In-Depth

Caveat Browser: Mozilla Targeted

Will security flaws dent Mozilla's status as a trusted alternative to Internet Explorer?

• By Mathew Schwartz
• 06/08/2005

Caveat browser.

When Symantec profiled the top security vulnerabilities and known attacks for a May 2005 study, the list included some of the usual suspects: Microsoft, Computer Associates, and flavors of Linux. The list also included Mozilla. In fact, one of last month's three top vulnerabilities rated “severe” by Symantec includes the “install method arbitrary code execution vulnerability 2,” which affects Mozilla’s Firefox. (Notably, the vulnerability was patched with the release of Firefox 1.0.4, at the same time the security flaw was announced, and a week before public details of the flaw were released.)

Firefox is the free and increasingly popular Web browser available for Windows, Macintosh, and Linux operating systems. Given the spate of Internet Explorer (IE) vulnerabilities over the past few years, many security experts now advise companies to pick another browser, and if Firefox wasn’t explicitly named in their reports, it was often at least one of the implied alternatives.

May’s Firefox vulnerability, however, wasn’t the browser’s first serious security flaw. Even so, Firefox still enjoys a sterling reputation compared with Microsoft’s aging, vulnerability-dogged Internet Explorer.

Then again, Firefox is young, and experts say there will no doubt be more serious security flaws in the future. Even so, experts still recommend it as a strong alternative to IE, and users don’t seem scared away—downloads of Firefox recently topped the 50-million mark.

Flaws or no flaws, attackers will keep hammering on Web browsers and applications. That’s because Web applications frequently lack effective security. Browsers’ vulnerabilities also turn them into easy-to-exploit, public-facing weak links.

Unfortunately, as Symantec notes in its study, “Vulnerabilities that affect Web browsers have become much more common.” Many new vulnerabilities are easily exploitable, and “allow attackers to bypass traditional security measures such as firewalls, as Web traffic is not typically filtered by firewalls,” notes Symantec. Thus “an attacker can circumvent the corporate perimeter security, giving them a platform within the corporate network from which to carry out further attacks.”

With new vulnerabilities in mind, what can organizations do (beyond patching) to guard against them in the interim between disclosure and a patch being released and implemented enterprise-wide? At the moment, virtual patching is one option, but such technology is mostly relegated to large enterprises.

In the future, Symantec says, new technologies may be able to mitigate browser vulnerabilities until patches appear. “It may be possible to prevent attacks that exploit this vulnerability by implementing intrusion detection systems to monitor HTTP for signs of attack, and filter them out before they can become successful,” it notes, perhaps even on the PC-desktop level.

Broswer Wars

Taking a step back, however, it’s also important to note that a discussion of security analyzing Mozilla, Opera, or any of the other so-called alternative Web browsers still isn’t applicable to a majority of enterprise users. True, many users know alternatives exist. For example, according to a survey conducted by Opera Software of 2,800 online users in the United States, 51 percent think their choice of browser can help encourage or prevent the incidence of malware and spyware on their PC.

Yet the survey found only 11 percent of users have switched to a different browser because of those security concerns. In particular, most market research firms estimate IE controls about 90 percent of the browser market, meaning most companies have not switched.

For the companies sticking with IE, there’s good security news: a new version of IE, version 7, is due this summer, at least in beta. IE 7 was supposed to ship with Longhorn, but after that next-generation operating system’s release date slipped again, and with bad press after months of serious IE vulnerabilities, Microsoft moved up the release date—though the exact date has not been announced.

Microsoft has been relatively mum on IE 7's new features. What’s known so far is that the browser will operate in a reduced privilege mode by default, to mitigate privilege-escalation attacks. It will also prohibit cross-domain scripting. Experts also guess that, with Microsoft having acquired antivirus and anti-spyware companies, such functionality may begin to appear in the browser.

For enterprise users who haven’t switched to alternative browsers, the new security functionality can’t come too soon.

Related Articles:

Defection to More-Secure Browsers? Don’t Bet On It
http://www.esj.com/Security/article.aspx?EditorialsID=1255

Multiple Mozilla, Netscape Vulnerabilities
http://esj.com/enterprise/article.aspx?EditorialsID=1374

New Firefox Flaws Surface
http://www.esj.com/Security/article.aspx?EditorialsID=1332