browser isolation, please check out my open-source dual-licensed version at https://github.com/c9fe/ViewFinder
"The most exploited web browser is Safari"

And considering Safari is not by a long shot the most popular browser, what does this say about Apple?