Firefox 1.5 gets the sniff test

By Bill Brenner, News Writer 03 Oct 2005 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

First came all the praise about Firefox 1.0 being more secure than Internet Explorer (IE). Then came headlines about mega-downloads chipping away at Microsoft's market share. Then came months of uncovered flaws and security updates that now has Firefox up to version 1.0.7.

Now comes Firefox 1.5 in beta, an upgrade Mozilla Engineering Director Mike Schroepfer said will be more secure than ever, with an automatic update service that downloads patches as needed. Indeed, blogs and Web sites are buzzing about the beta release, including MozillaZine, WebmasterWorld.com and PC World's blog.

But will Firefox 1.5 live up to the hype? SearchSecurity.com asked those who have tried it to weigh in. Based on the responses, the new version appears to be faster and more user-friendly but not necessarily more secure. If you've already switched from IE to Firefox, you're bound to like 1.5. If you've played around with Firefox but haven't embraced it as more secure, this update may not be the one that converts you.

Here are two IT professionals who have dabbled with the beta copy. One uses Firefox regularly. The other uses IE and remains unconvinced that switching to Mozilla's browser will make his enterprise more secure.

Chris Casey, systems engineer and founder of Salem, Mass.-based IT services provider North Shore Technical Services
Casey is a Firefox user who downloaded version 1.5 the day it came out. He said Mozilla has a lot of catch-up work to do. As he put it, there are still extension problems and when he played with the tabbed preference download it "hosed out" on him. "I also found that 1.5 doesn't seem to play well with QuickTime 7, though that could be a QuickTime problem," he said.

Current glitches aside, he likes the direction it's heading in. "Ideally, when this is out of beta, you'll be able to visit more sites that don't always work under the current version of Firefox," he said. "There are some sites where you have to use IE." He doesn't think 1.5 is a security milestone. But he doesn't think that was the point, anyway.

Version 1.5 isn't about making the browser better and more secure, he said. It's about making it prettier and more user-friendly.

"With the current Firefox, it tells you when a new version is available with security fixes," he said. "In 1.5, it will have seamless patching, which is better from a consumer standpoint. Grandma won't get what the little green arrow is in the current browser. With seamless patching it just happens. It won't scare people. It'll be more palatable to the generic user."

Firefox isn't built more securely than IE.  The reason it's more secure than IE is because it's open source… Chris Casey Systems engineer and founder , North Shore Technical Services

Casey said people tend to miss the boat when they measure Firefox's security by the number of vulnerabilities uncovered compared to IE. "Firefox isn't built more securely than IE," he said. "The reason it's more secure than IE is because it's open source and people are always paying attention to it, reviewing it for flaws and fixing them quickly."

In the end, he said, security is only as good as the user's common sense. It doesn't matter which browser you use. Wander cyberspace recklessly and sooner or later you'll get hurt.

"The more I think of security the more I see it as a common-sense issue," he said. "The things you wouldn't do in real life are the things you shouldn't do on the Internet. It's not a fake world anymore. It's real. You wouldn't go down a dark alley at night, so why would you go onto a site you aren't familiar with or don't trust?"

Brad Bourland, IT director for the Houston Astros
Bourland said his shop is primarily IE-based. He has dabbled with Firefox here and there but not extensively. So far, nothing has convinced him that deploying it across the network would mitigate his security risks.

Out of curiosity, Bourland said he briefly checked out Firefox 1.5. He wasn't impressed, and said one of his issues with the browser has been its tendency not to work with certain sites.

"Most Web sites seem designed with IE in mind, and with Firefox I've found that some sites don't work properly," he said. "Certain buttons on certain sites don't always work."

Related news: Firefox 1.0.7 fixes security holes

That doesn't mean he's an IE loyalist or thinks that one browser is more secure than the other. He said he's always suspicious of Microsoft when it comes to security. But Microsoft is the devil he knows, and so it can be easier to manage the risks. "I can hire a Windows 2000 expert who can get up and running quickly," he said. "The fact is it's mainly a Windows/IE world and it's easier to solve problems and deal with the thing you're familiar with."

He agreed with Casey that the browser you use makes no difference if you're not smart about your overall security habits. He said his operation takes security very seriously, and that no matter what you use it's very important to:

• Stay up to date on patching, whether it's for IE or any other software or device running on the network.
• Always evaluate what you're doing and how you're doing it and be willing to change when something else is proven to improve security.
• Have updated antivirus and antispyware.
• Make sure the firewalls are configured properly.

Tags: Security Patch Management,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Web Browser Security Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology New Bahama botnet evades search engines, fuels click fraud SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary