Categories
Mozilla Software

Firefox and Security

ZDnet’s George Ou recently blogged about Firefox Security that raised a few questions in my mind (that he didn’t mention). I’d like to go over them briefly:

Is it possible to write a secure program (other than a “Hello World”)?

I’ll go on the record saying there is no such thing as a secure web browser, or any large program. It’s just not possible, at least right now (who knows what great secure programs we’ll have when the apes take over and enslave us). If you look hard enough you’ll find some vulnerabilities even in OpenBSD. Why? Studies have shown programmers make quite a few mistakes (isn’t that obvious?). In most cases these bugs are obscure “outlier” cases where 99% of users never see. Of those a small percentage are security vulnerabilities. As with anything there are degrees of severity (hence security vulnerabilities are rated). Many may never be experienced. But a few are found by accident, and a few by malice.

What is security, and how is it graded?

My big question is how do you grade a products security? It’s clear the industry as a whole doesn’t have a clue how to do so. Right now software security is an informal process of yelling “I found one” and posting a message showing the exploit. I personally believe a few things come into play when discussing if a product “is secure”:

  1. Response time for patching – does the creator issue a patch quickly, or do they take forever to acknowledge and fix the vulnerability.
  2. Box Install Security – how secure is the product “out of the box”? For example, OpenBSD is very secure out of the box, but I can still install a whole bunch of vulnerable software on it. Then who is at fault? Does that make OpenBSD less secure as a platform?
  3. Vulnerability vs. Exploit – just because there is a potential (vulnerability), doesn’t mean there is a will or capacity to do so, or someone already taking advantage (exploit). I’d much rather have software on my computer with 10,000 vulnerabilities than 1 exploit. I think most users would make the same choice should they be given it. We’d prefer 0 and 0, but we’ll take vulnerabilities over exploits.

How does Mozilla Firefox/Thunderbird rate on the above?

Well, lets go through each metric and discuss it briefly:

  1. Response time is rather quick typically (at least from what I’ve seen). It will get faster with Firefox 1.5, since patches can be deployed to Firefox users quicker. The quicker the user base updates, the less attractive an exploit is. Right now it’s not as easy to keep people up to date. They technically re-download the entire browser, which is somewhat slow, and turns people off. That’s not good. But the new update system is good.
  2. Box Install Security – this is a somewhat more complex issue. I’d say Firefox is rather secure out of the box, at least relative to IE since it doesn’t have ActiveX. It does have a platform for extensions, but any extension available from the installer (limited to DOM Inspector and [my child] Reporter) are clean. After that, it becomes the user’s responsibility to download from reputable developers (just like you would for any other download). IE technically does have an extension system (we see that with browser addons such as Google Toolbar), and is subject to the same principle.
  3. Exploits – I’ll leave it to you to check how they compare to their competition.

So is the honeymoon over?

I don’t think there ever was a real “honeymoon”. Since the beginning the purpose of mozilla.org was essentially (copied from the Developers page):

Developers can help Mozilla by fixing bugs, adding new features, making Mozilla smaller and faster, and making Mozilla development easier for others.

The emphasis is mine. It’s appreciated when people find bugs and vulnerabilities. To the degree of a $500 bounty on security vulnerabilities. So finding vulnerabilities means the honeymoon has finally arrived (if you want to look at it that way). The good thing about vulnerabilities is once they are patched, they won’t become exploits (unless the patch is ineffective for some reason). Similar to law enforcement getting tipped off about a robbery and acting on it. That’s not bad, it’s good, assuming your information is timely and accurate, and law enforcement is effective.

Again, it’s important to note the difference between a ‘vulnerability’ and an ‘exploit’. Technically every computer ships with a vulnerability: your keyboard and monitor. People can spy on you, and alter your data. Yes, it is a vulnerability. It’s #1. Is it feasible to fix? Likely not (though you can limit the effects by not working on sensitive info with people around, and locking your computer screen when your not in front of the keyboard). Exploits are what I’m personally afraid of. Thankfully none have really hit Firefox just yet. With the release of Firefox 1.5, and the new update system, it will be much easier to limit any damage an exploit could cause with easier updating to remove vulnerable systems.

Is there a lesson of the day?

I’d say there is a lesson. Keep your software up to date. No code is perfect, nor will it be anytime soon. If your up to date, you have the best defense out there. By choosing a product which has the best security model design , and keeping it updated is the first step to a secure computer. Obviously a virus scanner is good too. Personally I believe Firefox has a more secure design by not being so “friendly” with the OS, and not supporting ActiveX, but regardless of your choice, keep it up to date. I’m sure the IE team will agree that’s the single most important thing you can do to stay safe. Run the latest release version.

I’m personally surprised that in 2005 Apple and Microsoft still don’t have a method for software developers to register their products to be used with the default updating mechanism in the OS. It would be ideal if the OS could track updates for me and keep my system up to date. They only work for software from the OS maker. There are third party services for this (VersionTracker), but none in the OS itself. Instead we have a patchwork of updating mechanisms for products. Each work differently, and it’s a confusing mess. But that’s a topic for another day.

4 replies on “Firefox and Security”

But a few are found by accident, and a few by malice.

And a few by people trying to make the software more secure.

Vulnerability vs. Exploit

You could split this up further: Vulnerability known vs. Exploit code available vs. Active exploits

I’d say there is a lesson. Keep your software up to date.

Would you go as far as to recommend that users upgrade to betas or nightlies? Given that fixes often go into public CVS long before releases come out, doing so might make sense if security is important to you.

I’m personally surprised that in 2005 Apple and Microsoft still don’t have a method for software developers to register their products to be used with the default updating mechanism in the OS.

I agree.

Jesse:
1. Good point
2. Another good point
3. I wouldn’t recommend nightlies. But keeping latest release builds. There are still a fair number of Firefox users not running the latest version.

How about QA? Wasn’t a security regression shipped in 1.0.4?
Microsoft has more testers and more automated tests.

How about fuzz testing?
Microsoft fuzz tests EVERYTHING, AFAIK Mozilla do very limited fuzz testing (not for JavaScript, for example).

How about compile-time code-checks?
Microsoft compiles with /GS, and uses Prefast etc, which catches LOTS of buffer overflows, integer overflows and even race conditions.

How about threat modelling?
I haven’t seen a single threat modelling document from Mozilla. Every Microsoft code checkin is threat-modelled.

Mozilla is safer in some ways. It has less users, it has better community relations, rewards for security make 0-day exploits less likely, and it patches critical security updates faster on average. It also has far better security at the UI level – yellow address bar, etc.

Overall though I trust the Trident code far more than Gecko.

“Microsoft has more testers and more automated tests”
Are you sure MS has more testers? (Think bout Firefox 1.5 which has been tested every day since Firefox 1.0)
“Microsoft: fuzz tests EVERYTHING, compiles with /GS, and uses Prefast etc, Every Microsoft code checkin is threat-modelled”
And still Mozilla alpha’s are more stable than MS beta’s.

I agree Mozilla should use more elaborate automated testing methods

Leave a Reply to Robert Cancel reply

Your email address will not be published. Required fields are marked *