The Center for Education and Research in Information Assurance and Security (CERIAS)


Firefox Vulnerabilities: Souvenirs of Windows 95

I've been waiting for an announcement of vulnerabilities in Firefox due to popular extensions. I've compared Firefox to Windows 95 before. Yet students often opine that Firefox is more secure than Internet Explorer. It is worth repeating this explanation from the announcement:

"Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension."

Asking which of Firefox and Internet Explorer is more secure is like asking which of two random peasants is wealthier. They both might be doing their best, and there may be significant differences, but I wouldn't expect either to be a financier. While I'm running with this analogy, let me compare the widespread and often mandatory use of client scripts in websites (e.g., JavaScript) to CDOs: both are designed by others with little interest in your security, they leverage your resources for their benefit, and they are opaque, complex, nearly impossible to audit, and therefore untrustworthy. Both have also caused a lot of damage, as having scripting enabled is a prerequisite for many attacks on browsers. How much smaller would botnets be without scripting? Like CDOs, scripting is a financial affair; it is needed to support advertising and to measure the number of visitors and click-throughs. Scripting will stay with us because there's money involved, and if advertisers had their way, there would be no option to disable plugins and JavaScript, nor would there be extensions like NoScript. To be fair, there are beneficial uses for JavaScript, but it's a tangled mess with a disputable net value. Here's my take on media and advertising:

Every medium supported exclusively by advertising tends to have a net value of zero for viewers and users (viewsers?). This is where radio and TV are right now. If the value were significantly higher than zero, advertisers could wring more profit from it, for example by increasing the duration or number of annoying things, polluting your mind, or gathering and exploiting more information. If it were significantly less than zero, they would lose viewership and therefore revenue.

So, with time, and if advertising is allowed to power all websites through the requirement for scripting and JavaScript, surfing the web will become as pleasant, useful and watchable as TV (with the difference that your TV can't be used --yet-- to attack people and other nations). I don't mind being locked out of websites that critically depend on advertising revenue -- just like I don't watch TV anymore because it has become a negative value proposition to me. However, I do mind being needlessly exposed to risks due to other people's decisions when I use other websites. I'm looking forward to the "component directory lockdown" in Firefox 3.6 as a step in the right direction; that's the bright light at the end of the tunnel: some things are improving.

Comments

Posted by Joe Chrysler
on Monday, November 23, 2009 at 10:06 AM

A great article! I'm a big fan of FF - because of the many apps you have through Greasemonkey - but I certainly keep the security issue in mind.
In the end only a few people (in relation to all internet users) are using these apps, so it shouldn't be worth the hack. But I'm afraid that's almost all the security you can get right now.

Posted by Scott La Plant
on Monday, November 23, 2009 at 01:32 PM

It’s amazing that a popular Web Browser has such vulnerabilities and yet they do nothing to ensure that these plugins are safe and pose no risk to the end-users. This is the first time that I’ve been made aware of such vulnerabilities and I appreciate the article, I’ll have to be wary about which plugins I add.

Posted by NETA
on Monday, November 23, 2009 at 02:27 PM

There really are quite a few problems, especially with the plugins.  I would say about a third of them no longer work.

Posted by Jane
on Monday, December 7, 2009 at 02:27 PM

Technically speaking you might be right in saying that neither Internet Explorer nor Firefox is secure. However, what I know is that 99% of the time my computer gets infected by worms and trojans while using IE and not while using FF.

Posted by Melvin
on Sunday, January 10, 2010 at 01:31 AM

I always thought Firefox was more secure. I'm really surprised.


Posted by Travis
on Wednesday, February 3, 2010 at 09:14 PM

Thanks for the heads up. I just switched to FF because everyone and their mother kept telling me it was soooo much better. I guess they failed to do their research on security vulnerabilities. Gosh I swear I can’t win for losing. It is much faster though.

Posted by John Robin
on Friday, February 5, 2010 at 06:30 AM

I have seen that security issues have not become a main point for the web browser developers. In my opinion they still think about their idealism. There should be a deeper concern from them on agreement for rules and a mainframe to develop secure web browsers with their own features, and the plug-in developers can follow the rules to add more features based on the security rules.

Posted by Reco
on Monday, February 8, 2010 at 12:00 AM

Using Firefox beats the heck out of Internet Explorer. You really have to vet the extensions and only take the ones you require. Extensions are the best part of using Firefox. I love being able to personalize the browser and make it a more useful application.

Posted by Craig Watts
on Friday, February 19, 2010 at 07:04 PM

Hello Pascal,
Thank you for your post. I have been using Firefox for several months now and have heard many comments that it is not as safe as Internet Explorer. I have just updated Firefox to Firefox 3.6, which you mentioned in your post. After what I have read about the new 3.6 I am hoping that it is now up to scratch.
Where are we going with advertising these days and the tactics of the powers that be who think they know what's best for us?

Posted by Anton
on Sunday, February 28, 2010 at 12:10 PM

The latest version should correct all these but it seems to be unstable for me.

Posted by ilan
on Wednesday, March 3, 2010 at 09:03 AM

I have seen that security issues have not become a main point for the web browser developers. In my opinion they still think about their idealism. There should be a deeper concern from them on agreement for rules and a mainframe to develop secure web browsers with their own features, and the plug-in developers can follow the rules to add more features based on the security rules.

Posted by Geoff Ritson
on Saturday, March 6, 2010 at 12:26 PM

I’ve experienced many problems with FF plugins... Almost to the point where I have resigned myself back to IE until these security problems are either resolved or addressed.
