Talking to co-workers about browser security

Just now, one of my co-workers asked me (over the cubicle wall) “Did you hear about the security flaws in Firefox?” I told her that I had. Then I composed the following email to her:

You can read more about the flaw here:
http://blog.washingtonpost.com/securityfix/2007/07/…

Flaws are constantly discovered (usually a few every month) in every web browser (Internet Explorer, Firefox, Opera), and they’re usually patched pretty quickly. Mozilla tends to patch flaws within a week of their having been discovered. Microsoft sometimes takes months to patch their Internet Explorer flaws.

No matter what browser you use, it’s always a good idea to avoid any sites you don’t trust and to keep your browser version up to date.

You can see from the release notes of the previous versions of Firefox that almost all the new releases are due to the patching of security flaws in previous versions:
http://www.mozilla.org/projects/security/…

Hope that helps!

I don’t ever want to make it sound as if one company (Mozilla or Microsoft) is the “good guy” or the “bad guy” or that one browser is a good browser and the other bad. Firefox vulnerabilities, for some reason, tend to make headlines more than Internet Explorer ones, even during the times that Internet Explorer has more vulnerabilities, more severe vulnerabilities, or a longer time between patches. I don’t want people getting the impression that Firefox is inherently more insecure than Internet Explorer (when some might argue the opposite to be true… and actually have a good case).

Bottom line: most end-users are not going to install NoScript and whitelist sites one by one. Even I’ve grown tired of doing that. It’s always a fine line between convenience and security, so I think the advice I gave was the most sound I could give in trying to find that balance—Ultimately, it doesn’t matter what browser you use. Just don’t visit fishy (or phishy) sites, and always keep your software up to date.

Anything anyone want to add?

0 comments

  1. Don’t use IE! There are many, many more security “flaws” and vulnerabilities in IE than Firefox, and it is a security risk to use IE (regardless of platform). Unless a site absolutely, positively require it (like your mother’s MLS issue), never ever use IE. Ever.

  2. Firefox is the more secure browser of the two, by far. However, its security might have been oversold: Firefox (like Linux) acquired a reputation for being invulnerable, and no software is invulnerable. That’s probably part of the reason why Firefox bugs make the headlines more often.

    Again, part of the reason.

  3. Certainly I’d recommend Firefox if someone asked for a browser recommendation, but I think if you run IE7 with a fully patched Windows and a fully patched IE, it shouldn’t be too terrible.

  4. It’s not just the browser. It’s the spirit. I find it rude and technically sloppy for a site to require a browser. Thus, I’ll penalize them by depriving them of my traffic. They’ll probably get an email from me, too.

  5. Patched or no, there is no accounting for stupidity. Firefox is inherently more secure, inherently more well-made than IE. Given a dumb user, FF makes for a better choice.

  6. Patched or no, switch to linux, such as Ubuntu, because the Linux kernel restricts remote code execution. Windows doesn’t care as long as it ends with a .cab or .exe.

  7. Just as an update, it’s a week later, and Firefox has finally been patched for this flaw:

    Fixed in Firefox 2.0.0.5
    MFSA 2007-25 XPCNativeWrapper pollution
    MFSA 2007-24 Unauthorized access to wyciwyg:// documents
    MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer
    MFSA 2007-22 File type confusion due to %00 in name
    MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
    MFSA 2007-20 Frame spoofing while window is loading
    MFSA 2007-19 XSS using addEventListener and setTimeout
    MFSA 2007-18 Crashes with evidence of memory corruption

    Not sure how long the Internet Explorer patch will take, though.

  8. I use Opera myself, but I’m not worried about security overmuch, to be honest. I don’t htink I’ve ever seen a security/bugfix for Opera. It hasa more regular release cycle than IE, but not as updated as FF I think.

    Personally I feel I.E. is less safe. Even patched, in Windows XP and before, it is too integrated into the system; an I.E. exploied == OS Exploit.

Leave a Reply to Alejandro Cancel reply

Your email address will not be published. Required fields are marked *