Langa Letter: The Pros And Cons Of Firefox - InformationWeek
Software // Enterprise Applications
09:35 PM
Fred Langa
Fred Langa

Langa Letter: The Pros And Cons Of Firefox

Firefox is a good browser but not the panacea its most ardent fans think it is. While Microsoft's IE gets most of the attention for its security vulnerabilities, the reality is that Firefox (like other open-source products) has security flaws of its own of that readers need to be aware of, Fred Langa notes.

Reality: Open-Source Security Flaws Abound
US-CERT (United States Computer Emergency Readiness Team), a partnership between the Department of Homeland Security and the public and private sectors, impartially tracks all manner of security issues in operating systems and major applications, such as browsers. US-CERT issues a bulletin every week, outlining the current crop of problem areas. You can access all past and current bulletins here; I urge you to take a moment, click on over to their site, open several bulletins at random, and scroll down the page. In most cases in the more recent issues, you'll see the list of IE's vulnerabilities is shorter than those for Firefox, Mozilla, and the other alternate browsers. Likewise, with the more recent bulletins, you'll also see the list of Windows' vulnerabilities is actually much shorter than that for the other operating systems, even though Windows is far more widely installed.

US-CERT's findings aren't unique. For example, the Symantec Internet Security Threat Report provides a six-month update of Internet threat activity. It gathers data from

"...over 20,000 sensors monitoring network activity in over 180 countries. Symantec also gathers malicious code data along with spyware and adware reports from over 120 million client, server, and gateway systems that have deployed Symantec's antivirus products. In addition, Symantec maintains one of the world's most comprehensive databases of security vulnerabilities, covering over 11,000 vulnerabilities affecting more than 20,000 technologies from over 2,000 vendors. Furthermore, Symantec operates BugTraq, one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet ... The Symantec Internet Security Threat Report is grounded principally on the expert analysis of this data. Based on Symantec's expertise and experience, this analysis yields a highly informed commentary on current Internet threat activity...."

The most recent Symantec Internet Security Threat Report, covering the last six months of 2004, states in part:

Historically, most of the exploits targeting Web browser vulnerabilities have been directed at Microsoft Internet Explorer, the most widely used Web browser. In response to this, many people in the Internet community have turned to browsers such as Mozilla, Mozilla Firefox, Opera, and Safari as more secure alternatives. However, as security-conscious users have migrated away from Internet Explorer, attackers have followed suit....

The discovery of vulnerabilities affecting browsers appears to be on the rise, with more Mozilla vulnerabilities documented in this period than those affecting Microsoft Internet Explorer. This runs contrary to a trend seen in previous periods where nearly all browser vulnerabilities affected Microsoft Internet Explorer exclusively.

Between July 1 and Dec. 31, 2004, Symantec documented 13 vulnerabilities affecting Microsoft Internet Explorer. This is notably lower than the 21 vulnerabilities affecting each of the Mozilla browsers that were documented during the same period. Six vulnerabilities were reported in Opera and none in Safari.

It should be no surprise that alternate browsers--or alternate operating systems, for that matter--contain flaws. All software is imperfect; anything built by human minds can be destroyed or compromised by other human minds. Alas, while that should not be a surprise, it is to many in the open-source community: Many users have developed an almost mystical belief in open-source software, as if it were a magical talisman against the problems that Microsoft has experienced. Or, conversely, that Microsoft software is somehow "evil" and prone to problems to which that open source software is immune.

Not so. All software is imperfect, and as more and more users come to employ any given piece of software, more flaws will come to light. At the same time, as more people come to use a given piece of software, that group will become an increasingly interesting target to miscreants, who will actively seek out the exploitable flaws.

Both these trends mean that we'll be hearing of more and more security problems in non-IE browsers and non-Microsoft operating systems in the future.

That doesn't mean there's no good reason to look at open-source products such as Firefox. In fact, there are several excellent reasons, including those we listed earlier: Firefox is free, open source, cross-platform, and multilingual; and it also brings some much-needed competition to the browser market. But it's not a panacea for browser security problems. In fact, changing to Firefox--or Mozilla, or any similar software--because "it's more secure" is a dangerous misconception; and demonstrably false.

3 of 4
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll