Maybe Firefox doesn't have a security edge after all

Maybe Firefox doesn't have a security edge after all

Summary: On his blog, a Firefox evangelist takes a months-old quote from a Microsoft security expert completely out of context and tries to convince his readers that Firefox is still more secure than Internet Explorer. Trouble is, that might not be true any more. Why the desperate, distorted attack? Are Firefox fans beginning to realize that IE has the upper hand on security issues these days?

SHARE:
TOPICS: Security
297

Kvetching about Microsoft security flaws is so 2002.

That thought came to mind today when I read a misleading and disingenuous post by Firefox evangelist Asa Dotzler. Now, Asa just got back from a trip halfway around the world. So I’m going to assume that it was jet lag that caused him to write and publish a post entitled microsoft security manager calls users stupid, which contained these fightin’ words:

A couple of months ago, Mike Danseglio, the Program Manager for the Security Solutions group at Microsoft blamed users for the Windows security nightmare, saying "there really is no patch for human stupidity."

Nice one, Mike.

Actually, Mike, there really is no patch for that kind of blame shifting. We make software and it's our job to make it work. Designing and building software is an extremely complex process but it is not magic and it is not only possible to make it safe, it's a requirement.

[...]

At Mozilla, we put the user first. Always. We spend our days working to improve the Web for users and to protect them from the bad guys. At Microsoft, at least some have decided it's better spend their time calling users stupid and blaming them for the problem.

Zing! Boy, Asa, you really showed him, didn’t you? Too bad you took the quote completely out of context. Did Danseglio "blame users for the Windows security nightmare"? Judge for yourself. Here’s the full paragraph from Ryan Naraine’s eWeek article:

"Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity," [Danseglio] said.

Oh. Phishing is what we’re talking about here? (To their credit, several commenters on Asa’s post pointed out the same thing.) So how good is Firefox at handling phishing attempts? After all, one of the rotating text blurbs on the Firefox Start page boasts: “Browse the Web with confidence. Firefox protects you from viruses, spyware, and phishing.” Curiously, the linked page doesn't mention phishing even once.

So I put it to the test. I just copied a link from one of the many phishing attempts I receive in my e-mail inbox every day and opened it in Firefox. Guess what? It opened right up, with no indication from Firefox that the site was suspicious or that I shouldn’t enter my Paypal login credentials there. In other words, if I do something stupid, I’m going to pay the consequences and maybe have my Paypal account cleaned out.

See for yourself:

eb_phish_firefox1.png

Looks pretty legit, doesn’t it?

I clicked on the Help menu in Firefox and typed in phishing. Nothing. I guess Firefox hasn’t gotten around to recognizing that phishing is a problem. Oh, wait, they have. But it's only available in alpha code right now, not in a stable beta or a released version.

Now, IE6 doesn’t have any anti-phishing features, either. But what happens if I open the same page in IE7, which is available as a stable public beta? The results are pretty dramatically different:

eb_phish_ie7_1a.png

Internet Explorer blocks navigation to the page with a bright red warning icon and a clear explanation. The address bar turns red too, and clicking the Phishing Website badge to the right of the address displays this additional information:

eb_phish_ie7_2a.png

Advantage IE, at least for now.

Asa’s not the only one to grossly distort Mike Danseglio’s comments, as I’ve noted before. But the fact is that social engineering is still a brutally effective way to get people to download and install stuff that ultimately is going to harm them. And you can use just about any software to do it. It’s hard to engineer security that protects people from being fooled into doing stupid things. That’s true on the street, if you happen across a three-card monte game. It’s true on the web, too.

And as long as we're talking irony, let's talk about ActiveX. Most of the substance of Asa's post is about ActiveX support in IE. He says:

For years, Mozilla struggled with website compatibility issues because it did not support Microsoft's ActiveX technology, another major vector for security attacks on users. Not only would it have been a lot of work to reverse engineer and build Mozilla support for ActiveX, it would have opened Mozilla up to some of the worst threats on the Web. It would have been a bad idea.

So, what do I see when I open Asa's home page in IE7?

eb_mozilla_activex.png 

Ha! (The ActiveX control used on his page is QuickTime, by the way, and don't get me started.)

Once upon a time, Firefox had a big security advantage over IE. Today, not so much. Firefox has had four updates in the seven months since it was released. Each of those updates fixed one or more major security issues that could result in a user clicking a link or viewing a webpage and installing hostile code. If you miss an update, you’re vulnerable, even if you’re not stupid. In other words, Firefox isn’t so secure, either, and its developers are only human. (And don’t talk to me about Firefox’s Auto Update. I just checked the version of Firefox running on this machine. It’s 1.5.0.3, which means I’m a release behind and in mortal danger of getting zapped if I don’t update right away.)

But don’t take my word for it. Ask Adam Shostack, who has forgotten more about computer security than most so-called security experts know. He also knows a thing or two about phishing, as a quick perusal of his August 2005 essay, Preserving the Internet Channel Against Phishers, will attest. Adam just went to work for Microsoft, a development that raised lots of eyebrows in the security community. He explains:

In the past, I've heaped scorn on Microsoft's security related decisions. Over the last few years, I've watched Microsoft embrace security. I've watched them make very large investments in security, including hiring my friends and colleagues. And really, I've watched them produce results.

In making this decision, I've had conversations with many people and organizations. The one theme that stands out was the difference in the conversations I had with Microsoft versus other software producers. Some of things that Microsoft does and are looking to improve haven't even made it in rudimentary form anywhere else.

Ironically, some early versions of that essay appeared as posts on Shostack’s Emergent Chaos blog, under the titles Don't Use Email Like a Stupid Person and More on Using Email Like A Stupid Person.

He’ll fit right in at Microsoft.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

297 comments
Log in or register to join the discussion
  • Firefox doesn't have ActiveX...

    That's a security edge times 20 no matter which way you look at it. It prevents alot of stupid people saying yes to ActiveX controls, and prevents alot of stupid people from visiting sites that install them for you without you knowing.
    ju1ce
    • I forgot to add...

      I agree though, phishing right now is at a high and should be a concern for both companies. This is deffinitly bad news for Firefox at the moment.
      ju1ce
      • Since I started using Firefox 0 viruses

        Cant say I had the same experience with IE6 or IE7 Beta. If I was a common person my computer would have been toast by now with IE. IE7 is an improvmente, but ActiveX just makes it that much troublesome.

        Phishing is a big problem, and most users by experience will eventually learn not to ever click on a popup (For that matter I dislike Mail dot com and other sites that just clobbers you with them).

        So if you love MS (Use all there tools daily, don't like to do so, but know how - VB, C#, ASP, SQL 2003, visual, J, name it, do it) go ahead and be exposed with IE7, you wont be no more smarter than a newbie that just discovered the Internet.

        Like many others said, ActiveX is only good for Intranets, not the Internet. And IE7 allows ActiveX, Firefox does not.
        Uralbas
    • That might have been true in 2002

      But show me one site today that can install an ActiveX control in XP SP2 or later without the user's explicit permission. In fact, they can't eben pop up a dialog box anymore. You get the little Infobar, which you can ignore.

      Have you actually used IE to visit a site that includes Active X lately?
      Ed Bott
      • I have

        And like you said it pops up an info bar.

        Which the typical user (I have observed this on many occasions) then immediately clicks on the bar and then installs the Active X app.

        The info bar hasn't done a single thing to protect the user except put 1 maybe 2 extra clicks for them.

        That is [b]not[/b] what I call a security enchancement.
        dragosani
        • What would you suggest?

          Since the ActiveX installation requires user intervention, what would be a better way to do it, from a security standpoint?

          Carl Rapson
          rapson
          • Easy answer...

            Don't allow it to be used outside of a local IP.
            ju1ce
          • By "it"...

            ...I assume you mean ActiveX? That's a good idea. ActiveX was never a good idea outside of intranets.

            But it seems to me that the problem is more with web site developers than Microsoft. Microsoft made ActiveX technology available, but it's the developers who decided to make use of it on Internet web sites.

            Carl Rapson
            rapson
          • I can swear...

            Microsoft touted it to be used over the internet as well. :)

            Either way, local intranet only.
            ju1ce
          • Well...

            ...you're probably right, but that still doesn't mean it was a good idea. Of course, hindsight is 20/20, and how could Microsoft know that early that there would be so many malware writers just waiting for the chance to attack Windows?

            Carl Rapson
            rapson
        • Know your browser

          For an unpublished activeX control to be installed onto a user's machine. It takes a bit more than 1 or 2 clicks. They are going to have to do the following...

          1. Tools->Internet Options
          2. Go to Security Tab
          3. Click Custom Level for Internet
          4. Then modify the necessary ActiveX control settings.

          And yes thats right... if you are an admin and don't wan't ActiveX controls for your users ... Microsoft Internet Explorer can disable ActiveX in the browser. Its all right there.
          jmccormick79
          • If you are using IE 6.. It's two and the steps are quick and fast..

            Steps..

            Point and click by default.

            A bar comes up, you click it and a popup comes up.. click again on the DEFAULT place your mouse starts on.. and voila.. "WOOPS" I installed it by mistake. :P
            ju1ce
      • An explicit problem...

        Warnings, pop-ups and the like mean almost nothing to uneducated users.. Which accounts for the majority of users currently.

        I had someone deliver their computer to me to remove all the spyware they had installed on their computer. (They refused to use Firefox because someone told them IE doesn't have issues). I cleaned out all the spyware.. No kidding.. Three days later they call me up telling me they have popups happening again, their home page has been taken over.. Yet for some reason, they refuse to use Firefox. :P

        To an educated user.. Firefox, IE, Opera whatever is merely a tool. There is inherently no differences other than additional functionality. Others choose some for precautionary measures, others choose out of mere bias.

        I have said it consistently on these talkbacks, I use Firefox simply for the reason I don't have to worry about ActiveX taking over my browser. It's that simple. I believe ActiveX is a great tool for intranet, but for internet.. I think ActiveX leads your computer more prone to viruses. Any way you spin it, it's always the cause of something related to the internet and browsing.

        Have I used IE7? Nope. I still use Firefox. Pop-up's or not, I just don't want to have to worry about pressing No to install etc. I know what I'm doing and don't want or have a need to be annoyed by popups I know I shouldn't be installing. It's mere bias and somewhat factual in why I choose Firefox. That's more than what most IE users can say. Instead they point to security issues that aren't exploited. Who cares? How many people actually get hit by an exploits (other than ActiveX related exploits) and soon to be Phishing (as it becomes more mainstream).
        ju1ce
        • The other thing I've noticed...

          When that bar comes up, the cursor goes right over install ActiveX control.

          Microsoft employees have went on to bash many companies who have defaults set to "Install" (I remember the IE vs Firefox security article a couple weeks back).

          I don't know about you, but think about how many users you know who by default double click on everything rather than single click?
          ju1ce
        • Stop running your machine as an admin....

          ...and activeX will not be an issue while browsing with IE.

          ActiveX controls cannot be installed unless you are an administrator - even if a website exploits an IE flaw that bypasses the prompts to install. Not running as an admin is a good idea anyway, IE or no IE.
          toadlife
          • Although I agree with your premise....

            I disagree with the solution..

            One thing I dislike about today's technology is the need for this, that, and the world in order to have a functional computer.

            I need anti-virus, anti-spyware (usually more than one), firewall, non-admin for a personal computer at home.

            I have found ways around having to need "all" of those things, or spend on things I don't need by using software that allows me to do as such.

            Why put all this effort into finding ways to avoid things when software can be built that can do it for you? Is it sheer laziness or brilliance on the software developers part? Each person will have a different answer to this based on their previous experiences.

            I have never had a personal firewall (disable XP's) and have only relied on a hardware one. It does what I need it to do. With not having the firewall on, even if "very small".. I reduce firewall checks, and processing power on behalf of my computer for other things.

            Anti-virus? Well I'll admit up until about 6 months ago I never really had one because of cost. I didn't want to pay 50 bucks for Norton's or McAffee's or anything else if it was going to bog down my computer (which both do). I know use Avast which has been great? Is it perfect? By all means no, but it has done the trick up to now. Although I have yet to see a virus on my computer since the installation. :P It has caused no system slow down compared to the "free year" I got with norton's with my motherboard purchase. I didn't use my free year. I just never installed it. Threw it out.

            Anti-spyware? Anyone notice MS Defender hasn't had an update in like 35 days and that warning keeps coming up? It's driving me bananas. Although it's a great piece of software, if it's going to be updated once every 2 months I'll be switching again. I don't have this loaded every time to scan m y computer since I have it scan my computer at 12 noon every day. :P

            Now as Admin.. As much as it has been a flaw, it's the one thing I enjoy about Windows. For educated users, going into "non-admin" mode is a hassle. Since usually we know what we are installing. But what about run away activex? Well since I use firefox it negates that issue altogether. With Vista by default no admin.. Guess what I'm going into admin. I don't want to be bombarded with stupid popups with UAP. Sorry, but for beginning users great. They need it to protect themselves.

            Can stuff happen? Sure, but then again.. The worst thing that's happened to me since this new computer is my stupid video driver. My games keep crashing my computer. Which just so happen to be Microsoft games... Irony?

            I'll take the risk of something happening because so far in my experience.. It's never happened, and well why would I put myself through a pain wrenching popup extravaganza to prevent myself from doing something stupid when I don't do stupid things to begin with? And my backup will hopefully prevent the most of it anyways.. Maybe I'm to lax.. but whatever, it's worked for me so far.
            ju1ce
          • Now what would be neat...

            Anti-Virus or Anti-Spyware checker that also looks for Phishing sites.

            Add more value to the buck, seeing as it's disecting packets anyways.
            ju1ce
          • Running as admin...

            ... is kind of like pedestrians walking down the center of the road, despite their being sidewalks.

            You mention running anti-virus and anti-spyware, so that if you do get hit with something, those things should fix the problem.

            That's kind of like the pedestrian saying I'll have an ambulance on standby for if I get hit by a car as I walk down the middle of the road.

            (Personally, I don't use anti-spyware on my machine, and I only use anti-virus because the company I work for requires it in order for me to make a VPN connection. I run as limited user, only as admin when I absolutely must, and I have never had spyware or viruses on my machine.)
            PB_z
          • Bad analogy....

            "Running as admin...
            ... is kind of like pedestrians walking down the center of the road, despite their being sidewalks."

            That would be more akin to...

            I go on porn sites, virus sites with no protection whatsoever. I don't do that. :)

            "That's kind of like the pedestrian saying I'll have an ambulance on standby for if I get hit by a car as I walk down the middle of the road."

            Bad analogy again. Hold's no water whatsoever but I can understand your line of thinking moreso than you can seem to understand my own.

            "I run as limited user, only as admin when I absolutely must, and I have never had spyware or viruses on my machine."

            Again, neither have I and yet I run as Admin.. So who "really" is the more common sense user?

            Both have the plus and minuses, it's which pro's and con's outweight your line of thinking. Keep it as simple as that.

            At my place of work, we have almost all users on "restricted user" or "limited user" because we have to protect them from themselves. Or else our network guys would be more busy than they are now.

            I am not going to restrict myself because I trust my decision's on the internet. Do I trust most others? No.. Most users only know how to read email, browse and occasionally (or addictively) play on-line poker.
            ju1ce
          • That's a terrible analogy.

            I run as admin all the time. I acknowledge that I shouldn't and maybe I'll stop. But for the meantime, I am currently and I always have been running as an administrator on my desktop.

            I'm also using Firefox, Windows Defender, ZoneAlarm (free) and AVG Free Edition. I get absolutely no problems -- so uh... I can't see why it's anything like the analogy you described above.
            A_Pickle