backtop


Print 101 comment(s) - last by walk2k.. on Dec 19 at 11:11 PM

The good old FF browser gets little love when it comes to security

Firefox has its plate full when it comes to security.  It has grown a substantial enough market share to place it in a strong second after Microsoft.  This gives it a high profile and leaves it a desirable target to be exploited by hackers and malware writers.  Worse yet, it has less money to fund security efforts that Microsoft, and according to some experts, less focus as well.

While small market share browsers like Opera and Chrome have built a reputation on their security (with Safari, being a noticeable exception, have a reputation for insecurity), Firefox continues to plod along in a day to day fight, trying to remain a secure platform while dealing with the challenges of browser celebrity.

Perhaps for this reason, Bit9, an application whitelisting firm that helps employers block employee access to certain apps, placed Firefox on the top its list of most vulnerable apps.  The remaining spots on the list were filled out with more familiar names, with two through twelve respectively being: Adobe Flash & Acrobat; EMC VMware Player, Workstation, and other products; Sun Java Runtime Environment; Apple QuickTime, Safari, and iTunes; Symantec Norton products; Trend Micro OfficeScan; Citrix products; Aurigma and Lycos image uploaders; Skype; Yahoo Assistant; and Microsoft Windows Live Messenger.

The Bit9 study looked at several factors in ranking vulnerability.  One factor was how popular the applications were.  Another factor was how many known vulnerabilities existed, and how severe they were.  Lastly, it looked at how hard patching was for the particular application.

In order to make the list, programs hand to run in Windows and not be centrally updatable via services such as Microsoft SMS and WSUS.  Many say that the survey was unfair to Apple products because it kept easier patched Microsoft applications off the list.

In some ways, though Bit9's list is a useful benchmark.  It aptly points out that many networks have Firefox installations running on machines, without the system administrator being fully aware of the instance of these installs.  Thus, despite the fact that most of the vulnerabilities looked at have been patched, the installs may not receive these patches immediately, until the employee upgrades to the next edition of the browser.

The study's conclusions only marginally apply to the consumer market.  However, when it comes to the business market, the study argues that picking or allowing employees to run Firefox, even with its security plug-ins, is a ticket to the IT danger zone as malware increasingly targets application layer targets such as Firefox.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: vulnerabilities
By Etsp on 12/13/2008 1:24:08 AM , Rating: 3
What does flashblock do that NoScript doesn't? By default, noscript blocks flash...does flashblock have more functionality in this regard?


RE: vulnerabilities
By omnicronx on 12/13/2008 1:29:59 AM , Rating: 2
I dont think they work the same way, flashblock you just blocks each individual piece of flash content until you press the play button in the middle of the corresponding flash file, doesnt NoScript just block out an entire page completely until you allow the entire site?


RE: vulnerabilities
By AnnihilatorX on 12/14/2008 3:33:45 PM , Rating: 3
No, NoScript has superseded flash block since they included the support for blocking flash contents. To play flash, you just click where the flash is, works the same way as flash block.


RE: vulnerabilities
By Nihility on 12/13/2008 4:53:10 AM , Rating: 4
NoScript blocks flash, only as long as the site is prevented from using scripts. However, if you needed to use a form on the site that requires scripts and you allowed that site to use scripts it would no longer block flash.
That would then subject you to the flash menus and flash advertisements that run from within the sites URL and you would then be vulnerable to flash exploits (not to mention the massive CPU usage of all that flash with 20 tabs open).
So I find a combination of flashblock and no script works exceptionally well both from a security standpoint and a usability standpoint.


RE: vulnerabilities
By on 12/13/08, Rating: -1
RE: vulnerabilities
By rudolphna on 12/14/08, Rating: -1
RE: vulnerabilities
By Xenoterranos on 12/14/2008 1:37:17 AM , Rating: 1
Or you could just add "*.swf" to it's blocking rules.


RE: vulnerabilities
By yacoub on 12/15/2008 7:59:30 AM , Rating: 3
Yes - NoScript is domain-wide, FlashBlock is element-specific.
Flashblock allows you to select which specific Flash elements on a page you wish to allow, so it works well in COMBINATION WITH NoScript (and ABP).

You run all three (ABP, FB, and NS), and when you get to a new site, you first allow Scripts from that site's domain if the site doesn't work properly without allowing them. Then FlashBlock allows you to select WHICH Flash elements on the page you want to allow, one at a time. That way you never have to deal with stupid crap like Flash-animated ads.


"And boy have we patented it!" -- Steve Jobs, Macworld 2007

Related Articles
Opera Releases 9.6 Browser
October 8, 2008, 3:31 PM
Apple's Safari Security Woes
March 31, 2008, 12:22 PM
IE vs Firefox: The Trash Talking Heats Up
December 3, 2007, 3:00 PM













botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki