SANS have released their “Top 20 security vulnerabilities” for 2007.
Users who are allowed by their employers to browse the Internet have become a source of major security risk for their organizations. A few years back securing servers and services was seen as the primary task for securing an organization. Today it is equally important, perhaps even more important, to prevent users having their computers compromised via malicious web pages or other client-targeting attacks.
Quite right. 9 days (rather than 286 days) should be looking pretty good to a lot of companies right now.
The SANS article does have a section on browsers. It says the following about Firefox:
Mozilla Firefox is the second most popular web browser after Internet Explorer. It also has a fair share of vulnerabilities. In 2007, it has released several updates to address publicly disclosed vulnerabilities. Similarly to Internet Explorer, unpatched or older versions of Firefox contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. …
Yes, but how many people are actually using old versions of Firefox (as opposed to old versions of IE)? According to Secunia, only 5% of Firefox users do, compared with 10% of IE users. Actually, I’m amazed the IE number is that high. Most Windows PCs I come across are very out of date with patches. Firefox, on the other hand, doesn’t give you a choice.
They lay into IE about ActiveX, and then list 10 things you should or could do to mitigate the risk. The last one?
Consider using other browsers such as Mozilla Firefox that do not support ActiveX technology.