FireFox Security Getting Worse, Microsoft Improving

Actually, FireFox security probably isn’t getting worse, but what may be happening is that people are now beginning to wake up to, and find, the security vulnerabilities in the software. When FireFox first became available, everyone seemed to believe the hype that it was the most secure browser available. As a result, many people started using it, thinking all of a sudden they were much safer while surfing the web. A false sense of security.

However, slowly but surely, people began to notice the weaknesses of FireFox, and it became clear that even FireFox suffered from many security vulnerabilities. And it only seems to get worse, even to the point that it now often seems FireFox even has more vulnerabilities than Internet Explorer.

As I said in December 2005:

The point I’m trying to make is that people still don’t get that security issues on the Internet and with software in general, are a common problem that everyone and every product is dealing with, or is going to have to deal with. It’s not just Internet Explorer, people. As soon as FireFox gets popular, you’re going to see more exploits being published for it. Heck, the vulnerabilities ARE present, people just don’t feel like using them. Yet.

I had discussed FireFox as far back as April 2005, in my article titled “Why Microsoft is winning.” And there I basically warned about the same problems with FireFox.

Symantec has recently been warning about vulnerabilities in Mozilla browsers (including FireFox), and even says they contain more vulnerabilities than Internet Explorer:

Symantec’s Internet Security Threat Report Volume VIII contains data for the first six months of this year that may contradict this perception.

According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, “the most of any browser studied,” the report’s authors stated. Eighteen of these flaws were classified as high severity.

“During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity,” the report noted.

The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as “high”, which Symantec defined as “resulting in a compromise of the entire system if exploited.”

The same article also mentions:

There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

Those are of course only the known issues. This says nothing about the total number of vulnerabilities that actually exist in the software, most of which have probably not yet been noticed by the right people (you can be sure attackers know of them).

As has recently been shown, two hackers claim to know of at least 30 unpatched FireFox flaws:

SAN DIEGO–The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer’s Mac OS X and Linux, they said.

“Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure,” said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The hackers claim they know of about 30 unpatched Firefox flaws. They don’t plan to disclose them, instead holding on to the bugs.

And it would be naive for anyone to think there couldn’t be more. In fact, I’d bet there are MANY more.

It seems people are beginning to understand now that software security is a general problem. It makes no sense to bash specific companies for the lack of security in their software while you hype up other software with baseless arguments. Gone are the days when Microsoft was the only one taking the heat for its “bad quality software.” In fact, Microsoft has really improved its software products with regard to security and reliability, and has the infrastructure in place to respond to security issues unlike any other company, just like I said would happen. They’ve done such a good job that Symantec is now complaining to the EU, essentially demanding that Microsoft make Windows Vista less secure, because they fear selling less of their security software:

Symantec has also complained about a new security feature called Kernel PatchGuard that prevents software–malicious or otherwise–from altering the Windows kernel at runtime. In the past, security companies have been forced to patch the Windows kernel because so much malicious software does so as well. That process will not be possible in Windows Vista, which should make the system more secure. Symantec wants it removed.

Seriously, can you imagine this? This is a clear example of the crazy world we live in. First people complain about the bad security in Microsoft’s software for years, and when they finally do something about it, they start complaining that it is too secure. When I see this kind of stuff, it just feels like I hit my head a few times with enormous force against a brick wall.

Of course, Symantec is also afraid of Microsoft’s Windows Live OneCare antivirus software, which has been doing VERY well ever since it was released and has managed to gain quite a lot of market share for a new product:

The antivirus and PC care package nabbed 15.4 percent of security suite sales at retailers such as Best Buy and Amazon.com, according to NPD’s data. The average price was $29.67, well below Microsoft’s list price of $49.95. Online at Amazon.com, OneCare is available for only $19.99.

“Microsoft’s penetration pricing strategy is clearly working and they are capturing significant unit share,” NPD analyst Chris Swenson told CNET News.com. “I think many in the industry were surprised with how well Windows Live OneCare did in its first month on the market.”

OneCare hit U.S. store shelves in late May, three years after Microsoft announced its intent to move into the antivirus realm. The product combines antivirus, anti-spyware and firewall software with backup features and several tune-up tools for Windows PCs. Symantec and McAfee have both announced new products to rival OneCare.

Microsoft took market share from all incumbents in June, according to NPD’s data. It particularly gained on market leader Symantec, which saw its unit share drop 10.1 percentage points from May. At the same time, McAfee lost 3.3 points and Trend Micro dropped 1.3 points.

And it’s no surprise, because it is really lightweight and easy to use and requires little interaction while also being relatively cheap. Compare that to Symantec’s Norton Antivirus software, which is just slow and bloated. And I know, because I used it for many years. So I saw this coming way in advance:

It’s going to be interesting to see what Microsoft comes up with regarding their antivirus solution. They have already proven to be quite capable of delivering an antispyware solution. Microsoft’s antispyware solution currently is the best solution available for Windows.

I think they’ll do a good job with antivirus as well. Their biggest competitors right now are Symantec and McAfee. I’ve been using Symantec’s Norton Antivirus and Firewall for years now. But I’ve been using it because there is nothing better available for a standalone Windows client. As many of you already know, Norton Antivirus is slow and bloated. Even on the fast computers that I work on it takes a long while just to load the main Norton Internet Security window and to navigate certain dialogs. Not to mention the issues you sometimes have to deal with, if you’re not so lucky, of antivirus not wanting to start and receiving all kinds of weird errors, after which you have to check Symantec’s knowledge base and follow procedures for how to fix it. But I still use it because, like I said, it’s the best option right now for a standalone PC. It works and it updates itself without me having to worry about it.

McAfee’s solutions for standalone PCs are lightweight and faster, but you have to jump through all kinds of hoops just to get your software updated. It’s just too much work and very inconvenient. For the enterprise, McAfee’s solutions are currently the best available though. Nothing comes even close to ePolicy Orchestrator.

So when we look at the standalone PC, there’s certainly room for improvement and I think Microsoft is going to use the weaknesses I described in Symantec’s and McAfee’s products to their advantage. If they can deliver a nice, simple, fast and user-friendly interface and an update feature similar to Windows Update in XP SP2, and of course quality protection, they’ll give their competitors a lot of problems in the near future. It seems even their pricing is going to be much lower than the current prices for antivirus solutions.

I have to admit, it feels good to see old analysis come true. It kind of confirms you weren’t just smoking (too much) crack back then. 🙂

Anyway, knowing what we know today, that security issues are going to be with us for a long time to come and that they will affect all software, we have to become smart about it and not be naive. Like I wrote before, instead of having a false sense of security, we have to realize the software we’re using is most likely vulnerable, and as a result we have to be constantly suspicious about things going on on our PC, about websites we visit, emails we receive, etc. There should be a large effort to educate users about these things, make them smarter and have them realize the risks. No matter how secure the software is, the uninformed user is always the weakest link. Security software has to become more intelligent, more sophisticated and more user-friendly at the same time, being able to detect potentially malicious activity very early on, and informing the user in simple and clear ways of what’s going on and what they can do about it. There is still LOTS of work to do in those areas, and the companies that can get those things right in the future will be the ones with very successful security software.

So instead of whining to the EU, Symantec should be doing something more productive and work on their products.

Update October 4, 2006: It looks like the claim made by the hackers about the 30 vulnerabilities in FireFox was made up. This does not mean, however, that there aren’t vulnerabilities at this moment in FireFox. There are. And you’ll see them fixed in the future. Everything I said above about FireFox still stands.

Microsoft also responded to complaints from Symantec and McAfee:

Ben Fathi, a Vole VP, told Eweek that Symantec and McAfee need to improve their products. Symantec and McAfee were asking Microsoft to keep patients sick so they can keep doling out life-saving drugs.

I have to agree. Also:

Microsoft has listened to Symantec and McAfee for nearly two years, and features like Windows Security Center and PatchGuard are not new to Vista. Fathi questioned McAfee’s and Symantec’s motives for hitting out against Microsoft.

McAfee and Symantec have only one motive. It’s called Windows Live OneCare.
