Brian Krebs came across one of those websites throwing a battery of exploits at users and took a close look at its administration page. It lists seven exploits, the two most successful ones being for Adobe Reader and Java, followed by two Internet Explorer exploits. At the far end of the list two Firefox exploits can be found as well. From what I understand, only one Adobe Reader vulnerability was unpatched at that time, all other vulnerabilities have been fixed already. For example, the Java exploit targets a security hole that was closed in December 2008, the exploited Firefox vulnerabilities have been closed in Firefox 1.0.5 and 18.104.22.168 respectively.
So, were the bad guys successful exploiting these ancient vulnerabilities? Looks like it, the Java exploit and the exploit for a 2007 Internet Explorer issue caused quite a few infections. If we look at how the browsers “performed”, we see that roughly 17% of Internet Explorer users were infected. Not very surprising, the infection rate of Internet Explorer 6.0 users was almost twice as high as for Internet Explorer 7.0 users, the infection rate for Internet Explorer 8.0 was even lower then. Clearly, people still using IE6 are unlikely to keep up with patches.
What might be more surprising is the fact that other browsers aren’t that different. Chrome has an infection rate of 13%, Opera 21% (!), Safari 20%. None of these browsers was targeted directly by an exploit, each exploitation happened through plugins. While the numbers for Chrome and Safari aren’t statistically significant, Opera’s numbers are and seem to indicate that Opera users often consider themselves safe by using a minority browser and forget to update plugins. Side note: in a comment Brian links to a post indicating that an exploit targeting Opera is indeed part of this exploit pack. However, the vulnerability in question is so old that it apparently was never exploited which is why this exploit doesn’t show up in the list.
The numbers for Firefox are odd. According to the statistics, only 10 Firefox installations have been successfully exploited, four of those by using the ancient security vulnerabilities mentioned above (three Firefox 1.0 users and one Firefox 1.5 user). With the total number of Firefox visits way above 10,000 this gives an infection rate below 0.1% – makes no sense. While I would love to congratulate Firefox developers on a job well done, most infections happened through plugins and is somebody running Firefox 2.0 that likely to have up-to-date plugins installed? I discussed some possible explanations with Brian in the comments but the most likely still seems to be a programming error: either the exploit pack fails to run all exploits in Firefox or it fails to register a successful exploitation of a Mozilla-based browser. Anybody have a better explanation?
What’s the conclusion? If you ignore the strange Firefox numbers, it seems to make less difference these days which browser you run, browser vulnerabilities are no longer a top target. However, it is critical that you plugins are up-to-date. Firefox 3.6 helps here, Secunia’s Personal Software Inspector does as well. And going to Tools / Add-ons / Plugins and disabling all plugins that you don’t need keeps you even safer (I only have Mozilla Default Plugin and Flash enabled). Finally, sandboxing of plugins in the browser (out of process plugins) will hopefully eliminate a large part of the attack surface here (Chrome is already doing that, Firefox nightlies are testing that feature as well).