SANS Report – Mozilla/Firefox More Secure

The SANS Institute (a respected information security research and education organisation) has released a new version of its “Top 20 Internet Security Vulnerabilities” document (via Slashdot).

It’s pretty good news. The introduction to the “Web Browsers” section gives an excellent summary of the current problems with IE. And, at first glance, Mozilla/Firefox beats IE 7 to 15 in the vulnerabilities list.

In fact, it’s even better than that. One of the seven is a MIME problem in Mozilla Mail – it’s hardly fair to include that when looking at browser function. The claim that “all these vulnerabilities also apply to Firefox 0.9.x” – I’d be impressed if that one does :-) And the last one (Cross-Site Scripting) was also never a problem in Firefox or Mozilla 1.7. So we actually win 5 to 15. Of course, some of the IE ones may be similarly bogus. Feel free to comment if you feel that’s the case.

But that’s not the whole picture. Security is not just about the vulnerability count, it’s also about (among other things) the development methodology, the application architecture and the speed of response to problems. Fortunately, we’re ahead in those areas as well – as the SANS report notes.

5 thoughts on “SANS Report – Mozilla/Firefox More Secure”

  1. Another thing I noticed is that almost all Mozilla vulnerabilities are already fixed, whereas many IE vulnerabilities are not, and must be dealt with via (cumbersome) workarounds.

    Just go here: http://www.sans.org/top20/#w6 (section W6.3) and click on the links to the vulnerabilities. Then look under “Solution:”.

  2. Methinks that ‘Mozilla Fails to Restrict Access to “shell:”’ isn’t a failure of Mozilla, but of the OS failing to provide proper protocol security.

  3. Congratulations! I keep recommending Firefox to people, and this is one of the prime reasons I do. Unfortunately not everyone wants to switch, many seeing it as unnecessary hassle.

    I wonder if there is a link to the last post here. The main advantages of the Gecko-based browsers seem to be:

    (1) increased security (touted as, to coin a phrase, the killer reason on “Browse Happy”);

    (2) better compliance with standards, and general technological superiority.

    The first reason is obviously good for any user. And the second helps us all: If these browsers – together with Safari and Opera – were to become what was used by the majority of users the evolution of the web would no longer be held back, and we’d all gain. (Web designers could use, for example, adjacent sibling selectors – it’s hardly rocket science in CSS terms!) The simpler and neater code that would result from greater CSS use would in the long run probably particularly benefit assistive devices.

    These are good reasons. But I can’t see that either of these – or any of the other obvious reasons – is of immediate benefit to AOL specifically.

    Here I think is the downside for them…

    We all know that every now and then we’ll need to use IE to access a badly-written site.

    There can be problems with organizations like banks, too – though for different reasons. Banks probably worry that one will try to access with an old browser that hasn’t got adequate encryption; so – lazily – they sniff for IE5/6 and chuck anything else out.

    I changed my ISP for this very reason. Some pages on their site – in effect the https ones – were inaccessible with my usual browser (Safari on Mac OSX). If I switched to my Windows machine, and used my favourite Windows browser – Firefox – I was thrown out, too. In either case, I got this message:

    “You need to update your browser” together with a link to Microsoft’s site.

    Bloody cheek!

    I wrote to my previous ISP twice, but they failed to amend the page. (I guess my previous ISP was a very large organization, and whoever receives the complaint mail doubtless would have no responsibility for the site and wouldn’t know where to pass such a request.)

    But it annoyed me; so I changed to a smaller one that seemed to be browser neutral.

    Isn’t this likely to be AOL’s concern? I’d think they’d want their customers to have *one* interface to the web. Can you imagine the average AOL customer swapping between browsers every now and then – even if it’s only for 1% of sites? Likely if they got a message: “You need to update your browser”, they’d ring tech support and say, “What’s wrong with my browser? I only just put it on off your CD, and it seems to be out-of-date or broken already. I always used to be able to book a holiday [etc., etc.] with it. Now I can’t get to the site.”

    I love Safari on my Mac and Firefox on Windows and I hate this situation. But I see no easy way round this one. IE has been so dominant for so long that people code/miscode for it – consequently although it’s a bad browser, it will always “work”.

  4. I posted the following comment on Slashdot.

    I wouldn’t take SANS’s list of browser security holes [sans.org] too seriously. It lists the most publicized holes in Mozilla rather than the most serious holes. (To get a list of the most serious holes, look at the “critical severity, high risk” holes (marked in red) on mozilla.org’s list [mozilla.org].) SANS’s list includes Mozilla XPInstall Dialog Box Security Issue [secunia.com], which was fixed a few months ago, but fails to mention that a fully-updated version of IE in SP2 is still vulnerable. Under the list, SANS claims that Firefox does not have automatic updates, which is false.