Apple's Safari has more security vulnerabilities than Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer combined, according to a new report from Google's Project Zero.
Using an automated testing tool called Domato, Project Zero's Ivan Fratric analyzed the most popular desktop browsers and discovered two security vulnerabilities in Chrome, four each in Firefox and Internet Explorer, six in Edge and 17 in Safari.
The bugs were discovered by subjecting the browsers to about 100,000,000 iterations using Domato. Fratric notes that it "requires fuzzing at scale, but it is still well within the pay range of a determined attacker." The cost would be around $1,000 on Google Compute Engine, provided the necessary resources are kept in check.
The test setup for the five browsers is not identical, however. Fratric does not definitively say whether this influences the results, but he does mention that, for instance, Safari was not tested on Apple hardware -- although the bugs were verified against a nightly build of ASAN WebKit on a Mac. What's more, all the browsers are available on Windows, which would have proved to be an equal testing ground, but instead a combination of operating systems and tools was chosen, like Linux, Windows Server 2012 R2, WebKitGTK+ and ClusterFuzz.
Explaining the results of this test, Fratric says that "Apple Safari is a clear outlier in the experiment with significantly higher number of bugs found. This is especially worrying given attackers’ interest in the platform as evidenced by the exploit prices and recent targeted attacks. It is also interesting to compare Safari’s results to Chrome’s, as until a couple of years ago, they were using the same DOM engine (WebKit). It appears that after the Blink/Webkit split either the number of bugs in Blink got significantly reduced or a significant number of bugs got introduced in the new WebKit code (or both)."
The security researcher goes on to stress the fact that this test focuses on a single component of the browsers, namely their DOM engine, and, as such, does not reflect how secure they are as a whole. Still, it is an interesting test, as, according to Fratric, "DOM engines have been one of the largest sources of web browser bugs."