
The good old FF browser gets little love when it comes to security

Firefox has its plate full when it comes to security.  It has grown a substantial enough market share to place it in a strong second behind Microsoft.  This gives it a high profile and makes it a desirable target for hackers and malware writers.  Worse yet, it has less money to fund security efforts than Microsoft, and according to some experts, less focus as well.

While small market share browsers like Opera and Chrome have built a reputation on their security (with Safari being a notable exception, having a reputation for insecurity), Firefox continues to plod along in a day-to-day fight, trying to remain a secure platform while dealing with the challenges of browser celebrity.

Perhaps for this reason, Bit9, an application whitelisting firm that helps employers block employee access to certain apps, placed Firefox at the top of its list of most vulnerable apps.  The remaining spots on the list were filled out with more familiar names, with two through twelve respectively being: Adobe Flash & Acrobat; EMC VMware Player, Workstation, and other products; Sun Java Runtime Environment; Apple QuickTime, Safari, and iTunes; Symantec Norton products; Trend Micro OfficeScan; Citrix products; Aurigma and Lycos image uploaders; Skype; Yahoo Assistant; and Microsoft Windows Live Messenger.

The Bit9 study looked at several factors in ranking vulnerability.  One factor was how popular the applications were.  Another factor was how many known vulnerabilities existed, and how severe they were.  Lastly, it looked at how hard patching was for the particular application.

In order to make the list, programs had to run on Windows and not be centrally updatable via services such as Microsoft SMS and WSUS.  Many say that the survey was unfair to Apple products because it kept more easily patched Microsoft applications off the list.

In some ways, though, Bit9's list is a useful benchmark.  It aptly points out that many networks have Firefox installations running on machines without the system administrator being fully aware of these installs.  Thus, even though most of the vulnerabilities examined have been patched, those installs may not receive the patches promptly, waiting until the employee upgrades to the next version of the browser.

The study's conclusions only marginally apply to the consumer market.  However, when it comes to the business market, the study argues that picking or allowing employees to run Firefox, even with its security plug-ins, is a ticket to the IT danger zone as malware increasingly targets application layer targets such as Firefox.
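The article's practical point is that administrators often do not know which machines carry a Firefox install, or how far behind the patched version it is.  The script below is an added example, not code from the article or from Bit9: it inventories Firefox installs on a Windows host by reading the standard Uninstall registry keys (per-machine, 32-bit-on-64-bit, and the current user's per-user hive), reads the version from the registry or from firefox.exe, and flags anything below a minimum version the administrator chooses.  The parameter $MinimumVersion is a placeholder and the function name Get-FirefoxInstall is the example's own; it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the article or Bit9): inventory Firefox installs on
# a Windows host and flag versions below an administrator-chosen minimum.
param(
    # Placeholder: set this to the lowest Firefox build you consider patched.
    [version]$MinimumVersion = [version]'0.0'
)

# Uninstall keys checked: per-machine (native), 32-bit apps on 64-bit Windows,
# and the current user's per-user installs (Firefox can install without admin rights).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Convert strings such as "3.0.4", "64.0" or "60.0.2esr" into a [version];
# returns $null when no leading numeric version can be found.
function ConvertTo-FirefoxVersion {
    param([string]$Text)
    if (-not $Text) { return $null }
    $m = [regex]::Match($Text, '^\d+(\.\d+)+')
    if (-not $m.Success) { return $null }
    return [version]$m.Value
}

function Get-FirefoxInstall {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Mozilla Firefox*' } |
        ForEach-Object {
            # Prefer the registry's DisplayVersion; fall back to the binary's own version info.
            $verText = $_.DisplayVersion
            if (-not $verText -and $_.InstallLocation) {
                $exe = Join-Path $_.InstallLocation 'firefox.exe'
                if (Test-Path $exe) { $verText = (Get-Item $exe).VersionInfo.ProductVersion }
            }
            $ver = ConvertTo-FirefoxVersion $verText

            [pscustomobject]@{
                ComputerName    = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                Version         = $verText
                InstallLocation = $_.InstallLocation
                # Per-user installs are the ones WSUS/SMS-style central patching never sees.
                PerUser         = ($_.PSPath -like '*HKEY_CURRENT_USER*')
                # $null when the version could not be parsed, so it is reviewed by hand.
                Outdated        = if ($ver) { $ver -lt $MinimumVersion } else { $null }
            }
        }
}

Get-FirefoxInstall | Format-Table -AutoSize
```

The HKCU branch only sees the user running the script; other users' per-user installs live under HKEY_USERS and need the script run in their context or a walk of that hive.  Across a fleet, the function can be pushed out with Invoke-Command (or a scheduled task) and the objects collected centrally, which gives the inventory the article says administrators usually lack.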


Security Misconception
By mfed3 on 12/12/2008 6:25:59 PM , Rating: 1
Just because Mozilla advertises Firefox to be secure doesn't mean it actually is. You have to realize that in a corporate environment, that is, in a managed domain environment, users' systems are automatically patched for them, with ActiveX and internet/intranet security settings managed by their IT pros.

Firefox has no means of being managed by group policies, which is why it is MUCH more insecure for companies. You can't just listen to every company's advertisements and think that because they have an untarnished name that their product is perfect.

RE: Security Misconception
By randomlinh on 12/12/2008 7:36:00 PM , Rating: 2
This is my main concern. With IE, I can manage just about everything via group policy. No such luck w/ FF.

However, even if I could just lock down some basics, the one thing is extensions. While it's rare, there isn't much to keep you from installing whatever. It's a security risk IMO.

I really would like to deploy FF and chrome to be honest, they take longer to load, but run better on our systems (to an extent).

RE: Security Misconception
By SilthDraeth on 12/12/2008 7:46:07 PM , Rating: 3
Frontmotion releases a prepackaged Firefox that you can lock down and config via GPOs. We use it at our school district.

RE: Security Misconception
By TomZ on 12/12/2008 8:22:31 PM , Rating: 2
You can't just listen to every company's advertisements and think that because they have an untarnished name that their product is perfect.

Oh, you mean like Google's own pronouncements about how secure Chrome is? I had a good laugh at that.

You're right - if it is not centrally managed and popular, then it is a vulnerability.

I know of a company whose "security policy" was to configure the proxy server to block all Internet access by IE. So instead, all the users are encouraged to download and install their favorite version of their favorite browser (mostly various versions of Firefox). Smart policy, right?

RE: Security Misconception
By Gzus666 on 12/12/2008 8:54:20 PM , Rating: 2
I know of a company whose "security policy" was to configure the proxy server to block all Internet access by IE.

Then they are the dumbest ass IT department in the world. You don't block traffic based on a browser, you block sites or protocols you don't want through with a firewall or access lists. Sounds like the employees were smarter than the IT folks to me.


Copyright 2016 DailyTech LLC.