Zero-Day Browser Exploits, Part 2: The Continuing Debate

The debate rages over whether open source browsers such as Firefox and Konqueror provide better zero-day attack protection than proprietary browsers such as Microsoft’s Internet Explorer (IE) and OperaSoftware’s Opera browser. Security experts line up on both sides of the discussion, often advising thatneither open nor closed source browsers provide enough protection to provide worry-free journeys on theInternet.

Part 1 of this two-part feature compared proprietary and open source browsers. Part 2 addresses some of the factors to consider when choosing a browser.

All browsers are vulnerable to attacks depending on the state of the computerrunning them and the interaction of other installed software. However, some experts proffer that open source browsers such as Firefox are inherently more secure, if for no other reasons than exploits are morequickly patched and the smaller installed user base makes them less likely targets of hackers.

“Microsoft is no slouch in addressing vulnerabilities. IE remains the target of choice. It is extremelyvaluable for users to see the time frame of fixes for discovered vulnerabilities. Open source browsersprovide a tremendous amount of transparency in fixing problems. They have complete visibility,” SunilJames, security researcher for Arbor Networks, told LinuxInsider.

Factoring Variables

Much of the discussion over whether open or closed source browsers are more secure resembles a religious argument, suggested Steven R. Gordon, professor of Information Technology Management at Babson College. Regardless of which browser type users choose to believe is safer, they should consider several key mitigating factors.

The first is market share. Anyone wanting to launch an attack would like to affect the greatest number ofcomputers possible, he said. One could argue on the one hand that IE is more vulnerable because thereis more incentive to attack it over any of the open source browsers.

“On the other hand, one could argue that it is better to fly under the radar and attack a browser such asKonqueror because the attack is less likely to be detected and can therefore be carried out over a longerperiod of time,” Gordon told LinuxInsider. “Where does Firefox sit? Its market share is not as small asKonqueror nor as large as IE, but it is probably large enough to generate incentives similar to thosegenerated by IE.”

Further Factors

The second is source availability. On the one hand, the availability of source code gives attackers a headstart in identifying possible avenues for attack. On the other hand, it allows thousands of goodSamaritans to identify possible vulnerabilities and propose fixes before the vulnerabilities areexploited, Gordon explained.

The third factor is feature complexity. The more types of files a browser can handle, the greater theopportunity is for an attack because the code for handling each type of file is subject to differentexploits, he said.

“For example, an April 2007 zero-day exploit that related to the way QuickTime files were read by Javaaffected Safari, Firefox and IE. Similarly, add-ins, which are accepted by most browsers but are probablyused more by the open source community, provide another avenue of attack,” he explained.

Reasons Exposed

One of the most prevalent arguments on the open versus closed source browser security debate is the eyeball factor. The argument states that since open source has far more eyeballs looking at code, theresult is better code.

“But the counter-arguments are equally strong. If all the extra eyes are lazy and unschooled in security,then they are useless. Most look at code to tweak it, not to look for holes. Second, if code is keptsecret, it is safer,” Bob Walters, CEO of open source network gateway developer Untangle, toldLinuxInsider. “If the code itself is security code, then the more eyes argument becomes more valid.”

All tests fail to conclusively prove open source has fewer bugs. There is a similar bug count inboth open source and proprietary browsers, according to Walters.

“Browsers are not security code. Writing browser code has been all about getting as much HTML code todisplay as possible. This is the opposite goal of security code writers,” he explained.

No Silver Bullet

Vulnerability management solutions firm PatchLink sought a closer view of its customers’ concerns overbrowser security issues in a recent survey. Responses from 250 customers revealed that the No. 1security concern was zero-day vulnerabilities, Paul Zimski, director of product and market strategy atPatchLink, told LinuxInsider.

“An overwhelming majority of respondents — 83 percent — said that Internet Explorer was the applicationthat they were most concerned about protecting. Yet IE is the de facto business standard,” he noted.

Despite improved vulnerability management available through third-part products, the survey revealed that the inability to effectively control user behavior and the shrinking time from vulnerability to exploitare the most significant challenges to combating zero-day threats, according to Zimski.

As a result, IT managers are trying to gain control through an increasing number of security products andtime spent monitoring and setting policies, PatchLink’s survey analysis concluded.

Fire Drill Strategy

Since IT managers have high concern over browser security, they are changing their tactics in order to bemore prepared for a zero-day attack, according to PathLink. For instance, 70 percent of IT managerscompleted fire-drill remediations within eight hours in 2007, compared to just 39 percent during theprevious year.

In addition, 60 percent percent of the respondents supplemented their vulnerability management process toinclude both agent- and network-based vulnerability scanning, according to the survey. Half of therespondents said they have more than 10 agents currently installed to perform security and/or operationstasks. Sixty-six percent said they spend an hour or longer every day monitoring security and IT consoles,administrating agents and updating security policies.

The survey also revealed faster remediation and more comprehensive risk assessment and prioritization washelping organizations to proactively address browser and other security concerns. IT managers reacted muchmore quickly to emergency patches this year compared to last, as 29 percent of organizations deployedcritical updates within two hours during 2007, compared to just 14 percent in 2006.

Zero-Day Browser Exploits, Part 1: Is Open Source Safer Than IE?