
Thread: $0.02 Regarding Firefox Security

  1. #11
    Banned
    Join Date
    Jul 2005
    Posts
    511
    I do think there's a valid point in the warning from Symantec. Think about it. In the past, Firefox was considered more secure. Yet it had quite a small marketshare and thus was not too interesting for hackers. Not enough systems to attack. But Firefox has a bigger market-share now and that does mean its security system will become more important too. If Firefox wants to increase its marketshare then the security of Firefox must be improved a lot.
    Then again, recently Opera became free and it seems to be an interesting alternative. And Netscape is still alive too. And I'm wondering if there are several more good alternatives. Of course, Firefox is pretty good but it's becoming a bigger target now it starts to gain a bigger marketshare.

  2. #12
    AO Senior Cow-beller
    Moderator
    zencoder
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by !mitationRust
    I just noticed something hilarious.....zencoder you claim to have a CISSP but you have a get firefox sig. lol

    Did you come away with any knowledge about application level security and its value?


    That's the second person with a CISSP to openly do this.
    What are you talking about? What's wrong with Firefox? Over IE? Or Opera? Or anything else?

    What does my being a CISSP have to do with what software I think is acceptable for various reasons and needs? You make an observation without really explaining what you mean in depth. Let's hear it?
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #13
    Ok, after all that's been said here, I'd like to try and bring the thread back to where it started, and maybe clarify where I was trying to go with it. BTW, I apologize for not being clear earlier.

    My issue is not with Symantec stating that Firefox is less secure than IE. Based on their approach, they're absolutely correct. However, I don't think it was a fair/accurate comparison of the two browsers.

    IE 6 was released in 2001. I don't know how many patches were released for it in the first year, but it would be interesting to see how many there were, and how many were critical, in comparison to the past year of Firefox. It might in fact turn out that Firefox has had a less secure first year of release (official release, not including betas & alphas) in comparison to IE 6. Instead of comparing the first full year of release, they are comparing a browser which has had the better part of 4 years to discover and work out issues to one which has had a full-version available for about a year.

    Another point I unsuccessfully tried to make was that a comparison should have been done between the two browsers in relation to the average time from the discovery of an exploit, to the time a patch was officially released (and I don't consider 1.0.6 a proper patch because it disabled a feature - 1.0.7 was the PROPER patch for the issue).

    All that being said, I do agree that Firefox HAD an advantage when its market share was tiny - good ol' Security Through Obscurity! Now, obviously not so much, though it still doesn't come close to matching the official deployment numbers of IE.

    Now, if Symantec were to compare the browsers based on those criteria, I might be more inclined to believe that they were being impartial.

    Obviously, there are users who felt that "more secure than IE" meant "there will never be any security issues." It's unfortunate that they chose to believe that, but as far as I know, nobody from Firefox has ever said that their product was completely impenetrable. My PERSONAL belief is that the native pop-up blocker, combined with the fact that at least some of the security issues were related to trying to help users avoid Phishing (something IE was slower to adopt), makes it an overall safER choice than IE. But ABSOLUTELY NOTHING will protect a user if they aren't educated in what to avoid.

    BTW, if anyone finds the figures for these bits of historical info, I'd be very curious to know what the results are. I wasn't able to find the info I wanted, but maybe one of you industrious security gurus has sources I have yet to discover
    "The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward."
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.

  4. #14
    AO Senior Cow-beller
    Moderator
    zencoder
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by !mitationRust
    I just noticed something hilarious.....zencoder you claim to have a CISSP but you have a get firefox sig. lol

    Did you come away with any knowledge about application level security and its value?


    That's the second person with a CISSP to openly do this.
    Hey, seriously! Tell us what you mean.

    You can't toss a gauntlet on the floor like that and then not reply.

    You seem to have a view that indicates Firefox is obviously a ridiculous choice of application to use, and you seem to think it is blatantly obvious. I'm sure I'm not the only person here who has no idea what the position behind your statement is, so please enlighten us.

    I'm sorry, that statement needs elucidation.

  5. #15
    Junior Member
    Join Date
    Sep 2005
    Posts
    5
    Originally posted here by Katja
    I do think there's a valid point in the warning from Symantec. Think about it. In the past, Firefox was considered more secure. Yet it had quite a small marketshare and thus was not too interesting for hackers. Not enough systems to attack. But Firefox has a bigger market-share now and that does mean its security system will become more important too. If Firefox wants to increase its marketshare then the security of Firefox must be improved.
    I agree, but I think more people should be helping out to debug and improve Firefox if they want increased security instead of complaining about it. Please remember it's community driven; open source software is not meant to be about mooching and never giving back. Even if someone isn't a programmer they can do other things to help out:

    http://www.mozilla.org/developer/


  6. #16
    Junior Member
    Join Date
    Sep 2005
    Posts
    2
    As a Firefox user myself I feel that its open source nature (surprising how IE is suddenly becoming open source too, I might add....) and therefore constant development/modification by way of add-ons makes it preferable over IE - although I suppose this is a spin-off of this topic.

    I agree with most of the comments made, one shouldn't just rely on a piece of software to keep them safe, nothing is perfect. What the statistics don't take into account is the knowledge of the users. A computer novice is likely to use IE, likewise someone with a little knowledge can use it in relative safety, but as my experience goes, the people who tend to use Firefox are more advanced and therefore less likely to do something stupid. On the other hand, because it's open source it's easier to write an exploit for it (in theory).

    As a firm believer in security in layers, I really don't see the relevance of messing about over the strength of a browser. Security isn't guaranteed in one piece of software!! As long as you're not surfing from a mission critical server (if you are you should be shot) then the real deciding factor should be personal preference and features.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

    I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

  7. #17
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I agree but I think more people should be helping out to debug and improve Firefox if they want increased security
    Fine, let's fix all of Firefox's security issues right now.

    Run Firefox as a process that only has access to a cache directory, which the current user lacks access to and no user has exec rights to. Read access and exec access should be provided only to Firefox's actual bin and config files. Encrypted pages should not be cached.

    In this case even if firefox is exploited, it cannot use the current desktop UID to make any changes... trojans cannot be downloaded, and if remote control is gained... wow the attacker can write to non-executable cache or read config files.

    In this case, Firefox being compromised will have no impact on the system's security since the rogue process is incapable of doing anything beyond normal use.

    Perhaps firefox should ship with a security template that simplifies this configuration.

    cheers,

    catch
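
The permission layout described in post #17, written as a check a defender could run over an existing install. This is an added example, not part of the original post or any Firefox tooling; the function names, rule labels and the sample tree are constructed for illustration, and it reads POSIX ownership and mode bits only.

```python
import os
import stat
import tempfile

def audit_confinement(cache_dir, program_dirs, sandbox_uid):
    """Return (rule, path) findings where the layout departs from the post's model."""
    findings = []
    st = os.lstat(cache_dir)
    if st.st_uid != sandbox_uid:
        findings.append(("cache-not-owned-by-sandbox-uid", cache_dir))
    if st.st_mode & 0o077:
        # Any group/other bit lets the desktop user reach the browser's cache.
        findings.append(("cache-open-to-other-users", cache_dir))
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & 0o111:
                findings.append(("executable-file-in-cache", path))
    for top in program_dirs:
        for root, _dirs, files in os.walk(top):
            for path in [root] + [os.path.join(root, f) for f in files]:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue
                # Binaries and config must be read/exec only for the browser's
                # UID; group/other write is flagged conservatively as well.
                owner_write = st.st_uid == sandbox_uid and st.st_mode & 0o200
                if owner_write or st.st_mode & 0o022:
                    findings.append(("program-file-writable", path))
    return findings

def build_sample_layout(base):
    """Constructed sample tree: a private cache and a read-only program dir."""
    cache, prog = os.path.join(base, "cache"), os.path.join(base, "program")
    os.mkdir(cache)
    os.mkdir(prog)
    page, binary = os.path.join(cache, "page.html"), os.path.join(prog, "browser-bin")
    for p in (page, binary):
        open(p, "w").close()
    for path, mode in ((page, 0o600), (binary, 0o555), (cache, 0o700), (prog, 0o555)):
        os.chmod(path, mode)
    return cache, prog, page, binary

if __name__ == "__main__":
    cache, prog, page, binary = build_sample_layout(tempfile.mkdtemp())
    print(audit_confinement(cache, [prog], os.getuid()))
    os.chmod(page, 0o755)  # a cached download that picked up the exec bit
    print(audit_confinement(cache, [prog], os.getuid()))
```

ACLs and mount options such as noexec are outside what this check reads.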

  8. #18
    Senior Member BrainStop
    Join Date
    Jan 2002
    Posts
    295
    Hmm,

    IE 6 was released in 2001. I don't know how many patches were released for it in the first year, but it would be interesting to see how many there were, and how many were critical, in comparison to the past year of Firefox.
    Let's see:
    IE, version 6.0.2800.1106, SP1 + 8 patches

    That does sound like a lot of builds since 2001 to me ....

    Cheers,

    BrainStop
    "To estimate the time it takes to do a task, estimate the time you think it should take, multiply by two, and change the unit of measure to the next highest unit. Thus we allocate two days for a one-hour task." -- Westheimer's Rule

  9. #19

    Cool Symantec

    If Symantec is really concerned about the security flaws in Mozilla Firefox, then they should at least update or configure their Online Security Check to allow Firefox's users to do the task. Below is the message I got when I tried to do it with a Firefox browser, and here's the link too:

    http://security.symantec.com/sscv6/d...z&venid=symnis

    and that's the message:


    An error has occurred

    Symantec Security Check is not compatible with your Web browser because:

    Error 003

    To run Security Scan, you must be using at least Internet Explorer 5.0, Netscape 4.5 or Safari 1.0.

    To run Virus Detection, you must be using at least Internet Explorer 5.0.



    Cheers,

    B.B

  10. #20
    I think I may have mentioned this before, but there is nothing wrong with FireFox, or Netscape or Opera, or IE ... per se. The main problem is in how the software is implemented and managed.

    I don't think the Symantec statement necessarily slams FireFox unfairly. FireFox is still at 1.something, so the road ahead is still a long one. It makes for a clean, responsive browser for individual users. From a managed network perspective, FireFox can be a very severe security problem.

    IE can be maintained, updated and configured centrally on the network. There are numerous tools available to do this.

    FireFox is currently for personal use and that is fine. When installed in a managed network, it cannot be configured, updated or maintained centrally (been there, tried that, got the coffee mug, moved on). The individual user must be trusted to perform the necessary actions to secure and maintain the application. If the user isn't diligent, then FireFox becomes a critical security issue. I had logs that showed where a user, using FireFox, infected a workstation and a server with a trojan/worm attack (on the day the vulnerability was announced), all before the installation could be updated/patched.

    Things will get better and FireFox may become the golden child.

