David Baxter PhD
Late Founder
The Great Browser Security Debate
MX Logic IT Security Blog
13 March 2009
Similar to the debates that have been raging for a few years now between the "security" of Apple's OS X (and previous versions) as compared to Microsoft Windows are debates between how using Firefox is a more secure browser than Internet Explorer.
Is it, really? Or is it just a matter of perception?
At the end of the day, the level of security of any application installed on our computer is a combination of the vendor's ability to release timely updates to address new security issues, and the user's ability/willingness to install those updates. The discussion about application security is completely irrelevant if users do not install the updates that the vendor provides.
Take this recent analysis of the Conficker worm/botnet as an example. According to the report, more than 90% of the users who got infected with Conficker got infected while using Internet Explorer 6, the default browser that comes with Windows XP. Windows XP is also the OS that has the highest concentration of infected Conficker users, but that is to be expected as it is currently the most deployed Windows OS version. What this tells me is that many users who are running Internet Explorer 6 are not keeping it up to date with updates and patches. This is also somewhat to be expected because the largest concentration of infections is in countries like China, Brazil, Russia, and India, which also have some of the highest numbers of pirated copies of Windows in the world. You could argue that this might not be the best example of browser security because Conficker is an exploit for an OS level vulnerability, but the reasoning is still sound in that if you aren't applying OS patches you likely aren't patching your browser either. If you aren't familiar with the "insecurity iceberg" report, I would recommend it. It is a good read as it outlines browser and plugin usage across many different data cross-sections to illustrate that browser security is about more than just the browser. It also covers the many plugins that are available, such as Adobe Flash, Java, Apple Quicktime, and Adobe PDF Reader.
So, to go back to my original question, is Firefox really more secure than Internet Explorer? In addition to my previous argument about patching, I believe this also comes down to an issue of perception. For example, Firefox releases security updates more frequently than Internet Explorer. Does that make it more secure or less secure? Additionally, Firefox has a "nagware" type of feature where it regularly throws popups at you when a new version is available, encouraging you to upgrade to the latest and greatest version of the browser. This gives the impression to the user that they are being kept safer. Second, Firefox has an active community of developers creating plugins for Firefox that add security features on top of what the browser already provides. Neither Firefox nor IE has any native protection against what is known as Clickjacking. With NoScript, a plugin available for Mozilla based browsers like Firefox (et al), Clickjacking protection can be added. IE currently has no protection available, although it is being planned for IE 8. Another security threat that I have written about previously is the danger that can be introduced by URL abbreviation services like TinyURL and SnipURL. Firefox has a plugin that will allow users to preview where these abbreviated URLs will really take them before they click the link. URL abbreviation services are being used more and more by phishers and malware creators to trick users into clicking on legitimate looking links that redirect them to malicious web sites. So, there are security related addons that users can plug into their browsers if they know which ones are good and actively maintained and where to look for them, but this functionality isn't native to the browser and leaves the user with yet more software that has to be kept updated.
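The short-URL preview the post describes can be done by hand: ask the shortener for the link's headers and stop at each redirect instead of following it, so the real destination is known before anything is visited. The following is an added example written for this page, not code from the post or from any Firefox plugin; `http_head`, `resolve_chain` and the `FAKE_RESPONSES` table (constructed sample redirects for offline use) are all assumptions of this example.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECTS = (301, 302, 303, 307, 308)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx response back instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_head(url):
    """One HEAD request over the network; returns (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # with redirects disabled, 3xx lands here
        return e.code, e.headers.get("Location")

def resolve_chain(url, fetch=http_head, max_hops=5):
    """Walk the redirect chain one hop at a time; returns (hops, last_url, reason).
    reason: 'status NNN' when the chain ends, 'loop' on a cycle, 'too-many-hops'."""
    hops, seen, current = [], set(), url
    for _ in range(max_hops):
        if current in seen:
            return hops, current, "loop"
        seen.add(current)
        status, location = fetch(current)
        if status not in REDIRECTS or not location:
            return hops, current, f"status {status}"
        nxt = urljoin(current, location)  # Location may be relative to the hop
        hops.append((current, status, nxt))
        current = nxt
    return hops, current, "too-many-hops"

# Constructed offline responses standing in for a shortener and a tracker site.
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "http://tracker.example/r?x=1"),
    "http://tracker.example/r?x=1": (302, "/landing"),
    "http://tracker.example/landing": (200, None),
    "http://short.example/loop": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop"),
}

def fake_fetch(url):
    """Offline stand-in for http_head, used for the demo and tests."""
    return FAKE_RESPONSES.get(url, (404, None))
```

Calling `resolve_chain(short_url)` with the default `http_head` performs the real preview; the hop list shows every intermediate host (trackers included), which is exactly what a shortened link hides.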
You could make analogies to the OS X and Windows debate here too. Apple users claim they don't have the malware problem that Windows users have. In sheer volume of released exploits, this is certainly true; however, you are also dealing with a much smaller market share. Is the reason that Firefox exploits haven't been more widely targeted that they just don't have the market share to support the effort on the part of cyber criminals?
My point is that there are compelling arguments on both sides of the browser security debate, but at the end of the day the onus is still on the user to make sure their software (this includes both browser and plugins!) is patched regularly, and that they are employing additional security measures like anti-virus and outbound traffic blocking firewalls to reduce their risk. More online threats are moving to the browser every day, so having multiple layers of defenses in place at different points of the network remains your best method to minimize risk.