
Experts are taking issue with a recent study that warned users of the potential risk of using Firefox

A recent security study from Bit9 argued that Mozilla's Firefox was the most vulnerable application and thus a major threat to businesses.  One of the chief reasons it gave was the lack of a large-network patching system.  For this reason, and despite recent security flaws, it did not include Microsoft's Internet Explorer, assuming that such a patching system dramatically lowers vulnerability.

Bit9 went as far as to suggest that enterprises block their employees from having access to Firefox and delete it from work computers.

Some firms, including Mozilla, were quick to take issue with Bit9's alarming comments.  Representatives from Mozilla's security branch, Human Shield, contacted DailyTech with remarks on the topic.  The company's Johnathan Nightingale states, "While we're always happy to see stories that focus on educating our users about security, there are some problems with Bit9's methodology that hinder its ability to draw any meaningful conclusions."

According to Mr. Nightingale, by raising the "risk" score of companies that disclose critical vulnerabilities, Bit9's study punishes openness, a key element of security.  It rewards companies that keep their vulnerabilities secret, he argues.

He also criticizes Bit9's stance on patching, stating that the firm's claims fall short of reality.  He states, "Bit9 seems to understand (the need for smarter metrics) in its focus on application support for updates, but again it fails to account for the real world experience. Firefox does not deliver WSUS updates, but our built-in update mechanism requires no user intervention, and we consistently see 90% adoption within six days of a new update being released."

He concludes, "The Firefox vulnerabilities Bit9 discusses are long-since fixed, with the majority of these fixes coming within days of it being announced. That is the real measure of application security: are known vulnerabilities fixed promptly, tested carefully, and deployed thoroughly? Bug counting is unfortunately common because it's easy, but it should not be a substitute for real security measurement."

Similar sentiments were echoed by various readers on DailyTech as well as by several sources in the security business.  While the Bit9 study certainly takes a controversial and interesting position, according to many, its claims are overly broad and flawed.  Whether this is the case is largely a matter of opinion, but one thing's for sure -- whether you're on Firefox, Opera, Chrome, or Internet Explorer, security is largely in the hands of the user.



Define "real world"
By farsawoos on 12/18/2008 10:26:19 AM, Rating: 2
There are a couple of points here:

First, Firefox is a fantastic browser, no matter how you slice it. It's hardly perfect, and is susceptible to security flaws and exploits just like any other browser. What I appreciate about FF over IE, however, is the speed (and general openness) with which the Mozilla team responds to these threats. While Microsoft's Zero-Day response team is probably one of the best in the world out of necessity, I tip my hat to FF for being a much smaller shop while offering equal - if not better - response.

Second, while I shower FF with all my praise and best wishes, I do have a complaint about their argument regarding "real world experience":

quote:
"Bit9 seems to understand (the need for smarter metrics) in its focus on application support for updates, but again it fails to account for the real world experience. Firefox does not deliver WSUS updates, but our built-in update mechanism requires no user intervention, and we consistently see 90% adoption within six days of a new update being released."


While I can see some merit in the HS team's response, they ignore the fact that a lot of organizations would rather keep that kind of traffic internal to their network to avoid saturating their users' and sites' WAN and web connections. They also ignore the fact that every new patch introduces new, under-the-hood changes to the browser that could possibly affect FF's interoperability with in-house or more closed-tech browsers. Let's face it: a lot of web-enabled, browser-based, enterprise-level "solutions" (*ahem*, riiiiiight) are built for IE, and *any* level of usability on FF is considered a huge blessing. To introduce patches to that and potentially upset that already precariously balanced apple cart is not an attractive proposition by anyone's reckoning.

That's unfortunate, but *that* is "real world" according to everything I've ever experienced. I would love nothing more than to pitch Firefox as a serious platform contender within my current enterprise. However, lack of central patching is a problem, because we have so many satellite offices, and its incompatibility with all these lazily constructed "solutions" (Altiris, TouchWorks EMR, CODA Financial, etc.) that only work on IE6 is a big, big negative. :(




Copyright 2014 DailyTech LLC.