For instance, last August, Microsoft issued a patch that fixed a hole that the company described this way: “It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user’s system. If a user visited an attacker’s Web site, it would be possible for the attacker to exploit this vulnerability without any other user action.”
“IE is a buggy, insecure, dangerous piece of software, and the source of many of the headaches that security pros have to endure…”
A little over a week ago, the SecurityFocus Vulnerability Database reported the “Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability,” which “may permit cross-zone access, allowing an attacker to execute malicious script code in the context of the Local Zone.” That was just one of the six reported so far this month – and we’re only halfway through!
In fact, it’s gotten so bad that now spyware creators (AKA scumbags) are using flaws in IE to surreptitiously install the I-Lookup search bar (or one of several others) into the browser. Again, the user doesn’t need to do anything – just visit a Web site or click on a URL in an email. Your home page is changed, a bunch of new bookmarks show up in your Favorites, and pop-up windows for porn sites open constantly.
On Monday, the Mozilla Foundation released its latest preview of Mozilla Firefox, available for download and ready to run.
As most of you probably already know, the Mozilla browser is great, but it’s also a huge software project, encompassing a Web browser, an email program, an address book, a Web page editor, and much, much more. Mozilla Firefox is an effort to pull out the browsing component, resulting in a faster, more focused, and more innovative Web browser. Its feature set is enviable: pop-up blocking, tabs, integrated search, an awesome level of customizability, and excellent support for Web standards.
But it has really shone (as has the Mozilla Project as a whole, actually) in the area of privacy and security. All software has bugs, and none is totally “secure”. As has been said so many times, security is a process, not a product. So I’m quite aware that Firefox has had security issues, and will have more in the future as sure as the sun rises.
In addition to a good track record in the past, Firefox and the Mozilla Foundation are taking a proactive approach to securing the Web browser in the future. The privacy and security settings available in Preferences are intelligent and effective, and the browser itself does not accept ActiveX controls, a key vulnerability in IE. Firefox uses XPI files to install themes, extensions, and other add-ons.
As people who care about security – and who so often work with people who care nothing about security – it’s our responsibility to spread the word about a better Web browser that does not constantly compromise the basic security of our computers and networks.
More info: http://www.securityfocus.com/columnists/249