, SecurityFocus 2005-09-21
The Mozilla Foundation's Firefox browser successfully took market share away from software giant Microsoft's Internet Explorer over the past 18 months, but has found that popularity comes with growing pains.
Critics of the open-source Firefox browser took its security track record to task this week after a biannual Internet security report noted that the application had almost twice as many vulnerabilities as Internet Explorer in the first half of 2005, with a higher fraction of those flaws being severe.
"Mozilla's popularity has gone from almost zero to double digits, so they have had to deal with a lot of sudden attention," said Mikko Hypponen, chief research officer for antivirus firm F-Secure. "Since Mozilla has become popular, people have been looking for more vulnerabilities."
And researchers appear to be finding flaws with greater frequency. In the first six months of 2005, the Mozilla family of browsers had 25 vulnerabilities, with 72 percent rated as high severity, according to the Internet Security Threat Report released by Symantec this week. During the same period, Microsoft's Internet Explorer had 13 confirmed vulnerabilities, with 62 percent rated as high severity, the report said. Symantec is the parent company of SecurityFocus.
That poses a problem for the open-source browser's security image. Much of the popularity of the Mozilla Foundation's Firefox has been built on the browser being a secure alternative to Microsoft's Internet Explorer. In June 2004, a pop-up toolbar's ability to infect computers when their users browsed a malicious Web site with Internet Explorer gave Firefox additional momentum to start claiming market share from Microsoft's well-known browser. Mozilla's browsers accounted for almost 7 percent of popular Web traffic as of May 2005, the most recent data available, according to analytics firm WebSideStory.
While the developer of Firefox, now known as the Mozilla Corporation, has also attributed the browser's success to its ease of use, security has always been a way for the application to stand apart from the perceived problems of Microsoft's browser. For example, the Mozilla Foundation still carries a quote on its Web site from a USA Today article lauding the security of Firefox. The Mozilla Corporation is the commercial subsidiary of the non-profit Mozilla Foundation responsible for developing and marketing Mozilla products.
Now, the picture has been turned upside down: After some high profile vulnerabilities were found in the browser earlier this year, some security experts questioned whether the Mozilla Corporation could claim that Firefox is more secure than Internet Explorer. With the latest data showing that Microsoft has cut the number of publicly disclosed flaws while the number of vulnerabilities in Firefox climbs, open-source developers may have to find new metrics to compare the browsers.
"The high level, from our perspective, is that it's hard to make any sort of apples-to-apples comparison," said Chris Beard, head of products for the Mozilla Corporation.. "But we believe our process works and we are the safest browser around."Microsoft's tendency to roll up patches for Internet Explorer could decrease the apparent number of vulnerabilities, while the open development process of Firefox could inflate its vulnerability count, Beard contended. On Wednesday, the Mozilla Corporation released a new version of the browser fixing two serious security issues.
The researchers at Symantec agree that the data does not show the whole picture.
"There is no easy way to compare (Firefox and Internet Explorer), because Microsoft is really a black box," said Oliver Friedrichs, senior manager for Symantec's Security Response. "When Microsoft fixes problems, the public generally doesn't know about them. For Firefox, the nature of the process means that we know what gets fixed."
A Microsoft representative was not made available for comment.
Other issues suggest the Mozilla Corporation, which spun off from the non-profit Mozilla Foundation last month, might be encountering other growing pains as well.
Recently, one researcher who found a flaw complained that he didn't like the response from the Mozilla Corporation--and outed the details of the vulnerability to punish the developers.
Tom Ferris, an independent security consultant in southern California, found a flaw in Internet Explorer and a different flaw in Mozilla's Firefox browser within weeks of each other. With the Internet Explorer flaw, Ferris publicized the existence of the vulnerability but withheld all significant details. However, for the Firefox issue, he made public the flaw and enough detail that vulnerability researchers were able to reportedly exploit the issue.
The difference in how he handled the flaws was driven by how he was treated by each development team, Ferris said. While Microsoft and the Mozilla Foundation responded quickly, the Mozilla security group seemed to be hesitating on paying him a bounty on the bug he found, Ferris claimed.
"I never thought that the Mozilla Foundation would push me around," he said. "That is something I would have expected from Microsoft. I am not a Microsoft zealot, but they were much more responsive."
Yet, Mozilla developers contradict Ferris's reading of their intent and maintained that the incident was an isolated problem, not a trend in developer relations.
"We need time to investigate and understand the issue before we can determine whether it does qualify for the bug bounty," said Mike Schroepfer, director of engineering for the Mozilla Corporation. "Our priority in these cases is to investigate the issues and work with the security team to develop fixes first."
More than ever, the Mozilla developers are now in a race against those that would use the vulnerabilities against their products, said F-Secure's Hypponen. The only real, if not practical, solution for security-conscious users may be to ditch the popular applications and use software that is not so cool, he said.
Hypponen pointed to the early 1980s, when virus writers created their first malicious programs for Apple's Macintosh computers. At first, Windows seemed safe from viruses, then the popularity of Microsoft's operating system made that the most threatened platform, while the Macintosh--and most notably, Mac OS X--has seen hardly any viruses in the past decade.
"If you run a Mac right now, you don't need antivirus," Hypponen said. "If you want to be safer, you should be using software that other people are not using."