
The good old FF browser gets little love when it comes to security

Firefox has its plate full when it comes to security. It has grown a substantial enough market share to place it in a strong second after Microsoft. This gives it a high profile and leaves it a desirable target to be exploited by hackers and malware writers. Worse yet, it has less money to fund security efforts than Microsoft, and according to some experts, less focus as well.

While small market share browsers like Opera and Chrome have built a reputation on their security (Safari being a noticeable exception, with a reputation for insecurity), Firefox continues to plod along in a day-to-day fight, trying to remain a secure platform while dealing with the challenges of browser celebrity.

Perhaps for this reason, Bit9, an application whitelisting firm that helps employers block employee access to certain apps, placed Firefox at the top of its list of most vulnerable apps. The remaining spots on the list were filled out with more familiar names, with two through twelve respectively being: Adobe Flash & Acrobat; EMC VMware Player, Workstation, and other products; Sun Java Runtime Environment; Apple QuickTime, Safari, and iTunes; Symantec Norton products; Trend Micro OfficeScan; Citrix products; Aurigma and Lycos image uploaders; Skype; Yahoo Assistant; and Microsoft Windows Live Messenger.

The Bit9 study looked at several factors in ranking vulnerability.  One factor was how popular the applications were.  Another factor was how many known vulnerabilities existed, and how severe they were.  Lastly, it looked at how hard patching was for the particular application.

In order to make the list, programs had to run in Windows and not be centrally updatable via services such as Microsoft SMS and WSUS. Many say that the survey was unfair to Apple products because it kept more easily patched Microsoft applications off the list.

In some ways, though, Bit9's list is a useful benchmark. It aptly points out that many networks have Firefox installations running on machines without the system administrator being fully aware of these installs. Thus, despite the fact that most of the vulnerabilities looked at have been patched, the installs may not receive these patches immediately, only when the employee upgrades to the next edition of the browser.

The study's conclusions only marginally apply to the consumer market. However, when it comes to the business market, the study argues that picking Firefox or allowing employees to run it, even with its security plug-ins, is a ticket to the IT danger zone as malware increasingly targets application-layer targets such as Firefox.

Comments

RE: vulnerabilities
By Culexus on 12/13/2008 4:08:19 PM , Rating: 2
So what you're saying is that Mozilla (or some other crafty people) should come up with a configurable update server for Firefox that the IT departments in companies can use to distribute updates for Firefox. That with such a system in place, administrators would jump right on it and purge Internet Explorer usage on their networks in favor of Firefox?

Sounds like a good idea, certainly sounds doable, now where would one go to suggest such an idea?

RE: vulnerabilities
By Solandri on 12/13/2008 7:33:28 PM , Rating: 3
Yeah, the last couple IT shops I've worked at specifically banned IE because of its vulnerabilities and had everyone use Firefox. But a centralized means to manage Firefox updates would be sweet.

RE: vulnerabilities
By aapocketz on 12/15/2008 10:26:06 AM , Rating: 2
A friend of mine works at a company where many have installed Firefox and they have really poor bandwidth. Apparently Firefox by default downloads updates when released, and this kills the bandwidth for a bit after that happens because all the browsers are downloading the updates at once. They should release an "enterprise" version of Firefox that allows IT orgs to manage and distribute patches and perhaps even regulate what plugins/extensions are used, because that has to be a security hole.

I don't have any issues though, I like Firefox as it is, mostly. I wish it had the tab separation that Opera and Chrome do, and run tabs in separate processes perhaps. That would make it easier to "tear off" a tab to a separate window. It may also help security, help manage memory, and take more advantage of multiprocessor resources. Tabs logically should run as different processes in my opinion because they are very "orthogonal," they do not need to share memory or anything between tabs. Just a theory though.

RE: vulnerabilities
By Hoser McMoose on 12/15/2008 7:58:35 PM , Rating: 2
That's almost it, except that IT departments aren't going to want to run a separate server JUST to update Firefox.

What the Mozilla folks should do is to get WSUS and Microsoft Update to update Firefox automatically. Of course Microsoft isn't going to want to play nice here so this could be difficult if not impossible.

Copyright 2016 DailyTech LLC.