September 23, 2005

Reported vulnerabilities and real security favor Firefox

Author: Jay Lyman

A report released Monday by Symantec said that there were more vulnerabilities for Mozilla browsers than for Internet Explorer. Symantec's "Internet Security Threat Report" covers security trends from January 2005 through June 2005. During that time, according to Symantec, Firefox had 25 vendor-confirmed vulnerabilities while Microsoft's Internet Explorer only had 13.

Browser vulnerabilities make up a small part of Symantec's 106-page report, but the news that Firefox suffered more vulnerabilities than IE has made headlines in the tech press.

While Firefox may have more reported vulnerabilities, actual exploits are hard to come by. The Mozilla project's head of products, Chris Beard, said that the organization is not aware of any actual attacks for Firefox vulnerabilities in the wild.

Ken Dunham, a senior engineer with Verisign iDefense, says there is only one known exploit that takes advantage of a Firefox vulnerability, ever.

"Here is what I have on Firefox, and as I remembered, only one code in the wild to date for that and it was a low level code, prevalence-wise," Dunham wrote in an email.

That code, the BoroBot.F variant of the BoroBot worm family, used "a Michael Jackson social engineering issue" last June to try to exploit a medium-level vulnerability in Firefox, according to iDefense.

Symantec's report also acknowledges that "no widespread exploitation of any browser except Microsoft Internet Explorer has occurred. However, Symantec expects this to change as alternative browsers become increasingly widely deployed."

Raw numbers

Beard questioned assumptions about the inherent security of Firefox or any other software based on Symantec's "raw numbers."

"Probably, a lot more meaningful measure would be looking at the number of unpatched vulnerabilities and the time-to-fix of vulnerabilities," he said in an interview. "These are potentially much more meaningful for end users when it comes to keeping safe."

Referring to the latest Firefox security and stability update, version 1.0.7, Beard credited open source transparency and collaboration among researchers for faster Firefox fixes.

"We effectively publish our engineering results," he said.

Beard added that Firefox has a legacy as a more secure architecture. "The fact that we do not support Active X is a significant advantage to us when it comes to keeping users safe," he said, referring to one of Explorer's biggest weaknesses.

Dunham also said that the browser's separation from the operating system -- whether it's Linux, Windows, or others -- is a security advantage.

"That's one of the big advantages Firefox has," he said. "It's not a browser that is integrated with the core operating system or office packages. Internet Explorer is, and as a result, it's much more difficult to isolate an issue."

Vendor self-assessment

Another problem with judging security by the number of vulnerabilities is that Symantec's report is based on vendor-confirmed vulnerabilities. Symantec's Dean Turner, executive editor of the report, said that "the problem with vendor-confirmed vulnerabilities is, they can change."

"A prime example of that is Microsoft," he added. "They may not acknowledge the vulnerability in that time period."

While Turner added that it was "reasonable to assume that as more vulnerabilities appear, there will be more exploits," he said open source options such as Firefox still retain their lower-risk advantage.

"What's more important is distribution, and Internet Explorer is the most widely distributed," he said. "When we look at technologies, as they become more popular, they present a target. They've been focusing on Microsoft for years. I think it has less to do with closed versus open source and more to do with visibility."
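The two measurement points raised above, Beard's preference for counting unpatched vulnerabilities and time-to-fix over raw totals, and Turner's caveat that a vendor-confirmed count depends on when the vendor confirms, can be made concrete with a small metrics script. This is an added example, not code or data from the article, from Symantec, or from Mozilla; the two browsers and every date below are constructed to illustrate how the same records produce different rankings depending on which metric is used.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass
class Vuln:
    """One vulnerability record (constructed; field names are this example's own)."""
    vid: str
    disclosed: date                  # first public disclosure
    vendor_confirmed: Optional[date]  # None if the vendor never confirmed it
    patched: Optional[date]           # None if no fix has shipped


# Reporting window matching the period the article describes.
WINDOW_START = date(2005, 1, 1)
WINDOW_END = date(2005, 6, 30)

# Constructed sample: "browser A" confirms and patches quickly.
BROWSER_A: List[Vuln] = [
    Vuln("A-1", date(2005, 2, 1), date(2005, 2, 1), date(2005, 2, 3)),
    Vuln("A-2", date(2005, 3, 10), date(2005, 3, 10), date(2005, 3, 15)),
    Vuln("A-3", date(2005, 5, 20), date(2005, 5, 20), date(2005, 6, 10)),
    Vuln("A-4", date(2005, 6, 25), date(2005, 6, 25), date(2005, 7, 20)),
]

# Constructed sample: "browser B" confirms slowly or not at all, patches slowly.
BROWSER_B: List[Vuln] = [
    Vuln("B-1", date(2005, 1, 15), date(2005, 1, 20), date(2005, 4, 12)),
    Vuln("B-2", date(2005, 3, 1), None, None),                      # never confirmed
    Vuln("B-3", date(2005, 4, 5), date(2005, 7, 15), date(2005, 8, 9)),  # confirmed after window
    Vuln("B-4", date(2005, 6, 1), date(2005, 6, 1), None),
]


def confirmed_in_window(vulns: List[Vuln], start: date, end: date) -> List[Vuln]:
    """The 'raw number': vulnerabilities the vendor confirmed inside the window.
    A flaw disclosed in the window but confirmed later is NOT counted here."""
    return [v for v in vulns
            if v.vendor_confirmed is not None and start <= v.vendor_confirmed <= end]


def unpatched_at(vulns: List[Vuln], as_of: date) -> List[Vuln]:
    """Publicly known flaws with no fix shipped by the given date (exposure view)."""
    return [v for v in vulns
            if v.disclosed <= as_of and (v.patched is None or v.patched > as_of)]


def median_days_to_fix(vulns: List[Vuln], as_of: date) -> Optional[float]:
    """Median disclosure-to-patch time over flaws fixed by the given date."""
    fixed = [(v.patched - v.disclosed).days for v in vulns
             if v.patched is not None and v.patched <= as_of]
    return median(fixed) if fixed else None


def summarize(vulns: List[Vuln], start: date, end: date) -> dict:
    """Side-by-side metrics for one browser over one reporting window."""
    return {
        "confirmed_in_window": len(confirmed_in_window(vulns, start, end)),
        "unpatched_at_end": len(unpatched_at(vulns, end)),
        "median_days_to_fix": median_days_to_fix(vulns, end),
    }


if __name__ == "__main__":
    for name, data in (("browser A", BROWSER_A), ("browser B", BROWSER_B)):
        print(name, summarize(data, WINDOW_START, WINDOW_END))
```

On this constructed data the raw count ranks browser A as the "less secure" one (four confirmed vulnerabilities to B's two), while the exposure metrics invert the picture: B leaves three flaws unpatched at the end of the window against A's one, and its median time-to-fix is 87 days against A's 5. Record B-3 shows Turner's point directly: it was disclosed inside the window but only confirmed afterwards, so it disappears from the vendor-confirmed count while still contributing to the unpatched total.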

Safety with speed

Few doubt that open source organizations respond more quickly to vulnerabilities. Dunham said that because Firefox is not bound to the operating system or other applications, developers have less code to cover when correcting a flaw, which gives open source an advantage.

"With Mozilla Firefox, the perception I have is they can find these holes a lot faster," he said. "They have a lot less code to wade through."

Symantec's Turner agreed that open source browsers get their fixes quicker.

"There is a tendency for open source browsers to patch quicker," he said, referring to a Firefox patch within 24 hours of a reported vulnerability last week. "That doesn't happen with Internet Explorer."

Mozilla's Beard doubted that more users will equate to more attacks on Firefox.

"At this point, there's no evidence that's true," he said. "At the same time, I believe we have a running start with Firefox to continue to push the security and stability of the browser, and we're looking to keep up with demand."
