
Mozilla: The Honeymoon is over





When Firefox’s Mozilla came onto the scene four months ago it looked like an end to the constant struggle against Microsoft’s Internet Explorer security vulnerabilities was finally in sight.

The promise was almost too good to be true: a viable alternative that had been designed with a security conscious approach, no pop-ups and none of IE’s vulnerabilities.

The word from the early adopters was positive: smoother, faster and more secure. Their praise, coupled with CERT’s recommendation that customers switch browsers away from IE, has pushed Mozilla into the mainstream. It has now been downloaded nearly 27 million times and, for the first time in three years, IE’s market share has fallen below 90%. Mozilla is now as commonplace in City offices as it is with tech-savvy home users.

But how is Mozilla faring now that the honeymoon period is over?

Certainly cracks have been appearing. The number of vulnerabilities has risen dramatically in the last quarter and ScanSafe has noticed a rise in the number of exploits it is stopping on Mozilla. In fact, when you compare the 8 vulnerabilities announced by Mozilla in the last quarter with the 7 new vulnerabilities announced by Microsoft, things aren’t looking so rosy.

Some of the common Mozilla exploits ScanSafe is stopping include the Java applet spyware installer, which uses a Mozilla/Firefox vulnerability to target Windows users, and several buffer overflow attacks which can result in damage to the user's files, changes of data, or disclosure of confidential information. Other vulnerabilities include spoofing of the URL displayed in the address bar. These attacks suggest Mozilla’s design is not as security-conscious as promised.

Neither has Mozilla managed to free itself of all the vulnerabilities that have plagued IE. A vulnerability announced on the 1st March showed that Mozilla shares the same drag and drop vulnerabilities. This can be exploited to execute arbitrary code in a user’s browser session by tricking a user into dragging an image to the address bar.

The vulnerabilities that are appearing suggest that Mozilla is not managing to offer the security it initially looked set to offer. Its arrival amidst a climate of hostility towards IE caused its adoption rates to rise exponentially.

Since entering the public domain Mozilla has become a target, perhaps even a challenge for web threat writers. Only now the cracks are starting to show. Although ScanSafe is still stopping the vast majority of viruses on IE, the number of viruses it is stopping on Mozilla is growing as the browser gains in popularity. It is a simple fact that virus writers will concentrate their efforts on where there is possibility for more damage. However, the choice between insecure and relatively less insecure is not much of a choice at all.

But then it may be asked: is it really within the remit of a browser to guarantee Internet security? Are we asking too much? We don’t expect our browsers to block viruses, spyware or malicious scripts, so why should we have such high expectations for their security capabilities?

Maybe a secure browser will be developed. In the meantime the only way to guarantee network integrity is proactive threat management by scanning and filtering.




Copyright © IT-Observer Online Publication 2000 - 2007