backtop


Print 24 comment(s) - last by toyotabedzrock.. on Dec 21 at 3:10 AM

Experts are taking issue to a recent study which warned users of potential risk of using Firefox

A recent security study from Bit9 argued that Mozilla's Firefox was the most vulnerable application and thus a major threat to businesses.  One of the chief reasons it gave was the lack of a large-network patching system.  For this reason, despite recent security flaws, it did not consider Microsoft's Internet Explorer software, as it assumed that such a patching system dramatically lowered vulnerability.

Bit9 went as far as to suggest that enterprises block their employees from having access to Firefox and delete it from work computers.

Some firms, including Mozilla, were quick to take issue with Bit9's alarming comments.  Representatives from Mozilla's security branch, Human Shield contacted DailyTech with remarks on the topic.  The company's Johnathan Nightingale states, "While we're always happy to see stories that focus on educating our users about security, there are some problems with Bit9's methodology that hinder its ability to draw any meaningful conclusions."

According to Mr. Nightingale, by raising the "risk" of companies which disclose critical vulnerabilities, Bit9's study punishes openness, a critical key to security.  It rewards companies that keep their vulnerabilities secret, he argues.

He also criticizes Bit9's stance on patching, stating that the firm's claims fall short of reality.  He states, "Bit9 seems to understand (the need for smarter metrics) in its focus on application support for updates, but again it fails to account for the real world experience. Firefox does not deliver WSUS updates, but our built-in update mechanism requires no user intervention, and we consistently see 90% adoption within six days of a new update being released."

He concludes, "The Firefox vulnerabilities Bit9 discusses are long-since fixed, with the majority of these fixes coming within days of it being announced. That is the real measure of application security: are known vulnerabilities fixed promptly, tested carefully, and deployed thoroughly? Bug counting is unfortunately common because it's easy, but it should not be a substitute for real security measurement."

Similar sentiments were also echoed by various readers on DailyTech as well as several sources in the security business.  While the Bit9 study certainly takes a controversial and interesting position, according to many its claims are overly broad and flawed.  Whether this is the case is largely a matter of opinion, but one thing's for sure -- whether you're on Firefox, Opera, Chrome, or Internet Explorer, security is largely in the hands of the user.




Comments     Threshold


This article is over a month old, voting and posting comments is disabled

By theapparition on 12/18/2008 8:58:07 AM , Rating: 1
quote:
This type of rollout management is great - for certain applications. Not a frickin' web browser.

And what of companies that use web browsers to run business critical applications? The situation is far more complex than you make it out, and the centralized updates on FireFox can be a bad thing in these instances.

The real issue is the IT department. If they think there are no issues, than they shouldn't block users computers from auto-updating. If there may be a problem, than they should test it before implementing it.

Stop with the thinking that what works for you will also work for the other 99% of the world.


RE: Yeah, as the IE exploit raged wild for a few days ...
By on 12/18/08, Rating: -1
By gmyx on 12/18/2008 9:55:32 AM , Rating: 3
I feel like feeding the trolls ;)

So... do you want dos 1.0 support as well?
Or maybe the old IBM Mainframe should be supported... Or an abacus (I've seen it referred to as an ancient computer)...

Nah... FF should drop support for all stupid people and just support running on smart, intelligent people's brains.

Ok... that was fun... back to reality.


By GlennAl on 12/18/2008 12:48:09 PM , Rating: 3
Well, as Big Al said, "Eat it... eat it...".

It's kind of pointless to reference non-GUI systems like DOS and MVS (of course, all new IBM "mainframes" run Unix as well as MVS, so it's hardly relevant to mention them at all, plus mainframes are all about processing data--not about providing browser support... you might as well take a tractor-trailer to Indianapolis or Sebring). The real point is that Bit9 is, well, kind of stupid.


By omnicronx on 12/18/2008 1:11:29 PM , Rating: 1
It took me a few seconds to figure out if he was joking.. then I looked at the poster and everything made sense..

PCDOS never supported IE.. Netscape.. or any other mainstream browser..

The best it has to offer is Arachne
http://en.wikipedia.org/wiki/Arachne_(web_browser)


By Goty on 12/18/2008 11:02:46 AM , Rating: 2
Then maybe those companies should do the semi-intelligent thing and 1) install firefox by default on all office PCs and Laptops and 2) TURN OFF AUTOMATIC UPDATES.

Goodness, you'd think this was rocket science. Whatever happened to common sense?


By TomZ on 12/18/2008 12:37:06 PM , Rating: 1
quote:
TURN OFF AUTOMATIC UPDATES.

AFAIK, FF lacks the ability for IT groups to centrally change a setting like that, right?


By gstrickler on 12/18/2008 3:02:05 PM , Rating: 2
quote:
AFAIK, FF lacks the ability for IT groups to centrally change a setting like that, right?

Yes, and no. FF doesn't have anything built-in to centrally manage it, but it's easy enough to push such settings to a client. Likewise for FF updates. Since the updates can be pushed from a central server, they can run as administrator so the user does not need any administrative access.

Then, there is this customized version of FF that allows management via AD.
http://www.frontmotion.com/FMFirefoxCE/index.htm

FF and most/all the other apps mentioned in the Bit9 list can easily be managed centrally, all you have to do is spend a few minutes on google to find how how.

The Bit9 "analysis" is completely meaningless.


By misuspita on 12/18/2008 4:03:23 PM , Rating: 2
I still don't understand why companies don't use FF as their preferred browser. Except for those that do have IE6 apps. Other than that is sheer stupidity, IMHO


“So far we have not seen a single Android device that does not infringe on our patents." -- Microsoft General Counsel Brad Smith













botimage
Copyright 2015 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki