
Hardware 2.0

Adrian Kingsley-Hughes

Report finds Firefox security lacking

By Adrian Kingsley-Hughes | December 10, 2011, 3:09pm PST

Summary: Firefox lags behind Google’s Chrome and Microsoft’s Internet Explorer browsers in several key areas.

A report by security firm Accuvant finds Mozilla’s Firefox lacking when it comes to modern security safeguards.

The report (available here) finds that Firefox lags behind Google’s Chrome and Microsoft’s Internet Explorer browsers in several key areas.

Note: The report was funded by Google, but Accuvant is a well-respected security firm and the report appears to be both fair and accurate.

Here are a few examples:

According to the report, Firefox security was found lacking in three key areas:

  • Sandboxing - A technology which limits how much access an exploit has to the target machine.
  • Just-In-Time (JIT) hardening - Technology which prevents malicious JavaScript code on a website from compiling code on the target computer.
  • Plug-in security - This limits how much access plug-ins have and also prevents the download of malicious add-ons.

Firefox also topped the list when it came to critical vulnerabilities.

The conclusions of the report won’t make comfortable reading for Firefox fans:

Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening.  While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner.  Therefore, we believe Google Chrome is the browser that is most secured against attack.

Accuvant has made its data and test tools available for download to anyone interested.

If you’re interested in security, Firefox might not be the right browser for you.


23 Comments

Change the title to Google paid "study"
wackoae Updated - 10th Dec
The alleged study was paid by Google and it claims results that are totally contrary than what ALL of the independent studies found.

On top of that, Chrome is SPYWARE. How is a browser that is built with the purpose of collecting data from users more "secure" than anything else?
@wackoae
If Chrome browser was spyware, then Microsoft Security Essentials would have tagged it as such.

What data did it collect from you? The test tools are there to verify what is claimed.
@daikon I find it hilarious that you try to use that as a defense.

And about being spyware .... just search for it. Even a Google will give you a very large number of independent testing showing how Google "filters" everything you do via their servers.
0 Votes
+ -
@wackoae

"The alleged study was paid by Google and it claims results that are totally contrary than what ALL of the independent studies found."

Examples?

"On top of that, Chrome is SPYWARE."

Proof?
0 Votes
+ -
Answers
wackoae 10th Dec
@CobraA1 See results from Secunia, Networks Associates, and any independent security company you prefer.

Proof of spyware has been available for years. Everything you do via Chrome is filtered via Google's servers. Feel free to Google it .... plenty of independent results to backup other people's findings.
0 Votes
+ -
"See results from Secunia, Networks Associates, and any independent security company you prefer."

Uh huh, so give me an example. Secunia just lists vulnerabilities, it doesn't list browser security features.

"Feel free to Google it .... plenty of independent results to backup other people's findings. "

Let's see . . .

First result is Google anti-spyware . . .
Second result, ditto . . .
Third result is about their toolbar, which I don't use . . .

Fourth result looks promising . . .
Nope, 2008. Too old, things may have changed. Also, it's just autocomplete in action. If you're scared of it, turn it off.

Fifth result, more anti-spyware.
Sixth result is a financial stock report.
Seventh, more anti-spyware.
Eighth, how YOU can spy on Google, lol.
Ninth, spyware removal.
Tenth, what Google is doing to fight spyware.

Terms "google spyware" (w/out quotes) in Bing, as of this date.
0 Votes
+ -
@wackoae

totally contrary than what ALL of the independent studies found

Show us ONE example of such an "independent study". One?

Firefox has been THE browser with the MOST security vulnerabilities for years now. According to Secunia or any other source.
0 Votes
+ -
Or, if you happen to be in the Linux Camp, IT DOESN'T MATTER.
Dietrich T. Schmitz * Your Linux Advocate Updated - 10th Dec
Here's my Kubuntu AppArmor LSM session information which shows Firefox sandboxed[1]:

root@AOD260:/etc/apparmor.d# aa-status
apparmor module is loaded.
11 profiles are loaded.
11 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/firefox-8.0/firefox{,*[^s][^h]}
/usr/lib/firefox-8.0/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox-8.0/firefox{,*[^s][^h]}//browser_openjdk

/usr/sbin/cupsd
/usr/sbin/mysqld-akonadi
/usr/sbin/mysqld-akonadi///usr/sbin/mysqld
/usr/sbin/tcpdump
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
/sbin/dhclient (1326)
/usr/sbin/cupsd (1163)
/usr/sbin/mysqld-akonadi///usr/sbin/mysqld (1704)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

-------------
[1] Note: Default out-of-the-box Kubuntu configuration has FF disabled.
You can enable by removing the symlink /etc/apparmor.d/disabled/usr.bin.firefox

and running command:

apparmor_parser -a /etc/apparmor.d/usr.bin.firefox

I also recommend adding Noscript plugin to Firefox. DTS
0 Votes
+ -
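Added example, not part of the original comment thread: a shell helper that reads aa-status output in the format posted above and reports, for one profile name, whether the profile is loaded in enforce mode and how many running processes are confined by it. It also checks for the disabled/ symlink mentioned in the footnote. The function names are hypothetical, and the sample text (including PID 2210) is constructed.

```shell
#!/bin/sh
# Added example: separate "profile loaded" from "process confined" in aa-status.
# apparmor_summary NEEDLE  -- reads aa-status text on stdin.
# Prints: profile=<enforce|complain|absent> confined=<n> unconfined=<n>
apparmor_summary() {
    awk -v needle="$1" '
        # Section headers decide what the indented entries under them mean.
        /^[0-9]+ profiles are in enforce mode/   { sec = "p_enf";  next }
        /^[0-9]+ profiles are in complain mode/  { sec = "p_comp"; next }
        /^[0-9]+ processes are in enforce mode/  { sec = "conf";   next }
        /^[0-9]+ processes are unconfined/       { sec = "unconf"; next }
        /^[0-9]+ (profiles|processes) / || /^apparmor module/ { sec = ""; next }
        NF == 0 || index($0, needle) == 0 { next }
        sec == "p_enf"  { enf++ }
        sec == "p_comp" { comp++ }
        sec == "conf"   { conf++ }
        sec == "unconf" { unconf++ }
        END {
            mode = comp ? "complain" : (enf ? "enforce" : "absent")
            printf "profile=%s confined=%d unconfined=%d\n", mode, conf, unconf
        }'
}

# profile_disabled DIR NAME -- true while the DIR/disabled/NAME symlink exists.
profile_disabled() {
    [ -e "$1/disabled/$2" ] || [ -L "$1/disabled/$2" ]
}

# Constructed samples in the format shown above (not captured from a real host).
PROFILES='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/firefox-8.0/firefox{,*[^s][^h]}
0 profiles are in complain mode.'
TAIL='0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'
# Firefox profile loaded, but no Firefox process running under it.
SAMPLE_IDLE="$PROFILES
1 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (1326)
$TAIL"
# Same host with a constructed, confined Firefox process.
SAMPLE_RUNNING="$PROFILES
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (1326)
   /usr/lib/firefox-8.0/firefox{,*[^s][^h]} (2210)
$TAIL"

printf '%s\n' "$SAMPLE_IDLE"    | apparmor_summary firefox
printf '%s\n' "$SAMPLE_RUNNING" | apparmor_summary firefox
```

On a live system, run aa-status as root and pipe its output into apparmor_summary firefox while the browser is open; a result of confined=0 means the running browser is not under the profile.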
@Dietrich T. Schmitz * Your Linux Advocate Thanks, I was going to suggest that sandboxing should be the role of the OS, not the browser. Sandboxing is only necessary on the browser end if it's running on an OS that's allowing too much authority to the browser software in the first place.

For those not familiar with AppArmor, it's a program that implements mandatory access controls on programs. It can even be used to restrict the activities of the root account.
0 Votes
+ -
Precisely.
Dietrich T. Schmitz * Your Linux Advocate 10th Dec
@jgm@...
Thanks, I was going to suggest that sandboxing should be the role of the OS, not the browser.

Very astute. MS have seen fit to feather their own nest, namely to make IE run in protected mode, and sandboxing their Office 2010 product.

All other software vendors are left to deal with their own defensive measures.
So, I would agree that security should be the O/S's responsibility.

That's the current state of affairs with Windows; Linux gives you plenty of security and while there may be security vulnerabilities reported, they are fixed in due course while the user is shielded from Zero-Day attacks by LSM sandboxing.

That is the best approach to security.
0 Votes
+ -
RE: Precisely.
Rabid Howler Monkey Updated - 10th Dec
@Dietrich T. Schmitz wrote:
"MS have seen fit to feather their own nest, namely to make IE run in protected mode, and sandboxing their Office 2010 product. All other software vendors are left to deal with their own defensive measures. So, I would agree that security should be the O/S's responsibility."

Integrity levels are part of the Windows Vista/7 OS:

"What is the Windows Integrity Mechanism?"
http://msdn.microsoft.com/en-us/library/bb625957.aspx

and they were used to create IE protected mode and Office 2010 protected view, effectively sandboxing IE (including Flash Player with Adobe's assistance) and Office 2010 apps.

As for 3rd party software on Windows, Google's Chrome browser and Adobe's Reader X both rely on Windows integrity levels for sandboxing in Windows Vista/7. Here's a resource Microsoft makes available to any parties wishing to sandbox their application:

"Designing Applications to Run at a Low Integrity Level"
http://msdn.microsoft.com/en-us/library/bb625960.aspx

And some directions for sandboxing Firefox using Windows integrity levels:

http://www.h-online.com/security/features/Vista-s-Integrity-Levels-Part-2-747338.html

It's really no more difficult than with LSM on Linux using AppArmor, SELinux or Tomoyo. Unless you're using SuSE or Mandriva as these distros have provided their users with a GUI, making it relatively easy to create (and modify) app profiles or policies (SuSE uses AppArmor and Mandriva uses Tomoyo).
You are right, Linux does not matter.
0 Votes
+ -
@Dietrich

"/usr/lib/firefox-8.0/firefox{,*[^s][^h]}
/usr/lib/firefox-8.0/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox-8.0/firefox{,*[^s][^h]}//browser_openjdk"

How many regular users are going to understand this?

Messing around with symlinks and using the command line is not what we should be expecting the average user to do.
@Dietrich T. Schmitz * Your Linux Advocate The 'apparmor_parser -a' command inserts the AppArmor definitions into the kernel:

http://manpages.ubuntu.com/manpages/lucid/man8/apparmor_parser.8.html

and this command must be run with root privileges. Since Ubuntu, by default, disables the root account, one must run the command with 'sudo'. To run the command as you have shown (without 'sudo'), running 'sudo -i' first would be necessary.
0 Votes
+ -
That is a typo. Good catch.
Dietrich T. Schmitz * Your Linux Advocate 11th Dec
@Rabid Howler Monkey nt

I have elaborated on this whole 'which browser has better security' issue over at Google plus:

h-t-t-p-s://plus.google.com/u/0/101839830409692150605/posts/eZF5mdErqxD

It's a deflection from a more serious issue that Microsoft need to take ownership of that isn't being discussed.
0 Votes
+ -
RE: Report finds Firefox security lacking
CobraA1 Updated - 11th Dec
@Dietrich Except you (falsely) paint us as pushing "security by obscurity" issues. There are other issues as well:

-The popularity of the OS. Like it or not, this is a battle over more than just security, and Linux is unlikely to be taking over the desktop soon, apparmor or not. If you want to talk about security, Windows has to be in the picture. "Just move to Linux" is not gonna fly with most people.

-Usability. If you need to mess with symlinks and command line stuff, you can't expect the average user to use it. In their eyes, it's not their place to mess with low level technical stuff. If we expect it to be used, we need to make it usable.

-Compatibility. Like it or not, this is an issue. Microsoft can't just slap in a new security feature and expect everything to work. One of the big issues with any new feature, including security features, is going to be how well it plays with the rest of the ecosystem. Compatibility is a reason why most people choose Microsoft, and it's not something they can just ignore.

-Implementation. Windows is a large, vast OS. There are so many APIs in it that it's gonna be tough to effectively sandbox everything. The question becomes, what's the best way to implement an effective sandbox?

It's also going to be interesting how things unfold with the new Metro style interface. Maybe that's really what needs to be done - start fresh, drop regular apps and replace them with something new, and focus security efforts on it. The old system is incredibly complex, and a new system would be far easier to secure.
Forget the sandbox, Noscript keeps them out of the playground.
0 Votes
+ -
@Teran That is the main thing that is keeping me on Firefox. Chrome and IE might have some better security options, once a malware script starts executing, but NoScript stops the scripts even executing.

I much prefer that, to the "security" that Chrome provides. It also improves performance, because all those spying scripts from Facebook, Google Analytics, Adsearch, Doubleclick etc. don't get to run in the first place. I also add FlashBlock to the list and that stops Flash from automatically running - no annoying full-screen ads overlaying the article you are trying to read.

NotScripts is coming along, but still doesn't compare to NoScript. When there is a functional equivalent to NoScript, I'll start looking at Chrome, until then, I'll stick with Firefox.

(Of the 9 domains which try and run scripts on this page, only about 4 of them have been enabled.)
0 Votes
+ -
@wright_is I'm the same way. Every once in a while I switch to Chrome to see how much it's improved and I'm always sort of amazed how bad the experience is. I guess I'm just a bit too spoiled by my few Firefox addons.
0 Votes
+ -
RE: Report finds Firefox security lacking
Rabid Howler Monkey Updated - 10th Dec
The study looked at *default* browser settings, which is how the majority of users run their web browsers. This means that JavaScript, IFrames, image loading (think malverts) and plug-ins are *all* allowed by default, subject to web site blacklisting provided by the browser. Yikes!

@Dietrich T. Schmitz Ubuntu, and I'm guessing its supported derivatives including Kubuntu, does not enable the default AppArmor Firefox profile by default and most users run Firefox without it. A user must use the CLI and enter a command as sudo to enable the default AppArmor profile.

@Teran NoScript is a great Firefox add-on that one can use to minimize their attack surface. However, it must be downloaded, installed, configured and properly used. Trusted web sites get hacked. And if one's Adobe Flash Player, Adobe Reader (even if you're using Reader X) or Sun JRE (read Java) apps are not kept updated, one can get nailed. (Note: Chrome ships with both PDF reader and Flash Player plug-ins that are enabled, sandboxed and transparently updated. Chrome also blocks access to Java content if the JRE plug-in is out of date. IE9 sandboxes Adobe's Flash Player. Neither Chrome nor IE9 sandbox the JRE plug-in.)

Having said all of this, Firefox can be made more secure with just a bit of elbow grease.
0 Votes
+ -
Regarding the 3rd criticism, plugins, this is from Mozilla's announcement of Firefox 8: "Sometimes you download third-party software and are surprised to discover that an add-on has also installed itself in your browser without asking permission. At Mozilla, we think you should be in control, so we are disabling add-ons installed by third parties without your permission and letting you pick the ones you want to keep." Not only do users need to opt-in to plug-in installation, but the first time Firefox 8 starts it shows the users a list of installed plugins and lets them choose what they want to keep or disable. That certainly meets the "prevent download of malicious add-ons" qualification.
0 Votes
+ -
Use NoScript.
It stops those annoying js and Flash bandwidth/CPU wasters.

You mean this Chrome Sandboxing?
http://www.zdnet.com/blog/hardware/google-engineers-claim-that-chrome-pwn-bug-is-a-flash-bug/12743?tag=content;siu-container
0 Votes
+ -
RE: Report finds Firefox security lacking
cameigons Updated - 11th Dec
Thanks for posting this Adrian, I'm gonna do some research about this and if possible see what the Mozilla community has to say on these issues.

About what others commented, I too use NoScript, AppArmor, among other things. But despite that Firefox seems to be at fault here, we might be more secured because we're tech savvy, but it hurts FF's reputation among the general public.
