Security in Firefox

April 20, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

Perhaps even more than Linux, Firefox is rapidly becoming the poster child for open source. Many users who wouldn't even consider installing Linux on their desktop have happily installed Firefox, looking for features not found in Internet Explorer, and trusting in Firefox's reputation as a more secure alternative than IE.

This reputation has been a bit tattered in recent weeks, though perhaps unfairly. The Mozilla project has released three security updates since February, which has prompted some to call into question the respective security of Firefox in particular, and open source products in general.

Is this proof that Firefox or the Mozilla Suite suffer from as many serious security vulnerabilities as Internet Explorer? Maybe, but the evidence that's in so far suggests otherwise. We spoke to Chris Hofmann, Mozilla's director of engineering, about the recent security fixes and the Mozilla Foundation's security policies.

Hofmann said that Mozilla has built "a larger security community since the Firefox 1.0 release, with "some experts working with us to examine the code and identify potential problems." He also acknowledged that there will be vulnerabilities, but the project is committed to providing a secure browser and repairing problems as quickly as possible.

The latest update closed nine security vulnerabilities three tagged "critical," two rated "high" severity and four rated as "moderate" vulnerabilities. Some of the vulnerabilities have yet to be disclosed, despite the fact that the update is now available. Hofmann said that the project was respecting the wishes of the person reporting the bugs, and that the project tries to use "best judgement" about providing information about exploits. He also noted that it gives users ample time to install updates prior to releasing information that might be used to exploit vulnerabilities.

We also checked on the Mozilla Project's security policies to see what they had to say about disclosure:

The original reporter of a security bug may decide when that bug report will be made public; disclosure is done by clearing the bug's "Security-Sensitive" flag, after which the bug will revert to being an ordinary bug. We believe that investing this power in the bug reporter simply acknowledges reality: Nothing prevents the person reporting a security bug from publicizing information about the bug by posting it to channels outside the context of the Mozilla project. By not doing so, and by instead choosing to report bugs through the standard Bugzilla processes, the bug reporter is doing a positive service to the Mozilla project; thus it makes sense that the bug reporter should be able to decide when the relevant Bugzilla data should be made public.

Interested readers may also want to peruse the rest of the Mozilla project's security policies.

The 1.0.3 release went through several release candidates before it was finally officially released. We asked Hofmann about the length of time required to release a security fix, what was involved and why it took several weeks to push out a patch. Hofmann said that the Mozilla team was capable of putting out a release quickly, and noted the 24-hour turnaround with the shell exploit discovered last fall.

It mostly depends on the vulnerability that's discovered and time that we want to go through and evaluate that there's a comprehensive patch, and adequate testing for the change we're making... this time, changes did require more testing and feedback that the patch was comprehensive and at the right level.

Hofmann also pointed out that the Mozilla team has pushed out security updates in a matter of days or weeks, whereas Microsoft has been known to push out fixes for vulnerabilities that have been known for months rather than just a short time.

He also noted that the team needs to push out documentation updates, and get information out to application developers and authors of extensions. Hofmann said that a couple of the changes in the 1.0.3 release will require some extension authors to make "adjustments to be forward-compatible" and that most extensions that were affected already have new versions available for Firefox 1.0.3.

At any rate, as pointed out on MozillaNews, there have been more vulnerabilities documented by Symantec that affect Mozilla browsers, but that IE has a greater number of high-severity vulnerabilities. It should also be noted that the vulnerabilities listed for Firefox have not been widely exploited, while IE has been widely exploited. Several critical issues in IE remain open. To be fair, a few vulnerabilities are still listed for Firefox as well.

It's certainly true that Firefox and the Mozilla Suite are not perfect, and do not offer a 100 percent guarantee against security problems simply because the projects are open source. The increased attention being paid to Firefox almost assures that further vulnerabilities will be found. However, the project is developing a good track record of fixing security vulnerabilities as they are discovered, and proactively seeking out security problems. To date, Hofmann says that he is not aware of any exploits in the wild that affect Firefox or Mozilla, which means that the vulnerabilities that have been reported have not had any real impact on the Mozilla userbase aside from the inconvenience of upgrading -- which can hardly be said for Internet Explorer.

Those with a careful eye for distinguishing between the severity of vulnerabilities, the length of time required to find fixes and actual exploits, will find that Firefox is still the better choice for security-conscious users.

Index entries for this article
GuestArticles	Brockmeier, Joe

to post comments

Updating IE is a non-trivial process

Posted Apr 21, 2005 9:42 UTC (Thu) by simon_kitching (guest, #4874) [Link] (1 responses)

And the most important item of all: updating firefox simply updates firefox. Updating IE is an update of a core piece of the windows kernel that can have interesting and unexpected side-effects.

I worked on a large dynamic-html-based app for a while, and we were pushing the boundaries of IE. As soon as a new version of IE was released, we usually wanted it. But the operations dept were *with valid reasons* refusing to install such upgrades without a full test cycle of the whole desktop + critical apps. Result: we were often stuck well behind where we wanted to be.

Having a browser separate from the OS makes installing system upgrades in business environments *much* easier.

Updating IE is a non-trivial process

Posted Apr 21, 2005 21:35 UTC (Thu) by mchristensen (guest, #4955) [Link]

I'm not a fan of IE, but this is just technically inaccurate.

Upgrading IE does not upgrade the windows kernel. It does however, upgrade a core piece of the Windows Operating System, because it forms a significant chunk of the standard Windows API. But that does not mean that it is in the kernel.

Microsoft uses this distinction to their advantage all the time. It's an important part of the Operating System when they are asked to remove it, but then when somebody complains about security Microsoft will tell you it's not part of the kernel.

Since it forms a core piece of the Windows API, many desktop apps (and the file browser) depend on it, and it needs to be tested as you describe. However, the kernel itself does not change when you upgrade IE.

The bigest problem is that it runs under a system account with all kinds of unnecessary privileges.

--Mark Ramm-Christensen

Security in Firefox

Posted Apr 21, 2005 12:46 UTC (Thu) by eyal (subscriber, #949) [Link] (1 responses)

I'm sure I'm not alone among LWN readers as the "IT officer" of family and friends. Whenever I get a new "client" I clean up their PC, install Firefox and instruct them not to touch IE unless they really must (some online banks etc.)

After that their PCs stay clean for months, whereas with IE it's a matter of days before they're full of malware.

So with all due respect to the various lists of vulnerabilities, what matters is how each browser performs in actual use. There isn't a doubt that Firefox is safer to use.

And as the previous poster pointed out, updating Firefox is quick and easy, whereas IE update replaces half of the OS.

updates

Posted Apr 28, 2005 7:59 UTC (Thu) by dufkaf (guest, #10358) [Link]

'updating Firefox is quick and easy'

Not as easy as it can be. Windows has Windows Update service. Firefox update service in in fact only download of full setup. Update and full setup should not be same things. I am missing something like hotfixes for windows.
For dialup users it is bad to download ~5MB with each bugfix. It is also a bit boring to click through the setup wizard again and again. Hotfix replacing (or just patching) few specific files would be nice. Is anything like this in a pipeline?

Security in Firefox

Posted Apr 28, 2005 20:33 UTC (Thu) by huaz (guest, #10168) [Link]

: Maybe, but the evidence that's in so far suggests otherwise.

What evidence?

From the article I think it's fair to say that firefox has got its fair share of bugs and security issues. IE has more reported bugs because it has more market share.

Let's be honest and do our things better.