Q&A Does more browser code = more potential exploits?

wat0114

Thread author
Apr 5, 2021
I'm curious how people feel about this. On Linux MX-21 I find total file sizes under two main directories for three browsers: Edge-beta, Google-chrome, & Firefox.
There are two main directories for each browser:
  1. Edge-beta: /opt/microsoft/ + /home/user/.config/microsoft-edge-beta/ = 377.5 MiB + 133.2 MiB = 510.7 MiB total
  2. Google-chrome-stable: /opt/google/ + /home/user/.config/google-chrome-stable/ = 270.3 MiB + 145.4 MiB = 415.7 MiB total
  3. Firefox: /opt/firefox/ + /home/user/.mozilla/ = 222.6 MiB + 55.7 MiB = 278.3 MiB total
Sorry to post Linux browser footprints, but this is the O/S I've been primarily using of late, although I'm sure the footprint differences between the browsers are most likely comparable on Windows. Anyway, you can see Edge beta is way out in front, google-chrome-stable not far behind, and Firefox way behind. Honestly, I'm quite alarmed at how humangous(sic) Edge-beta is.

Question: Do you feel a larger footprint - more code - results in more potential browser exploits? Does the "less is more" adage count in this case?
 

ForgottenSeer 92963

@wat0114

Yes, the average number of bugs is 20-30 per 1000 lines of code (kilo lines of code, short KLOC). The industry range is said to be between 5 and 50 per KLOC. The range is determined by the professionalism of the development and testing teams, the methods used and the support (testing/debugging) tools, and by the size of the workforce working on an application, the development platform and the programming language used. The only way you can really measure it is by looking at the reported vulnerabilities (but not all bugs are vulnerabilities and not all vulnerabilities can be exploited).

Google really has set the standard for using (automated) tools and embedding their methodology in their company culture (e.g. Google has gone so far as to promote their software design principles to corporate vision).

It is hard to say something about the real-world risk of a larger code footprint. Chrome, with its bug bounty program and large user base, is under more attack than for instance Mozilla. When you take the user base and the number of people working on Chrome versus Firefox, one has to conclude that Chrome does really well. So looking at the number of vulnerabilities/bug-fixes which are published does not tell everything, but on average (I have outdated data from before my retirement):
  • Chrome has 0.06/KLOC (reported) vulnerabilities
  • Firefox has 0.05/KLOC (reported) vulnerabilities
I think Firefox should do better now, because around 10% is programmed in Rust (which has better memory integrity protection than C++). It is a pity Firefox fired the people who were converting C++ to Rust. Microsoft, despite its reputation, also does reasonably well (their CRM has fewer reported bugs than Salesforce, Oracle and SAP) and, as I have often posted, on the Windows operating system Edge has 5 security advantages over Chrome.

Although I use Firefox on my phone (I don't do banking or buying on my phone), before switching to Firefox I would read this first: Firefox and Chromium | Madaidan's Insecurities
/K
 

silversurfer

Aug 17, 2014
Firefox and Chromium | Madaidan's Insecurities
Probably a few details have changed since the latest update (June 18th, 2021) of this blog post ;)
Important to consider: some of those people with accounts on GitHub are just self-proclaimed experts... Of course, I meant none of the software developers!

I agree about disadvantages like the sandboxing technology of the mobile versions of Firefox on Android and the limitations of Firefox on Linux, but it's another story on Windows. On Windows it makes a difference which AV offers browser protection against exploits and a Behavior Guard or BB to monitor suspicious file activity, so even Firefox users can be safe if they focus more on choosing a very good AV/AM.
However, it's a real fact that Edge became even more secure compared to Chrome, so a valid ranking in terms of security for browsers: 1. Edge, 2. Chrome, 3. Firefox
 

Moonhorse

May 29, 2018
Firefox is usually preinstalled, which makes me use it more than other browsers.

Firefox on Windows gets those small patches, like currently it's sitting at 96.0.2... but in Linux you're always at 96.0.0, 97, 98? which are endpoints.

I would not be worried about exploits on Linux, as long as you're using the newest version of the browser available.
 

ForgottenSeer 92963

@silversurfer

Agree, as I mentioned in this post: Firefox also is less under attack, has less code and has a slightly better exploit to KLOC ratio, and Firefox scores better on privacy features than Chrome and Edge and is a browser which can be configured in a minimalistic manner (that is why I use it on my mobile phone, it gives me the best user experience for my needs). So a purely technical comparison is unfavorable for Firefox (I think it will do better in real-world usage). As @Moonhorse mentioned, when my Xeon desktop still works in October 2025, I will be using Firefox on Manjaro. :)

I am disliking the bing-bling-bloat of Edge more and more (but still using it on Windows).
 

ticklemefeet

Jan 31, 2018
> @silversurfer
>
> Agree, as I mentioned in this post: Firefox also is less under attack, has less code and has a slightly better exploit to KLOC ratio, and Firefox scores better on privacy features than Chrome and Edge and is a browser which can be configured in a minimalistic manner (that is why I use it on my mobile phone, it gives me the best user experience for my needs). So a purely technical comparison is unfavorable for Firefox (I think it will do better in real-world usage). As @Moonhorse mentioned, when my Xeon desktop still works in October 2025, I will be using Firefox on Manjaro. :)
>
> I am disliking the bing-bling-bloat of Edge more and more (but still using it on Windows).

Are these scores with Edge set to default settings, Kees? Edge has some pretty strict settings for trackers, content and security that are very easy to choose.
 

ForgottenSeer 92963

> Are these scores with Edge set to default settings, Kees? Edge has some pretty strict settings for trackers, content and security that are very easy to choose.

Sorry, a No and Yes answer.

No, these stats are calculated per 1000 lines of programming code, so this applies to all code, no matter how a program is configured.

Yes, a vulnerability becomes a problem (an exploit) in the wild (real world) when it can be misused in a predictable and repeatable manner. Usually the default config is used for these staged attacks, otherwise it would be too complex for a hacker/malware writer to accomplish an intrusion (browser sandbox escape and/or elevation to admin rights). So yes, adding additional hardening could make a difference. As an example, just read @Andy Ful's posts to see how much ransomware would be stopped when using Simple Windows Hardening, Documents Hardening and Firewall Hardening with any premium brand antivirus (or ConfigureDefender set to high). My guess is that 99,9999999999999999999999% of home users would not notice any functional limitation or false positive by adding Andy's tools. I think this also applies to Edge hardening.
 

ticklemefeet

Jan 31, 2018
> Sorry, a No and Yes answer.
>
> No, these stats are calculated per 1000 lines of programming code, so this applies to all code, no matter how a program is configured.
>
> Yes, a vulnerability becomes a problem (an exploit) in the wild (real world) when it can be misused in a predictable and repeatable manner. Usually the default config is used for these staged attacks, otherwise it would be too complex for a hacker/malware writer to accomplish an intrusion (browser sandbox escape and/or elevation to admin rights). So yes, adding additional hardening could make a difference. As an example, just read @Andy Ful's posts to see how much ransomware would be stopped when using Simple Windows Hardening, Documents Hardening and Firewall Hardening with any premium brand antivirus (or ConfigureDefender set to high). My guess is that 99,9999999999999999999999% of home users would not notice any functional limitation or false positive by adding Andy's tools. I think this also applies to Edge hardening.

I do understand what you are saying about lines of code. I have pretty much used all browsers at one time and like Edge for my reasons. As you know, I do use other programs to help out. For instance, I have my Edge settings set to strict. When I am done with an Edge session, I completely close Edge because it is always running; I then use CCleaner to finish up things. For everything else, I use AppGuard with most LOLBins blocked in userspace. I then use VoodooShield and an application firewall (TinyWall). It seems to work for me and I don't notice any major problems setting Edge settings to strict.
 

Andy Ful

Dec 23, 2014
The main factors can be as follows:
number of exploited vulnerabilities ~ (language vulnerability) * popularity * (amount of code) / (patched BugBounties)