Report finds Firefox security lacking

Summary: Firefox lags behind Google's Chrome and Microsoft's Internet Explorer browsers in several key areas.

A report by security firm Accuvant finds Mozilla's Firefox lacking when it comes to modern security safeguards.

The report (available here) finds that Firefox lags behind Google's Chrome and Microsoft's Internet Explorer browsers in several key areas.

Note: The report was funded by Google, but Accuvant is a well-respected security firm and the report appears to be both fair and accurate.

Here are a few examples:

According to the report, Firefox security was found lacking in three key areas:

  • Sandboxing - A technology that limits how much access an exploit gets to the target machine once it has compromised the browser.
  • Just-In-Time (JIT) hardening - Technology that makes it harder for malicious JavaScript code on a website to get native code compiled and executed on the target computer.
  • Plug-in security - This limits how much access plug-ins have and also prevents the download of malicious add-ons.

Firefox also topped the list when it came to critical vulnerabilities.

The conclusions of the report won't make comfortable reading for Firefox fans:

Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening.  While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner.  Therefore, we believe Google Chrome is the browser that is most secured against attack.

Accuvant has made its data and test tools available for download to anyone interested.

If you're interested in security, Firefox might not be the right browser for you.

Talkback

23 comments
  • Change the title to Google paid "study"

    The alleged study was paid by Google and it claims results that are totally contrary to what ALL of the independent studies found.

    On top of that, Chrome is SPYWARE. How is a browser that is built with the purpose of collecting data from users more "secure" than anything else?
    wackoae
    • RE: Report finds Firefox security lacking

      @wackoae
      If the Chrome browser was spyware, then Microsoft Security Essentials would have tagged it as such.

      What data did it collect from you? The test tools are there to verify what is claimed.
      daikon
      • Given that MSE has flagged Chrome as malware multiple times

        @daikon I find it hilarious that you try to use that as a defense.

        And about being spyware .... just search for it. Even a Google search will give you a very large number of independent tests showing how Google "filters" everything you do via their servers.
        wackoae
    • RE: Report finds Firefox security lacking

      @wackoae

      "The alleged study was paid by Google and it claims results that are totally contrary to what ALL of the independent studies found."

      Examples?

      "On top of that, Chrome is SPYWARE."

      Proof?
      CobraA1
      • Answers

        @CobraA1 See results from Secunia, Networks Associates, and any independent security company you prefer.

        Proof of spyware has been available for years. Everything you do via Chrome is filtered via Google's servers. Feel free to Google it .... plenty of independent results to back up other people's findings.
        wackoae
      • RE: Report finds Firefox security lacking

        "See results from Secunia, Networks Associates, and any independent security company you prefer."

        Uh huh, so give me an example. Secunia just lists vulnerabilities, it doesn't list browser security features.

        "Feel free to Google it .... plenty of independent results to backup other people's findings. "

        Let's see . . .

        First result is Google anti-spyware . . .
        Second result, ditto . . .
        Third result is about their toolbar, which I don't use . . .

        Fourth result looks promising . . .
        Nope, 2008. Too old, things may have changed. Also, it's just autocomplete in action. If you're scared of it, turn it off.

        Fifth result, more anti-spyware.
        Sixth result is a financial stock report.
        Seventh, more anti-spyware.
        Eighth, how YOU can spy on Google, lol.
        Ninth, spyware removal.
        Tenth, what Google is doing to fight spyware.

        Terms "google spyware" (w/out quotes) in Bing, as of this date.
        CobraA1
    • RE: Report finds Firefox security lacking

      @wackoae

      "totally contrary to what ALL of the independent studies found"

      Show us ONE example of such an "independent study". One?

      Firefox has been THE browser with the MOST security vulnerabilities for years now. According to Secunia or any other source.
      honeymonster
  • Or, if you happen to be in the Linux Camp, IT DOESN'T MATTER.

    Here's my Kubuntu AppArmor LSM session information which shows Firefox sandboxed[1]:

    root@AOD260:/etc/apparmor.d# aa-status
    apparmor module is loaded.
    11 profiles are loaded.
    11 profiles are in enforce mode.
       /sbin/dhclient
       /usr/lib/NetworkManager/nm-dhcp-client.action
       /usr/lib/connman/scripts/dhclient-script
       /usr/lib/cups/backend/cups-pdf
       /usr/lib/firefox-8.0/firefox{,*[^s][^h]}
       /usr/lib/firefox-8.0/firefox{,*[^s][^h]}//browser_java
       /usr/lib/firefox-8.0/firefox{,*[^s][^h]}//browser_openjdk
       /usr/sbin/cupsd
       /usr/sbin/mysqld-akonadi
       /usr/sbin/mysqld-akonadi///usr/sbin/mysqld
       /usr/sbin/tcpdump
    0 profiles are in complain mode.
    3 processes have profiles defined.
    3 processes are in enforce mode.
       /sbin/dhclient (1326)
       /usr/sbin/cupsd (1163)
       /usr/sbin/mysqld-akonadi///usr/sbin/mysqld (1704)
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.

    -------------
    [1] Note: Default out-of-the-box Kubuntu configuration has FF disabled.
    You can enable by removing the symlink /etc/apparmor.d/disabled/usr.bin.firefox

    and running command:

    apparmor_parser -a /etc/apparmor.d/usr.bin.firefox

    I also recommend adding Noscript plugin to Firefox. DTS
    Dietrich T. Schmitz *Your
    • RE: Report finds Firefox security lacking

      @Dietrich T. Schmitz * Your Linux Advocate Thanks, I was going to suggest that sandboxing should be the role of the OS, not the browser. Sandboxing is only necessary on the browser end if it's running on an OS that's allowing too much authority to the browser software in the first place.

      For those not familiar with AppArmor, it's a program that implements mandatory access controls on programs. It can even be used to restrict the activities of the root account.
      jgm2
      • Precisely.

        @jgm@...
        [i]Thanks, I was going to suggest that sandboxing should be the role of the OS, not the browser.[/i]

        Very astute. MS have seen fit to feather their own nest, namely to make IE run in protected mode, and sandboxing their Office 2010 product.

        All other software vendors are left to deal with their own defensive measures.
        So, I would agree that security should be the O/S's responsibility.

        That's the current state of affairs with Windows; Linux gives you plenty of security and while there may be security vulnerabilities reported, they are fixed in due course while the user is shielded from Zero-Day attacks by LSM sandboxing.

        That is the best approach to security.
        Dietrich T. Schmitz *Your
      • RE: Precisely.

        @Dietrich T. Schmitz wrote:
        "MS have seen fit to feather their own nest, namely to make IE run in protected mode, and sandboxing their Office 2010 product. All other software vendors are left to deal with their own defensive measures. So, I would agree that security should be the O/S's responsibility."

        Integrity levels are part of the Windows Vista/7 OS:

        "What is the Windows Integrity Mechanism?"
        http://msdn.microsoft.com/en-us/library/bb625957.aspx

        and they were used to create IE protected mode and Office 2010 protected view, effectively sandboxing IE (including Flash Player with Adobe's assistance) and Office 2010 apps.

        As for 3rd party software on Windows, Google's Chrome browser and Adobe's Reader X both rely on Windows integrity levels for sandboxing in Windows Vista/7. Here's a resource Microsoft makes available to any parties wishing to sandbox their application:

        "Designing Applications to Run at a Low Integrity Level"
        http://msdn.microsoft.com/en-us/library/bb625960.aspx

        And some directions for sandboxing Firefox using Windows integrity levels:

        http://www.h-online.com/security/features/Vista-s-Integrity-Levels-Part-2-747338.html

        It's really no more difficult than with LSM on Linux using AppArmor, SELinux or Tomoyo. Unless you're using SuSE or Mandriva, as these distros have provided their users with a GUI, making it relatively easy to create (and modify) app profiles or policies (SuSE uses AppArmor and Mandriva uses Tomoyo).
        Rabid Howler Monkey
    • RE: Report finds Firefox security lacking

      You are right, Linux does not matter.
      101abn
    • RE: Report finds Firefox security lacking

      @Dietrich

      "/usr/lib/firefox-8.0/firefox{,*[^s][^h]}
      /usr/lib/firefox-8.0/firefox{,*[^s][^h]}//browser_java
      /usr/lib/firefox-8.0/firefox{,*[^s][^h]}//browser_openjdk"

      How many regular users are going to understand this?

      Messing around with symlinks and using the command line is not what we should be expecting the average user to do.
      CobraA1
    • RE: Or, if you happen to be in the Linux Camp, IT DOESN'T MATTER.

      @Dietrich T. Schmitz * Your Linux Advocate The 'apparmor_parser -a' command inserts the AppArmor definitions into the kernel:

      http://manpages.ubuntu.com/manpages/lucid/man8/apparmor_parser.8.html

      and this command must be run with root privileges. Since Ubuntu, by default, disables the root account, one must run the command with 'sudo'. To run the command as you have shown (without 'sudo'), running 'sudo -i' first would be necessary.
      Rabid Howler Monkey
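      The aa-status listing and the enable-the-profile steps in Dietrich's comment, together with the sudo correction above, describe a check a defender can script: is the Firefox AppArmor profile actually loaded in enforce mode, or only in complain mode, or not loaded at all (the out-of-the-box state on Ubuntu/Kubuntu)? The following POSIX shell snippet is an added example and not code from any commenter or from the AppArmor project. The two status texts are constructed samples modelled on the session above; the profile path prefix and the profile names are assumptions for the demo, and on a live system the function would be fed `sudo aa-status` output instead.

```shell
#!/bin/sh
# Added example: decide from `aa-status` output whether a program's AppArmor
# profile is really enforced. The samples below are constructed, modelled on
# the Kubuntu session in the thread; on a real box use the live output, e.g.
#   confined_or_explain "$(sudo aa-status)" /usr/lib/firefox
# (aa-status, like apparmor_parser, needs root).

# Constructed sample 1: Firefox profile loaded and in enforce mode.
SAMPLE_ENFORCED='apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/firefox-8.0/firefox{,*[^s][^h]}
   /usr/lib/firefox-8.0/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox-8.0/firefox{,*[^s][^h]}//browser_openjdk
   /usr/sbin/cupsd
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (1326)
   /usr/sbin/cupsd (1163)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Constructed sample 2: profile loaded but only in complain mode, which logs
# violations without blocking them, so it is not a sandbox yet.
SAMPLE_COMPLAIN='apparmor module is loaded.
2 profiles are loaded.
1 profiles are in enforce mode.
   /sbin/dhclient
1 profiles are in complain mode.
   /usr/lib/firefox-8.0/firefox{,*[^s][^h]}
1 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (1326)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# profile_mode STATUS_TEXT PATH_PREFIX
# Prints "enforce", "complain" or "absent" for the first profile whose path
# starts with PATH_PREFIX. Only the "N profiles are in ... mode" sections are
# scanned; the per-process sections further down reset the scan state.
profile_mode() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /profiles are in enforce mode/  { mode = "enforce"; next }
        /profiles are in complain mode/ { mode = "complain"; next }
        /processes/                     { mode = "" }
        mode != "" && index($1, want) == 1 && found == "" { found = mode }
        END { print (found == "" ? "absent" : found) }'
}

# confined_or_explain STATUS_TEXT PATH_PREFIX
# Exit status 0 only when the profile is enforced; otherwise say what is missing.
confined_or_explain() {
    mode=$(profile_mode "$1" "$2")
    case "$mode" in
        enforce)  echo "$2: confined (enforce mode)"; return 0 ;;
        complain) echo "$2: profile loaded in complain mode only; switch it with aa-enforce" ;;
        absent)   echo "$2: no profile loaded; load it with apparmor_parser as root" ;;
    esac
    return 1
}

# Demonstration on the constructed samples ("|| true" keeps the demo running
# when a check fails under set -e).
confined_or_explain "$SAMPLE_ENFORCED" /usr/lib/firefox-8.0/firefox || true
confined_or_explain "$SAMPLE_COMPLAIN" /usr/lib/firefox-8.0/firefox || true
confined_or_explain "$SAMPLE_ENFORCED" /usr/bin/chromium-browser   || true
```

      The prefix match is deliberate: aa-status prints the profile name with its glob (`firefox{,*[^s][^h]}`) and separate child profiles (`//browser_java`), so matching on the directory prefix catches the parent whichever Firefox version the profile was written for. Such a check belongs in a post-install script or a compliance scan rather than in a user's hands, which is the usability objection raised further down in this thread.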
      • That is a typo. Good catch.

        @Rabid Howler Monkey nt

        I have elaborated on this whole 'which browser has better security' issue over at Google plus:

        h-t-t-p-s://plus.google.com/u/0/101839830409692150605/posts/eZF5mdErqxD

        It's a deflection from a more serious issue that Microsoft need to take ownership of that isn't being discussed.
        Dietrich T. Schmitz *Your
      • RE: Report finds Firefox security lacking

        @Dietrich Except you (falsely) paint us as pushing "security by obscurity" issues. There are other issues as well:

        -The popularity of the OS. Like it or not, this is a battle over more than just security, and Linux is unlikely to be taking over the desktop soon, apparmor or not. If you want to talk about security, Windows has to be in the picture. "Just move to Linux" is not gonna fly with most people.

        -Usability. If you need to mess with symlinks and command line stuff, you can't expect the average user to use it. In their eyes, it's not their place to mess with low level technical stuff. If we expect it to be used, we need to make it usable.

        -Compatibility. Like it or not, this is an issue. Microsoft can't just slap in a new security feature and expect everything to work. One of the big issues with any new feature, including security features, is going to be how well it plays with the rest of the ecosystem. Compatibility is a reason why most people choose Microsoft, and it's not something they can just ignore.

        -Implementation. Windows is a large, vast OS. There are so many APIs in it that it's gonna be tough to effectively sandbox everything. The question becomes, what's the best way to implement an effective sandbox?

        It's also going to be interesting how things unfold with the new Metro style interface. Maybe that's really what needs to be done - start fresh, drop regular apps and replace them with something new, and focus security efforts on it. The old system is incredibly complex, and a new system would be far easier to secure.
        CobraA1
  • RE: Report finds Firefox security lacking

    Forget the sandbox, Noscript keeps them out of the playground.
    Teran
    • RE: Report finds Firefox security lacking

      @Teran That is the main thing that is keeping me on Firefox. Chrome and IE might have some better security options once a malware script starts executing, but NoScript stops the scripts from executing in the first place.

      I much prefer that to the "security" that Chrome provides. It also improves performance, because all those spying scripts from Facebook, Google Analytics, Adsearch, Doubleclick etc. don't get to run in the first place. I also add FlashBlock to the list and that stops Flash from automatically running - no annoying full-screen ads overlaying the article you are trying to read.

      NotScripts is coming along, but still doesn't compare to NoScript. When there is a functional equivalent to NoScript, I'll start looking at Chrome, until then, I'll stick with Firefox.

      (Of the 9 domains which try and run scripts on this page, only about 4 of them have been enabled.)
      wright_is
      • RE: Report finds Firefox security lacking

        @wright_is I'm the same way. Every once in a while I switch to Chrome to see how much it's improved and I'm always sort of amazed how bad the experience is. I guess I'm just a bit too spoiled by my few Firefox addons.
        Aerowind
  • RE: Report finds Firefox security lacking

    The study looked at *default* browser settings, which is how the majority of users run their web browsers. This means that JavaScript, IFrames, image loading (think malverts) and plug-ins are *all* allowed by default, subject to web site blacklisting provided by the browser. Yikes!

    @Dietrich T. Schmitz Ubuntu, and I'm guessing its supported derivatives including Kubuntu, does not enable the default AppArmor Firefox profile by default and most users run Firefox without it. A user must use the CLI and enter a command as sudo to enable the default AppArmor profile.

    @Teran NoScript is a great Firefox add-on that one can use to minimize their attack surface. However, it must be downloaded, installed, configured and properly used. Trusted web sites get hacked. And if one's Adobe Flash Player, Adobe Reader (even if you're using Reader X) or Sun JRE (read Java) apps are not kept updated, one can get nailed. (Note: Chrome ships with both PDF reader and Flash Player plug-ins that are enabled, sandboxed and transparently updated. Chrome also blocks access to Java content if the JRE plug-in is out of date. IE9 sandboxes Adobe's Flash Player. Neither Chrome nor IE9 sandbox the JRE plug-in.)

    Having said all of this, Firefox can be made more secure with just a bit of elbow grease.
    Rabid Howler Monkey