Is Firefox Fit for Enterprise Duty?


Browser security seems to be a big issue this week. First we had the IE patch drama, then comes a dust-up over whether Firefox is fit for enterprise use. The Mozilla browser topped enterprise app whitelister Bit9's list of popular apps with security vulnerabilities. Why? One major reason is that Firefox typically relies on the end user to allow updates and new patches.


Enterprise application whitelisting company Bit9 launched an attention-getting press release last week, a document which merely bubbled for a few days until the recent Internet Explorer flaw took center stage and Mozilla pushed out a few Firefox updates.

Eventually, the heat under the issue boiled over, prompting Mozilla to tackle the Bit9 report on its Mozilla Security Blog.

Beep Beep Beep

Backing up the truck, Bit9 revealed its annual ranking of threats in plain sight -- "The Dirty Dozen" of 2008's most popular applications with critical security vulnerabilities.

Bit9 held itself to a few criteria: The applications it chose had to be real applications used frequently by end users -- as opposed to malware or esoteric applications.

Often running outside of the IT department's knowledge or control, these applications can be difficult to detect, Bit9 reported, saying they create a data leakage risk in endpoints that are otherwise secure.

The five apps topping off Bit9's Dirty Dozen:

  • Mozilla Firefox, versions 2.x and 3.x
  • Adobe (Nasdaq: ADBE) Acrobat, versions 8.1.2 and 8.1.1
  • Microsoft (Nasdaq: MSFT) Windows Live (MSN) Messenger, versions 4.7 and 5.1
  • Apple (Nasdaq: AAPL) iTunes, versions 3.2 and 3.1.2
  • Skype, version 3.5.0.248

More specifically, Bit9 reported that each application on the list has the following characteristics:

  • Runs on Microsoft Windows.
  • Is well-known in the consumer space and frequently downloaded by individuals.
  • Is not classified as malicious by enterprise IT organizations or security vendors.
  • Contains at least one critical vulnerability that was first reported in January 2008 or after, or registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database, and given a severity rating of "high" (between 7.0 and 10.0) on the Common Vulnerability Scoring System (CVSS).
  • Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
  • Cannot be automatically and centrally updated via free enterprise tools such as Microsoft SMS or WSUS (Windows Server Update Services).

"Year after year, we see a growing number of applications within the enterprise creating security vulnerabilities that are easily prevented through better visibility across endpoints, and a more centralized patch-management process," noted Harry Sverdlove, chief technology officer at Bit9.

The last two criteria -- the app relies on the end user and can't be automatically or easily centrally updated -- seem to be the biggest issue. Mozilla's Firefox pushes out security updates to end users directly via the Internet, which makes it difficult for an IT department to control security patches or to ensure that all desktops running Firefox, for example, have been patched.

So What's Really Wrong Here?

"While we're always happy to see stories that focus on educating our users about security, there are some problems with Bit9's methodology that hinder its ability to draw any meaningful conclusions," noted Johnathan Nightingale, Mozilla's Human Shield, on the Mozilla Security Blog.

"Bit9 says it drew up this list by identifying popular applications that have had a critical vulnerability reported in 2008. This is an ineffective test, as it rewards software companies that conceal their security vulnerabilities," he added.

Furthermore, Nightingale noted, "Bit9 seems to understand this in its focus on application support for updates, but again it fails to account for the real world experience. Firefox does not deliver WSUS updates, but our built-in update mechanism requires no user intervention, and we consistently see 90 percent adoption within six days of a new update being released."

Still, in the enterprise, is end-user patching a security risk?

"Central management and reporting is almost always more secure than end-user driven updating. End-user updating works well for knowledgeable, security-conscious users, but any mid-to-large organization should be looking to manage vulnerabilities and patch centrally," Michael Argast, a security analyst at Sophos, told LinuxInsider.

"You can only count on a very small proportion of your user base paying attention to and caring about security," he added.

What about the recent IE security brouhaha? IE patches can be applied centrally.

"The recent IE situation was a bit of an anomaly insofar as there was a known vulnerability with exploits active in the field before there was any form of patch available," Argast said.

"In those cases, you need to either switch to a non-vulnerable system, change behaviors -- restrict access to browsing -- or use other mechanisms to provide protection. A good example of an alternative mechanism would be behavioral protection from an antimalware company, which could block an exploit prior to a patch being available," he explained, noting that in the case of Sophos, his company had behavioral protection out several days prior to a patch being available from Microsoft.

Still, "In almost all cases a company will get better broad protection by managing this centrally rather than depending on activities driven by the end-user. The application itself is important, but there are so many different avenues of attack these days -- operating system, browsers, browser helper applications such as QuickTime. Relying on the end-user to maintain even relatively secure applications is placing too much burden on users," Argast added.

No Single Answer

Not everyone believes that central control of the update process is the best or only method, and even with Firefox, enterprises can disable the automatic update process and send out their own update packages via their own IT infrastructure.
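As an added illustration (not part of the article, nor Mozilla's or Bit9's code) of what "central control" looks like in practice, the following script audits a constructed fleet inventory: it reads the Firefox version out of each host's application.ini, compares it with a baseline version that central IT is assumed to have pushed, and checks the host's prefs for whether the end-user auto-update mechanism (`app.update.enabled`) has actually been turned off. The baseline version, host names and file contents are all constructed sample values.

```python
import configparser
import re

# Assumed: the build central IT has rolled out (constructed value, not from the article).
BASELINE = "3.0.5"

# Matches prefs.js / mozilla.cfg lines such as: lockPref("app.update.enabled", false);
PREF_RE = re.compile(r'^\s*(?:user_pref|pref|lockPref)\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {pref name: raw value string} from prefs.js-style text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def parse_version(s):
    """'3.0.5' -> (3, 0, 5) so versions order numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))


def installed_version(app_ini_text):
    """Firefox ships application.ini with an [App] section carrying Version=."""
    cp = configparser.ConfigParser()
    cp.read_string(app_ini_text)
    return cp["App"]["Version"]


def audit_host(host, app_ini_text, prefs_text, baseline=BASELINE):
    """Return a list of findings; an empty list means the host is compliant."""
    findings = []
    ver = installed_version(app_ini_text)
    if parse_version(ver) < parse_version(baseline):
        findings.append(f"{host}: Firefox {ver} is below baseline {baseline}")
    prefs = parse_prefs(prefs_text)
    # Firefox defaults app.update.enabled to true when the pref is absent.
    if prefs.get("app.update.enabled", "true") != "false":
        findings.append(f"{host}: end-user auto-update still enabled")
    return findings


# Constructed sample inventory: (application.ini contents, prefs contents) per host.
APP_INI_OLD = "[App]\nVendor=Mozilla\nName=Firefox\nVersion=3.0.3\n"
APP_INI_NEW = "[App]\nVendor=Mozilla\nName=Firefox\nVersion=3.0.5\n"
PREFS_LOCKED = 'lockPref("app.update.enabled", false);\nlockPref("app.update.auto", false);\n'
PREFS_USER = 'user_pref("browser.startup.homepage", "http://intranet.example");\n'
FLEET = {"ws-01": (APP_INI_NEW, PREFS_LOCKED), "ws-02": (APP_INI_OLD, PREFS_USER)}


def audit_fleet(fleet=FLEET):
    """Map each host to its findings so IT can see at a glance who is unpatched."""
    return {h: audit_host(h, ini, prefs) for h, (ini, prefs) in fleet.items()}
```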

"Since central IT can turn it off [automatic updates], I don't see the problem," Rich Mogull, a security consultant, told LinuxInsider. Mogull did disclose, however, that he is currently working on a security metric project with Mozilla.

What does Mogull think about the IE vulnerabilities? Can a company get better, faster protection via end-user rollouts rather than via central, IT-driven rollouts?

"Often they can, at the risk of having patches that haven't been tested for their environment," Mogull said. "We do see some organizations trust vendor updates for some of their software, but generally enterprises want to do at least a little testing on major apps before deployment," he added.

More by Chris Maxcer