backtop

Print E-mail del.icio.us 101 comment(s) - last by walk2k.. on Dec 19 at 11:11 PM
The good old FF browser gets little love when it comes to security

Firefox has its plate full when it comes to security.  It has grown a substantial enough market share to place it in a strong second after Microsoft.  This gives it a high profile and leaves it a desirable target to be exploited by hackers and malware writers.  Worse yet, it has less money to fund security efforts that Microsoft, and according to some experts, less focus as well.

While small market share browsers like Opera and Chrome have built a reputation on their security (with Safari, being a noticeable exception, have a reputation for insecurity), Firefox continues to plod along in a day to day fight, trying to remain a secure platform while dealing with the challenges of browser celebrity.

Perhaps for this reason, Bit9, an application whitelisting firm that helps employers block employee access to certain apps, placed Firefox on the top its list of most vulnerable apps.  The remaining spots on the list were filled out with more familiar names, with two through twelve respectively being: Adobe Flash & Acrobat; EMC VMware Player, Workstation, and other products; Sun Java Runtime Environment; Apple QuickTime, Safari, and iTunes; Symantec Norton products; Trend Micro OfficeScan; Citrix products; Aurigma and Lycos image uploaders; Skype; Yahoo Assistant; and Microsoft Windows Live Messenger.

The Bit9 study looked at several factors in ranking vulnerability.  One factor was how popular the applications were.  Another factor was how many known vulnerabilities existed, and how severe they were.  Lastly, it looked at how hard patching was for the particular application.

In order to make the list, programs hand to run in Windows and not be centrally updatable via services such as Microsoft SMS and WSUS.  Many say that the survey was unfair to Apple products because it kept easier patched Microsoft applications off the list.

In some ways, though Bit9's list is a useful benchmark.  It aptly points out that many networks have Firefox installations running on machines, without the system administrator being fully aware of the instance of these installs.  Thus, despite the fact that most of the vulnerabilities looked at have been patched, the installs may not receive these patches immediately, until the employee upgrades to the next edition of the browser.

The study's conclusions only marginally apply to the consumer market.  However, when it comes to the business market, the study argues that picking or allowing employees to run Firefox, even with its security plug-ins, is a ticket to the IT danger zone as malware increasingly targets application layer targets such as Firefox.

Comments     Threshold


This article is over a month old, voting and posting comments is disabled
vulnerabilities
By Screwballl on 12/12/2008 4:08:02 PM , Rating: 4
So they look at FF2 based security problems and automatically associate them with FF3... this is why I take these type of stories with a grain of salt.

It is not the application that is the problem, it is the uneducated users going places with these applications that they shouldn't...

Dumb 0xiD10T error codes




RE: vulnerabilities
By LumbergTech on 12/12/2008 4:20:28 PM , Rating: 4
adblock plus, noscript

/end story


RE: vulnerabilities
By Webreviews on 12/12/2008 4:28:14 PM , Rating: 1
Couldn't agree more.

ABP, NS, FTW!


RE: vulnerabilities
By japlha on 12/12/2008 4:51:38 PM , Rating: 3
I'd add flashblock to the list too.


RE: vulnerabilities
By Etsp on 12/13/2008 1:24:08 AM , Rating: 3
What does flashblock do that NoScript doesn't? By default, noscript blocks flash...does flashblock have more functionality in this regard?


RE: vulnerabilities
By omnicronx on 12/13/2008 1:29:59 AM , Rating: 2
I dont think they work the same way, flashblock you just blocks each individual piece of flash content until you press the play button in the middle of the corresponding flash file, doesnt NoScript just block out an entire page completely until you allow the entire site?


RE: vulnerabilities
By AnnihilatorX on 12/14/2008 3:33:45 PM , Rating: 3
No, NoScript has superseded flash block since they included the support for blocking flash contents. To play flash, you just click where the flash is, works the same way as flash block.


RE: vulnerabilities
By Nihility on 12/13/2008 4:53:10 AM , Rating: 4
NoScript blocks flash, only as long as the site is prevented from using scripts. However, if you needed to use a form on the site that requires scripts and you allowed that site to use scripts it would no longer block flash.
That would then subject you to the flash menus and flash advertisements that run from within the sites URL and you would then be vulnerable to flash exploits (not to mention the massive CPU usage of all that flash with 20 tabs open).
So I find a combination of flashblock and no script works exceptionally well both from a security standpoint and a usability standpoint.


RE: vulnerabilities
By Xenoterranos on 12/14/2008 1:37:17 AM , Rating: 1
Or you could just add "*.swf" to it's blocking rules.


RE: vulnerabilities
By yacoub on 12/15/2008 7:59:30 AM , Rating: 3
Yes - NoScript is domain-wide, FlashBlock is element-specific.
Flashblock allows you to select which specific Flash elements on a page you wish to allow, so it works well in COMBINATION WITH NoScript (and ABP).

You run all three (ABP, FB, and NS), and when you get to a new site, you first allow Scripts from that site's domain if the site doesn't work properly without allowing them. Then FlashBlock allows you to select WHICH Flash elements on the page you want to allow, one at a time. That way you never have to deal with stupid crap like Flash-animated ads.


RE: vulnerabilities
By quiksilvr on 12/12/08, Rating: -1
RE: vulnerabilities
By joex444 on 12/12/2008 6:18:08 PM , Rating: 5
It is safer for a company to have everyone running updated versions of IE than it is to allow employees run old, unpatched versions of Firefox.


RE: vulnerabilities
By Gzus666 on 12/12/08, Rating: -1
RE: vulnerabilities
By CZroe on 12/12/2008 9:22:04 PM , Rating: 5
Auto-update is exactly what they DON'T want in a controlled IT environment. They need to roll out the patcches from their own update server for proper documentation and control. What if an update breaks their business app and patches something that has nothing to do with their usage scenario and it gets rolled out to 300+ workstations? Testing must be done first. If an update is needed, they have no guarantee that all network computers have installed it without being forced and documented by an IT update server.


RE: vulnerabilities
By sprockkets on 12/13/08, Rating: -1
RE: vulnerabilities
By CZroe on 12/13/2008 8:30:16 AM , Rating: 3
Have some imagination: Web apps (NCR's QuickLook for example), web forms, etc.


RE: vulnerabilities
By CZroe on 12/14/2008 10:36:50 AM , Rating: 2
Also, off-line software can't update itself but can still be an entry point for an unauthorized user. Contrary to the assumed usage scenario, not all browsers can reach their maker's update servers so they must support a centralized, approved, and managed distribution point.


RE: vulnerabilities
By sprockkets on 12/14/08, Rating: -1
RE: vulnerabilities
By ninus3d on 12/15/2008 7:48:27 AM , Rating: 1
What the...
I'm sorry, what on earth caused that outburst?


RE: vulnerabilities
By Culexus on 12/13/2008 4:08:19 PM , Rating: 2
So what you're saying is that Mozilla(or some other crafty people) should come up with a configurable update server for Firefox that the IT departments in companies can use to distribute updates for Firefox. That with such a system in place, administrators would jump right on it and purge Internet Explorer usage on their networks in favor of Firefox?

Sounds like a good idea,certainly sounds doable, now where would one go to suggest such an idea?


RE: vulnerabilities
By Solandri on 12/13/2008 7:33:28 PM , Rating: 3
Yeah, the last couple IT shops I've worked at specifically banned IE because of its vulnerabilities and had everyone use Firefox. But a centralized means to manage Firefox updates would be sweet.


RE: vulnerabilities
By aapocketz on 12/15/2008 10:26:06 AM , Rating: 2
A friend of mine works at a company where many have installed firefox and they have really poor bandwidth. Apparently firefox by default downloads updates when released, and this kill the bandwidth for a bit after that happens because all the browsers are downloading the updates at once. They should release an "enterprise" version of firefox that allows IT orgs to manage and distribute patches and perhaps even regulate what plugins/extensions are used, because that has to be a security hole.

I don't have any issues though, I like firefox as it is, mostly. I wish it had the tab separation that opera and chrome do, and run tabs in separate processes perhaps. That would make it easier to "tear off" a tab to a separate window. It may also help security, help manage memory, and take more advantage of multiprocessor resources. Tabs logically should run as different processes in my opinion because they are very "orthogonal," they do not need to share memory or anything between tabs. Just a theory though.


RE: vulnerabilities
By Hoser McMoose on 12/15/2008 7:58:35 PM , Rating: 2
That's almost it, except that IT departments aren't going to want to run a separate server JUST to update Firefox.

What the Mozilla folks should do is to get WSUS and Microsoft Update to update Firefox automatically. Of course Microsoft isn't going to want to play nice here so this could be difficult if not impossible.


RE: vulnerabilities
By Alexstarfire on 12/13/2008 5:24:39 PM , Rating: 1
I don't understand. First off, it's not literally auto-update, it asks first. Secondly, you act like Mozilla doesn't have documentation on what is in each update.

I don't work in business by any means, but your logic seems flawed to me.


RE: vulnerabilities
By Bryf50 on 12/13/2008 10:21:06 PM , Rating: 2
O come on. You have several hundred people in an office, even if you write it in big letters and set it as their desktop half of them are gonna end up updating it anyway.


RE: vulnerabilities
By Headfoot on 12/13/2008 1:08:54 AM , Rating: 2
-1'd for ridiculous and baseless accusations


RE: vulnerabilities
By boogle on 12/13/2008 3:58:26 PM , Rating: 2
Corporate environments can use a central update server (WSUS: http://technet.microsoft.com/en-us/wsus/default.as... to ease network congestion. Basically if every workstation downloaded the latest Firefox patch as it came out, or in the morning when they turned on the PCs; the network congestion would be massive.

I remember when the servers all had windows update enabled automatically one month without WSUS and that alone brought Internet access across the board down to a snails pace, and knocked out access to user profiles etc. That was just the servers updating with Windows updates - what if all the workstations did the same?


RE: vulnerabilities
By Culexus on 12/13/2008 4:12:15 PM , Rating: 2
Speaking of WSUS, I seem to remember the ability to delegate arbitrary software updates to some degree. If that was only signed .msi files, I don't remember. Would it be possible to have new versions of Firefox distributed with WSUS?


RE: vulnerabilities
By VaultDweller on 12/13/2008 7:07:09 PM , Rating: 2
Firefox can't update itself in any real world business scenarios, as businesses (or at least ones that have thought of security for any 5 second interval since their founding) don't give their users admin privileges.

Besides, auto updates are bad.

We have Firefox deployed to some users at work (probably less than 20), and so every time there's a Firefox patch an SMS package has to be pushed out to update those installations. It's costly overhead.


RE: vulnerabilities
By SiliconAddict on 12/13/2008 5:03:34 AM , Rating: 2
The problem is that companies AREN'T running updated versions of IE because newer versions break websites. I've lost count the number of clients that are still running IE 6. Secure my ass.


RE: vulnerabilities
By Hoser McMoose on 12/15/2008 8:02:26 PM , Rating: 2
There are a lot of companies still running Windows 2000 as well and IE6 is the latest and greatest available for Win2K. It causes my company some degree of headaches because we're supposed to still support Win2K/IE6 with our web apps and it's GARBAGE! We have more problems with IE6 than with all other browsers combined.


RE: vulnerabilities
By HrilL on 12/12/2008 6:23:32 PM , Rating: 2
Actually yeah they really do. I work at a bank. Won't say which one since I don't think that would be a good idea. We still use IE 6 on every computer and we are not allowed to install anything. Although everyone seems to be a local administrator on their computers so you could install what ever you want if you did want to even though you agreed not to. Then again you are not really supposed to be going to any web sites outside of the banks intranet anyway.

Firefox does have an auto updater pretty much updates the same day updates come out. So I think that is by far better than the windows update option that comes out about once a month.


RE: vulnerabilities
By kontorotsui on 12/13/2008 4:55:44 AM , Rating: 1
quote:
Seriously, do these businesses think IE is more secure than Firefox?


All those paid by Microsoft do.


RE: vulnerabilities
By jonmcc33 on 12/13/2008 3:56:26 PM , Rating: 2
It's more compatible with in house developed applications, yes. Companies should use something like Websense to control websites that their employees go to.

On a side note, the list Bit9 developed is pointless. It basically states the truth. If you connect your computer to the internet then you aren't secure. It listed all well known web browsers and plug-in apps for them.


RE: vulnerabilities
By Golgatha on 12/12/2008 6:07:39 PM , Rating: 2
Don't forget flashblock and quickjava.


RE: vulnerabilities
By walk2k on 12/14/2008 1:59:19 PM , Rating: 1
So you're saying if you turn off half the features therby gimping the majority of every website Firfox is just as safe as IE? Yeah that's great, here's another idea just NEVER OPEN ANY WEB SITES EVER then it's perfectly safe! Great idea!

Nice try.


RE: vulnerabilities
By Googer on 12/17/2008 3:43:02 PM , Rating: 2
NoScript is easily hacked. Watch this how to video:

http://www.youtube.com/watch?v=65I0HNvTDH4


RE: vulnerabilities
By five40 on 12/12/2008 4:23:45 PM , Rating: 3
It's just that FF is finally getting big. Everyone likes to pick on MS and their security, but most of the time people fail to realize that almost all malware/virus's target MS software because they have by far the largest user base. Once any piece of software goes super mainstream it will instantly become the target of attacks and people will find holes no matter what. FF3, Chrome, OS X, etc... aren't more secure, they just don't have tons of people looking for security holes (yet). Why try and exploit 1,000 people when you can exploit 10,000,000.


RE: vulnerabilities
By foolsgambit11 on 12/12/2008 7:14:19 PM , Rating: 2
I won't tell you which browser I'm using - I don't want any more people using it, since market share would only increase attempted exploits.

If only everybody here followed that policy (I haven't, I'll admit), we'd be rid of a quarter of the pointless comments, "Opera FTW!" "FF ABP NS r0xx0rz" "Chrome = Solid as Iraq, er, a rock"


RE: vulnerabilities
By PrinceGaz on 12/12/2008 8:52:43 PM , Rating: 2
I won't tell you which browser I'm using as I don't want too many more people using it on the PC Windows platform as they don't make any money from it, it would be more likely to be targeted by malware, and more users plus more updates would cost them a helluva lot more money in server internet-traffic (as "updates" are currently distributed as full new version downloads which are simply installed on top of the existing version- a rather bandwidth wasteful policy, but one which ensures nobody is unsure about which updates they have installed). The company in question only makes money from selling its browser to mobile or other niche platforms.

So I recommend everyone reading this to install FF, or Chrome, or maybe to stick with IE if running Windows and you like it, or if you have are a bit insane choose Safari.


RE: vulnerabilities
By walk2k on 12/12/08, Rating: 0
RE: vulnerabilities
By Goty on 12/12/2008 6:37:57 PM , Rating: 2
How about, "So much for reading the article,"? IE isn't on the list at all because it is patchable by a network admin.


RE: vulnerabilities
By walk2k on 12/14/08, Rating: 0
RE: vulnerabilities
By Targon on 12/15/2008 5:07:02 AM , Rating: 2
So, IE updates itself? Wrong! Windows has an auto-update feature that provides updates for IE, but IE does NOT update itself.


RE: vulnerabilities
By Johnmcl7 on 12/15/2008 6:12:43 AM , Rating: 2
No, the article states that a program that can be patched centrally by sms or similar does not go on the list - IE can be patched centrally by sms, hence it's not there.

John


RE: vulnerabilities
By walk2k on 12/19/2008 10:55:44 PM , Rating: 2
WRONG.

Truth hurts eh?


RE: vulnerabilities
By Goty on 12/15/2008 8:10:45 AM , Rating: 3
Wow, I guess I've been mislead all these years! I've believed that those little prompts in FF with version numbers that say "please restart firefox to update" were really updates!

Gosh, you've really opened my eyes!


RE: vulnerabilities
By UNHchabo on 12/12/2008 4:42:28 PM , Rating: 5
If there's an FF2 issue, then they say it's still an issue, not because they claim it's still in FF3, but because quite a few people are still running FF2, and Firefox doesn't force an upgrade. Last I checked, if you're running 2.0.0.11, it'll prompt you to upgrade to 2.0.0.18, not 3.0.4.


RE: vulnerabilities
By Solandri on 12/13/2008 11:39:31 AM , Rating: 2
I have FF2 running on one of my secondary systems. It bugs me to update to FF3 even when I click the "never bother me about this again" button. What it doesn't do is offer an auto-update like from 2.0.0.17 to 2.0.0.18


RE: vulnerabilities
By MattCoz on 12/16/2008 12:03:35 AM , Rating: 2
That won't be happening for long, Firefox 2 has just about reached its EOL.


RE: vulnerabilities
By Kenenniah on 12/12/2008 4:54:28 PM , Rating: 2
quote:
It is not the application that is the problem, it is the uneducated users going places with these applications that they shouldn't...


I would argue that if users are getting to places they shouldn't, it is the IT deparment's fault. All it takes is a well set up proxy server.

Now if you are refering to home users, well that's not what this article is about.


RE: vulnerabilities
By Chadder007 on 12/13/2008 1:57:17 PM , Rating: 1
New Study Paid for by Microsoft???


RE: vulnerabilities
By Spectator on 12/14/2008 8:53:05 AM , Rating: 2
This is the whole point/advantage to cloud computing; im guessing.

At the very least we will start with a small Virtual net surfing app. then we be safe from any local agro yes?

Perhaps thats a business idea for someone. a totally secure single exe that links us to a screen grab surfing server hosted by someone else.

Obviously this does not sit well with ISP's current bandwidth logic. 29x16 res surfing image updates :(.. outch

But that is the direction its all heading it seems.


methodology
By meatless on 12/12/2008 4:32:08 PM , Rating: 5
So let me see if I can recreate the methodology:

-Rank apps by popularity in business environments and # of known exploits
-Remove those with centralized updating (Microsoft products)
-Publish results

Boy, I couldn't drive a semi through the holes in that approach, no sir.




RE: methodology
By TSS on 12/12/2008 4:48:56 PM , Rating: 2
even if we leave out internet explorer i am in no way gonna believe a study that finds firefox more dangerous then windows messenger.

i've been to a whole lot of sites where i knew there was a virus on there but as long as you turn of javascript in firefox, it'll be fine.

on the otherhand i'm getting spammed to hell via IM (atleast 20 messeages a day these days, it never happened with MSN but it does happen in windows live) each of which contains a link that i'm pretty sure of, contains virusses/trojans/alot of bad stuff.

even so, with firefox and javascript turned off i would dare open those links. but windows live opens it with internet explorer, while firefox is set as my default browser and every other program uses it as such save windows live.

nope, this study i don't trust. however they where right on the symantec norton stuff though. i've had less problems removing virusses then i have removing norton anti-virus.


RE: methodology
By Kenenniah on 12/12/2008 4:58:15 PM , Rating: 5
My favorite Norton product.....
http://www.symantec.com/norton/antivirus-gaming/we...
Ok they make a special edition for "Gamers" that uses less memory and CPU time. My question is why? If you can optimize your code for a "Gamer's Edition", why not just make ALL your versions run better? Of course then they wouldn't have a new gimmicky sales pitch.


RE: methodology
By majorpain on 12/12/2008 6:30:09 PM , Rating: 2
Bitdefender AV has "Game Mode" for atleast 2 years now...


RE: methodology
By Kenenniah on 12/12/2008 7:27:08 PM , Rating: 2
Yep, although all even without that Bitdefender is still fairly light on system resource use. The same with Nod32 that I currently use. I will never understand why Norton was such a resource hog or why they felt the need to constantly harass their users with popups. There should never be a need for a game edition or a game mode. Just make your program simple and efficient, and give us the option to easily turn off real time scanning when we want to. Whether I'm playing games or not, I NEVER want my AV program to be using up more resources than necessary.


RE: methodology
By DjiSaSie on 12/13/2008 7:03:34 AM , Rating: 2
Because Symantec makes people pays for that, that's why Norton is not a cheap product compare to its rivals. Without such resource hog thing, They couldn't sell it at the highest price.


RE: methodology
By exanimas on 12/12/2008 9:08:43 PM , Rating: 5
My favorite Norton product - http://www.symantec.com/autotools - first download on the page. =D


RE: methodology
By drebo on 12/13/2008 11:01:46 AM , Rating: 2
No business is using Symantec's Norton products. If they are, they're too small to notice.

The business in this scenario are large corporations that will have centrally managed antivirus applications, of which Symantec's Endpoint Protection is by far the best.


RE: methodology
By brshoemak on 12/13/2008 12:01:52 PM , Rating: 2
quote:
of which Symantec's Endpoint Protection is by far the best.


I actually LOL'd when I read that. Endpoint Protection is junk in my opionion. Centrally managed? Yes. Best(or even good): Not even close.

Fresh install of SEP on a server per Symantec's best practices and we couldn't share files any more. Nothing in the logs about it blocking anything but we could transfer 95% of a file and then the connection would just drop off. Plus another site had 5 users and the database that it uses as its backend swelled to 30GB in 8 months even with limited logging, hundreds of times what it should be and well beyond the scope of storage during initial server planning. Symantec support was less than helpful in each case.

Just relaying my opinion from personal experience. Your opinion differs - but that's what the internet is for.


RE: methodology
By docinct on 12/12/2008 5:43:15 PM , Rating: 2
Centralized updating works only if your IT dept actually keeps it up-to-date and then applies the patches.
FireFox can be centrally updated via 3rd party products such as PatchLink.
IE 6/7 have none of the solid add-on for security that can be applied and used with FireFox.
Also, Mozilla notifies users that a new version is available.

PS Somewhere I read that 80% of users don't update with MS patches.


RE: methodology
By omnicronx on 12/13/2008 1:21:52 AM , Rating: 2
quote:
Centralized updating works only if your IT dept actually keeps it up-to-date and then applies the patches.
If your computer is on a domain, it should be updated automatically with windows security updates via domain policies, if it is not, you need a new admin.

I do have to agree that IE7 is more secure than firefox in a business environment. IE7 can be controlled, firefox cannot and has to be updated by the user (although you can update automatically, unfortunately leaving it up to the end user is never a good idea).
quote:
PS Somewhere I read that 80% of users don't update with MS patches.
This report is based on business use, not home use where that stat would not surprise me one bit.


RE: methodology
By Kenenniah on 12/13/2008 1:30:03 PM , Rating: 2
quote:
If your computer is on a domain, it should be updated automatically with windows security updates via domain policies, if it is not, you need a new admin.


Not entirely true. In many bunsiness you can't just allow automatic updating, due to custom applications etc. There have been times when a security fix from Microsoft has broken some essential applications. Therefore on the ball admins test hotfixes first, then deploy them through the domain.


RE: methodology
By Titanius on 12/14/2008 5:18:40 PM , Rating: 2
quote:
I do have to agree that IE7 is more secure than firefox in a business environment. IE7 can be controlled, firefox cannot and has to be updated by the user (although you can update automatically, unfortunately leaving it up to the end user is never a good idea).


I agree and disagree with you on that. IE7 is good, but most big businesses use IE6 which is bad. Yes Firefox is setup right now on Windows machines to ask the user to update; but on Linux, you cannot auto-update Firefox that way most of the times, you usually have to update using the built-in update tool of your Linux distro (which is setup BY DEFAULT to only download updates that have been tested by the distro's development team, if regressions occur, the update isn't released until it is fixed). When in a network, IT can administer Linux updates in a similar way to Windows networks.

So my point in all this is, why not make it that Firefox can also be updated that way on Windows? But the big problem with businesses in general is that they are cheap, and they feel comfortable with IE6 which as been around since before Windows XP (anyone remember Millenium Edition? LOL!). So obviously, they don't want to upgrade to a more advanced browser because it will cost them more money. The advantage of going the IE7 route is because it is the easiest and also the cheapest way to go. Anyone who says otherwise has been brainwashed by their IT department, Microsoft or idiots that think they know what they are talking about and sell it very well.

IE6 is good (yes it is not the most up-to-date browser, but patches keep it current [as much as possible] and it has been around so long that all industries have made their intranet applications run on it and it does that job very well.

IE7 is better (it is up-to-date, has tabbed browsing, has improved security features like Phishing filters, etc. It is also backwards compatible to IE6 so MOST of the times applications built to use IE6 will work in IE7 (notice I said most of the times, I have seen some times where IE7 breaks the app and so a downgrade to IE6 is needed to be able to use it [or a more costly alternative is to make the app compatible with IE7])

Firefox is the best (it is up-to-date, open source, free, has very good security features and if you are not satisfied with that, there are addons which improved that security even more at the tune of Adblock Plus, NoScript, and others. Patches can be built fairly easier for it than IE and it is standards compliant. The reason they call it standards is because they are standards which everyone should use, only when everyone uses the same thing can there be no more broken functionality problems by using a different browser.)

IE8 is coming and it will be a standards browser, so to businesses I say, make the switch to using standards compliant applications because in the future, that is what will determine if it works or if it doesn't. If not, then stay in your dinosaur age with legacy systems that you will have to get maintained by your very own development team [oh, and those developers don't work for free!]).


RE: methodology
By majorpain on 12/12/2008 6:30:54 PM , Rating: 2
Couldnt agree more...
Cheers!

FF3 FTW!!


RE: methodology
By Gzus666 on 12/12/2008 8:49:32 PM , Rating: 2
quote:
Boy, I couldn't drive a semi through the holes in that approach, no sir.


Thank you, I needed a good sarcasm laugh, ha.


RE: methodology
By walk2k on 12/19/2008 11:11:33 PM , Rating: 2
Talk about Unclear on the Concept.


Good GOD check your grammar.
By cbmeeks on 12/12/2008 6:03:48 PM , Rating: 5
Did you not proofread this article before you posted it?




RE: Good GOD check your grammar.
By neothe0ne on 12/12/2008 6:54:09 PM , Rating: 5
I thought it was common knowledge that DailyTech articles aren't proofread, given that we've been screaming at them for literally years now.


Security Misconception
By mfed3 on 12/12/2008 6:25:59 PM , Rating: 1
Just because Mozilla advertises FireFox to be secure doesnt mean it actually is. You have to realize that in a corporate environment, that is, in a managed domain environment, users' systems are automatically patched for them, with activex and internet/intranet security settings managed by their IT pros.

Firefox has no means of being managed by group policies, which is why it is MUCH more insecure for companies. You cant just listen to every company's advertisements and think that because they have an untarnished name that their product is perfect.




RE: Security Misconception
By randomlinh on 12/12/2008 7:36:00 PM , Rating: 2
This is my main concern. With IE, I can manage just about everything via group policy. No such luck w/ FF.

However, even if I could just lock down some basics, the one thing is extensions. While it's rare, there isn't much to keep you from installing whatever. it's a security risk IMO.

I really would like to deploy FF and chrome to be honest, they take longer to load, but run better on our systems (to an extent).


RE: Security Misconception
By SilthDraeth on 12/12/2008 7:46:07 PM , Rating: 3
Frontmotion releases a prepackaged Firefox that you can lock down and config via GPOs. We use it at our school district.


RE: Security Misconception
By TomZ on 12/12/2008 8:22:31 PM , Rating: 2
quote:
You cant just listen to every company's advertisements and think that because they have an untarnished name that their product is perfect.

Oh, you mean like Google's own pronouncements about how secure Chrome is? I had a good laugh at that.

You're right - if it is not centrally managed and popular, then it is a vulnerability.

I know of a company whose "security policy" was to configure the proxy server to block all Internet access by IE. So instead, all the users are encouraged to download and install their favorite version of their favorite browser (mostly various versions of Firefox). Smart policy, right?


RE: Security Misconception
By Gzus666 on 12/12/2008 8:54:20 PM , Rating: 2
quote:
I know of a company whose "security policy" was to configure the proxy server to block all Internet access by IE.


Then they are the dumbest ass IT department in the world. You don't block traffic based on a browser, you block sites or protocols you don't want through with a firewall or access lists. Sounds like the employees were smarter than the IT folks to me.


seriously?
By omnicronx on 12/13/2008 1:04:58 AM , Rating: 2
Really who cares what bit9 thinks, how is the Sun Java Runtime Environment a security risk?




RE: seriously?
By Bluestealth on 12/13/2008 3:14:25 AM , Rating: 2
Some people are still running Java 1.4.2 (or older) and MS Java due to terrible vendors. Although some might also be doing it because they are stupid.

โ€ข The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS. <--- their major complaint, yes their complaint is that these applications don't work with Windows Update Services... bah...


RE: seriously?
By Bluestealth on 12/13/2008 3:16:06 AM , Rating: 2
BTW I know SMS handles more than pushing out patches... but that comment just rubbed me the wrong way.


Chrome is secure?
By lagitup on 12/13/2008 1:59:49 AM , Rating: 2
A google search for chrome security flaw seems to suggest otherwise...

http://www.google.com/search?q=chrome+security+fla...




RE: Chrome is secure?
By Hieyeck on 12/13/2008 4:27:48 AM , Rating: 2
How ironic.


RE: Chrome is secure?
By icanhascpu on 12/13/2008 5:45:58 AM , Rating: 2
In other new Windows 95 will have a cool "taskbar" feature.

Oh wait looks like i can't read the dates on links either.


Companies can't prevent Firefox installation.
By BernardP on 12/13/2008 11:35:05 AM , Rating: 2
I have installed Firefox on my locked-down office computer. All I had to do is go to http://portableapps.com and download a self-contained version of Firefox that can be installed in the My Documents folder.

Why did I do it? My company is still using IE6 and there are more and more web sites that don't work correctly with IE6. Firefox gives me a workaround without having to wait for the IT bureaucracy to solve my problems.




By Kenenniah on 12/13/2008 1:35:17 PM , Rating: 2
Wanna bet? I could easily lock down a computer to not allow your self-contained version to run. Or simply set up the proxy server correctly to not let you get to websites where you can download the file. Or block downloading files completely. You could download it at home and bring it on a cd or USB stick to work, but I can block cd access and USB devices with DeviceLock and so on.

Not to mention, you violate security policy in my company, you are terminated. End of story.


By DatabaseMX on 12/16/2008 4:31:12 PM , Rating: 2
"Why did I do it?"
Apparently ... because you do not care about your job! No doubt a violation of your IT Dept's policies ... no doubt resulting in possible termination!

What company do you work for?


I bet they didnt expect this today
By carl0ski on 12/14/2008 4:41:27 PM , Rating: 2
Microsoft has confirmed that it is not just Internet Explorer (IE) 7 that is vulnerable to a new zero day attack, but older versions of the browser too.

http://www.itnews.com.au/News/NewsStory.aspx?story...




By Smilin on 12/17/2008 4:34:21 PM , Rating: 2
Yep and as mentioned in this article MS has already patched it. Vulnerability gone.

There may be others found of course but the window on exploiting this one is slamming shut.


Published or Unpublished
By amcguire on 12/15/2008 5:27:25 PM , Rating: 2
Are the published or unpublished vulnerabilities? It was not too long ago when IE was listed as being more secure than Firefox because the security companies publishing the data only got vulnerabilities that we published by the vendor. Any vulnerability is immediately published by Mozilla however great it is while Microsoft has several times suppressed major vulnerabilities causing much trouble in the corporate world where the IT guys did not know about the problems and could not put up the appropriate defence to avoid the attack through the vulnerability known to MS and a large portion of hackers.




RE: Published or Unpublished
By Smilin on 12/17/2008 4:30:46 PM , Rating: 2
This is an outright lie.

MS encourages and supports responsible disclosure. As any company would they will ask for reasonable time to fix vulnerabilities before details are released. If there are mitigating actions that can be taken in the meantime they will disclose those. Even the most die hard anti-MS zealots will acknowledge this.

You need to come out of the closet and start spelling MS Windows as M$ windoze. You're not fooling anyone.


Study's motive smells fishy...
By tleigh on 12/12/2008 5:52:09 PM , Rating: 2
Not only is the methodology terrible but it makes you wonder if it's simply because all of those apps (save one) don't play well with Bit9's "patented solutions". Those apps aren't on board with Microsoft's Orwellian control of your desktop and as a result don't give Bit9 the same degree of control.

I have to ask: why did the federal government give Bit9 $2M so they can develop and patent software that solely benefits them and their venture capitalists? Two million and in return a private monopoly on the resulting "innovation". Now there's gov't money well spent...




irony
By lucyfek on 12/12/2008 6:27:25 PM , Rating: 2
is IE missing off the list because of the just uncovered 0-day exploit?
I also like Symantec Norton products; Trend Micro OfficeScan being mentioned here - just save yourself some cash and live av software free, fully agree with this.




Altiris
By Adul on 12/15/2008 8:38:47 AM , Rating: 2
Altiris is a great way to centrally manage applications and update them on a regular basis. This is done at my job for everything from flash, quicktime, and to the virusscanner itself. Good security policies of use of tools such as Altiris help keep the network safe.




Bit9
By karielash on 12/15/2008 9:06:29 AM , Rating: 2

and just because a bunch of self proclaimed security experts say something does not mean it's true.




It's complete nonsense
By gstrickler on 12/15/2008 3:20:56 PM , Rating: 2
I'm a computer consultant, and I've got most of my clients set up to centrally administer and distribute updates to most of those applications. I (or another admin) get to choose which updates get pushed, when they get pushed, and whether they get pushed to a select group of "test" users or to all users. It's not complicated or time consuming to setup or administer and it doesn't require much bandwidth (e.g. the update is downloaded once to the server and pushed to the clients from there).

The user machines are locked down so the user can't install or remove software or updates, and the users do not run as administrators, but they get updates automatically.

It's not anything special I'm doing and it doesn't require any specialized knowledge, you can find instructions for at least half a dozen ways of doing it with simple google search.

The people who wrote this either don't have a clue what they're talking about, or they're deliberately trying to mislead.




IE vs Firefox ...
By DatabaseMX on 12/15/2008 4:33:16 PM , Rating: 2
Certainly ... this article is NOT implying that IE is more secure than Firefox ???




By DatabaseMX on 12/15/2008 5:08:41 PM , Rating: 2
Yeah ... it updates itself about every week with new security risk patches. What this implies is ... billions of yet unpatched security risks still exist in IE!!

So, what were you saying about 'safer' ?




IE
By nirolf on 12/16/2008 3:01:22 AM , Rating: 2
http://news.bbc.co.uk/2/hi/technology/7784908.stm
quote:
Users of the world's most common web browser have been advised to switch to another browser until a serious security flaw has been fixed.




Bit9 who?!?!?
By majorpain on 12/12/2008 6:38:38 PM , Rating: 1
With such F#ยจ%#cked up patterns, even Linux is risky...




CPU?
By iondragonfly on 12/14/2008 12:27:18 PM , Rating: 1
With the rules they're using for what could be vulnerable, why not just declare the CPU the most dangerous thing in the computer? Perhaps we should declare car engines the root cause of accidents? Luddites.




"I f***ing cannot play Halo 2 multiplayer. I cannot do it." -- Bungie Technical Lead Chris Butcher

DailyTech Poll
Which web browser do you use on your primary personal machine? 






44 Comments









botimage
Copyright 2009 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki