We’ve got two bits of good news and one bit of bad news about Mozilla’s Firefox web browser. Starting with the bad news: in 2008, Firefox suffered from considerably more reported security holes than Internet Explorer and Safari. The first bit of good news is that Mozilla was much faster at patching zero-day flaws, according to a report by Secunia, and Firefox’s zero-day flaws were also less severe than those of IE. The other bit of good news is that Firefox’s upcoming TraceMonkey JavaScript engine is so good that the next Firefox release has been bumped from 3.1 to 3.5.
In 2008, Firefox faced 115 reported security flaws, nearly four times as many as any other popular web browser: Microsoft, Apple, and Opera reported 31, 32, and 30 security flaws in their respective browsers. It is worth noting, though, that Firefox is an open-source product, and security flaws may therefore be dragged kicking and screaming into the light of day more easily than with its closed-source brethren. Still, whether that can account for such a major difference is debatable, at best.
As noted, there is good news on the security front for Firefox as well. In 2008, Internet Explorer faced six zero-day flaws, two of which were rated “moderate” or “high” in severity. Firefox faced only three zero-day flaws in 2008, and none of them were rated moderate or higher by Secunia. Mozilla also responded much faster to its zero-day flaws than Microsoft did: three of IE’s remain unfixed (the higher-rated flaws were fixed, though).
The other bit of good news is TraceMonkey’s excellent performance, which, according to BetaNews, approaches that of Safari 4. BetaNews believes that further down the development line of Firefox 3.1/3.5, it will be a neck-and-neck race. As a consequence, Mozilla will bump the version number from 3.1 to 3.5 for the next Firefox release.
Does anyone have a release date for Firefox 3.5? I’m liking the betas in that they are faster, but I have run into a few problems. Give me that faster script engine!
About JavaScript parsers: in an interview with one of the main JavaScript evangelists (sorry, I don’t remember the name) he gave his opinion about the optimization of JS in browsers. His answer was that it was a good thing, but it wouldn’t really make much of a difference, because the bottleneck is in the DOM, and it is in DOM optimizations where users would notice the difference in speed.
Edit: I don’t remember the name but he is the creator of JSON.
Edited 2009-03-06 16:28 UTC
Douglas Crockford. http://www.crockford.com/
It still makes a big difference for JavaScript as a platform, rather than JavaScript as a front end. The new engines make things like SproutCore and Cappuccino seem like the way web development is going, rather than stuff like Flash, Java, or Silverlight.
Remember guys….
Firefox is also Open Source (yes, Safari’s engine is, but it’s still proprietary). All of Firefox’s known vulnerabilities are announced publicly, without hesitation. The same cannot be said about Microsoft or Apple, and that has been proven.
I really don’t like these types of ‘reports’, as they generally reward closed applications, *ahem* Microsoft products, who enjoy hiding known vulnerabilities and patch the ones THEY deem appropriate. At least the report wasn’t totally in Microsoft/Apple’s favor, but still seems one-sided to me.
Yeah, I totally agree. And I’m sorry, you could throw all the numbers at me you wanted about how many security flaws were found, and blah blah blah, but it will be a cold day in hell when I actually FEEL or BELIEVE I am more secure browsing in IE than Firefox (or Opera, Safari, Chrome, Konqueror, …, for that matter).
I specifically mentioned the open source argument and what it could mean for the skewedness of the report. What more would you have me do?
read this: http://blog.mozilla.com/security/2009/03/06/beware-the-security-met… .
The main takeaway is that Mozilla publishes every security problem that they fix, whereas the other players only release the ones that are discovered and published by third parties. So that’s 115 security issues discovered by mozilla compared to 35 (or whatever) issues discovered and published by secunia/white hats/etc.
It’s an absurd metric and should only be brought up to be disparaged.
somehow i have a hard time to believe that just because something is opensource only good people are searching for bugs in it…
Exactly, and the speed of reaction doesn’t really do anything about the whole time the hole was there undetected.
Edited 2009-03-06 18:39 UTC
As time goes on, and more and more faults float down the OSS stream, I find myself starting to come around to Daniel Bernstein’s way of looking at things. The authors shouldn’t get off the hook for fixing it fast. They should get a big black eye for having released the flawed software in the first place. The situation will not change as long as they can release crap and then get a big public pat on the back for fixing those things that happen to be found and reported to them. How about the stuff that doesn’t get reported to them? Remember when, years after we had been bragging about how “many eyes make all bugs shallow”, Michal Zalewski demonstrated just how unbelievably poorly Firefox was actually doing?
http://www.securityfocus.com/archive/1/378632
http://it.slashdot.org/article.pl?sid=04/10/19/0236213&tid=113
It took literally *years* to patch that one, because it was the result of a general problem with their process and focus, and not some particular detail that could be patched.
And yet the steady flow of FF exploits continues; The process and focus have, apparently, not changed.
Edited 2009-03-06 19:16 UTC
Yeah, except all browsers but IE failed that test, which means what? That lazy, inept web designers can go on putting out their broken HTML because IE will permit it rather than making these idiots get it done right.
It means that only Microsoft’s browser was doing proper input validation on data originating from untrusted sources. Presumably, the devs of the other browsers did not know that they were supposed to do that, or did not care enough to do it.
Edited 2009-03-06 19:48 UTC
I ran across this one reading a GNOME article a while back; it blew my mind. It was a non-trivial fix for a highly visible, very annoying issue, and it took 7 years for the GNOME team to fix it.
http://bugzilla.gnome.org/show_bug.cgi?id=56070
I would like for everyone to know that just because there is a flaw in the code and the code is open, doesn’t mean you will ever find it viewing the code casually. First you must understand the code and be able to successfully look for flaws. And you need to find them before the good guys that do know the code do!
As an example, check out the 25-year-old UNIX bug!!!
http://osnews.com/story/19731/The-25-Year-Old-UNIX-Bug
So I wouldn’t get all paranoid yet!
If they can find holes in closed source, then they will be more likely to find them in open source; don’t underestimate those guys.
As soon as any attack actually surfaces (meaning that someone “nasty” has found a bug, and written an exploit) … there are literally thousands upon thousands of people who can see and test the source code of Firefox, who know how it works, and who can see how it was attacked, and whose own strong self-interest is to find a way to fix the vulnerability.
It wouldn’t surprise me if tens of solutions were offered overnight, in many cases. It would then be a matter of testing to decide which of them was the best one.
there are literally thousands upon thousands of people who can see and test the source code of Firefox, who know how it works
Where do you get those stats? That isn’t even the number of committers to the source tree, and most of them are translators and not developers.
There are an estimated 1.5 million OSS developers worldwide.
Many of them are testers, and as you say translators, or artistic designers, not all of them commit code.
The figure of thousands for firefox is a guesstimate … but not at all an unreasonable one for firefox to have input from say 0.3% of those 1.5 million OSS developers.
And across how many open source projects are they spread?
Good question.
Debian has something like 23,000 (or so) packages.
Mind you, there is no reason why any given developer couldn’t be involved in several projects at the same time.
So where were they during the years of Mozilla development, and later Firefox development, before Zalewski’s simple random mangling demonstration showed just how unbelievably chock-full of buffer overflow bugs the codebase was? And for all those years, none of the devs had a clue. Everyone was too busy bragging about how “secure” Firefox was to notice.
Here we have what is likely the most well known FOSS project in the world. (As many eyes as you’re going to get.) And we also have pretty much the ultimate evidence debunking the whole “many eyes makes all bugs shallow” myth.
In the pattern of many myths, it sounds reasonable on the surface. And people have certainly parroted it quite a lot. But upon closer inspection, the actual evidence reveals it to be false.
News Flash! Reliable sources report that the Emperor has been arrested on charges of indecent exposure on the palace grounds.
P.S. There’s no point in directing me to the CaTB site yet again. I read it back when it was new. And the parts of it that were crap then are still crap now.
Edited 2009-03-07 17:01 UTC
To call this a myth is to be completely and utterly blind to the track record of open source.
It is more than just “many eyes makes all bugs shallow” also … open source brings far more benefits than that over closed, proprietary, written-for-big-business-interests software.
Here are some of them:
http://www.linfo.org/reasons_to_convert.html
Having many eyes on the code does a heck of a lot more than just make bugs shallow.
“All of Firefox’s known vulnerabilities”
I read that to mean “known to the project” or “posted to the bug reports site”. Exploitable vulnerabilities found by those with criminal intent kinda remain unknown vulnerabilities until they choose to make use of them. I’d give all platforms and software that same grace; if it’s only known by the criminally inclined then it’s still an unused 0day.
wow.. seems this comment was not liked by the masses.. anyone spot the specific reason. I’m not here counting thumb-ups, just curious as to why pointing out that developers can not fix bugs they are not aware of (hence, 0day and stockpiled bugs) is so off topic or offensive to others.
I extend the same opinion to any other software branding as I did here with Firefox; if the bug is not known to the publisher (e.g. not reported by a malicious cracker saving it for criminal intent), why is it not an unknown vulnerability still?
The vulnerabilities that concern me are the ones known by the people with the skill or access to correct the flaw but are left unpatched for whatever reason the software developer believes justifies such negligence.
I guess we’ll see with the IE/Firefox vulnerabilities sprayed across eBay over the last few weeks. FF doesn’t have a once-a-month release schedule and MS Patch Tuesday is tomorrow; let’s see who corrects the issue first.
Anyhow, thumb-down the comment all you like. I’d just be curious to know why so as to at least be given the chance to defend my opinion.
I did like that it accounted for patch times. I think a higher reported number of bugs patched faster is well within the expectation.
Its the arguments where the only consideration is announced bug counts that completely ignore any real value.
The “so good” link is broken. Can someone please fix it?
Tom
I believe this was a typo. “so good” should actually read “so late”.
For those interested,
http://www.betanews.com/article/Firefox-31-could-catch-up-to-Safari…
Any flaws found by anyone who would want to share the information about them were fixed fast, and updates by users were installed very fast as well.
Just take a look at a graph showing browser share of Firefox 2 and Firefox 3: something like 85% changed from Firefox 2 to Firefox 3 in less than a month’s time. IE takes 2 years to get people from IE6 to IE7; just imagine how fast updates are being installed as well.
Here is what “Auzy” was saying about Safari in a forum related to a different story, just yesterday (http://www.osnews.com/comments/21089):
“Safari isn’t really known for its stability.. ”
It seems that the reality is quite different, isn’t it? So any comment, Auzy, or shall we just consider that you were really trolling?
“Firefox is also Open Source (yes, safari’s engine is, but it’s still proprietary). ”
Wait, why proprietary? Just because Apple represents 81% of the contribution to the code of WebKit does not make it proprietary. What are you talking about? The development is totally open, the source code is totally open and the contribution is totally open. Where does the proprietary come in here?
I mean, check the facts before you say something.
http://webkit.org/coding/contributing.html
http://webkit.org/building/checkout.html
http://trac.webkit.org/browser
Edited 2009-03-07 04:21 UTC
I believe he means safari, not webkit.
Webkit is open, and I doubt 81% of the code is from Apple. I believe KHTML was very usable when Apple took it.
But Safari is not Webkit, like MacOS-X is not BSD. They take open source software with a weak license and they proprietarize it.
It appears here, sadly, that the focus is on the count of newly discovered flaws rather than the total outstanding flaw count.
Of course, I can’t really find much compiled information regarding total counts of open exploits :-(…
If anyone could come up with this information, it would certainly be more important than newly discovered non-critical exploits.
Of course, I’ll take a dozen minor flaws that allow crashing the browser (virtually all Firefox flaws have been of this nature, or merely reading bookmarks or the like) over one critical flaw that allows crashing Windows… or hijacking the machine… or installing a virus… or whatever an evil heart should so desire (like virtually every IE bug of which you may hear).
This brings me to a unique little observation… how is it that IE has so many critical flaws and so few minor ones? I don’t see how a bias would exist here, and I don’t think Microsoft would have the sway to hide it…
I simply think it MUST be that Firefox is open source, has many eyes on the code, and is gaining in popularity to the point that it has become a large enough target for the ‘big boys.’
Just my thoughts…
–The loon
As far as I know, many security flaws in closed source software are mainly discovered by security researchers and/or people with malicious intent, apart from the company itself that develops the software in the first place. Such work is relatively difficult, and it is generally difficult (though not impossible, see http://it.slashdot.org/article.pl?sid=09/02/24/0032201) to fix these problems unless you have the source. Such work by external parties is usually done *only* because of the malicious aspects/impact of the bugs.
Minor ones are therefore not that interesting.
Open source essentially lowers the bar for finding such bugs, but it also invites people to find non-security related flaws as well; this broadens the spectrum of interest immensely (you’ll attract more than only the evil exploiters and researchers trying to beat those, but also developers that want to improve things in other ways), and (last but not least) you can fix problems yourself relatively easy by submitting a patch: helping out really matters in that case.
The severity (impact) of the bug is usually not related to the difficulty of finding or solving the bug in question: you can make simple mistakes with a huge security impact, and seemingly subtle mistakes can crash a program when you press some buttons in a weird way, but such a flaw is not really exploitable. This goes the other way around as well, of course.
The question, indeed, is how many flaws there are in some program (this is difficult to tell), and not how many flaws are *known and reported*. This depends on the intent of the audience that finds those bugs, and the fact that there are many minor/medium issues found in Firefox tells something about the audience of reviewers.
Edited 2009-03-07 08:20 UTC
The more popular it becomes, indeed, the bigger target it becomes (particularly the version that runs on Windows, and hence has a softer infrastructure beneath it) … but also, in turn, the more popular it becomes, the more people (many times more) who have a strong interest in using it, protecting it, and hardening it to be even more secure.
The first effect is common to all software, but that latter effect is unique to open source, by its very nature.
Edited 2009-03-07 13:20 UTC
Are these Firefox vulnerabilities purely on Windows?
I don’t mean to start a troll about Linux/BSD/Solaris/OSX being secure when Windows is not…
But,
If Firefox on these platforms is not suffering from the same flaws, then surely the fault is not with the application itself, but with the underlying infrastructure it has to work with?
The more different browsers, the harder it is to attack.
It’s like virii. The more different systems there are, the more difficult it is to propagate.
I think what most people take issue with is demonstrated simply by reading the title of this news piece. It should really read:
“Firefox Reported More Flaws in 2008 and Fixed Them Faster”
It’s impossible to say who actually “faced” more bugs, especially when the other browser dev teams don’t report internally discovered ones. Maybe it was supposed to read “…Faced Up to More Flaws…”?
Its like two farmers reporting how many apples they picked to the tax man. The first farmer says “I picked 1000 and here they are”. The second says, “Well my neighbors say they saw me pick 500 and there are 500 in these bins here. The tax man says “what’s in that big barrel behind you?” “Barrel?” replies the 2nd farmer. “Oh, that barrel! Nothing…at least no apples I mean.” “Smells like apple juice” says the tax man. “Must have taken a lot of apples to make all that juice.” “Hard to say for sure”, says the 2nd farmer.