The Mozilla Foundation celebrated the worldwide release of Firefox 1.0 Tuesday as new Mydoom variants exploited yet another Internet Explorer vulnerability. But for those who consider Firefox a more secure alternative to Microsoft's browser, a new advisory Wednesday was a reminder that it's far from bulletproof.
The advisory from Danish security firm Secunia pointed out three "moderately critical" security holes in Mozilla Firefox 0.x. Attackers could exploit them remotely to detect local files, cause a denial of service, disclose sensitive information, spoof the file download dialog and gain escalated privileges, the advisory said.
The problems are fixed in Firefox 1.0, and open source enthusiasts often note that Mozilla is rarely the target of a successful attack. Nevertheless, some IT professionals wonder if that will change if enough people ditch Internet Explorer for Firefox.
"As Mozilla's market share increases, you're bound to see more attacks against it," said Jack Feeman, Microsoft Office specialist and supervisor of Largo, Fla.-based Cox Target Media Inc.'s Technical Writing Group. "The reason Firefox hasn't been broken yet is because nobody has tried. I have the beta version of Firefox on one of my machines and I don't think it's necessarily more secure."
Others doubt Mozilla's market share will grow enough to entice attackers. If it does, they believe Firefox will weather attacks more successfully than Internet Explorer has in the past.
"IE's big problem is it's so embedded into the Windows operating system and you can get to a lot of different programs by exploiting its vulnerabilities," said Mark Loveless, senior security analyst with Houston-based BindView Corp. "Attackers mostly target home users, and since IE is free and comes with Windows out of the box, most of those users aren't going to take the time to download another browser. As long as that's the case, IE will continue to get the most attention from attackers. It's just too convenient for people to use and too easy to be taken advantage of."
Thomas Kristensen, Secunia's chief technology officer, agreed. "IE's tight integration with the underlying operating system has proved problematic again and again because of the way security zones are handled," he said. "Being able to access trusted or local zones makes compromising the system much easier. Mozilla runs as a standalone application that doesn't provide additional functionality in a local context. The kinds of flaws we've seen in IE are less likely to affect Mozilla Firefox because of its design."
He said people should also consider the vendors' ability to fix vulnerabilities in a timely fashion. "So far, it appears the Mozilla Foundation is performing better than Microsoft," Kristensen said. "Another interesting factor is the difference in severity of the vulnerabilities in the browsers. According to our statistics, the vulnerabilities in Internet Explorer are more severe than those in Firefox."
By his count, Secunia's database includes 67 advisories related to Microsoft's browser, compared to 17 for Mozilla. The database also shows two of the Mozilla advisories remain in the unpatched category compared to 17 of the Internet Explorer advisories.
John Lal, president of Boston-based Winferno Software, said nothing in the architecture of Firefox makes it more secure than Internet Explorer and that the more popular Mozilla becomes, the more likely it is to be attacked. But he said it's still a Windows world and he doubts Mozilla's success will dramatically change that. The best approach is to help improve the Windows experience with something that allows for a more secure browsing experience, he said, adding that his company offers that with its Secure IE product.
"SecureIE uses the same basic display engine as IE. The Web page displays and user interaction is the same as Internet Explorer," Lal said. "A critical difference is that we use our own security manager with several added features. For the end user, it means full compatibility with Windows, it looks like IE, but you get more security."
Gary Schare, Microsoft's director of product management for Windows, dismissed the notion that Firefox is more secure than Internet Explorer. "Security is an industrywide problem that doesn't single out one vendor," he said. "Evil people will pursue their own needs no matter what software you are using. It doesn't matter if a browser has 3% market share or 95% because it only takes a couple people with evil goals."
He said Microsoft's browser is also more secure today because of the added security muscle of Windows XP Service Pack 2, and that the software giant has done a lot of work behind the scenes to create industry-wide coalitions to bolster security.
Despite his belief that Mozilla has been more successful in responding to vulnerabilities, Kristensen acknowledged SP2 was a big improvement on Microsoft's part.
"When you look at SP2 and the improvements it has brought to light, I believe we will see fewer highly critical vulnerabilities in IE on XP SP2 because they have restricted certain functionality in the Local Security Zone and have removed other potential problems," he said.
One thing is clear, Schare said: Now that Firefox 1.0 is out, the Mozilla Foundation will learn how tough it is when you don't have the luxury of constantly updating a beta program.
"They've had a free ride up to now because they've been in Beta," he said. "Now that they've shipped 1.0, they're not going to want to change it every day. We don't have the luxury they've had. When we develop a fix, we have to consider compatibility issues and a host of other things. Now they'll have a taste of how difficult it can be."
At the time of writing, the Mozilla Foundation had not responded to an interview request.