Mozilla and Firefox Are Vulnerable, Not Just IE

by Preston Gralla

Internet Explorer has constantly come under fire for its numerous security vulnerabilities, so much so that the U.S. Computer Emergency Readiness Team (CERT) issued an advisory that recommends that people consider using a different browser. (For more details, see my weblog about it.)


That recommendation brought a gleam to the eyes of some Mozilla and Firefox users who have a holier-than-thou attitude when it comes to Internet Explorer. They gloated that once again, the world's most popular browser has been shown to have the world's biggest security holes.


But they should gloat no more. All browsers, Mozilla and Firefox among them, are bedeviled by security holes. Just recently, for example, it was discovered that a security bug makes Mozilla and Firefox vulnerable to phishing attacks. That's certainly not the first security bug, and it will be far from the last.


Now, it's true that Mozilla and Firefox are inherently more secure than IE, in large part because they're more isolated from the operating system. And the Mozilla Foundation has been more willing than Microsoft to confront the problem head-on, even announcing a $500 bounty for every critical security bug anyone can find. But the browsers are also more secure because they lack some of IE's functionality, such as the ability to run ActiveX controls. I'm a big fan of Firefox, but for me, that's still one of the browser's biggest drawbacks.


As Mozilla and Firefox slowly gain popularity because of Internet Explorer's security flaws, expect them to be increasingly targeted. Expect more attacks, more flaws uncovered, and less security. It's going to be the price of success.


What do you think about security bugs in IE, Mozilla, and Firefox? Let me know.


21 Comments

aristotle
2004-08-04 07:38:33
Yeah, so?
All programs have bugs. News at 11.


I don't think it has ever taken the Mozilla Foundation or Opera six months to even react to a hole.


On another note, I don't understand how anyone could want ActiveX support either — there is no security model besides whether the control is signed or not, i.e. whether its author promises(!) that it won't do any harm. Any ActiveX control runs with the user's full permissions. Even security aside, what about the potential for "benign" bugs that might take your system apart?

dscotson
2004-08-04 07:43:37
One man's meat...
"the browsers ... lack some of IE's functionality ... the ability to run ActiveX controls ... one of the browser's biggest drawbacks."


Some, myself included, would say that is one of the Mozilla browsers' many benefits.


And why do MSFT apologists take the fatalistic 'popularity == exploits' line as if there was no such thing as good or bad security design? It is a very poor yet irrefutable argument.


However, as John Gruber has pointed out in relation to Mac vs. Windows experiences of viruses etc. (http://daringfireball.net/2004/06/broken_windows) by taking this line you are claiming one of two things, either:


a) Mozilla will take a substantial share, say 40% of the browser market,


*or*


b) that Mozilla based browsers will always be more secure than Internet Explorer.


Either way we Mozilla users win.

TimmMurray
2004-08-04 09:55:34
Stupid Security Decisions

It isn't just popularity, or even functionality. It's doing astoundingly stupid things that makes Microsoft products generally problematic.


A few weeks ago, I installed the .NET package for WinXP. What I didn't know was that this gave a new configuration option to IE which, by default, sets IE to run all signed and unsigned .NET applications off the Internet. That this is the default setting proves to me that Microsoft's recent efforts about "getting serious about security" are hot air. I got a boat load of spyware on my system before I realized this setting existed.


Microsoft's problem is that they treat security as a marketing problem, not as an end in itself. If all competitors, big or small, for the OS and browser space disappeared, would Microsoft care about security anymore? Their track record does not indicate a positive response to that question. In essence, Microsoft needs competitors for them to care about security at all.


Free Software, OTOH, knows that security is important in its own right, and would care about it even if all other competition ceased.

flursn
2004-08-04 14:53:13
Stupid Security Decisions
So did I understand you correctly that you had spyware on your system since you installed the .NET runtime?


Because, funny thing is that all unsigned .NET applications you download run in a sandbox with the same credentials as the source, i.e. none.


But don't let this minor fact distract you from your agenda.

flursn
2004-08-04 14:59:27
One man's meat...
I wonder why you've chosen the term "we" in "we mozilla users", instead of simply stating "all mozilla users win".


No, that was a lie. I do not wonder why. You've chosen it exactly because it feels so much better (a) to be on the right side of [insert favorite cause here], (b) to know that your side is so much smaller than the other side, and both combined to (c) will make your victory all the more glorious. In your imagination.

dscotson
2004-08-04 15:41:22
One man's meat...
Of my entire post you could only respond to a two-letter pronoun?
flursn
2004-08-04 16:22:56
One man's meat...
Sorry, I could not detect any more substance than was present in your final sentence. But feel free to elaborate on your "other" points.
miggins
2004-08-04 16:52:40
Market share is not the reason
Microsoft had to rewrite IIS for version 6 because version 5 and below just let bad guys walk all over your server. This despite the fact that it has much lower market share than Apache httpd.


I believe Microsoft will have to rewrite IE in the same way, if they care enough to keep browser market share.

zero11
2004-08-04 17:38:37
Active Cracks
Yes, let's use the same scripting language we use to script our OS to allow untrusted users to script your browser, and let's provide it the same access privileges as the user running the browser. That's MS's original security model for ActiveX and IE. Every update since then has been a response to somebody using that functionality.


You simply can't plug holes in a model with that foundation. It's like painting over a cardboard house.

chase
2004-08-04 20:46:44
IE, the Netscape 4.x of the new millennium.
Security is just one of many reasons people switch from Moz*bird. And when they do, they like what they find. Yes, there will always be some who don't like browserx because browserx doesn't work exactly like IE, but even if it did they would have to find another *problem*.


Even if Moz*bird's security issues were on par with IE, it would still be a vastly superior browser.


The Mozilla folks' work stands on its own against IE. Security issues are just helping more people see the light.


My name is Dan. I've been IE free for 754 days.


jwenting
2004-08-04 22:12:09
One man's meat...
that's probably the only word he could understand.
jwenting
2004-08-04 22:18:19
Stupid Security Decisions
1) Free software knows NOTHING except "we're not Microsoft THUS we're better".
2) .NET applications by default can do nothing at all, just as can Java applets. Your spyware you installed yourself and just forgot you did (or maybe even installed it deliberately in order to shout foul about Microsoft).
3) It is popularity above all. There is no economic incentive to create worms and trojans for something that's used by a small number of people, most of whom don't have a penny to spend because they're all sitting in their ivory towers proclaiming how good and holy they are for using and creating "free" software while never earning a living.
Once a product like Firefox (or Linux) becomes mainstream the exploits will start in earnest and the availability of the source to the criminals will only make it easier for them (or else they just submit a few seemingly unrelated "fixes" to the sources that taken in isolation do nothing but together leave a gaping hole, which is an exploit that won't be caught by code review).
uche
2004-08-04 23:30:34
Yawn. More of the dubious commonplace.
Pretty much every syllable in this article was said weeks ago by pundits from (American) National Public Radio commentators through the blogger set.


Sure, the most popular software makes the juiciest target for hackers, but I've yet to hear from any of the commentators why this point is in any way relevant to the browser choice of a user who is under black hat bombardment today (and who has been for the past few years).


Most tellingly, I haven't heard anyone deny that Mozilla is more secure than IE fundamentally. This is a knockout blow in any reasonable argument, and not some odd point to be waved off with a smarmy "yeah, yeah, I know..."

guet2
2004-08-04 23:50:42
One man's meat...
err, Active-X as a security hole, not a 'feature'.
simon_hibbs
2004-08-05 03:15:56
So, to summarize
FREE SOFTWARE HAS BUGS


Footnote: But so does IE, and they're worse, and there are more exploits from them, and the culture of the developers means this is likely to remain true. But ActiveX is neat *Ahemm* but totally insecure *Ahemm...*.



Simon Hibbs

teejay
2004-08-05 05:04:21
I keep on hearing this and it hasn't got any truer
Yes, all software has bugs. But all bugs are not equal and neither is all software.


Note that of the recent security problems Mozilla and Firefox have had recently, most if not all have been down to holes in the underlying Windows operating system - hence the same bug appearing in Internet Explorer.


The myth that as software gets popular it suffers more security problems is unfounded. Apache, Exim, MySQL, Perl and Linux run a large proportion of the internet, with more users, more deployments and more important work done than their rivals - this would certainly make them popular, yet they don't seem to be full of security holes or require being re-engineered from scratch (as IIS 6 was).


The truth is that commercial monopolies represent a lack of competition which leads to a lack of innovation and lower standards. If you pretend that isn't true then it might appear that the bright light of popularity shows any software to be insecure or buggy.


Internet Explorer has two huge flaws:
* it is 'integrated' into the Windows operating system (but strangely worked just as well on Solaris and Mac OS without this 'integration'), making any security problem more dangerous.
* it was designed and built to encourage people to implement dodgy VB-style applications on top of it using ActiveX, COM and all kinds of other hacks. Any amount of security and rational architecture went out the window so that secretaries could build 'applications' on it after a week's course on 'programming'.


I have never seen an ActiveX application that couldn't be done better and/or quicker by using either DHTML, etc. or old-fashioned client/server. And the long-term costs and problems inherent in any badly knocked together Access/VB/ActiveX application are huge - I have supported, replaced and seen them in action, and never has it been worth the hassle.


Of course if you ever think ActiveX is a good idea, you should remember that it only came about because Microsoft didn't want to fall behind Java but could not accept or encourage Java because it was not a Microsoft-only language and would allow developers to build applications across browsers and platforms.

TimmMurray
2004-08-05 05:51:49
Stupid Security Decisions

.NET applications by default can do nothing at all, just as can Java applets. Your spyware you installed yourself and just forgot you did (or maybe even installed it deliberately in order to shout foul about Microsoft).


I don't have to do anything to my own system when Microsoft does the job just fine. Allow me to go through what I did:



  1. Install .NET update to run a game that needs it (Allegiance, a free multiplayer space combat sim made by Microsoft Research).

  2. A few weeks later, start up IE (I normally use Firefox). Browse a few sites, click a few links, and then get a sudden deluge of popups.

  3. Go through IE configuration. Notice .NET is enabled to run by default, and is thus the likely source of the problem (I already have ActiveX explicitly shut off).

  4. Reboot system. Undeniably find startup processes and tray items that were not there on the last reboot.

  5. Start clearing out system.


I don't have to invent anything, because the above is exactly what happened. I'm willing to consider that it's not .NET at fault, but I can be pretty sure that it's a bit of Microsoft code that allowed this to happen. This is simply because of the fact that I don't generally install third-party extensions to Windows or IE (because that's just asking for more problems).


it is popularity above all


Then why isn't Apache targeted more than IIS? It has more market share than IIS.

aristotle
2004-08-05 06:07:35
Stupid Security Decisions

or else they just submit a few seemingly unrelated "fixes" to the sources that taken in isolation do nothing but together leave a gaping hole, which is an exploit that won't be caught by code review

Funny how everyone is going on about this, yet it has not worked on the Linux kernel (which is arguably a more than juicy target today).

Is there any case that proves this scenario's viability, or does it all remain just speculation?

Also, do you think that once the exploits start in earnest, the Mozilla Foundation will become so apathetic as to not even acknowledge a hole's existence for six months straight, let alone produce a fix for it, as MSFT have repeatedly done?

dscotson
2004-08-05 06:36:10
One man's meat...
Now that I can believe.


My other point, which has been echoed by others, was that saying Mozilla-based browsers (or Mac OS X) will become insecure in the future when they are as popular as IE (or Windows) is of little consequence until the point when (if?) these alternatives become overwhelmingly popular.


It also admits that right now IE (or Windows) is the obviously less safe option since it is so popular (especially amongst malware writers).


joaquin
2004-11-15 12:50:15
Myth vs. Facts
I keep hearing this generalized myth that more popular software equals more security flaws. But the truth is more complex. Since NS4 and IE4 diverged on different paths, the key feature from MS was to allow it to write files to the hard drive, a practice abhorrent to many.


Now that Firefox has, let's count them, >>> one <<< security risk, MS lovers are having a field day. What makes matters worse is that I think that this problem is related to a bug in some Microsoft system DLL, that MS chose not to fix, but rather fix it in the browser IE, so that all other programs, like browsers, that use the system DLL would have this security vulnerability.

joaquin
2004-11-15 13:11:56
Stupid Security Decisions
No.


(1) Free software is made by individuals with selfish interests, one of which includes security. Security is in every user's interest. Many commercial companies only consider security if it jeopardizes their profits, such as MS after the recommendations to use Apache and not use IIS4 and IIS5 in lieu of the slew of worms/viruses that cost the industry untold billions.


(2) It's not popularity when the base feature like "ActiveScripting" allows for writing files to hard drives and accessing COM APIs freely to do malicious things. This engine is embedded into IIS, WSH, and IE HTML engine. IE HTML engine is bundled into MSN Messenger, WMP, Outlook, and IE. All of these products have gross obvious security holes and exploits, and to this date, this is a cardinal feature of IE and related products.


Other products that were once dominant never had the notoriety of infamous worms, viruses, hacks, exploits, etc. Apache for instance has had its share of security exploits. But they don't force flawed insecure features down people's throats and band-aid the broken flawed features.


Microsoft's priority is profit, many times at the expense of user base's interests. Open Source's priority is based on selfish interests, which includes security. The social structure and impetus behind open source and collaborative projects leads to better security generally than single vendor closed room secret development.