Mozilla Firefox security: User smugness from the Foundation’s silence?
Though I love Firefox and have used it as my default browser for many months now, it seems FF users are too smug about the browser’s security. Some seem to think it impregnable to exploits and vulnerabilities, especially compared to its more popular, jock brother, Internet Explorer. But as Mozilla creeps up in popularity, it is bound to gather more attention from black hats, a point a PCWorld news story makes very well:
The public warning of the security vulnerabilities is evidence that the Mozilla Foundation’s products give a false sense of security, says Thor Larholm, a senior security researcher with PivX Solutions in Newport Beach, California.
“The only reason Mozilla and Firefox have a good track record in security with a low number of security vulnerabilities is simply because they don’t tell anyone about them,” Larholm says via e-mail.
“The Mozilla Foundation has fixed hundreds if not thousands of security vulnerabilities over the last few years without notifying the world and without providing security patches, instead they have simply just told their users to upgrade,” he says. “We have to remember that all software has security vulnerabilities, the only difference is in how we anticipate them and inform the world about their existence.”
Thor Larholm is right. Telling your users to upgrade is a viable strategy when your user base is geeks. That’s not the profile of the typical FF user anymore. Furthermore, as Firefox’s growth slows, users are downloading FF less often. Besides, to the average user, what’s the real, demonstrable benefit of downloading and installing Firefox 1.0.1 (which is really just a security patch, similar to a Windows Update) when he’s already got 1.0 or 1.0PR? In his mind, 1.0PR, 1.0, and 1.0.1 are basically the same program. At least Microsoft makes it mindlessly easy.
People rail on Microsoft for their security lapses, but that’s because Microsoft tells folks about the lapses to give them a chance to address them. Sure, they don’t always do this in a timely manner—examples abound in which white hats have informed MS months in advance of exploits, received no response, and then informed the public—but MS generally does a good job. By way of comparison, when was the last time you heard of Mozilla issuing a press release about a security hole? They are, after all, creeping toward 6% market share, yes? Perhaps they shouldn’t leave it to Secunia. (But they still look great compared to IE [!].)
UPDATE: Thinking about this a bit more, I probably overstated the case. Firefox does have an Automatic Updates feature, which is somewhat analogous to Windows Update. I presume this prods normal folks to download updates more often than they normally would. Furthermore, the Mozilla Foundation is touting FF 1.0.1 as primarily a “security update.” That’s certainly as upfront as issuing a press release, which I talk about above.
Yet I’m left with the feeling that Mozilla gets off easy because they aren’t a real company with financial and contractual obligations to customers. When MS tells people about the security shortcomings in its software, it’s because their financial ass is on the line. Mozilla doesn’t really have a financial ass—or really an ass. I mean, right? So I get the feeling that they don’t emphasize the negatives any more than they absolutely have to.
February 28th, 2005 at 10:29 am
After reading this, I’m looking in my Firefox 1.0 for Mac OS X to see if there is a menu item for “check for updates…” but I don’t see any. I guess I’ll have to do it the old manual way.
February 28th, 2005 at 4:26 pm
Oh, lookit that. The Mac OS X version of Firefox also has an automatic update feature. It’s in the Preferences… > Advanced > Software Update
March 3rd, 2005 at 6:15 am
Why do you call them black hats? I dislike that term intensely. It’s polarizing. There are security experts and there are hackers.
Besides that, nobody reads the warning about holes. What are you going to do if they alert you about a vulnerability? Patch it yourself? Doubtful. Most of the vulnerabilities are not simple exploits where you just stay away from certain sites. This is just journalistic alarmism from a writer at a magazine who needed to make a deadline.