Mozilla Firefox Security Flaws Exposed
Published May 10, 2005
Well, if success breeds anything, among its chief offspring are critics, moochers looking for a handout, and people trying to exploit a weakness. In that regard, Mozilla's Firefox browser - frequently touted as a bulletproof application not prone to the security holes that have plagued Microsoft's Internet Explorer browser - is now seeing its code cracked and some security problems exposed.
According to reports, new vulnerabilities in the program have been identified (this makes the fourth such incident in the span of three months). This latest round of coding flaws (called the "proof of concept" flaws) has been rated "extremely critical" by the Secunia security company, and could allow an attacker to convince the user that he is downloading files from the Mozilla Foundation itself, for example from sites like addons.mozilla.org or update.mozilla.org.
As interim fixes, Mozilla is encouraging users either to deactivate JavaScript or to set the browser not to accept installation of additional software, such as extensions or themes. Mozilla also plans to release a security update called Firefox 1.0.4.
Conspiracy theorists might wonder if Microsoft software engineers are staying up late developing ways to attack the supposedly invulnerable browser that has been stealing market share (if there can be a market for a product which is distributed freely). Microsoft's Internet Explorer still has about 90% of the browser market, but that is down from a high of almost 95% before the release of Firefox 1.0 (which has been downloaded some 44 million times).
Clearly, one has to ask whether these latest flaws will discourage further defection from Internet Explorer. As a Firefox user myself, I don't think so, although they are troubling. One of the big pitches for switching was security, and these holes indicate that the security claims may have been overstated a bit. Then again, it is reminiscent of the notion that there aren't many viruses or security problems with Apple or Linux systems - part of that may be that they represent such a small portion of the global market that hackers aren't that interested in mucking with the code. There's more bang for the buck in hacking Windows systems. Similarly, for a long time IE vulnerabilities were examined principally because so many people were using the browser; with all the attention being paid to Firefox, it was probably inevitable that people start challenging the notion that it was truly invulnerable.
Two things, however, may help Firefox continue chipping away at Microsoft's dominance. The first factor is how quickly Mozilla responds to this threat - candidly, telling users to turn off JavaScript is an interim fix at best (and an irritant as well). If a fix is quickly forthcoming, that will alleviate some concerns. The other factor is that Firefox isn't all about security; it's also about an improved browser experience. With tabbed browsing and a host of other features (and the ability to extend functionality through extensions and themes), the program is far more customizable than Internet Explorer. While it remains to be seen whether those factors will be enough to overcome the latest in a string of vulnerabilities, I certainly hope so - if nothing else, Firefox has stimulated interest in what a browser can do, and has highlighted the creative stagnation which so frequently exists when a company has monopoly power over a market.
- Type: Opinion
- Section: Sci/Tech
- Filed Under: Sci/Tech: Internet, Sci/Tech: Software
- Writer: W.E. Wallo
Comments
You may be right about the weak closing argument - it's still early here. :)
However, I think it depends on how you look at the "pitch." Is it one "or" the other, or one "and" the other? Security has been a big claim, as has stability and file size (Firefox is much smaller, cleaner code, etc - who knows, maybe that plays into the ability to identify flaws). But the open source nature of Firefox makes it more receptive to customization and innovation than IE has been. For many people, such as myself, those innovations were the reason to switch (if I were really concerned about security, I'd own an Apple, and I don't).
So while you may feel that the pitch is shifting, I think it is a multiple-pronged issue rather than one single thing.
Thanks for the input, though.
I didn't leave IE because of its security problems. I left because of Microsoft's arrogance. All software has vulnerabilities. MS software is loaded with gratuitous vulnerabilities that demonstrate MS's contempt for its user base.
The closing argument may be weak - but the alternative is weaker. Nature discovered strength through diversity many millions of years ago. Non-diverse populations are vulnerable because they are all prone to the same weaknesses - when one dies, they all die (or, at least, a lot do). We need similar diversity in technology to create strength through cross-fertilisation, and improvement through competitive innovation. I will continue to back Firefox (which has shown no more vulnerability than IE) because diversity is important for the long term.
Dead on, Greg. That this country decided to allow MS to become the only legal monopoly just amazes me. It has created exactly the situation described in Business 101. Lack of competition stifles innovation and creates companies unresponsive to customer complaints. If there's no alternative to MS, then why should they bother fixing anything? Just throw some new unneeded features in to keep the marketing boys happy and sell, sell, sell.
It's all about a thing called 'value leverage'...The contributors to this blog are in psychographic terms 'innovators'...i.e. people interested in technology. Mainstream markets consist of people who are interested in the application of technology and only take a passing interest in its nuts and bolts.
IBM got this wrong in the early 80's when it failed to understand that 'a standard' has more value than manufacturing excellence (this is what it chose as its basis of competitive advantage with the launch of the 5150).
Actual risk and perceived risk are different. The perceived risk is a systems architecture that has no support, migration path, or skills pool. The actual risk is loss of availability, loss of data and confidentiality.
Mainstream markets perceive risk differently from technologists and therefore value 'security' differently.
Microsoft wrote the standards book and is well aware of what is valued by mainstream markets.
Great opening line - weak closing argument though.
"Firefox isn't all about security; it's also about an improved browser experience" - Firefox, and most of the non-Microsoft competition, tends to shift its pitch when convenient, no offense meant personally.