August 27th, 2007

Firefox or IE? Strange answer to security question

Posted by Ryan Naraine @ 10:29 am

Categories: Botnets, Browsers, Data theft, Digital rights management, Exploit code, Firefox, Google, Hackers, Metasploit, Microsoft, Patch Watch, Pen testing, Responsible disclosure, Rootkits, Spam and Phishing, Spyware and Adware, Viruses and Worms, Vulnerability research, Windows Vista

Tags: Security, Mozilla Firefox, Microsoft Internet Explorer 6, Microsoft Internet Explorer, Web Browser, Ryan Naraine

A study by the non-profit Honeynet Project has come up with a strange answer to the Firefox versus Internet Explorer security question.

During the experiment, conducted in May 2007, the group compared three browsers — Internet Explorer 6 SP2, Firefox 1.5.0 and Opera 8.0.0 — to determine whether using an alternative browser would be an effective means to reduce the risk of malware attacks.

(Note: Firefox 1.5 is no longer supported, and the latest version of Microsoft’s Web browser is IE 7.0. Opera’s newest iteration is 9.23.)

The results:

Common perception about Internet Explorer and Firefox is that Firefox is safe and Internet Explorer is unsafe. However, a review of the remote code execution vulnerabilities (primary source: SecurityFocus) that were publicly disclosed for Firefox 1.5 and Internet Explorer SP2 reveals that, in fact, more were disclosed for Firefox 1.5, indicating that more nearly the opposite is true.

[Image: known remote code execution vulnerabilities per browser]

However, when client honeypots running these browsers surfed to a list of about 30,000 known exploit servers, the URLs that produced a 0.5735% successful-compromise rate against Internet Explorer 6 SP2 did not cause a single successful attack on Firefox 1.5.0 or Opera 8.0.0.

“Particularly the results on Firefox 1.5.0 are surprising, considering the number of remote code execution vulnerabilities that were publicly disclosed for this browser and the fact that Firefox is also a popular browser,” the Honeynet Project said, speculating that perhaps Firefox was never a target of those exploits.

We can only speculate why Firefox wasn’t targeted. We suspect that attacking Firefox is a more difficult task as it uses an automated and “immediate” update mechanism. Since Firefox is a standalone application that is not as integrated with the operating system as Internet Explorer, we suspect that users are more likely to have this update mechanism turned on. Firefox is truly a moving target. The success of an attack on a user of Internet Explorer 6 SP2 is likely to be higher than on a Firefox user, and therefore attackers target Internet Explorer 6 SP2.


Citing browser distribution statistics from w3Schools.com, the study noted that Internet Explorer 6 is still used by more than 38 percent of Internet users worldwide.

Considering that Internet Explorer 7 has been pushed as a high security update by Microsoft for several months, there is an indication that a large number of these users probably do not have automatic updates turned on. Some portion of these 38.1% that do have automatic updates turned on have probably made a conscious decision not to update to Internet Explorer 7, but rather to just accept Internet Explorer 6 patches. Nevertheless, we suspect that many simply do not have automatic updates enabled.

The study, titled “Know Your Enemy: Malicious Web Servers,” is available for download (.pdf).

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.
