Firefox or IE? Strange answer to security question


A study by the non-profit Honeynet Project has come up with a strange answer to the Firefox versus Internet Explorer security question.

During the experiment, conducted in May 2007, the group compared three browsers -- Internet Explorer 6 SP2, Firefox 1.5.0 and Opera 8.0.0 -- to determine whether using an alternative browser would be an effective means to reduce the risk of malware attacks.

(Note: Firefox 1.5 is no longer supported and the latest version of Microsoft's Web browser is IE 7.0. Opera's newest iteration is 9.23.)

The results:

Common perception about Internet Explorer and Firefox is that Firefox is safe and Internet Explorer is unsafe. However, a review of the remote code execution vulnerabilities (primary source: SecurityFocus) that were publicly disclosed for Firefox 1.5 and Internet Explorer SP2 reveals that, in fact, more were disclosed for Firefox 1.5, indicating that, if anything, the opposite is true.

This image shows known remote code execution vulnerabilities per browser:

[Image: known remote code execution vulnerabilities per browser]

However, when client honeypots with these browsers surfed to a list of about 30,000 known exploit servers, the URLs that produced a 0.5735% rate of successful compromises of Internet Explorer 6 SP2 did not cause a single successful attack on Firefox 1.5.0 or Opera 8.0.0.

"Particularly the results on Firefox 1.5.0 are surprising, considering the number of remote code execution vulnerabilities that were publicly disclosed for this browser and the fact that Firefox is also a popular browser," the Honeynet Project said, speculating that perhaps Firefox was never a target of those exploits.

We can only speculate why Firefox wasn’t targeted. We suspect that attacking Firefox is a more difficult task as it uses an automated and "immediate" update mechanism. Since Firefox is a standalone application that is not as integrated with the operating system as Internet Explorer, we suspect that users are more likely to have this update mechanism turned on. Firefox is truly a moving target. The success of an attack on a user of Internet Explorer 6 SP2 is likely to be higher than on a Firefox user, and therefore attackers target Internet Explorer 6 SP2.

Citing browser distribution statistics from w3Schools.com, the study noted that Internet Explorer 6 is still used by more than 38 percent of Internet users worldwide.

Considering that Internet Explorer 7 has been pushed as a high security update by Microsoft for several months, there is an indication that a large number of these users probably do not have automatic updates turned on. Some portion of these 38.1% that do have automatic updates turned on have probably made a conscious decision not to update to Internet Explorer 7, but rather to just accept Internet Explorer 6 patches. Nevertheless, we suspect that many simply do not have automatic updates enabled.

The study, titled "Know Your Enemy: Malicious Web Servers," is available for download (.pdf).

Topics: Browser, Microsoft, Security

Talkback

155 comments
  • Statistics explanation

    [i]However, when client honeypots with these browsers surfed to a list of about 30,000 known exploit servers, [b]the URLs that resulted in a 0.5735% of successful compromises of Internet Explorer 6 SP2[/b] did not cause a single successful attack on Firefox 1.5.0 or Opera 8.0.0.[/i]

    I don't understand what that statistic means. If these were 30,000 known exploit servers, shouldn't there have been a 100% compromise rate?

    Also, what were the client machines? Were they all configured the same or was this a sample of actual users on the Internet who happened to be using IE6 SP2? If these were actual users and it turns out that only 0.5% of IE6 SP2 users who navigated to a [b]known[/b] exploit server were compromised, it certainly blows away the frothing at the mouth claims of "you are 100% certain to be compromised if you use IE6" from the ABMer zealots.

    It would also be interesting to know what kept the 99.5% of IE6 SP2 users safe even while they were surfing to [b]known[/b] exploit servers. If the only difference between the 99.5% and the 0.5% was that the 99.5% had auto updates on, then this study would suggest that IE6 SP2, combined with auto updates, is actually a fairly safe way of surfing the Internet. Not the safest, no, but nowhere near as bad as certain people (with blatant anti-MS agendas) would like to suggest.

    Oh, and I use Firefox so I'm certainly not biased in favor of IE. I'm just curious exactly what that statistic meant since it wasn't very well explained.
    NonZealot
    • Read the Full .pdf

      The full study answers all your questions.
      jfp
      • Thanks, I missed that link

        The full study raises a couple interesting points.

        1. From what I understand of their methods, no conclusions can be made about which browser is actually exploited more often. They first identified malicious URLs by using IE6 SP2 and watching for changes to the machine indicative of a drive-by infection. Once they identified those URLs, they then retested with Firefox and Opera and discovered that those browsers weren't infected. This only tells us that sites built to exploit IE6 aren't written to also exploit Firefox or Opera. A URL serving Firefox and Opera exploits wouldn't have been identified in the first pass as a malicious URL since only IE6 was used to identify malicious URLs.

        2. The 0.5% refers to the percentage of Adult oriented URLs that were found to contain IE6 exploits and is not at all representative of how many clients were actually exploited. 100% of those URLs were capable of exploiting an unpatched IE6 SP2 machine [b]however none (not 1) were able to exploit a fully patched IE6 SP2 machine[/b].

        3. I wish they had also tested the clients while logged in as a restricted rights user. Whenever particularly nasty exploits have been published, I've looked at the details and discovered that 100% of them were written assuming the user was an Administrator. Take away those privileges and 100% of the drive-by-download exploits would fail. This is not only important for XP users that have changed the default settings but is also extremely relevant with Vista considering that the default configuration takes away almost all of IE7's system privileges.

        As I said above, I'm a Firefox user because I actually prefer Firefox regardless of how secure it is so what I'm about to say is said without a hint of bias. This article proves what I've suspected all along: you are very safe no matter what browser you use as long as you keep up with the latest patches. Considering all of these products have auto-patching capabilities turned on by default, this is not a difficult practice to follow. If it makes you feel better that Firefox and Opera offer 99.9999% protection while IE only offers 99.9998% protection, use Firefox/Opera. Otherwise, use whatever browser gives you the best functionality.
        NonZealot
        • Finally. A valid and insightful post. Thanks <nt>
          xuniL_z
        • Concise analysis...

          Straight to the point
          JCitizen
        • Great Analysis

          It's a shame the authors of this article didn't put 2 + 2 together like you did.
          dbucciar
        • "no conclusions can be made"

          Well of course not. Otherwise you wouldn't be able to read it wearing your Microsoft glasses.
          Ole Man
        • IE has some systematic holes not shared by Firefox,

          Both IE and firefox implement leaky sandboxes.

          * The way ActiveX is used in IE is inherently insecure.
          * The way Firefox XPI installs are implemented are inherently insecure.
          * Both trust Windows helper application bindings when they shouldn't.

          The systematic security of these two programs comes down to the relative security problems inherent in XPI and in ActiveX. I believe that ActiveX *as used in IE* is inherently far less secure than XPI, and that the relative incidence of exploits and vulnerabilities bears me out.

          I do not consider IE secure enough for general use, except by people who are extremely security conscious. For the general population, the risk of accidentally approving execution of a compromised component is too high.
          Resuna
    • Explanation Was Clear: They're Comparing Old Corrupt Browsers

      That is the reason for updates and no one is in any doubt that Firefox has its fair share of attacks. That is the nature of the business. The main thing to note is the speed at which Firefox releases its upgrades as compared to IE: Firefox just kicks the ever loving crap out of MS on repairs.

      Modern comparison:

      Secunia: Internet Explorer 7

      Vendor: Microsoft
      Product Link: View Here (Link to external site)
      Affected By: 18 Secunia advisories
      Unpatched: 56% (10 of 18 Secunia advisories)
      Most Critical Unpatched: The most severe unpatched Secunia advisory affecting Microsoft Internet Explorer 7.x, with all vendor patches applied, is rated Highly critical

      Secunia: Firefox

      Vendor: Mozilla Organization
      Product Link: View Here (Link to external site)
      Affected By: 14 Secunia advisories
      Unpatched: 43% (6 of 14 Secunia advisories)
      Most Critical Unpatched: The most severe unpatched Secunia advisory affecting Mozilla Firefox 2.0.x, with all vendor patches applied, is rated Less critical


      Firefox continually updates their software and IE just fails, so what is more secure, Firefox or IE?

      FIREFOX

      Winner by a landslide.
      If anyone is still using IE, you're just dumb!
      IceTheNet@...
  • Oh Boy, here we go

    Somewhere an avid IE fan is going to point to an FF fan and go, "Nyah nyah nyah nyah nyah," and point a finger or something.
    An article such as this will probably start a flame war. But at least it isn't a My OS is better than your OS thing, as it seems this article was PRIMARILY aimed at browsers used on a Windows platform.

    Something else to consider is this seems to deal with the PREVIOUS (or obscenely previous) versions of these browsers instead of the more up to date ones. And I have to wonder where their supportive data is. I also wonder if they are performing all of these 'tests' as we speak on the more up to date versions?

    I do like that it was pointed out that FF wasn't coded into the OS like IE is, thus making it more of a moving target and harder to crack. On the flip side of that, IE is coded into the OS and has protection that FF does not. It all depends on how you look at it.

    I personally prefer FF a lot more than I do IE but I do use IE sometimes as there are websites that just won't work without it. But then again I also use Netscape.
    Shelendrea
    • Or it could happen that

      an avid FF fan is going to point to an IE fan and do the same thing over the zero exploits.
      But I don't really care. I use IE7 and have had FF loaded for a long time now, originally to see if it was all it claimed. I found it to be faster than IE 6, but I find IE7 to be noticeably faster than FF on XP now. IE7 is always slow on that initial load, but it flies the rest of the period you have your machine on, which for me could be a month or more.
      xuniL_z
    • Hmm?

      "... IE is coded into the OS and has protection that FF does not"

      Uh - like what protection? Is there an e-condom in there or something?
      zoroaster
      • Don't know anything about IE6/XP

        but IE7 in Vista runs in a protected mode "sandbox", where it has very limited access to the OS. Firefox does not run in this mode (hopefully they will get around to fixing that one day), so if exploited it has the potential to be more damaging, running with user privileges. Of course, there may be IE exploits discovered that allow the exploiter to bypass the protected mode.

        But as I said, don't know of any relevant to this study.
        Azriphale
      • Yes.

        It's cherry flavored.
        xxn1927
    • Another ~strange~ thing

      Notice how the Zealots (almost all of them) claim to use Firefox, yet religiously defend IE?
      Ole Man
  • Lies... Damned Lies... and Statistics.

    One of the problems I have with this study is that the Honeynet Project did not include the latest versions of IE and Firefox as a comparison. I know they wanted to use the most prevailing version to run their tests. But I think they did both IE and Firefox a disservice by not [i]also[/i] including the newer versions. It would have been educational for everyone.
    sbarman
    • This info is of no use whatsoever...

      I can almost understand including IE6 (the swiss-cheese of browsers), but Firefox 1.5? It hasn't even been supported for some time now.

      The RIGHT test would have been:

      IE 6
      IE 7
      Firefox 2.06
      Opera (whatever is the latest version).

      That would have been a useful test.
      BitTwiddler
      • Close...

        Close, but no cigar. Try this:
        IE 6
        IE 6 SP2 (fully patched)
        IE 7 (current version, fully patched)
        Firefox 1.5
        Firefox 1.8
        Firefox 2.06? (current version, fully patched)
        Opera 8
        Opera 9.23? (current version, fully patched)

        Just for fun, let's also take a look at Safari for Windows-Hmmm?
        justanitguy
        • There is no Firefox 1.8

          [i]Close, but no cigar. Try this:
          IE 6
          IE 6 SP2 (fully patched)
          IE 7 (current version, fully patched)
          Firefox 1.5
          Firefox 1.8
          Firefox 2.06? (current version, fully patched)
          Opera 8
          Opera 9.23? (current version, fully patched)[/i]

          Firefox went from 1.5.0.* to 2.0.*; there was never a 1.8. The version of the Gecko engine used in Firefox 2 is 1.8, which confuses many users.
          Greenknight_z
          • True but wasn't there a 1.7 for about a week before 2.0 came out?

            NT
            maldain