New Firefox Version Heightens Debate Over Browser Security - InformationWeek


The Mozilla Foundation pushes out a new version of Firefox to patch three vulnerabilities, renewing debate over the alternative browser's security.

The Mozilla Foundation on Wednesday pushed out a new version of Firefox to patch three vulnerabilities, just days after a major security firm said the open-source browser had 60 percent more vulnerabilities in the last half of 2004 than Microsoft's Internet Explorer.

The group released Firefox 1.0.2 on its site to fix three flaws, including one inherited from Netscape in processing .gif image files. That bug was discovered by Internet Security Systems (ISS); if hackers were able to get users to visit sites or view e-mail messages with specially crafted .gif files, they could take control of those users' PCs.

A patch was produced before ISS alerted the public, said Chris Hofmann, chief of engineering at Mozilla, so no harm, no foul. "The bug patched in this update has no known real world exploits, and we were able to provide a quick response."

This is the second security-related update of Firefox in the last month. In late February, the non-profit foundation released v. 1.0.1, which patched 17 vulnerabilities.

The spate of vulnerabilities and the updates bring into question the assumption by many that Firefox is more secure than Microsoft's Internet Explorer, one of the reasons many experts and analysts have given for Firefox's rapid climb from 0 to about 6 percent of the usage share in the United States.

To add fuel to that argument, Symantec this week said in its Internet Security Threat Report that during the last six months of 2004, it counted 21 vulnerabilities for Firefox, but only 13 for IE.

Although IE's count was dramatically up over the first half's mere 3, it was down from the 17 found in the last six months of 2003.

"This is likely due to two factors: the effort that Microsoft has undertaken to secure Internet Explorer and patch latent vulnerabilities, and the shift of vulnerability researcher interest towards alternative browsers that are being marketed or promoted as secure," Symantec's researchers concluded.

The surge in Firefox vulnerabilities, said Symantec, was directly tied to "the increased popularity and deployment of the browser, which is itself a reaction to the widespread abuse of several high-profile vulnerabilities in Internet Explorer."

Mozilla's Hofmann countered. "Rather than get hung up on the specific numbers, it's better to look at the trends. The bottom line in just about all the independent studies I've seen is that the severity of exploits discovered in IE is greater, and Microsoft takes longer to fix the problems."

Symantec's numbers backed up Hofmann.

By Symantec's classification, IE still had a higher percentage of "high severity" vulnerabilities in the second half of the year than did Firefox. Nine out of the 13 IE vulnerabilities, or 69 percent, were tagged as "high," while 11 of the 21 Firefox vulnerabilities, or 52 percent, were so marked.

And, Symantec said, the Mozilla Foundation fixes flaws much faster than does Microsoft.

"They patch faster, simple as that," said Alfred Huger, vice president of engineering for Symantec's security response team. "The average time between when a vulnerability is publicly announced and when a patch comes out is 43 days for Internet Explorer, only 26 days for Firefox."

"It's amazing the kind of rapid turn-around we see on some bugs when they get reported," said Hofmann in explaining Firefox's advantage. "All the code is available and the [open-source] community can help us to find and fix security problems faster than closed-source commercial software efforts."

And IE still leads Firefox -- leads every Windows application, in fact -- in the total number of vulnerabilities to date. Symantec's count has IE as having "just north of 300 known vulnerabilities," said Huger. "That's the most vulnerabilities in any [Windows] application that we're aware of. The next in line is IIS [Internet Information Services] with 116."

Mozilla's code line, which goes back as far as Netscape, which preceded IE, has "under 100," said Huger.

Mozilla's Hofmann said that future updates to Firefox -- and its other products, which include the Mozilla suite and the Thunderbird e-mail client -- will be released "on an ongoing basis and as warranted."

"We must stay ahead of the curve in patching potential vulnerabilities," he said.
