
Experts are taking issue with a recent study that warned users of the potential risks of using Firefox

A recent security study from Bit9 argued that Mozilla's Firefox was the most vulnerable application and thus a major threat to businesses.  One of the chief reasons it gave was the lack of a patching system for large networks.  For the same reason, and despite recent security flaws, it left Microsoft's Internet Explorer off its list, on the assumption that such a patching system dramatically lowers an application's exposure.

Bit9 went as far as to suggest that enterprises block their employees from having access to Firefox and delete it from work computers.

Some firms, including Mozilla, were quick to take issue with Bit9's alarming comments.  Representatives from Mozilla's security team, Human Shield, contacted DailyTech with remarks on the topic.  Mozilla's Johnathan Nightingale states, "While we're always happy to see stories that focus on educating our users about security, there are some problems with Bit9's methodology that hinder its ability to draw any meaningful conclusions."

According to Mr. Nightingale, by counting publicly disclosed critical vulnerabilities as "risk," Bit9's study punishes openness, a critical element of security, and rewards companies that keep their vulnerabilities secret.

He also criticizes Bit9's stance on patching, stating that the firm's claims fall short of reality.  He states, "Bit9 seems to understand (the need for smarter metrics) in its focus on application support for updates, but again it fails to account for the real world experience. Firefox does not deliver WSUS updates, but our built-in update mechanism requires no user intervention, and we consistently see 90% adoption within six days of a new update being released."

He concludes, "The Firefox vulnerabilities Bit9 discusses are long-since fixed, with the majority of these fixes coming within days of it being announced. That is the real measure of application security: are known vulnerabilities fixed promptly, tested carefully, and deployed thoroughly? Bug counting is unfortunately common because it's easy, but it should not be a substitute for real security measurement."

Similar sentiments were echoed by various DailyTech readers as well as several sources in the security business.  While the Bit9 study certainly takes a controversial and interesting position, many consider its claims overly broad and flawed.  Whether that is the case is largely a matter of opinion, but one thing is certain: whether you're on Firefox, Opera, Chrome, or Internet Explorer, security is largely in the hands of the user.


Comments

By psychobriggsy on 12/18/2008 8:50:58 AM , Rating: 5
You gotta admit, Bit9's timing couldn't have been worse! Zero-day IE exploit that took days for Microsoft to patch, and presumably is still unpatched in many companies *because* of the ability for business to enforce the roll-out at their end instead of Firefox's centralised means. This type of rollout management is great - for certain applications. Not a frickin' web browser. And I don't care that retards wrote IE6-only web apps; they're not web apps, they're IE6 apps. You reap what you sow.

Still getting Windows "Restart Now/Later" for this patch. It's a WEB BROWSER for the love of God, why should I have to reboot. Sheesh. Okay, it might be being used by other apps because it's also a UI component, but maybe they could work on a way to unload and reload the component without a reboot.




By theapparition on 12/18/2008 8:58:07 AM , Rating: 1
quote:
This type of rollout management is great - for certain applications. Not a frickin' web browser.

And what of companies that use web browsers to run business-critical applications? The situation is far more complex than you make it out, and the centralized updates on Firefox can be a bad thing in these instances.

The real issue is the IT department. If they think there are no issues, then they shouldn't block users' computers from auto-updating. If there may be a problem, then they should test it before implementing it.

Stop with the thinking that what works for you will also work for the other 99% of the world.


RE: Yeah, as the IE exploit raged wild for a few days ...
By gmyx on 12/18/2008 9:55:32 AM , Rating: 3
I feel like feeding the trolls ;)

So... do you want dos 1.0 support as well?
Or maybe the old IBM Mainframe should be supported... Or an abacus (I've seen it referred to as an ancient computer)...

Nah... FF should drop support for all stupid people and just support running on smart, intelligent people's brains.

Ok... that was fun... back to reality.


By GlennAl on 12/18/2008 12:48:09 PM , Rating: 3
Well, as Big Al said, "Eat it... eat it...".

It's kind of pointless to reference non-GUI systems like DOS and MVS (of course, all new IBM "mainframes" run Unix as well as MVS, so it's hardly relevant to mention them at all, plus mainframes are all about processing data--not about providing browser support... you might as well take a tractor-trailer to Indianapolis or Sebring). The real point is that Bit9 is, well, kind of stupid.


By omnicronx on 12/18/2008 1:11:29 PM , Rating: 1
It took me a few seconds to figure out if he was joking.. then I looked at the poster and everything made sense..

PCDOS never supported IE.. Netscape.. or any other mainstream browser..

The best it has to offer is Arachne
http://en.wikipedia.org/wiki/Arachne_(web_browser)


By Goty on 12/18/2008 11:02:46 AM , Rating: 2
Then maybe those companies should do the semi-intelligent thing and 1) install firefox by default on all office PCs and Laptops and 2) TURN OFF AUTOMATIC UPDATES.

Goodness, you'd think this was rocket science. Whatever happened to common sense?


By TomZ on 12/18/2008 12:37:06 PM , Rating: 1
quote:
TURN OFF AUTOMATIC UPDATES.

AFAIK, FF lacks the ability for IT groups to centrally change a setting like that, right?


By gstrickler on 12/18/2008 3:02:05 PM , Rating: 2
quote:
AFAIK, FF lacks the ability for IT groups to centrally change a setting like that, right?

Yes, and no. FF doesn't have anything built-in to centrally manage it, but it's easy enough to push such settings to a client. Likewise for FF updates. Since the updates can be pushed from a central server, they can run as administrator so the user does not need any administrative access.

Then, there is this customized version of FF that allows management via AD.
http://www.frontmotion.com/FMFirefoxCE/index.htm

FF and most/all of the other apps mentioned in the Bit9 list can easily be managed centrally; all you have to do is spend a few minutes on Google to find out how.

The Bit9 "analysis" is completely meaningless.


By misuspita on 12/18/2008 4:03:23 PM , Rating: 2
I still don't understand why companies don't use FF as their preferred browser, except for those that do have IE6 apps. Other than that, it is sheer stupidity, IMHO.


By gmyx on 12/18/2008 9:47:23 AM , Rating: 2
This is what my department is doing.

1. They are actively updating the firewall to block the bad sites.
2. The IE patch is being rolled out via SMS after testing.
3. The AV is being updated as soon as an update is available.
4. Monitoring for the signature on the network.
5. And more that I'm not aware of.

All this happens within 30 days of the patch being released. It looks like a big window, but there is a lot of testing required.

They are even considering using Firefox in the not too distant future. The main concern is that 'out of the box' Firefox does not support central updating - our internal network uses a distributed file system that reduces the overhead of distribution. All downloads are local to the user. Imagine 30k+ Firefox installations asking a single Internet connection to download the same file 30K+ times and you can see the problem.

The other concern is how to limit FF's ability to install add-ons. They want to manage and validate the add-ons before allowing them on the network, just like any other application.


By omnicronx on 12/18/2008 1:04:14 PM , Rating: 3
quote:
The main concern is that 'Out of the box' FireFox does not support central updating - our internal network uses a distributed file system that reduces the overhead of distribution.
http://www.frontmotion.com/products.htm
(FrontMotion Firefox Community Edition)

Not sure if you can use this to manage updates, but it gives the ability to control Firefox via Active Directory. They also make a special Firefox Deployment program that lets you configure Firefox with certain extensions, addons and settings for easy installation across your entire network.


By leexgx on 12/18/2008 2:42:23 PM , Rating: 2
If you use a caching proxy, that should not be a problem.

With any large network, if you're using a caching proxy and a lot of users access the same page, even if it's through the day, it can save lots of bandwidth.

As for add-ons, just block the add-on server.

There should be an add-on for group policies, though.
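Several commenters above (gstrickler on pushing settings to clients, gmyx on stopping 30k clients from self-updating and on vetting add-ons, leexgx on blocking add-on installs) describe the same lockdown without showing it. As an added example that is not from the original page or from any commenter, here is a POSIX shell script that generates the two Firefox AutoConfig files (defaults/pref/local-settings.js and mozilla.cfg) which lock the auto-update and add-on installation preferences, so IT can deliver browser updates through its own tested channel (SMS, AD, a package manager) while a local user cannot turn self-updating back on. The preference names and the lockPref() mechanism are the long-standing Firefox AutoConfig facility; the install-directory argument and the gen_*/install_*/verify_* function names are this example's own assumptions, and on Windows the two generated files are simply placed in the Firefox install folder by the deployment tool.

```shell
#!/bin/sh
# Added example: generate Firefox AutoConfig lock files for a managed deployment.
# Assumption: the files are written under the Firefox install directory given as $1
# (e.g. /usr/lib/firefox on Linux, or the "Mozilla Firefox" folder when packaged
# for Windows clients).
set -eu

# Contents of defaults/pref/local-settings.js: tells Firefox to load mozilla.cfg
# from the install root and that it is plain text (obscure_value 0 disables the
# legacy byte-shift obfuscation).
gen_local_settings() {
    cat <<'EOF'
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
EOF
}

# Contents of mozilla.cfg. The first line MUST be a comment: Firefox skips it.
# lockPref() pins the value and greys it out in about:config / preferences, so a
# local user cannot switch auto-update back on or install unvetted add-ons.
gen_mozilla_cfg() {
    cat <<'EOF'
// Managed Firefox configuration: updates are delivered by the IT department.
lockPref("app.update.enabled", false);        // no self-updating of the browser
lockPref("app.update.auto", false);           // and no silent download/apply
lockPref("extensions.update.enabled", false); // add-ons do not update themselves either
lockPref("xpinstall.enabled", false);         // block user installation of add-ons
EOF
}

# Write both files into the install tree. Fails (non-zero) if the directory
# cannot be created, e.g. when run without write access to the install root.
install_lock_files() {
    dest="$1"
    mkdir -p "$dest/defaults/pref"
    gen_local_settings > "$dest/defaults/pref/local-settings.js"
    gen_mozilla_cfg   > "$dest/mozilla.cfg"
}

# Post-deployment check: both files exist and every lock we rely on is present.
verify_lock_files() {
    dest="$1"
    [ -f "$dest/defaults/pref/local-settings.js" ] || return 1
    [ -f "$dest/mozilla.cfg" ] || return 1
    for key in app.update.enabled app.update.auto xpinstall.enabled; do
        grep -q "lockPref(\"$key\", false)" "$dest/mozilla.cfg" || return 1
    done
    return 0
}

# Usage: sh firefox-lockdown.sh /path/to/firefox
if [ "$#" -eq 1 ]; then
    install_lock_files "$1" && verify_lock_files "$1" \
        && echo "Firefox lock files installed in $1"
fi
```

Because the files live in the install directory rather than in a user profile, they apply to every profile on the machine and a limited user cannot edit them; the same property is why the browser's own updater needs write access to that directory, which is the point Kornfeld and toyotabedzrock raise elsewhere in this thread.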


By Kornfeld on 12/18/2008 10:13:19 AM , Rating: 5
Based on what I'm reading the Firefox's built-in update mechanism requires the browser to be running in administrator context.

This whole discussion appeared to aimed at enterprise use and management of browsers. Even Mozilla's response seemed to be geared towards this based on their reference to WSUS.

So... how does it make any sense for a representative of Mozilla to argue that their patching is superior when it relies on the browser running in admin context? That's simply asinine.

I thought the original article they were replying to was pretty weak, but that kind of response is even more pathetic to me.

Regarding your comments: I suspect you have no experience with enterprise desktop maintenance. The patches under security bulletin MS08-078 could easily be deployed to systems within hours using Microsoft's tools like WSUS. You provide no information at all to support your assertion that these deployment tools actually slow down deployments of these patches. In a large enterprise, the limiting factor is typically not the pace at which this can be deployed, but the change control processes, communications, agreed testing window for internal applications, etc.


By bodar on 12/18/2008 6:12:32 PM , Rating: 2
It should only require Admin if it was installed someplace the user does not have rights to, like say Program Files. We've had users who install FF themselves despite being 'limited' users, simply by changing the install point to their My Docs folder (XP SP2). I'm not certain, but I assume this would mean that updates function this way as well?


By omnicronx on 12/18/2008 12:57:58 PM , Rating: 2
The patch released yesterday, and every computer at my workplace was patched by the morning.. I even came in to see that my computer had been restarted for me.

Apparently firefox, chrome and safari also all released patches yesterday, which makes one wonder if it was only IE7 that was affected.

quote:
Still getting Windows "Restart Now/Later" for this patch.
Internet Explorer components are used in Windows Explorer, which is probably the reason it is asking you to restart. Chances are you don't have to restart your computer completely, but merely log off and log back in to restart the Windows Explorer shell.


NoScript
By AnnihilatorX on 12/18/2008 9:47:02 AM , Rating: 5
NoScript is the best security measure there for Firefox.
Does anyone know if other browsers have same or similar third party plugins? If not, I would reign FF as the most secure browser solely because of this excellent 3rd party plugin.




Usage in a business environment
By snikt on 12/18/2008 11:17:02 AM , Rating: 2
I'm actually curious how many businesses with 100+ users actually use FF with any regularity?




RE: Usage in a business environment
By TomZ on 12/18/2008 12:32:15 PM , Rating: 2
I'm sure there are a number of organizations that wrongly perceive security as an IE-only thing, and so they deploy FF for that reason. Such organizations might also still believe in security through obscurity.


Define "real world"
By farsawoos on 12/18/2008 10:26:19 AM , Rating: 2
There are a couple of points here:

First, Firefox is a fantastic browser, no matter how you slice it. It's hardly perfect, and is susceptible to security flaws and exploits just like any other browser. What I appreciate about FF over IE, however, is the speed (and general openness) with which the Mozilla team responds to these threats. While Microsoft's Zero-Day response team is probably one of the best in the world out of necessity, I tip my hat to FF for being a much smaller shop while offering equal - if not better - response.

Second, while I shower FF with all my praise and best wishes, I do have a complaint about their argument regarding "real world experience":

quote:
"Bit9 seems to understand (the need for smarter metrics) in its focus on application support for updates, but again it fails to account for the real world experience. Firefox does not deliver WSUS updates, but our built-in update mechanism requires no user intervention, and we consistently see 90% adoption within six days of a new update being released."


While I can see some merit in the HS team's response, they ignore the fact that a lot of organizations would rather keep that kind of traffic internal to their network to avoid saturating their users' and sites' WAN and web connections. They also ignore the fact that every new patch introduces new, under-the-hood changes to the browser that could possibly affect FF's interoperability with in-house or more closed-tech browsers. Let's face it: a lot of web-enabled, browser-based, enterprise-level "solutions" (*ahem*, riiiiiight) are built for IE, and *any* level of usability on FF is considered a huge blessing. To introduce patches to that and potentially upset that already precariously balanced apple cart is not an attractive proposition by anyone's reckoning.

That's unfortunate, but *that* is "real world" according to everything I've ever experienced. I would love nothing more than to pitch Firefox as a serious platform contender within my current enterprise. However, lack of central patching is a problem, because we have so many satellite offices, and its incompatibility with all these lazily constructed "solutions" (Altiris, TouchWorks EMR, CODA Financial, etc.) that only work on IE6 is a big, big negative. :(




hahaha
By sprockkets on 12/18/2008 3:33:21 PM , Rating: 2
Want an easy, centralized way of preventing FF from auto updating, and be able to control when the updates go in?

Run it on Linux.

Oh well, that won't work for 90% of the people here, but it just shows you there is not a problem with management by design to begin with on a Linux platform.

Btw, for the others who posted this, a plain user can install firefox to a folder on the desktop, and this is not even the portable version.




Where does the money come from?
By stimudent on 12/18/2008 5:54:37 PM , Rating: 2
Does Bit9 get funding or others perks from Microsoft in some way?
We could be looking at a smear article being presented as a legitimate, objective news article.
It has been documented over the last year or two or so that Microsoft attempted to scare manufacturers and distributors away from Linux. If I remember correctly, MS tried to use the courts to make it look like the plug could be pulled on that OS at any time leaving users in the dark because of patent infringements. Something along those lines anyway.
It's also hard to take some of the articles on Anandtech seriously when it comes to Intel. As anyone can see, Anandtech is heavily sponsored by Intel. The latest blog on about SAP and i7 seems to confirm this and Intel are in bed with each other.
When you see reports like this, think where the money is coming from for these reporters and their organizations. Something to consider, that's all.




Bit 9 is right
By toyotabedzrock on 12/21/2008 3:10:26 AM , Rating: 2
If a user doesn't have admin rights they cannot update firefox, so Bit9 is right. However this can be solved with a simple script, if everyone is on a domain. But the admin has to write and test the script and then download any new version and run the script.




Copyright 2014 DailyTech LLC.