The pros and cons of migrating to Firefox

Millions of Internet users have downloaded the Mozilla Foundation's Firefox browser and made it their vehicle of choice for surfing the Web, even when Internet Explorer is right at their fingertips. Firefox proponents claim that the browser offers an improved user experience and better security than IE. But do Firefox's security improvements justify a corporate-wide migration to the open-source browser? Let's take a look at the security advantages offered by Firefox and the challenges of a browser migration.

Firefox vs. Internet Explorer

The main security advantage touted by Firefox (lack of ActiveX support) is also its potential weak spot for some users. One of the features of Internet Explorer that makes it work so well for users is ActiveX, a downloadable applet technology that allows Web sites to send applications to user desktops, integrating the browser very tightly with the Windows operating system. Many developers have taken advantage of the useful and cool capabilities offered by ActiveX in order to deliver feature rich applications over the Web. The problem, of course, is that all of this power comes at a price. ActiveX applets have the potential for complete access to a user's computer, reading and writing files, running programs and doing just about anything that a local executable can do.

ActiveX does have a security model, but it is heavily reliant on the user to make informed decisions about what code they trust. Applets can be signed by their developers to provide some additional certainty as to their source, but signed applets can be just as destructive as those that are not signed. The tendency for users' eyes to glaze over when security warnings pop up does not help matters. In many cases, Windows will tell a user that an applet may...

Firefox lacks the ability to run ActiveX applets. If your users need to run applications that rely on ActiveX, they will need to switch browsers to do so, making it impossible for you to limit all Web browsing to Firefox.

Making the switch from Internet Explorer to Firefox is not a security cure-all. The increased user base for Firefox has resulted in increased attention to the program from the attacker community. In 2005, 21 Firefox related security advisories were released by security firm Secunia. Of these, just over a third was rated "Extremely Critical" or "Highly Critical." About half of the vulnerabilities were "Moderately" or "Less" critical. On the bright side, 86% of the vulnerabilities were addressed with patches and 10% with partial fixes.

On the other hand, Internet Explorer was the subject of 12 Secunia advisories in 2005. Of these, 33% were rated "Extremely" or "Highly" critical and 42% as "Moderately" or "Less" critical. Half of the IE vulnerabilities are still unpatched, 8% are partially patched, and 42% have patches available.

Migrating to Firefox

Installing Firefox is technically simple. When users first run Firefox, a wizard assists them in importing their bookmarks, cookies, saved passwords, etc. You'll need to make sure that your users' systems have the media plugins required (for example, Flash, Quicktime, etc.) for your applications. The developers of Firefox have thoughtfully put up a page with information on switching as well as links to the most commonly needed plugins.

Patching, however, is a potential pitfall for Firefox users in a corporate setting. When Microsoft patches IE, the new code is easily distributed using Windows Update, SUS or other utilities. Currently, Firefox patches require a complete reinstall of the program each time an update is made. While settings and preferences are retained in this process, it would be nice to have better integration with existing patch management solutions. One company, FrontMotion, provides some solutions for easier rollout and integration of Firefox in the corporate environment, providing MSI installers and utilities to allow configuration and installation via Active Directory. Currently, these tools are free and can be downloaded from the FrontMotion Web site.

Finally, Firefox versus IE is not a one-for-one swap. IE is integral to Windows, and installing Firefox does not remove it (or the need to keep it patched and updated) from the system. Many programs make use of IE "under the covers" and are thus subject to its advantages and disadvantages.

When making the decision as to which browser to use in a corporate environment, security is just one amongst many factors. With proper installation, configuration and user education, Internet Explorer can be used successfully in a corporate environment, as can Firefox. You need to look at the whole picture to make the right decision as to which browser(s) to use in your environment. And remember, that migrating to Firefox does not eliminate the need to keep Internet Explorer patched and updated.

About the author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Web Security Advisor,   Application and Platform Security,   Web Security Tools and Best Practices,   Web Browser Security,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Web Security Advisor DNS rebinding defenses still necessary, thanks to Web 2.0 New defenses for automated SQL injection attacks PCI compliance and Web applications: Code review or firewalls? Worst practices: Bad security incidents to avoid Web scanning and reporting best practices Social networking Web site threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners Preparing for uniform resource identifier (URI) exploits Web Browser Security Exploit code targets Internet Explorer zero-day display flaw InZero Systems launches hardware-based security gateway Web security firm ranks Firefox, Safari browsers as flaw prone Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology Web Browser Security Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary browser hijacker  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) honey monkey  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) NCSA  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.