Tweets: Firefox most vulnerable – Windows 7 news – Google browser security handbook
- Windows 7 6956 Preview – Nice video but a bit blurred.
- Firefox is most vulnerable Windows software in 2008 and most popular too.
- Microsoft sees ‘huge increase’ in IE attacks – Well, Firefox is not really better.
- Microsoft sends out Windows 7 Beta 1 invites – I am also a Windows 7 beta tester. I will have a look at it soon.
- Paul Thurrott thinks that Microsoft will release Windows Beta 1 today.
- KezNews.com has other information. They believe that Windows 7 Beta 1 will be available on Jan 5.
- Microsoft Windows 7 blog: Continuing our discussion on performance
- Google releases browser security handbook – quite comprehensive
- Working with Active Directory Snapshots in Windows Server 2008 – Comprehensive article by Daniel Petri.

It would have been more accurate to say, “Besides Internet Explorer, Firefox is the most vulnerable software in 2008”.
I have issues with the “Criteria for the Vulnerable Applications List”. Two of their criteria are false about Firefox, namely
“5) Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.”
AND
“6) The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.”
These two points are false.
Firefox has an automatic update feature. This feature is on by default. Updates are automatically downloaded in the background and then installed when the browser restarts. (The same can’t be said for IE.)
The fact that Internet Explorer (any version) is not on the list at all seems highly suspect.
While it is true that administrators *can* push out updates for IE, that’s assuming you are operating in an enterprise environment.
If we run IE through their six criteria, we get some interesting results:
1.) Runs on Windows – yup, installed by default
2.) Well known – yup, installed by default and still has a majority market share (over 89% last time I checked)
3.) Not classified as malicious – nope, IE is well trusted
4.) A: Contains at least one vulnerability reported after Jan 2008 – yes; B: registered at NIST – yes; C: given a severe security rating between 7-10 — not sure, tool looked too complex.
5.) Relies on the end user for patching rather than the administrator — Enterprise users can patch, but home users are on their own. (Given how often people click “cancel” this seems like a poor metric).
6.) The application cannot be centrally updated via tools like Microsoft SMS – well, yes, IE can, but again you’re assuming an enterprise environment. Home users are on their own to make use of Microsoft Update.
So, according to those criteria, IE is just as vulnerable.
Given that IE has a larger market share, AND that there are more exploits reported overall, I’m really not that concerned about Firefox.
In fact, the more I learn about IE, the scarier it is. A quick search of the vulnerability database at http://nvd.nist.gov returns the following statistics: IE: 696 results, Firefox: 400 results. Make of that what you will.
Matt, the automatic update feature of Firefox is useless in corporate environments because end users should never ever have the rights to update software. If you allow this then you already have a serious security hole in your network. It wouldn’t matter then what browser you use anyway. But of course you can use SMS or any other software deployment solution to update Firefox. I agree that there is no real difference between Firefox and IE when it comes to security. The biggest disadvantage of Firefox in corporate networks is its lousy support for Group Policy. If security is a top priority I would use Opera.