Thu 12 Nov 2009
The Problem with Browser Security
Posted by andyitguy under information security
Today I ran across a blog that highlights a web trends report by Cenzic. The blog focused on browser vulnerability trends. To some the findings may be surprising: Firefox accounted for 44% of the vulnerabilities across the four browsers covered in the report. The breakdown was Firefox (44%), Safari (35%), Internet Explorer (15%) and Opera (6%).
44%! How does that happen with a browser that is supposed to be a “more secure alternative” to Internet Explorer? There are lots of other people smarter and more qualified than I am to go into the details of how and why on something like this, so I’m not even going to try to give a technical explanation. What I will do is give you my thoughts on the why from a tactical and social level, as well as a few thoughts on what I think the real problem with browser security is.
First let’s look at why a hacker may want to target Firefox more than the other three listed browsers. It’s not market share, because Firefox still lags behind IE by quite a bit. I think it’s mindset. Why do people use Firefox? Because it is supposed to be more secure than IE, but also because it is open and has lots of cool plug-ins that can be run to do all sorts of fun stuff. Therein lies a lot of the problem. Now we have users who have a false sense of security and are running potentially insecure plug-ins. If I’m a hacker looking for a ripe target, it doesn’t get much riper. Since “typical” users assume that they are more secure, they are more likely to engage in risky behaviors. Another reason a hacker may target Firefox is that they have access to the source code just like the rest of us, and they can find vulnerabilities by reading through the code. So in addition to using tools to find bugs, they can also read the code to learn how to better use those tools to their advantage.
So does that mean that we need to rush out and migrate all our users and systems to Opera? I mean, 6% is really good compared to the others. Of course not. It’s not practical from a business or process standpoint, and it would break lots and lots of things that our businesses need to do daily. Not to mention the fact that if we were able to do this, the bad guys would turn their attention to Opera and the number of vulnerabilities would quickly jump up.
So what do we do? Many of us are still leery about IE and its past problems. Plus, in the security world there is a stigma attached to using IE. Only the bravest of security professionals will admit to using IE as their primary browser. Of course the question is rhetorical. Most security professionals don’t rely on just the browser for their security. They use common sense, security plug-ins (e.g. NoScript), applications such as Sandboxie, surfing the net in a VM or only from a Linux system. There are lots and lots of things that we can do to ensure that our browsing is more secure. The problem is that we have to figure out how to get our users to browse more securely.
Changing browsers in an enterprise is not an easy task. It would be impossible in some companies and very impractical in most others. Too many applications are written to only work with IE and ActiveX. Not to mention that, for the most part, one browser really isn’t any more secure than any other. It may be today, but what about tomorrow? Can we really afford to run around changing browsers every couple of years? Absolutely not. That means that we have to do other things to limit the risk of allowing our users to use the internet for business and pleasure.
Since we can’t change browsers, we have to either change users or change their habits and level of understanding. Obviously changing the users is even less doable than changing browsers regularly, so that means we have to teach our users how to safely work and play on the internet. I’m not going into lots of detail about this because I did so the other day here. I just wanted to reiterate that the only way to solve the problem with browser security is to implement what technology we can and to educate our users.
2 Responses to “The Problem with Browser Security”
(Firefox fanboi – read below with a pinch of salt)
Remember that Firefox is Open Source, so bugs are out there for all to see. IE *may* have the same amount of bugs, or more, or less – who knows... they would be buried in secret code.
Hackers, generally, are very lazy guys who really only target bugs that are well known and usually patched. The guys who target bugs that are not generally well known are scary, but they are the exception.
So, your risk measurement is not really “how many bugs are there” but “how long are known bugs unpatched for”. Firefox is really good at patching – I’d be browsing and a pop-up will happen that says “new version downloaded and applied, reboot” and voila – I am sorted. Extensions are not automatically downloaded and applied but I do get notifications when updates are available. The new feature that checks plug-ins is very new and green but has lots of potential.
The nice thing is that when I started my browser the other day it complained to me in big letters (friendly but not vague) that I must upgrade my flash plug-in. Very nice.
I haven’t used IE7 or IE8 for very long but IE 6 has none of those lovely features even if it is covered by “Patch Tuesday”.