SECURITY

Zero-Day Browser Exploits, Part 2: The Continuing Debate



The debate rages over whether open source browsers such as Firefox and Konqueror provide better zero-day attack protection than proprietary browsers such as Microsoft's (Nasdaq: MSFT) Internet Explorer (IE) and Opera Software's Opera browser. Security experts line up on both sides of the discussion, often advising that neither open nor closed source browsers provide enough protection for worry-free journeys on the Internet.

Part 1 of this two-part feature compared proprietary and open source browsers. Part 2 addresses some of the factors to consider when choosing a browser.

All browsers are vulnerable to attacks depending on the state of the computer running them and the interaction of other installed software. However, some experts proffer that open source browsers such as Firefox are inherently more secure, if for no other reason than that exploits are patched more quickly and the smaller installed user base makes them less likely targets of hackers.

"Microsoft is no slouch in addressing vulnerabilities. IE remains the target of choice. It is extremely valuable for users to see the time frame of fixes for discovered vulnerabilities. Open source browsers provide a tremendous amount of transparency in fixing problems. They have complete visibility," Sunil James, security researcher for Arbor Networks, told LinuxInsider.

Factoring Variables

Much of the discussion over whether open or closed source browsers are more secure resembles a religious argument, suggested Steven R. Gordon, professor of Information Technology Management at Babson College. Regardless of which browser type users choose to believe is safer, they should consider several key mitigating factors.

The first is market share. Anyone wanting to launch an attack would like to affect the greatest number of computers possible, he said. One could argue on the one hand that IE is more vulnerable because there is more incentive to attack it than any of the open source browsers.

"On the other hand, one could argue that it is better to fly under the radar and attack a browser such as Konqueror because the attack is less likely to be detected and can therefore be carried out over a longer period of time," Gordon told LinuxInsider. "Where does Firefox sit? Its market share is not as small as Konqueror nor as large as IE, but it is probably large enough to generate incentives similar to those generated by IE."

Further Factors

The second is source availability. On the one hand, the availability of source code gives attackers a head start in identifying possible avenues for attack. On the other hand, it allows thousands of good Samaritans to identify possible vulnerabilities and propose fixes before the vulnerabilities are exploited, Gordon explained.

The third factor is feature complexity. The more types of files a browser can handle, the greater the opportunity for attack, because the code for handling each type of file is subject to different exploits, he said.

"For example, an April 2007 zero-day exploit that related to the way QuickTime files were read by Java affected Safari, Firefox and IE. Similarly, add-ins, which are accepted by most browsers but are probably used more by the open source community, provide another avenue of attack," he explained.

Reasons Exposed

One of the most prevalent arguments on the open versus closed source browser security debate is the eyeball factor. The argument states that since open source has far more eyeballs looking at code, the result is better code.

"But the counter-arguments are equally strong. If all the extra eyes are lazy and unschooled in security, then they are useless. Most look at code to tweak it, not to look for holes. Second, if code is kept secret, it is safer," Bob Walters, CEO of open source network gateway developer Untangle, told LinuxInsider. "If the code itself is security code, then the more eyes argument becomes more valid."

All tests fail to conclusively prove open source has fewer bugs. There is a similar bug count in both open source and proprietary browsers, according to Walters.

"Browsers are not security code. Writing browser code has been all about getting as much HTML code to display as possible. This is the opposite goal of security code writers," he explained.

No Silver Bullet

Vulnerability management solutions firm PatchLink sought a closer view of its customers' concerns over browser security issues in a recent survey. Responses from 250 customers revealed that the No. 1 security concern was zero-day vulnerabilities, Paul Zimski, director of product and market strategy at PatchLink, told LinuxInsider.

"An overwhelming majority of respondents -- 83 percent -- said that Internet Explorer was the application that they were most concerned about protecting. Yet IE is the de facto business standard," he noted.

Despite the improved vulnerability management available through third-party products, the survey revealed that the inability to effectively control user behavior and the shrinking time from vulnerability to exploit are the most significant challenges to combating zero-day threats, according to Zimski.

As a result, IT managers are trying to gain control through an increasing number of security products and time spent monitoring and setting policies, PatchLink's survey analysis concluded.

Fire Drill Strategy

Since IT managers are highly concerned about browser security, they are changing their tactics in order to be better prepared for a zero-day attack, according to PatchLink. For instance, 70 percent of IT managers completed fire-drill remediations within eight hours in 2007, compared to just 39 percent during the previous year.

In addition, 60 percent of the respondents supplemented their vulnerability management process to include both agent- and network-based vulnerability scanning, according to the survey. Half of the respondents said they have more than 10 agents currently installed to perform security and/or operations tasks. Sixty-six percent said they spend an hour or longer every day monitoring security and IT consoles, administering agents and updating security policies.

The survey also revealed that faster remediation and more comprehensive risk assessment and prioritization were helping organizations to proactively address browser and other security concerns. IT managers reacted much more quickly to emergency patches this year compared to last: 29 percent of organizations deployed critical updates within two hours during 2007, compared to just 14 percent in 2006.

Zero-Day Browser Exploits, Part 1: Is Open Source Safer Than IE?

By Jack M. Germain