Millions of Internet users have downloaded the Mozilla Foundation's Firefox browser and made it their vehicle of choice for surfing the Web, even when Internet Explorer is right at their fingertips. Firefox proponents claim that the browser offers an improved user experience and better security than IE. But do Firefox's security improvements justify a corporate-wide migration to the open-source browser? Let's take a look at the security advantages offered by Firefox and the challenges of a browser migration.
Firefox vs. Internet Explorer
The main security advantage touted by Firefox (lack of ActiveX support) is also its potential weak spot for some users. One of the features of Internet Explorer that makes it work so well for users is ActiveX, a downloadable applet technology that allows Web sites to send applications to user desktops, integrating the browser very tightly with the Windows operating system. Many developers have taken advantage of the useful and cool capabilities offered by ActiveX in order to deliver feature rich applications over the Web. The problem, of course, is that all of this power comes at a price. ActiveX applets have the potential for complete access to a user's computer, reading and writing files, running programs and doing just about anything that a local executable can do.
ActiveX does have a security model, but it is heavily reliant on the user to make informed decisions about what code they trust. Applets can be signed by their developers to provide some additional certainty as to their source, but signed applets can be just as destructive as those that are not signed. The tendency for users' eyes to glaze over when security warnings pop up does not help matters. In many cases, Windows will tell a user that an applet may be dangerous and the user will click OK without stopping to think about the consequences.
Firefox lacks the ability to run ActiveX applets. If your users need to run applications that rely on ActiveX, they will need to switch browsers to do so, making it impossible for you to limit all Web browsing to Firefox.
Making the switch from Internet Explorer to Firefox is not a security cure-all. The increased user base for Firefox has resulted in increased attention to the program from the attacker community. In 2005, 21 Firefox related security advisories were released by security firm Secunia. Of these, just over a third was rated "Extremely Critical" or "Highly Critical." About half of the vulnerabilities were "Moderately" or "Less" critical. On the bright side, 86% of the vulnerabilities were addressed with patches and 10% with partial fixes.
On the other hand, Internet Explorer was the subject of 12 Secunia advisories in 2005. Of these, 33% were rated "Extremely" or "Highly" critical and 42% as "Moderately" or "Less" critical. Half of the IE vulnerabilities are still unpatched, 8% are partially patched, and 42% have patches available.
Migrating to Firefox
Installing Firefox is technically simple. When users first run Firefox, a wizard assists them in importing their bookmarks, cookies, saved passwords, etc. You'll need to make sure that your users' systems have the media plugins required (for example, Flash, Quicktime, etc.) for your applications. The developers of Firefox have thoughtfully put up a page with information on switching as well as links to the most commonly needed plugins.
Patching, however, is a potential pitfall for Firefox users in a corporate setting. When Microsoft patches IE, the new code is easily distributed using Windows Update, SUS or other utilities. Currently, Firefox patches require a complete reinstall of the program each time an update is made. While settings and preferences are retained in this process, it would be nice to have better integration with existing patch management solutions. One company, FrontMotion, provides some solutions for easier rollout and integration of Firefox in the corporate environment, providing MSI installers and utilities to allow configuration and installation via Active Directory. Currently, these tools are free and can be downloaded from the FrontMotion Web site.
Finally, Firefox versus IE is not a one-for-one swap. IE is integral to Windows, and installing Firefox does not remove it (or the need to keep it patched and updated) from the system. Many programs make use of IE "under the covers" and are thus subject to its advantages and disadvantages.
When making the decision as to which browser to use in a corporate environment, security is just one amongst many factors. With proper installation, configuration and user education, Internet Explorer can be used successfully in a corporate environment, as can Firefox. You need to look at the whole picture to make the right decision as to which browser(s) to use in your environment. And remember, that migrating to Firefox does not eliminate the need to keep Internet Explorer patched and updated.
About the author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.