Firefox Suffers Seven-Year Itch

While Mozilla is celebrating over Firefox’s growth in Europe, the open-source browser maker is simultaneously up in arms over software vulnerabilities. A security research firm is reporting Mozilla’s current browsers are once again susceptible to a seven-year-old flaw that could let malicious people spoof the contents of Web sites.

According to Secunia, Firefox 1.x and Mozilla 1.7x are vulnerable to a frame injection flaw that first surfaced in 1998. Secunia reported the hole as “moderately critical.”

“The problem is that the browsers don’t check if a target frame belongs to a Web site containing a malicious link, which therefore doesn’t prevent one browser window from loading content in a named frame in another window,” said the Secunia advisory.

That means if you are viewing a trusted site in one window and an open site that belongs to a spoofer in another window, the spoofer can insert code in the window showing the trusted site. If you enter your personal information in the spoofed site, then the spoofer can use your identity for illegal activities.
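The check the advisory says was missing can be modelled in a few lines. The following is an added illustration, not code from Mozilla, Secunia or this article: the window/frame objects and the "related window" policy are simplified assumptions chosen to show why a frame-name lookup has to consider which site owns the target frame, not just whether the name matches.

```javascript
// Added example (not Mozilla code): a toy model of named-frame targeting.
// Each top-level window holds a document from `origin`, a set of named frames,
// and an `opener` (the window that opened it, if any). All names are constructed.
function makeWindow(origin, opener = null) {
  return { origin, opener, frames: new Map() };
}

// Create a named frame inside `win`; `content` records what it currently shows.
function addFrame(win, name, origin) {
  const frame = { name, origin, owner: win, content: origin };
  win.frames.set(name, frame);
  return frame;
}

// Unchecked lookup, as described in the advisory: the first frame anywhere
// with a matching name is used, regardless of which site's window holds it.
function findTargetUnchecked(allWindows, targetName) {
  for (const win of allWindows) {
    const frame = win.frames.get(targetName);
    if (frame) return frame;
  }
  return null;
}

// Checked lookup (assumed policy, not Mozilla's exact fix): a named frame may be
// targeted only if it lives in the linking window itself, in a window joined to
// it by an opener relationship, or in a window whose document has the same origin.
function findTargetChecked(allWindows, sourceWin, targetName) {
  for (const win of allWindows) {
    const frame = win.frames.get(targetName);
    if (!frame) continue;
    const related =
      win === sourceWin ||
      win.opener === sourceWin ||
      sourceWin.opener === win ||
      win.origin === sourceWin.origin;
    if (related) return frame;
  }
  return null;
}

// Simulate a link with target="targetName" clicked in `sourceWin`.
// Returns the frame that now shows `url`, or null if the load was refused.
function navigate(allWindows, sourceWin, targetName, url, checked) {
  const frame = checked
    ? findTargetChecked(allWindows, sourceWin, targetName)
    : findTargetUnchecked(allWindows, targetName);
  if (!frame) return null;
  frame.content = url;
  return frame;
}

// Constructed scenario from the article: a trusted site in one window and an
// unrelated window in another. Returns whether each navigation was allowed.
function scenario(checked) {
  const trusted = makeWindow("https://trusted.example");
  addFrame(trusted, "content", "https://trusted.example");
  const unrelated = makeWindow("https://other.example"); // no opener link to `trusted`
  const all = [trusted, unrelated];

  // An unrelated window tries to fill the trusted site's "content" frame.
  const spoof = navigate(all, unrelated, "content", "https://other.example/form", checked);
  // The trusted site's own link into its own frame must keep working.
  const own = navigate(all, trusted, "content", "https://trusted.example/page2", checked);

  return { spoofLoaded: spoof !== null, ownLoaded: own !== null };
}
```

Run `scenario(false)` and `scenario(true)` side by side: without the check the unrelated window's URL ends up in the trusted site's frame, with it the load is refused while the site's own navigation still succeeds. Real browsers resolve target names against a full browsing-context tree and also consult the document's own frame hierarchy; this model only keeps the part relevant to the origin check.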

Firing at a Growing Target

Yesterday, French Web metrics company XiTi released a report indicating Firefox was the browser used by 14.08 percent of users who access a sample of Web sites that use XiTi measurement software. The figure was at 13.31 percent in April and 11.60 percent in March. The report tracked browser use in 24 European countries. Some analysts have argued that Firefox’s growing popularity has made it a larger target for hackers, crackers and other malicious people. Others deny such claims. However, a recent study authored by Symantec sheds some light on the debate.

The number of documented vulnerabilities affecting Mozilla and Firefox was higher than the number affecting Microsoft’s Internet Explorer between July 1, 2004 and Dec. 31, 2004, according to the latest Internet Security Threat Report from Symantec.

The report noted 13 vulnerabilities affecting Internet Explorer compared to 21 vulnerabilities affecting Mozilla and Mozilla Firefox browsers. However, Internet Explorer still had a higher proportion of serious flaws. Nine of Microsoft’s 13 flaws were rated as highly severe; only 11 of the 21 Mozilla browser flaws were labeled highly severe.

Who Responds Faster?

Jupiter Research analyst Joe Wilcox told LinuxInsider the argument that says Firefox’s popularity is leading to the discovery of more vulnerabilities may contain some truth. But, he added, Microsoft could say the same thing.

“There is still the argument that Microsoft software is in greater use so it’s targeted more,” Wilcox said. “It’s a great marketing argument because there’s really no way to prove it.”

Most analysts seem to agree that it’s not really about which browser has more vulnerabilities or why — since all browsers will have flaws. What really matters is which development camp responds fastest with patches to fix the flaws.

According to the Symantec report, it has taken Microsoft longer to fix Internet Explorer flaws: Microsoft took an average of 43 days to fix vulnerabilities compared to Mozilla’s 26 days.

Protecting the Perimeter

Other debates argue which approach to software development is more efficient. Does the all-eyes approach allow Mozilla to respond more quickly? This is up for debate, but again, analysts stress the basic facts. There are always going to be flaws in software, they say. What matters is who can fix them and how quickly they are fixed.

“Many large companies have fortified their networks with firewalls and done a pretty good job at it,” Wilcox said. “If you block off that route for breaking into the computer, then the hackers simply go somewhere else. The most obvious place for them to go is to the application layer via the Web browser. The browser allows two-way traffic in and out of the corporate network. It’s like a tunnel going right into the company. You have to protect that tunnel.”


More by Jennifer LeClaire