
Marketing BS or is Firefox more vulnerable

kornphlake

Golden Member
I got a message in my spam folder from ProSecure, since it made it past spam assassin I figured I'd take a look at it just in case it wasn't supposed to be spam. It was a marketing email for their products obviously, but it caught my attention with the following statement:

In this blog, Web Browser Vulnerability Report, ProSecure determined that the Firefox browser, based on open-source Mozilla, accounted for 44 percent of all browser vulnerabilities reported in the first half of 2009!

Is this marketing BS or is FF really a vulnerability? I am guessing that the translation is it just to say that the #2 ranked browser accounts for 44 percent of vulnerabilities while the #1 ranked IE accounts for the remaining 56 percent. I'm not likely to switch my browser because I have good security in place already and I don't visit sites or download files likely to infect my computer, still the above statement made me wonder if FF is really that vulnerable or if it is just marketing hype to sell another flavor of security software.

Thoughts? Obviously open source software is going to be more vulnerable because the code is freely available, but isn't that a bigger incentive for developers to make sure and close any security holes?
 
In my opinion, really it's the wide use of a browser that makes it vulnerable. Besides, code is prone to faults and at least Firefox gets patched up so often to eliminate those vulnerabilities.
 
I do find FF is a bit more vulnerable than it used to be. For example last time I used the trend micro site I was surprised to see that it just let everything through. So if a virus scanner app can make it through and be executed by simply going to a web page, so can a virus.
 
In my opinion, really it's the wide use of a browser that makes it vulnerable. Besides, code is prone to faults and at least Firefox gets patched up so often to eliminate those vulnerabilities.

Agreed. The more popular it gets the more hackers will try to exploit it. Same goes for operating systems, which is why it was silly when competing systems claim they are more secure than the next guy. In truth they are all vulnerable to someone who knows what they are doing.
 
I think the Unix derivatives are still not as vulnerable as the Windows system.
As said above, the more widespread the system is, the more viruses are produced for it.
 
I think the Unix derivatives are still not as vulnerable as the Windows system.
As said above, the more widespread the system is, the more viruses are produced for it.

The problem is that what people define as vulnerable differs in so many different ways. Does vulnerable mean susceptible to viruses? Spyware? Brute force attacks? IMO any system that can be pinged and located from the outside is "vulnerable", regardless of platform. It's one of those "it either is or it isn't" situations. If we had to define vulnerability on a sliding scale of low to high, I would imagine that user stupidity has more effect on it than actual external danger, since in my experience most viruses and spyware can be easily avoided with a little awareness. 😛
 
That study is a bit dubious IMO. Add-ons are one major security hole for Firefox, so it doesn't matter how secure the browser itself is, a poorly designed add-on could ruin that. Also, this is *known* vulnerabilities. MS developers could have discovered a plethora of vulnerabilities for IE in 2009, but we'd have no way of knowing because the software is closed source. Also, because of its open source nature, Firefox vulnerabilities tend to get fixed pretty quickly.

If you're curious, Safari ranked 2nd in this study, not IE.

Firefox - 44%
Safari - 35%
IE - 15%
Opera - 6%

edit: Not to mention, Firefox has add-ons like NoScript and AdBlock that make it FAR more secure than other browsers.
 
edit: Not to mention, Firefox has add-ons like NoScript and AdBlock that make it FAR more secure than other browsers.

Actually, IE has had the approximate equivalent of NoScript (namely the four-zone security thingie) since around 1999-2000 when IE5.01 arrived with Win2000. If you're interested in how to use it: http://www.youtube.com/watch?v=kzj8_n8uMGg

All browsers have vulnerabilities. There'll always be more. Sometimes the bad guys will find them first. What you need is proactive containment and mitigation, not rolling the dice by changing the browser (unless it's Safari 😀). So my advice is that anyone who's concerned about browser security should focus primarily on three things:

1) don't run any browser with Admin-level privileges. On WinXP/2000, that means using a non-Admin account. On Vista/7, it means leaving UAC enabled and preferably using a Standard User account as well. If you use IE on Vista/7, leave Protected Mode enabled. If you for some reason must log on as an Admin on WinXP/2000, try a sandboxing app like Sandboxie or DropMyRights to put your browser in a "padded cell."

2) keep your add-ons up-to-date. Use the Secunia Personal Software Inspector to check. This is a huge one. People get all focused on browsers and totally forget that a vulnerable add-on (Flash, QuickTime, Adobe Reader, RealPlayer, etc) puts them right back at square one. At that point, IE's Protected Mode provides proactive containment on Vista/7. FireFox... sorry. Maybe someday.

3) harden your system. Fully enable Data Execution Prevention on XP, Vista or 7. If you have Vista or 7, also enable SEHOP.

My Windows security guide has info on how to do that stuff, for those who need a hand: http://www.mechbgon.com/security



Regarding the original post: as surprising as it may seem, Microsoft has come a long way on both browser security, and proactive mitigations like UAC and Protected Mode as additional lines of defense. Welcome to 2009 😉

Also, do not presume that you'll avoid danger by surfing "safe" sites, because the bad guys can and do (1) compromise "safe" sites, and (2) get "malvertising" sneaked onto safe sites (malvertisements are banner ads that contain an exploit and attack your system). I was at a "safe" site last night that attempted to launch an exploit targeting Adobe Reader, which Protected Mode stopped (and which was not detected by antivirus). Go prepared.
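A way to audit the three points in the post above on a Vista/7-era box, as an added example that is not from the thread or from the linked guide. It is read-only and only reports state; it assumes the documented WMI property and registry locations named in the comments (the Internet-zone Protected Mode value, 2500, is the one I believe IE uses, so treat it as an assumption to verify on your own machine).

```powershell
# Added example (not the poster's code): report whether the browser session
# would run elevated, whether UAC is on, the system DEP policy, SEHOP state,
# and IE's Protected Mode setting for the Internet zone. Nothing is changed.

function Test-RunningAsAdmin {
    # Point 1: a browser launched from this session inherits these rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacState {
    # EnableLUA = 1 means UAC is on (Vista/7).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($v -eq 1) { 'enabled' } else { 'DISABLED' }
}

function Get-DepPolicy {
    # Point 3: Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows programs only, the default), 3 = OptOut
    $os = Get-WmiObject Win32_OperatingSystem
    switch ($os.DataExecutionPrevention_SupportPolicy) {
        0 { 'AlwaysOff' }
        1 { 'AlwaysOn' }
        2 { 'OptIn (Windows programs and services only)' }
        3 { 'OptOut (all programs except exclusions)' }
        default { 'unknown' }
    }
}

function Get-SehopState {
    # Point 3: SEHOP is controlled by DisableExceptionChainValidation
    # (0 = SEHOP on, 1 = off). If the value is absent the SKU default applies:
    # off on Vista SP1 / Windows 7 client, on for Server 2008.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $v = (Get-ItemProperty -Path $key -Name DisableExceptionChainValidation -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    if ($null -eq $v) { 'not set (client SKU default: disabled)' }
    elseif ($v -eq 0) { 'enabled' }
    else { 'DISABLED' }
}

function Get-IeProtectedMode {
    # Point 1 (IE on Vista/7): zone 3 is the Internet zone; value 2500 is the
    # Protected Mode switch (assumed: 0 = on, 3 = off).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $v = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
    if ($null -eq $v) { 'not set (IE default applies)' }
    elseif ($v -eq 0) { 'enabled' }
    else { 'DISABLED' }
}

# Report. Anything in capitals is a setting the post above says to change.
"Running as Admin       : $(Test-RunningAsAdmin)"
"UAC                    : $(Get-UacState)"
"DEP policy             : $(Get-DepPolicy)"
"SEHOP                  : $(Get-SehopState)"
"IE Protected Mode (Internet zone): $(Get-IeProtectedMode)"
```

Point 2 (third-party add-on versions) is deliberately not in the script: that is what Secunia PSI covers, and a version check would need a vulnerability feed to compare against.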
 
Interesting, I didn't realize you could set up IE to disable JS on all sites except for trusted ones. Doesn't seem to be as easy to use or as customizable as NoScript, but it would definitely get the job done.
 
edit: Not to mention, Firefox has add-ons like NoScript and AdBlock that make it FAR more secure than other browsers.

Of course, pushing all the n00bs towards Firefox telling them it's so safe means idiots that don't patch or can't handle NoScript now make up a significant portion of the Firefox population.
 
This seems a bit like another cut on the eternal browsers wars continuing never ending epic prevalent throughout most forums with even the slightest reference to IT.

It seems to me (only my take on it), that no browser is better OR worse than any other, my prime reasoning for this being, does the browser natively, without interference, do what it was designed to do, and in all cases, the answer is yes. However, once you start messing with the original design, and start adding on things that weren't there to start with, you have, by the very nature of using such addons, altered the functionality of the original. This is true also of all browsers.

When one delves into the security of a browser, is one actually assessing the security of the browser itself, or its ability to handle malformed or abused pages? And again, when one gets into saying that e.g., IE is more malware likely, is one actually judging the browser, when one should actually see the problem as being the malware itself, and IE being the portal? And that being said, has anyone solely using a browser other than IE been able to truthfully say that they too haven't been a victim of malware?

Maybe it's time we should assess the problem in its own interlinked but separate categories. Does the browser do what it's supposed to do, does the addition of addons truly enhance the browser, or just create a problem that the browser wasn't originally designed for, and is malware the fault of the browser, or is that a separate issue altogether?

I'm sorry if that appears long winded, but I'm bored of seeing fault or in some cases blame, being laid at the wrong set of feet.
 
IMO any system that can be pinged and located from the outside is "vulnerable", regardless of platform. It's one of those "it either is or it isn't" situations.

Vulnerable in that "could be attacked by someone via the Internet", sure. But that's only one method of attack and being able to ping a machine says very little about its true vulnerability. The PIX 501 I have at my border is old and unsupported and I'm sure there's bugs in the code, but it's still safer to have it on the border than an XP machine running ICS.

It's not black or white at all, in fact it's pretty much just black. Everything is vulnerable to something, you just need to decide if the benefits outweigh the risk.

keep your add-ons up-to-date. Use the Secunia Personal Software Inspector to check. This is a huge one

And it's also a huge fault in Windows that you need a 3rd party software tool to automatically keep your software up to date.
 
Vulnerable in that "could be attacked by someone via the Internet", sure. But that's only one method of attack and being able to ping a machine says very little about its true vulnerability. The PIX 501 I have at my border is old and unsupported and I'm sure there's bugs in the code, but it's still safer to have it on the border than an XP machine running ICS.

It is possible to crash a server through excessive pinging. I was merely arguing that vulnerability is an explicit term and shouldn't be used to describe how susceptible a particular browser/server/etc... is to attack, since by definition being vulnerable merely states that you are susceptible, not how susceptible. Basically any system that has an access point to the outside is vulnerable, but how susceptible it is depends on many things. I'm just being critical as to the use of the word in general, especially in advertising. 😛
 
And it's also a huge fault in Windows that you need a 3rd party software tool to automatically keep your software up to date.

So it's a fault in windows that you need a 3rd party app to keep your add ons, that are not a part of windows, up to date.

Wow, I knew it. I was wondering what the reason for having to manually update a client's machine to the latest version of my code involved work. It's a fault in WINDOWS! Has nothing to do with me not making the software auto update.
 
It is possible to crash a server through excessive pinging

You can DoS a box that way if you've got enough bandwidth, but it shouldn't crash.

I was merely arguing that vulnerability is an explicit term and shouldn't be used to describe how susceptible a particular browser/server/etc... is to attack, since by definition being vulnerable merely states that you are susceptible, not how susceptible.

It's like the hacker/cracker differentiation, no matter how much you want it to change it's not likely to ever do so. "Security" companies are going to use the term vulnerable because it sounds scarier regardless of anything else. Just like how just about all of the statistics on things like Windows vs RHEL report on plain security releases and don't ever take into account the pure number of packages available for either platform. RHEL generally comes out looking worse because RH supports more packages.

So it's a fault in windows that you need a 3rd party app to keep your add ons, that are not a part of windows, up to date.

Yes. They already have the capability with Automatic Updates, it wouldn't be hard for them to extend it to let 3rd parties use it and get rid of the dozen individual updaters that things like Java, Flash, etc all install on their own.
 
Yes. They already have the capability with Automatic Updates, it wouldn't be hard for them to extend it to let 3rd parties use it and get rid of the dozen individual updaters that things like Java, Flash, etc all install on their own.

There was such an uproar about the Automatic Updates engine just keeping itself up-to-date, that I can only imagine the backlash if Microsoft channelled out a buggy iTunes update that deleted everyone's music libraries. I mean, we're talking about MUSIC here, this is serious stuff.

 
There was such an uproar about the Automatic Updates engine just keeping itself up-to-date, that I can only imagine the backlash if Microsoft channelled out a buggy iTunes update that deleted everyone's music libraries. I mean, we're talking about MUSIC here, this is serious stuff.



I get the feeling you're being sarcastic :^P

I'd judge a browser by how reactive, and proactive the developers involved are. If the devs are slacking on updates, then I'd consider that browser less secure. The actual placement security wise is generally nebulous, and the different browsers can change places at any time. All the current browsers do pretty well on security, but they still require vigilance on the parts of the users.
 
Yes. They already have the capability with Automatic Updates, it wouldn't be hard for them to extend it to let 3rd parties use it and get rid of the dozen individual updaters that things like Java, Flash, etc all install on their own.

No thank you. I don't need the hassle of some random software company deciding X-Toolbar is a REQUIRED update and sneaking it in an install of required or critical updates.

At least with only MS using it at the moment, I can be sure that if it is marked required or critical, I need it.

I keep an eye on what gets installed and updated, but just imagine the average user who would be nuked by this.
 
There was such an uproar about the Automatic Updates engine just keeping itself up-to-date, that I can only imagine the backlash if Microsoft channelled out a buggy iTunes update that deleted everyone's music libraries. I mean, we're talking about MUSIC here, this is serious stuff.

iTunes already does that with the craptastic updater Apple includes with it so it's a non-issue. Putting all product updates into a central location would be a win.

No thank you. I don't need the hassle of some random software company deciding X-Toolbar is a REQUIRED update and sneaking it in an install of required or critical updates.

If you don't look at the updates listed in AU before installing them that's your fault, not anyone else's. And random software already does that crap with their own updaters so I don't see your point.

At least with only MS using it at the moment, I can be sure that if it is marked required or critical, I need it.

Ah so you trust MS to label their patches properly but no one else? And what about the fact that Flash, Apple's crap, Java, etc already come with their own updaters? Wouldn't it be better to have them all in one location instead of having a dozen random background processes?

I keep an eye on what gets installed and updated, but just imagine the average user who would be nuked by this.

Nice hyperbole. Those users are getting nuked already by the various crap updaters that come with everything, all this would do is put everything into one central location to be managed properly.
 