Zero-Day Browser Exploits, Part 1: Is Open Source Safer Than IE?

Are open source browsers such as Firefox and Konqueror more secure than Microsoft Internet Explorer (IE) 7.0 and proprietary browsers like Opera? That is an age-old question, security experts say, with no clear-cut answer.

“In my opinion, you will never get a good answer to this question. This is a religious argument,especially as the statistics anyone cares to trot out apply only to the past,” Steven R. Gordon, professorof information technology management at Babson College, told LinuxInsider.

Essentially, both browser types are free, making traditional budget-based purchase decisions void. However, more is at stake than free versus paid when it comes to browser security. Running a browser that is more susceptible to zero-day attacks and other vulnerabilities can cost users untold amounts of money in compromised computers and stolen documents and personal information.

Pro and Con

True believers will tell you that open source browsers are much less likely to be exploited by hackers.They will inevitably cite two primary reasons. One, the source code is readily available, so anyvulnerabilities are plain to see and fix sooner. Two, open source browsers such as Firefox and Konquerorhave far fewer uses, so hackers have much less incentive to go after exploits to make money.

Microsoft evangelists will just as vehemently argue the easy availability of open source browser codeactually encourages tampering. Now that Firefox is gaining popularity, obscurity is no longer a defense,insist fence-sitters.

“Microsoft has made major improvements in its security. It is not perfect and never will be. Neither willopen source browsers,” Paul Zimski, senior director of product and market strategy at vulnerabilitymanagement solutions firm PatchLink, told LinuxInsider. “Zero-day attacks will continue to change. It isdefinitely an arms race. It comes down to using safe business practices to defend against zero-dayattacks.”

Chicken or Egg Quandary

A zero-day exploit is one that takes advantage of a security vulnerability on the same day that thevulnerability becomes generally known. Zero-day attacks, however, are not native to specific browsers inisolation. Often, vulnerabilities in programs that tap into Web browsers for video and audio functionalityare the culprits.

Compiling a definitive chronological list of the major instances of active(zero-day) attacks that exploited vulnerabilities in Firefox, Konqueror or other open source browsers,compared to the number and scope of attacks on Internet Explorer, is asreliable as a plan to accurately predict the future of computing.

The exploits are usually quite similar. The attacks on vulnerabilities of related programs typicallyfound the same weaknesses in Internet Explorer, Opera and open source browsers, according to security experts.

“Open source versus closed source browser vulnerabilities are not easy to compare item for item. There isno one compilation tracked anywhere,” Sunil James, security researcher for Arbor Networks, toldLinuxInsider. “A study by Secunia found that IE had three times as many zero-day vulnerabilities reported over four years. But getting into numbers is a gray area.” Secunia is a vulnerability intelligence and security software provider.

Most zero-day attacks go against normal computing activities, suggested Zimski. Those caught off guard in such attacks usually have not applied the latest upgrades and patches.

“Attacks on both types of browsers are essentially the same,” Zimski said.

Dueling Browsers

The most recent example of this zero-day attack commonality is two vulnerabilities discovered this summer involving an exploit in the IE handler that made both IE and Firefox susceptible to attack. It was mostly a problem when both browsers existed on the same machine, according to Zimski.

The two flaws involved conflicts with Internet Explorer. The vulnerability allowedattackers to execute arbitrary commands when users directed the Firefox browser to visit malicious Websites that contain a specially crafted “mailto” URI (uniform resource identifier) containing a “percent” character and ends in a certain extension, such as “.bat” or “.cmd.”

Typically, attackers use vulnerabilities to trick browsers into misunderstanding the intent of therequested action. The goal in making browsers secure is to have browsers fetch code and save it so outside influences cannot get to run it, Zimski explained.

2006 Mishaps

The Sans Institute tracks Internet security issues. Earlier this year, the research company issued areport on the top 20 Internet security vulnerabilities in 2006.

Research conducted by the institute found that multiple zero-day vulnerabilities in Internet Explorerwere continuing. The report also said that a rapid growth in critical Firefox and Mozilla vulnerabilitieswas taking place.

One of the biggest problems with IE’s zero-day vulnerabilities, according to the Sans Institute, is its susceptibility to drive-by attacks when users visits Web sites set up to exploit vulnerabilities in IE that Microsoft hasn’t yet patched or for which the user failed to install the patch. These vulnerabilities areresponsible for many thousands of computers being infected with spyware and adware.

IE suffers from so many vulnerabilities — some that Microsoft may never have publicly disclosed — thatthe company had to issue separate Cumulative Security Updates for its browser February 2006 and April 2006, the Sans Institute reported.

By comparison, Firefox and Mozilla users had to patch eleven vulnerabilities that can be exploited by amalicious Web page to execute arbitrary code on a user’s system as well as several more criticalvulnerabilities, according to the Sans Institute.

Which One Safer?

“Exploits on browsers date back to the start with Netscape and Mosaic. As far as IE is concerned, therehave been a ton of them. But now IE 7 is stabilizing,” Robert Hansen, CEO of security consulting firmSecTheory, told LinuxInsider. “Firefox is much better than IE with the speed of fixes. Also, peoplewho use it are more knowledgeable [about security issues].”

The Sans Institute gives Firefox an edge over other open source browsers and IE.

“Firefox continues to be seen as somewhat safer than Internet Explorer, but it is no panacea,” the reportstates.

Another viewpoint also supports the notion that open source browsers in general are safer, and Firefox inparticular is better than Microsoft’s proprietary browser.

“Open source browsers are inherently safer. They are not as widely adopted, and they are faster in beingpatched,” Roger Thompson, CTO of Exploit Prevention Labs, told LinuxInsider. “Eventually, Firefox willbecome key. But it is wishful thinking to assume that Firefox will supplant MSIE. Redmond is too strong in marketing for that to happen.”

Zero-Day Browser Exploits, Part 2: The Continuing Debate

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Enterprise

LinuxInsider Channels