

101 comment(s) - last by walk2k on Dec 19 at 11:11 PM

The good old FF browser gets little love when it comes to security

Firefox has its plate full when it comes to security.  It has grown a substantial enough market share to place it in a strong second after Microsoft's Internet Explorer.  This gives it a high profile and makes it a desirable target for hackers and malware writers.  Worse yet, it has less money than Microsoft to fund security efforts and, according to some experts, less focus as well.

While small-market-share browsers like Opera and Chrome have built a reputation on their security (Safari being a notable exception, with a reputation for insecurity), Firefox continues to plod along in a day-to-day fight, trying to remain a secure platform while dealing with the challenges of browser celebrity.

Perhaps for this reason, Bit9, an application whitelisting firm that helps employers block employee access to certain apps, placed Firefox at the top of its list of most vulnerable apps.  The remaining spots on the list were filled out with more familiar names, with two through twelve being, respectively: Adobe Flash & Acrobat; EMC VMware Player, Workstation, and other products; Sun Java Runtime Environment; Apple QuickTime, Safari, and iTunes; Symantec Norton products; Trend Micro OfficeScan; Citrix products; Aurigma and Lycos image uploaders; Skype; Yahoo Assistant; and Microsoft Windows Live Messenger.

The Bit9 study weighed several factors in ranking the applications.  One was how widely each application was deployed.  Another was how many known vulnerabilities existed and how severe they were.  The last was how hard the application was to patch.

To make the list, a program had to run on Windows and not be centrally updatable via services such as Microsoft SMS and WSUS.  Many say the survey was unfair to Apple products because this criterion kept the more easily patched Microsoft applications off the list.

In some ways, though, Bit9's list is a useful benchmark.  It aptly points out that many networks have Firefox installed on machines without the system administrator being fully aware of those installs.  Thus, even though most of the vulnerabilities examined have been patched, those installs may not receive the patches until the employee upgrades to the next edition of the browser.
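The practical check that falls out of Bit9's criteria is an inventory audit: list every install of an application that is not under central patch management, and flag the ones below the current patched release.  The Python below is an added example written for this page, not code from the article or from Bit9.  It assumes a constructed inventory export (host, product, version, and whether the install is managed through SMS/WSUS packages) and takes the minimum acceptable version as a parameter; the host names and version numbers are made up for illustration.  The one subtlety worth showing is version comparison: compared as strings, "3.0.10" sorts before "3.0.5", so a naive check would report a newer install as outdated.

```python
"""Audit a software inventory for outdated or unmanaged installs of one product.

Added example (not from the article or from Bit9). The inventory text, host
names, versions and the minimum version passed to audit() are all assumptions
constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: str
    managed: bool  # True if deployed and patched via SMS/WSUS packages


# Constructed sample inventory: one install per line, CSV with a header row.
SAMPLE_INVENTORY = """\
host,product,version,managed
ws-0017,Mozilla Firefox,3.0.4,no
ws-0023,Mozilla Firefox,3.0.10,no
ws-0031,Mozilla Firefox,2.0.0.20,no
ws-0042,Mozilla Firefox,3.0.5,yes
ws-0055,Internet Explorer,7.0.5730.13,yes
ws-0061,Mozilla Firefox,3.1b2,no
"""


def version_key(version: str) -> tuple:
    """Turn '3.0.10' into a tuple that sorts numerically rather than lexically.

    Each dotted component becomes (number, is_final, suffix); a trailing letter
    suffix such as the 'b2' in '3.1b2' marks a pre-release, which sorts before
    the final release with the same number.
    """
    key = []
    for part in version.split("."):
        m = re.fullmatch(r"(\d+)(.*)", part)
        if not m:
            raise ValueError(f"unparseable component {part!r} in {version!r}")
        number, suffix = int(m.group(1)), m.group(2)
        key.append((number, 0 if suffix else 1, suffix))
    return tuple(key)


def is_older(version: str, minimum: str) -> bool:
    """True if version < minimum; shorter versions are padded with zero components."""
    a, b = list(version_key(version)), list(version_key(minimum))
    pad = (0, 1, "")
    width = max(len(a), len(b))
    a += [pad] * (width - len(a))
    b += [pad] * (width - len(b))
    return a < b


def parse_inventory(text: str) -> list[Install]:
    """Parse the CSV export above into Install records, skipping the header."""
    rows = [ln for ln in text.splitlines() if ln.strip()]
    installs = []
    for line in rows[1:]:
        host, product, version, managed = (f.strip() for f in line.split(","))
        installs.append(Install(host, product, version, managed.lower() == "yes"))
    return installs


def audit(inventory_text: str, product: str, minimum_version: str) -> list[tuple[str, str, str]]:
    """Return (host, version, reason) for each install of `product` that is
    older than `minimum_version`, not centrally managed, or both."""
    findings = []
    for inst in parse_inventory(inventory_text):
        if inst.product != product:
            continue
        reasons = []
        if is_older(inst.version, minimum_version):
            reasons.append("outdated")
        if not inst.managed:
            reasons.append("unmanaged")
        if reasons:
            findings.append((inst.host, inst.version, "+".join(reasons)))
    return findings


if __name__ == "__main__":
    # "3.0.5" is an assumed minimum; substitute the current patched release.
    for host, version, reason in audit(SAMPLE_INVENTORY, "Mozilla Firefox", "3.0.5"):
        print(f"{host}: Firefox {version} ({reason})")
```

Run against the sample data, the audit reports ws-0017 and ws-0031 as both outdated and unmanaged, and ws-0023 and ws-0061 as unmanaged only; ws-0023's 3.0.10 is correctly recognised as newer than 3.0.5.  Unmanaged installs are reported even when current, because an install that patches itself only when the user agrees is exactly the case the article describes.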

The study's conclusions only marginally apply to the consumer market.  When it comes to the business market, however, the study argues that picking Firefox, or allowing employees to run it, even with its security plug-ins, is a ticket to the IT danger zone as malware increasingly targets the application layer, with Firefox among its targets.



Comments



RE: vulnerabilities
By LumbergTech on 12/12/2008 4:20:28 PM , Rating: 4
adblock plus, noscript

/end story


RE: vulnerabilities
By Webreviews on 12/12/2008 4:28:14 PM , Rating: 1
Couldn't agree more.

ABP, NS, FTW!


RE: vulnerabilities
By japlha on 12/12/2008 4:51:38 PM , Rating: 3
I'd add flashblock to the list too.


RE: vulnerabilities
By Etsp on 12/13/2008 1:24:08 AM , Rating: 3
What does flashblock do that NoScript doesn't? By default, noscript blocks flash...does flashblock have more functionality in this regard?


RE: vulnerabilities
By omnicronx on 12/13/2008 1:29:59 AM , Rating: 2
I don't think they work the same way. Flashblock just blocks each individual piece of flash content until you press the play button in the middle of the corresponding flash file; doesn't NoScript just block out an entire page completely until you allow the entire site?


RE: vulnerabilities
By AnnihilatorX on 12/14/2008 3:33:45 PM , Rating: 3
No, NoScript has superseded flash block since they included the support for blocking flash contents. To play flash, you just click where the flash is, works the same way as flash block.


RE: vulnerabilities
By Nihility on 12/13/2008 4:53:10 AM , Rating: 4
NoScript blocks flash, only as long as the site is prevented from using scripts. However, if you needed to use a form on the site that requires scripts and you allowed that site to use scripts it would no longer block flash.
That would then subject you to the flash menus and flash advertisements that run from within the sites URL and you would then be vulnerable to flash exploits (not to mention the massive CPU usage of all that flash with 20 tabs open).
So I find a combination of flashblock and no script works exceptionally well both from a security standpoint and a usability standpoint.


RE: vulnerabilities
By on 12/13/08, Rating: -1
RE: vulnerabilities
By rudolphna on 12/14/08, Rating: -1
RE: vulnerabilities
By Xenoterranos on 12/14/2008 1:37:17 AM , Rating: 1
Or you could just add "*.swf" to its blocking rules.


RE: vulnerabilities
By yacoub on 12/15/2008 7:59:30 AM , Rating: 3
Yes - NoScript is domain-wide, FlashBlock is element-specific.
Flashblock allows you to select which specific Flash elements on a page you wish to allow, so it works well in COMBINATION WITH NoScript (and ABP).

You run all three (ABP, FB, and NS), and when you get to a new site, you first allow Scripts from that site's domain if the site doesn't work properly without allowing them. Then FlashBlock allows you to select WHICH Flash elements on the page you want to allow, one at a time. That way you never have to deal with stupid crap like Flash-animated ads.


RE: vulnerabilities
By quiksilvr on 12/12/08, Rating: -1
RE: vulnerabilities
By joex444 on 12/12/2008 6:18:08 PM , Rating: 5
It is safer for a company to have everyone running updated versions of IE than it is to allow employees run old, unpatched versions of Firefox.


RE: vulnerabilities
By Gzus666 on 12/12/08, Rating: -1
RE: vulnerabilities
By CZroe on 12/12/2008 9:22:04 PM , Rating: 5
Auto-update is exactly what they DON'T want in a controlled IT environment. They need to roll out the patches from their own update server for proper documentation and control. What if an update breaks their business app and patches something that has nothing to do with their usage scenario and it gets rolled out to 300+ workstations? Testing must be done first. If an update is needed, they have no guarantee that all network computers have installed it without being forced and documented by an IT update server.


RE: vulnerabilities
By sprockkets on 12/13/08, Rating: -1
RE: vulnerabilities
By CZroe on 12/13/2008 8:30:16 AM , Rating: 3
Have some imagination: Web apps (NCR's QuickLook for example), web forms, etc.


RE: vulnerabilities
By CZroe on 12/14/2008 10:36:50 AM , Rating: 2
Also, off-line software can't update itself but can still be an entry point for an unauthorized user. Contrary to the assumed usage scenario, not all browsers can reach their maker's update servers so they must support a centralized, approved, and managed distribution point.


RE: vulnerabilities
By sprockkets on 12/14/08, Rating: -1
RE: vulnerabilities
By ninus3d on 12/15/2008 7:48:27 AM , Rating: 1
What the...
I'm sorry, what on earth caused that outburst?


RE: vulnerabilities
By Culexus on 12/13/2008 4:08:19 PM , Rating: 2
So what you're saying is that Mozilla(or some other crafty people) should come up with a configurable update server for Firefox that the IT departments in companies can use to distribute updates for Firefox. That with such a system in place, administrators would jump right on it and purge Internet Explorer usage on their networks in favor of Firefox?

Sounds like a good idea,certainly sounds doable, now where would one go to suggest such an idea?


RE: vulnerabilities
By Solandri on 12/13/2008 7:33:28 PM , Rating: 3
Yeah, the last couple IT shops I've worked at specifically banned IE because of its vulnerabilities and had everyone use Firefox. But a centralized means to manage Firefox updates would be sweet.


RE: vulnerabilities
By aapocketz on 12/15/2008 10:26:06 AM , Rating: 2
A friend of mine works at a company where many have installed firefox and they have really poor bandwidth. Apparently firefox by default downloads updates when released, and this kills the bandwidth for a bit after that happens because all the browsers are downloading the updates at once. They should release an "enterprise" version of firefox that allows IT orgs to manage and distribute patches and perhaps even regulate what plugins/extensions are used, because that has to be a security hole.

I don't have any issues though, I like firefox as it is, mostly. I wish it had the tab separation that opera and chrome do, and run tabs in separate processes perhaps. That would make it easier to "tear off" a tab to a separate window. It may also help security, help manage memory, and take more advantage of multiprocessor resources. Tabs logically should run as different processes in my opinion because they are very "orthogonal," they do not need to share memory or anything between tabs. Just a theory though.


RE: vulnerabilities
By Hoser McMoose on 12/15/2008 7:58:35 PM , Rating: 2
That's almost it, except that IT departments aren't going to want to run a separate server JUST to update Firefox.

What the Mozilla folks should do is to get WSUS and Microsoft Update to update Firefox automatically. Of course Microsoft isn't going to want to play nice here so this could be difficult if not impossible.


RE: vulnerabilities
By Alexstarfire on 12/13/2008 5:24:39 PM , Rating: 1
I don't understand. First off, it's not literally auto-update, it asks first. Secondly, you act like Mozilla doesn't have documentation on what is in each update.

I don't work in business by any means, but your logic seems flawed to me.


RE: vulnerabilities
By Bryf50 on 12/13/2008 10:21:06 PM , Rating: 2
Oh come on. You have several hundred people in an office; even if you write it in big letters and set it as their desktop, half of them are gonna end up updating it anyway.


RE: vulnerabilities
By Headfoot on 12/13/2008 1:08:54 AM , Rating: 2
-1'd for ridiculous and baseless accusations


RE: vulnerabilities
By boogle on 12/13/2008 3:58:26 PM , Rating: 2
Corporate environments can use a central update server (WSUS: http://technet.microsoft.com/en-us/wsus/default.as... to ease network congestion. Basically if every workstation downloaded the latest Firefox patch as it came out, or in the morning when they turned on the PCs; the network congestion would be massive.

I remember when the servers all had windows update enabled automatically one month without WSUS and that alone brought Internet access across the board down to a snail's pace, and knocked out access to user profiles etc. That was just the servers updating with Windows updates - what if all the workstations did the same?


RE: vulnerabilities
By Culexus on 12/13/2008 4:12:15 PM , Rating: 2
Speaking of WSUS, I seem to remember the ability to delegate arbitrary software updates to some degree. If that was only signed .msi files, I don't remember. Would it be possible to have new versions of Firefox distributed with WSUS?


RE: vulnerabilities
By VaultDweller on 12/13/2008 7:07:09 PM , Rating: 2
Firefox can't update itself in any real world business scenarios, as businesses (or at least ones that have thought of security for any 5 second interval since their founding) don't give their users admin privileges.

Besides, auto updates are bad.

We have Firefox deployed to some users at work (probably less than 20), and so every time there's a Firefox patch an SMS package has to be pushed out to update those installations. It's costly overhead.


RE: vulnerabilities
By SiliconAddict on 12/13/2008 5:03:34 AM , Rating: 2
The problem is that companies AREN'T running updated versions of IE because newer versions break websites. I've lost count the number of clients that are still running IE 6. Secure my ass.


RE: vulnerabilities
By Hoser McMoose on 12/15/2008 8:02:26 PM , Rating: 2
There are a lot of companies still running Windows 2000 as well and IE6 is the latest and greatest available for Win2K. It causes my company some degree of headaches because we're supposed to still support Win2K/IE6 with our web apps and it's GARBAGE! We have more problems with IE6 than with all other browsers combined.


RE: vulnerabilities
By HrilL on 12/12/2008 6:23:32 PM , Rating: 2
Actually yeah they really do. I work at a bank. Won't say which one since I don't think that would be a good idea. We still use IE 6 on every computer and we are not allowed to install anything. Although everyone seems to be a local administrator on their computers, so you could install whatever you want if you did want to, even though you agreed not to. Then again you are not really supposed to be going to any web sites outside of the bank's intranet anyway.

Firefox does have an auto updater; it pretty much updates the same day updates come out. So I think that is by far better than the windows update option that comes out about once a month.


RE: vulnerabilities
By kontorotsui on 12/13/2008 4:55:44 AM , Rating: 1
quote:
Seriously, do these businesses think IE is more secure than Firefox?


All those paid by Microsoft do.


RE: vulnerabilities
By jonmcc33 on 12/13/2008 3:56:26 PM , Rating: 2
It's more compatible with in house developed applications, yes. Companies should use something like Websense to control websites that their employees go to.

On a side note, the list Bit9 developed is pointless. It basically states the truth. If you connect your computer to the internet then you aren't secure. It listed all well known web browsers and plug-in apps for them.


RE: vulnerabilities
By Golgatha on 12/12/2008 6:07:39 PM , Rating: 2
Don't forget flashblock and quickjava.


RE: vulnerabilities
By walk2k on 12/14/2008 1:59:19 PM , Rating: 1
So you're saying if you turn off half the features, thereby gimping the majority of every website, Firefox is just as safe as IE? Yeah that's great, here's another idea: just NEVER OPEN ANY WEB SITES EVER, then it's perfectly safe! Great idea!

Nice try.


RE: vulnerabilities
By Googer on 12/17/2008 3:43:02 PM , Rating: 2
NoScript is easily hacked. Watch this how-to video:

http://www.youtube.com/watch?v=65I0HNvTDH4




Copyright 2014 DailyTech LLC.