
The good old FF browser gets little love when it comes to security

Firefox has its plate full when it comes to security. It has grown a substantial enough market share to place it in a strong second after Microsoft. This gives it a high profile and leaves it a desirable target to be exploited by hackers and malware writers. Worse yet, it has less money to fund security efforts than Microsoft, and according to some experts, less focus as well.

While small market share browsers like Opera and Chrome have built a reputation on their security (with Safari being a noticeable exception, having a reputation for insecurity), Firefox continues to plod along in a day-to-day fight, trying to remain a secure platform while dealing with the challenges of browser celebrity.

Perhaps for this reason, Bit9, an application whitelisting firm that helps employers block employee access to certain apps, placed Firefox at the top of its list of most vulnerable apps. The remaining spots on the list were filled out with more familiar names, with two through twelve respectively being: Adobe Flash & Acrobat; EMC VMware Player, Workstation, and other products; Sun Java Runtime Environment; Apple QuickTime, Safari, and iTunes; Symantec Norton products; Trend Micro OfficeScan; Citrix products; Aurigma and Lycos image uploaders; Skype; Yahoo Assistant; and Microsoft Windows Live Messenger.

The Bit9 study looked at several factors in ranking vulnerability.  One factor was how popular the applications were.  Another factor was how many known vulnerabilities existed, and how severe they were.  Lastly, it looked at how hard patching was for the particular application.

In order to make the list, programs had to run on Windows and not be centrally updatable via services such as Microsoft SMS and WSUS. Many say that the survey was unfair to Apple products because it kept more easily patched Microsoft applications off the list.

In some ways, though, Bit9's list is a useful benchmark. It aptly points out that many networks have Firefox installations running on machines without the system administrator being fully aware that these installs exist. Thus, despite the fact that most of the vulnerabilities looked at have been patched, the installs may not receive these patches immediately, but only when the employee upgrades to the next edition of the browser.

The study's conclusions only marginally apply to the consumer market.  However, when it comes to the business market, the study argues that picking or allowing employees to run Firefox, even with its security plug-ins, is a ticket to the IT danger zone as malware increasingly targets application layer targets such as Firefox.



Comments

RE: methodology
By Titanius on 12/14/2008 5:18:40 PM , Rating: 2
quote:
I do have to agree that IE7 is more secure than firefox in a business environment. IE7 can be controlled, firefox cannot and has to be updated by the user (although you can update automatically, unfortunately leaving it up to the end user is never a good idea).


I agree and disagree with you on that. IE7 is good, but most big businesses use IE6 which is bad. Yes, Firefox is set up right now on Windows machines to ask the user to update; but on Linux, you cannot auto-update Firefox that way most of the time, you usually have to update using the built-in update tool of your Linux distro (which is set up BY DEFAULT to only download updates that have been tested by the distro's development team, if regressions occur, the update isn't released until it is fixed). When in a network, IT can administer Linux updates in a similar way to Windows networks.

So my point in all this is, why not make it that Firefox can also be updated that way on Windows? But the big problem with businesses in general is that they are cheap, and they feel comfortable with IE6 which has been around since before Windows XP (anyone remember Millennium Edition? LOL!). So obviously, they don't want to upgrade to a more advanced browser because it will cost them more money. The advantage of going the IE7 route is because it is the easiest and also the cheapest way to go. Anyone who says otherwise has been brainwashed by their IT department, Microsoft or idiots that think they know what they are talking about and sell it very well.

IE6 is good (yes it is not the most up-to-date browser, but patches keep it current [as much as possible] and it has been around so long that all industries have made their intranet applications run on it and it does that job very well.)

IE7 is better (it is up-to-date, has tabbed browsing, has improved security features like Phishing filters, etc. It is also backwards compatible to IE6 so MOST of the time applications built to use IE6 will work in IE7 (notice I said most of the time, I have seen some times where IE7 breaks the app and so a downgrade to IE6 is needed to be able to use it [or a more costly alternative is to make the app compatible with IE7]).)

Firefox is the best (it is up-to-date, open source, free, has very good security features and if you are not satisfied with that, there are add-ons which improve that security even more, to the tune of Adblock Plus, NoScript, and others. Patches can be built fairly easier for it than IE and it is standards compliant. The reason they call it standards is because they are standards which everyone should use, only when everyone uses the same thing can there be no more broken functionality problems by using a different browser.)

IE8 is coming and it will be a standards browser, so to businesses I say, make the switch to using standards compliant applications because in the future, that is what will determine if it works or if it doesn't. If not, then stay in your dinosaur age with legacy systems that you will have to get maintained by your very own development team [oh, and those developers don't work for free!].


Copyright 2014 DailyTech LLC.