Comments on: Tweets: Firefox most vulnerable – Windows 7 news – Google browser security handbook http://4sysops.com/archives/tweets-firefox-most-vulnerable-windows-7-news-google-browser-security-handbook/ For Windows Administrators Fri, 19 Mar 2010 19:02:26 +0000 http://wordpress.org/?v=abc hourly 1 By: Michael http://4sysops.com/archives/tweets-firefox-most-vulnerable-windows-7-news-google-browser-security-handbook/comment-page-1/#comment-121779 Michael Tue, 23 Dec 2008 20:15:36 +0000 http://4sysops.com/?p=1974#comment-121779 Matt, the automatic update feature of Firefox is useless in corporate environments because end users should never ever have the rights to update software. If you allow this then you already have a serious security hole in your network. It wouldn't matter then what browser you use anyway. But of course you can use SMS or any other software deployment solution to update Firefox. I agree that there is no real difference between Firefox and IE when it comes to security. The biggest disadvantage of Firefox in corporate networks is its lousy support for Group Policy. If security is a top priority I would use Opera. Matt, the automatic update feature of Firefox is useless in corporate environments because end users should never ever have the rights to update software. If you allow this then you already have a serious security hole in your network. It wouldn’t matter then what browser you use anyway. But of course you can use SMS or any other software deployment solution to update Firefox. I agree that there is no real difference between Firefox and IE when it comes to security. The biggest disadvantage of Firefox in corporate networks is its lousy support for Group Policy. If security is a top priority I would use Opera.

]]> By: Matt A http://4sysops.com/archives/tweets-firefox-most-vulnerable-windows-7-news-google-browser-security-handbook/comment-page-1/#comment-121677 Matt A Sat, 20 Dec 2008 16:48:26 +0000 http://4sysops.com/?p=1974#comment-121677 It would have been more accurate to say, "Besides Internet Explorer, Firefox is the most vulnerable software in 2008". I have issues with the "Criteria for the Vulnerable Applications List". Two of their criteria are false about Firefox, namely "5) Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists." AND "6) The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS." These two points are false. Firefox has an automatic update feature. This feature is on by default. Updates are automatically downloaded in the background and then installed when the browser restarts. (The same can't be said for IE.) The fact that Internet Explorer (any version) is not on the list at all seems highly suspect. While it is true that administrators *can* push out updates for IE, that's assuming you are operating in an enterprise environment. If we run IE through their six criteria, we get some interesting results: 1.) Runs on Windows - yup, installed by default 2.) Well known - yup, installed by default and still has a majority market share (over 89% last time I checked) 3.) Not classified as malicious - nope, IE is well trusted 4.) A: Contains at least one vulnerability reported after Jan 2008 - yes; B: registered at NIST - yes; C: given a severe security rating between 7-10 -- not sure, tool looked too complex. 5.) Relies on the end user for patching rather than the administrator -- Enterprise users can patch, but home users are on their own. (Given how often people click "cancel" this seems like a poor metric). 6.) The application cannot be centrally updated via tools like Microsoft SMS - well, yes, IE can, but again you're assuming an enterprise environment. Home users are on their own to make use of Microsoft Update. So, according to those criteria, IE is just as vulnerable. Given that IE has a larger market share, AND that there are more exploits reported overall, I'm really not that concerned about Firefox. In fact, the more I learn about IE, the scarier it is. A quick search of the vulnerability database at http://nvd.nist.gov returns the following statistics: IE: 696 results, Firefox: 400 results. Make of that what you will. It would have been more accurate to say, “Besides Internet Explorer, Firefox is the most vulnerable software in 2008″.

I have issues with the “Criteria for the Vulnerable Applications List”. Two of their criteria are false about Firefox, namely
“5) Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the
vulnerability, if such a patch exists.”
AND
“6) The application cannot be automatically
and centrally updated via free Enterprise
tools such as Microsoft SMS & WSUS.”

These two points are false.

Firefox has an automatic update feature. This feature is on by default. Updates are automatically downloaded in the background and then installed when the browser restarts. (The same can’t be said for IE.)

The fact that Internet Explorer (any version) is not on the list at all seems highly suspect.

While it is true that administrators *can* push out updates for IE, that’s assuming you are operating in an enterprise environment.

If we run IE through their six criteria, we get some interesting results:
1.) Runs on Windows – yup, installed by default
2.) Well known – yup, installed by default and still has a majority market share (over 89% last time I checked)
3.) Not classified as malicious – nope, IE is well trusted
4.) A: Contains at least one vulnerability reported after Jan 2008 – yes; B: registered at NIST – yes; C: given a severe security rating between 7-10 — not sure, tool looked too complex.
5.) Relies on the end user for patching rather than the administrator — Enterprise users can patch, but home users are on their own. (Given how often people click “cancel” this seems like a poor metric).
6.) The application cannot be centrally updated via tools like Microsoft SMS – well, yes, IE can, but again you’re assuming an enterprise environment. Home users are on their own to make use of Microsoft Update.

So, according to those criteria, IE is just as vulnerable.

Given that IE has a larger market share, AND that there are more exploits reported overall, I’m really not that concerned about Firefox.

In fact, the more I learn about IE, the scarier it is. A quick search of the vulnerability database at http://nvd.nist.gov returns the following statistics: IE: 696 results, Firefox: 400 results. Make of that what you will.

]]>