101 comment(s) - last by walk2k.. on Dec 19 at 11:11 PM

The good old FF browser gets little love when it comes to security

Firefox has its plate full when it comes to security.  It has grown a substantial enough market share to place it in a strong second after Microsoft.  This gives it a high profile and leaves it a desirable target for hackers and malware writers.  Worse yet, it has less money to fund security efforts than Microsoft, and according to some experts, less focus as well.

While small market share browsers like Opera and Chrome have built a reputation on their security (with Safari being a notable exception, having a reputation for insecurity), Firefox continues to plod along in a day-to-day fight, trying to remain a secure platform while dealing with the challenges of browser celebrity.

Perhaps for this reason, Bit9, an application whitelisting firm that helps employers block employee access to certain apps, placed Firefox at the top of its list of most vulnerable apps.  The remaining spots on the list were filled out with more familiar names, with two through twelve respectively being: Adobe Flash & Acrobat; EMC VMware Player, Workstation, and other products; Sun Java Runtime Environment; Apple QuickTime, Safari, and iTunes; Symantec Norton products; Trend Micro OfficeScan; Citrix products; Aurigma and Lycos image uploaders; Skype; Yahoo Assistant; and Microsoft Windows Live Messenger.

The Bit9 study looked at several factors in ranking vulnerability.  One factor was how popular the applications were.  Another factor was how many known vulnerabilities existed, and how severe they were.  Lastly, it looked at how hard patching was for the particular application.

In order to make the list, programs had to run on Windows and not be centrally updatable via services such as Microsoft SMS and WSUS.  Many say that the survey was unfair to Apple products because it kept more easily patched Microsoft applications off the list.

In some ways, though, Bit9's list is a useful benchmark.  It aptly points out that many networks have Firefox installations running on machines without the system administrator being fully aware of these installs.  Thus, despite the fact that most of the vulnerabilities looked at have been patched, those installs may not receive the patches until the employee upgrades to the next version of the browser.
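The unmanaged-install problem described above is something an administrator can check from the endpoint side rather than take on faith. The PowerShell script below is an added example, not code from the article or from Bit9: it reads the Windows Uninstall registry keys that the Firefox installer writes (machine-wide, 32-bit-on-64-bit, and per-user), lists each Firefox install with its version, and flags any below a minimum version. The minimum version used here is an assumed placeholder, not a figure from the article.

```powershell
# Added example (not from the article or Bit9): inventory Firefox installs on a
# Windows host and flag those below a minimum version.
# Assumption: the minimum version is a placeholder; replace it with the current release.
$MinimumVersion = [version]'3.0.5'

# Uninstall keys written by installers; WOW6432Node covers 32-bit installs on
# 64-bit Windows, HKCU covers per-user installs that never touched HKLM.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Mozilla Firefox*' } |
    ForEach-Object {
        # DisplayVersion is a string such as "3.0.4"; strip any trailing
        # non-numeric suffix and parse it so versions compare numerically,
        # not as strings ("3.0.10" must rank above "3.0.9").
        $ver = $null
        $parsed = [version]::TryParse(($_.DisplayVersion -replace '[^\d.].*$', ''), [ref]$ver)
        [pscustomobject]@{
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Path     = $_.InstallLocation
            Hive     = ($_.PSPath -replace '^.*::', '')
            # Unparseable versions are treated as outdated so they get looked at.
            Outdated = (-not $parsed) -or ($ver -lt $MinimumVersion)
        }
    }

if (-not $installs) {
    Write-Output "No Firefox install found in the Uninstall registry keys."
} else {
    $installs | Format-Table -AutoSize
    $outdated = @($installs | Where-Object { $_.Outdated })
    if ($outdated.Count -gt 0) {
        Write-Warning ("{0} Firefox install(s) below {1}" -f $outdated.Count, $MinimumVersion)
    }
}
```

Run across a fleet with Invoke-Command against a list of hosts and collect the output centrally; every install flagged as outdated is one that is relying on the employee to upgrade, which is exactly the gap the article describes.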

The study's conclusions only marginally apply to the consumer market.  However, when it comes to the business market, the study argues that picking or allowing employees to run Firefox, even with its security plug-ins, is a ticket to the IT danger zone as malware increasingly targets application-layer software such as Firefox.

Comments

RE: methodology
By TSS on 12/12/2008 4:48:56 PM , Rating: 2
even if we leave out internet explorer i am in no way gonna believe a study that finds firefox more dangerous than windows messenger.

i've been to a whole lot of sites where i knew there was a virus on there but as long as you turn off javascript in firefox, it'll be fine.

on the other hand i'm getting spammed to hell via IM (at least 20 messages a day these days, it never happened with MSN but it does happen in windows live) each of which contains a link that i'm pretty sure of, contains viruses/trojans/a lot of bad stuff.

even so, with firefox and javascript turned off i would dare open those links. but windows live opens it with internet explorer, while firefox is set as my default browser and every other program uses it as such save windows live.

nope, this study i don't trust. however they were right on the symantec norton stuff though. i've had less problems removing viruses than i have removing norton anti-virus.

RE: methodology
By Kenenniah on 12/12/2008 4:58:15 PM , Rating: 5
My favorite Norton product.....
Ok they make a special edition for "Gamers" that uses less memory and CPU time. My question is why? If you can optimize your code for a "Gamer's Edition", why not just make ALL your versions run better? Of course then they wouldn't have a new gimmicky sales pitch.

RE: methodology
By majorpain on 12/12/2008 6:30:09 PM , Rating: 2
Bitdefender AV has "Game Mode" for at least 2 years now...

RE: methodology
By Kenenniah on 12/12/2008 7:27:08 PM , Rating: 2
Yep, although even without that Bitdefender is still fairly light on system resource use. The same with Nod32 that I currently use. I will never understand why Norton was such a resource hog or why they felt the need to constantly harass their users with popups. There should never be a need for a game edition or a game mode. Just make your program simple and efficient, and give us the option to easily turn off real time scanning when we want to. Whether I'm playing games or not, I NEVER want my AV program to be using up more resources than necessary.

RE: methodology
By DjiSaSie on 12/13/2008 7:03:34 AM , Rating: 2
Because Symantec makes people pay for that, that's why Norton is not a cheap product compared to its rivals. Without such resource hog thing, they couldn't sell it at the highest price.

RE: methodology
By exanimas on 12/12/2008 9:08:43 PM , Rating: 5
My favorite Norton product - - first download on the page. =D

RE: methodology
By drebo on 12/13/2008 11:01:46 AM , Rating: 2
No business is using Symantec's Norton products. If they are, they're too small to notice.

The businesses in this scenario are large corporations that will have centrally managed antivirus applications, of which Symantec's Endpoint Protection is by far the best.

RE: methodology
By brshoemak on 12/13/2008 12:01:52 PM , Rating: 2
"of which Symantec's Endpoint Protection is by far the best."

I actually LOL'd when I read that. Endpoint Protection is junk in my opinion. Centrally managed? Yes. Best (or even good)? Not even close.

Fresh install of SEP on a server per Symantec's best practices and we couldn't share files any more. Nothing in the logs about it blocking anything but we could transfer 95% of a file and then the connection would just drop off. Plus another site had 5 users and the database that it uses as its backend swelled to 30GB in 8 months even with limited logging, hundreds of times what it should be and well beyond the scope of storage during initial server planning. Symantec support was less than helpful in each case.

Just relaying my opinion from personal experience. Your opinion differs - but that's what the internet is for.
