Installing the wrong extension could turn Firefox into a sitting duck. For security experts, version control -- and a watchful eye over what's on users' systems -- are just as important here as anyplace else.
As spyware, viruses and Trojan horses continue to find their way through Internet Explorer's overstressed defenses, many users inside and outside the corporate world have moved to Mozilla's Firefox Web browser. But Firefox fans got a dose of reality last month when some serious security flaws were found in the alternative browser, as well as in a popular add-in.
The add-in, called Greasemonkey, is designed to let users customize the way Web sites behave when viewed. It wasn't designed to let malicious Web developers see and read the contents of a user's disk--but that's exactly what the flaw permitted. To their credit, Greasemonkey developers published a partial fix for the flaw just a little more than a week after its disclosure, a more adroit response than the ones that typically come out of Redmond.
Of course, any software extension can be an avenue for security vulnerabilities, and Firefox extensions are no exception. Recently, a defect was uncovered in a rather innocuous Firefox function for setting an image as wallpaper on the user's system. With a properly crafted image file, a malicious Web developer could exploit the flaw to run any type of code, just by getting the user to set that image as wallpaper with the proper context menu. Mozilla has updated the software to fix this particular flaw.
Firefox's flaws by nature are serious, especially in a corporate environment, where the biggest threat to data security remains a lack of user caution. Both of the recently exposed vulnerabilities can allow an intrusion by exploiting the simple desire of most users to "make it mine," personalizing the way their systems look and act.
Internet Explorer, by virtue of its immense installed base, remains the preferred target of black hats. And Microsoft, thanks to its slow adoption of some security fixes, hasn't done the best job of addressing users' and administrators' fears. But network administrators operate at their own peril if they let users stampede to alternatives such as Firefox with the mistaken impression that those are magically "safe."
If you're deploying Firefox--or any user-extensible software, for that matter--in your network, you must maintain version control and a watchful eye over the application of updates and patches. If you're the security expert, you should know more about what's on your users' systems than the hackers.