Mozilla suffers growing pains

A vulnerable age

The Mozilla Foundation's Firefox browser successfully took market share away from software giant Microsoft's Internet Explorer over the past 18 months, but has found that popularity comes with growing pains.

Critics of the open-source Firefox browser took its security track record to task this week after a biannual Internet security report noted that the application had almost twice as many vulnerabilities as Internet Explorer in the first half of 2005, with a higher fraction of those flaws being severe.

"Mozilla's popularity has gone from almost zero to double digits, so they have had to deal with a lot of sudden attention," said Mikko Hypponen, chief research officer for antivirus firm F-Secure. "Since Mozilla has become popular, people have been looking for more vulnerabilities."

And researchers appear to be finding flaws with greater frequency. In the first six months of 2005, the Mozilla family of browsers had 25 vulnerabilities, with 72 per cent rated as high severity, according to the Internet Security Threat Report released by Symantec this week. During the same period, Microsoft's Internet Explorer had 13 confirmed vulnerabilities, with 62 per cent rated as high severity, the report said. Symantec is the parent company of SecurityFocus.

That poses a problem for the open-source browser's security image. Much of the popularity of the Mozilla Foundation's Firefox has been built on the browser being a secure alternative to Microsoft's Internet Explorer. In June 2004, a pop-up toolbar's ability to infect computers when their users browsed a malicious website with Internet Explorer gave Firefox additional momentum to start claiming market share from Microsoft's well-known browser. Mozilla's browsers accounted for almost seven per cent of popular web traffic as of May 2005, the most recent data available, according to analytics firm WebSideStory.

While the developer of Firefox, now known as the Mozilla Corporation, has also attributed the browser's success to its ease of use, security has always been a way for the application to stand apart from the perceived problems of Microsoft's browser. For example, the Mozilla Foundation still carries a quote on its website from a USA Today article lauding the security of Firefox. The Mozilla Corporation is the commercial subsidiary of the non-profit Mozilla Foundation responsible for developing and marketing Mozilla products.

Now, the picture has been turned upside down: After some high profile vulnerabilities were found in the browser earlier this year, some security experts questioned whether the Mozilla Corporation could claim that Firefox is more secure than Internet Explorer. With the latest data showing that Microsoft has cut the number of publicly disclosed flaws while the number of vulnerabilities in Firefox climbs, open-source developers may have to find new metrics to compare the browsers.

"The high level, from our perspective, is that it's hard to make any sort of apples-to-apples comparison," said Chris Beard, head of products for the Mozilla Corporation. "But we believe our process works and we are the safest browser around."

Microsoft's tendency to roll up patches for Internet Explorer could decrease the apparent number of vulnerabilities, while the open development process of Firefox could inflate its vulnerability count, Beard contended. On Wednesday, the Mozilla Corporation released a new version of the browser fixing two serious security issues.

The researchers at Symantec agree that the data does not show the whole picture.

"There is no easy way to compare (Firefox and Internet Explorer), because Microsoft is really a black box," said Oliver Friedrichs, senior manager for Symantec's Security Response. "When Microsoft fixes problems, the public generally doesn't know about them. For Firefox, the nature of the process means that we know what gets fixed."

A Microsoft representative was not made available for comment.

Growing pains

Other issues suggest the Mozilla Corporation, which spun off from the non-profit Mozilla Foundation last month, might be encountering other growing pains as well.

Recently, one researcher who found a flaw complained that he didn't like the response from the Mozilla Corporation - and outed the details of the vulnerability to punish the developers.

Tom Ferris, an independent security consultant in southern California, found a flaw in Internet Explorer and a different flaw in Mozilla's Firefox browser within weeks of each other. With the Internet Explorer flaw, Ferris publicized the existence of the vulnerability but withheld all significant details. For the Firefox issue, however, he made the flaw public along with enough detail that vulnerability researchers were reportedly able to exploit it.

The difference in how he handled the flaws was driven by how he was treated by each development team, Ferris said. While Microsoft and the Mozilla Foundation responded quickly, the Mozilla security group seemed to be hesitating on paying him a bounty on the bug he found, Ferris claimed.

"I never thought that the Mozilla Foundation would push me around," he said. "That is something I would have expected from Microsoft. I am not a Microsoft zealot, but they were much more responsive."

Yet Mozilla developers contradicted Ferris's reading of their intent and maintained that the incident was an isolated problem, not a trend in developer relations.

"We need time to investigate and understand the issue before we can determine whether it does qualify for the bug bounty," said Mike Schroepfer, director of engineering for the Mozilla Corporation. "Our priority in these cases is to investigate the issues and work with the security team to develop fixes first."

More than ever, the Mozilla developers are now in a race against those who would use the vulnerabilities against their products, said F-Secure's Hypponen. The only real, if not practical, solution for security-conscious users may be to ditch the popular applications and use software that is not so cool, he said.

Hypponen pointed to the early 1980s, when virus writers created their first malicious programs for Apple's Macintosh computers. At first, Windows seemed safe from viruses, then the popularity of Microsoft's operating system made that the most threatened platform, while the Macintosh - and most notably, Mac OS X - has seen hardly any viruses in the past decade.

"If you run a Mac right now, you don't need antivirus," Hypponen said. "If you want to be safer, you should be using software that other people are not using."

Copyright © 2005, SecurityFocus
