Installing the wrong extension could turn Firefox into a sitting duck. For security experts, version control -- and a watchful eye over what's on users' systems -- are just as important here as anyplace else.
As spyware, viruses and Trojan horses continue to find their way through Internet Explorer's overstressed defenses, many users inside and outside the corporate world have moved to Mozilla's Firefox Web browser. But Firefox fans got a dose of reality last month when some serious security flaws were found in the alternative browser, as well as in a popular add-in.
The add-in, called Greasemonkey, is designed to let users customize the way Web sites behave when viewed. It wasn't designed to let malicious Web developers see and read the contents of a user's disk--but that's exactly what the flaw permitted. To their credit, Greasemonkey developers published a partial fix for the flaw just a little more than a week after its disclosure, a more adroit response than the ones that typically come out of Redmond.
Of course, any software extension can be an avenue for security vulnerabilities, and Firefox extensions are no exception. Recently, a defect was uncovered in a rather innocuous Firefox function for setting an image as wallpaper on the user's system. With a properly crafted image file, a malicious Web developer could exploit the flaw to run any type of code, just by getting the user to set that image as wallpaper with the proper context menu. Mozilla has updated the software to fix this particular flaw.
Firefox's flaws by nature are serious, especially in a corporate environment, where the biggest threat to data security remains a lack of user caution. Both of the recently exposed vulnerabilities can allow an intrusion by exploiting the simple desire of most users to "make it mine," personalizing the way their systems look and act.
Internet Explorer, by virtue of its immense installed base, remains the preferred target of black hats. And Microsoft, thanks to its slow adoption of some security fixes, hasn't done the best job of addressing users' and administrators' fears. But network administrators operate at their own peril if they let users stampede to alternatives such as Firefox with the mistaken impression that those are magically "safe."
If you're deploying Firefox--or any user-extensible software, for that matter--in your network, you must maintain version control and a watchful eye over the application of updates and patches. If you're the security expert, you should know more about what's on your users' systems than the hackers.