Maybe Firefox doesn't have a security edge after all

On his blog, a Firefox evangelist takes a months-old quote from a Microsoft security expert completely out of context and tries to convince his readers that Firefox is still more secure than Internet Explorer. Trouble is, that might not be true any more. Why the desperate, distorted attack? Are Firefox fans beginning to realize that IE has the upper hand on security issues these days?

Kvetching about Microsoft security flaws is so 2002.

That thought came to mind today when I read a misleading and disingenuous post by Firefox evangelist Asa Dotzler. Now, Asa just got back from a trip halfway around the world. So I’m going to assume that it was jet lag that caused him to write and publish a post entitled “microsoft security manager calls users stupid,” which contained these fightin’ words:

A couple of months ago, Mike Danseglio, the Program Manager for the Security Solutions group at Microsoft blamed users for the Windows security nightmare, saying "there really is no patch for human stupidity."

Nice one, Mike.

Actually, Mike, there really is no patch for that kind of blame shifting. We make software and it's our job to make it work. Designing and building software is an extremely complex process but it is not magic and it is not only possible to make it safe, it's a requirement.


At Mozilla, we put the user first. Always. We spend our days working to improve the Web for users and to protect them from the bad guys. At Microsoft, at least some have decided it's better to spend their time calling users stupid and blaming them for the problem.

Zing! Boy, Asa, you really showed him, didn’t you? Too bad you took the quote completely out of context. Did Danseglio "blame users for the Windows security nightmare"? Judge for yourself. Here’s the full paragraph from Ryan Naraine’s eWeek article:

"Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity," [Danseglio] said.

Oh. Phishing is what we’re talking about here? (To their credit, several commenters on Asa’s post pointed out the same thing.) So how good is Firefox at handling phishing attempts? After all, one of the rotating text blurbs on the Firefox Start page boasts: “Browse the Web with confidence. Firefox protects you from viruses, spyware, and phishing.” Curiously, the linked page doesn't mention phishing even once.

So I put it to the test. I just copied a link from one of the many phishing attempts I receive in my e-mail inbox every day and opened it in Firefox. Guess what? It opened right up, with no indication from Firefox that the site was suspicious or that I shouldn’t enter my PayPal login credentials there. In other words, if I do something stupid, I’m going to pay the consequences and maybe have my PayPal account cleaned out.

See for yourself:


Looks pretty legit, doesn’t it?

I clicked on the Help menu in Firefox and typed in phishing. Nothing. I guess Firefox hasn’t gotten around to recognizing that phishing is a problem. Oh, wait, they have. But it's only available in alpha code right now, not in a stable beta or a released version.

Now, IE6 doesn’t have any anti-phishing features, either. But what happens if I open the same page in IE7, which is available as a stable public beta? The results are pretty dramatically different:


Internet Explorer blocks navigation to the page with a bright red warning icon and a clear explanation. The address bar turns red too, and clicking the Phishing Website badge to the right of the address displays this additional information:


Advantage IE, at least for now.

Asa’s not the only one to grossly distort Mike Danseglio’s comments, as I’ve noted before. But the fact is that social engineering is still a brutally effective way to get people to download and install stuff that ultimately is going to harm them. And you can use just about any software to do it. It’s hard to engineer security that protects people from being fooled into doing stupid things. That’s true on the street, if you happen across a three-card monte game. It’s true on the web, too.

And as long as we're talking irony, let's talk about ActiveX. Most of the substance of Asa's post is about ActiveX support in IE. He says:

For years, Mozilla struggled with website compatibility issues because it did not support Microsoft's ActiveX technology, another major vector for security attacks on users. Not only would it have been a lot of work to reverse engineer and build Mozilla support for ActiveX, it would have opened Mozilla up to some of the worst threats on the Web. It would have been a bad idea.

So, what do I see when I open Asa's home page in IE7?



Ha! (The ActiveX control used on his page is QuickTime, by the way, and don't get me started.)

Once upon a time, Firefox had a big security advantage over IE. Today, not so much. Firefox has had four updates in the seven months since it was released. Each of those updates fixed one or more major security issues that could result in a user clicking a link or viewing a webpage and installing hostile code. If you miss an update, you’re vulnerable, even if you’re not stupid. In other words, Firefox isn’t so secure, either, and its developers are only human. (And don’t talk to me about Firefox’s Auto Update. I just checked the version of Firefox running on this machine. It’s, which means I’m a release behind and in mortal danger of getting zapped if I don’t update right away.)

But don’t take my word for it. Ask Adam Shostack, who has forgotten more about computer security than most so-called security experts know. He also knows a thing or two about phishing, as a quick perusal of his August 2005 essay, Preserving the Internet Channel Against Phishers, will attest. Adam just went to work for Microsoft, a development that raised lots of eyebrows in the security community. He explains:

In the past, I've heaped scorn on Microsoft's security related decisions. Over the last few years, I've watched Microsoft embrace security. I've watched them make very large investments in security, including hiring my friends and colleagues. And really, I've watched them produce results.

In making this decision, I've had conversations with many people and organizations. The one theme that stands out was the difference in the conversations I had with Microsoft versus other software producers. Some of the things that Microsoft does and are looking to improve haven't even made it in rudimentary form anywhere else.

Ironically, some early versions of that essay appeared as posts on Shostack’s Emergent Chaos blog, under the titles Don't Use Email Like a Stupid Person and More on Using Email Like A Stupid Person.

He’ll fit right in at Microsoft.