Zero-Day Browser Exploits, Part 1: Is Open Source Safer Than IE?
Are open source browsers such as Firefox and Konqueror more secure than Microsoft Internet Explorer (IE) 7.0 and proprietary browsers like Opera? That is an age-old question, security experts say, with no clear-cut answer.
"In my opinion, you will never get a good answer to this question. This is a religious argument, especially as the statistics anyone cares to trot out apply only to the past," Steven R. Gordon, professor of information technology management at Babson College, told LinuxInsider.
Essentially, both browser types are free, making traditional budget-based purchase decisions void. However, more is at stake than free versus paid when it comes to browser security. Running a browser that is more susceptible to zero-day attacks and other vulnerabilities can cost users untold amounts of money in compromised computers and stolen documents and personal information.
Pro and Con
True believers will tell you that open source browsers are much less likely to be exploited by hackers. They will inevitably cite two primary reasons. One, the source code is readily available, so any vulnerabilities are plain to see and fix sooner. Two, open source browsers such as Firefox and Konqueror have far fewer users, so hackers have much less incentive to go after exploits to make money.
Microsoft evangelists will just as vehemently argue the easy availability of open source browser code actually encourages tampering. Now that Firefox is gaining popularity, obscurity is no longer a defense, insist fence-sitters.
"Microsoft has made major improvements in its security. It is not perfect and never will be. Neither will open source browsers," Paul Zimski, senior director of product and market strategy at vulnerability management solutions firm PatchLink, told LinuxInsider. "Zero-day attacks will continue to change. It is definitely an arms race. It comes down to using safe business practices to defend against zero-day attacks."
Chicken or Egg Quandary
A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. Zero-day attacks, however, are not native to specific browsers in isolation. Often, vulnerabilities in programs that tap into Web browsers for video and audio functionality are the culprits.
Compiling a definitive chronological list of the major instances of active (zero-day) attacks that exploited vulnerabilities in Firefox, Konqueror or other open source browsers, compared to the number and scope of attacks on Internet Explorer, is as reliable as a plan to accurately predict the future of computing.
The exploits are usually quite similar. The attacks on vulnerabilities of related programs typically found the same weaknesses in Internet Explorer, Opera and open source browsers, according to security experts.
"Open source versus closed source browser vulnerabilities are not easy to compare item for item. There is no one compilation tracked anywhere," Sunil James, security researcher for Arbor Networks, told LinuxInsider. "A study by Secunia found that IE had three times as many zero-day vulnerabilities reported over four years. But getting into numbers is a gray area." Secunia is a vulnerability intelligence and security software provider.
Most zero-day attacks go against normal computing activities, suggested Zimski. Those caught off guard in such attacks usually have not applied the latest upgrades and patches.
"Attacks on both types of browsers are essentially the same," Zimski said.
The most recent example of this zero-day attack commonality is two vulnerabilities discovered this summer involving an exploit in the IE handler that made both IE and Firefox susceptible to attack. It was mostly a problem when both browsers existed on the same machine, according to Zimski.
The two flaws involved conflicts with Internet Explorer. The vulnerability allowed attackers to execute arbitrary commands when users directed the Firefox browser to visit malicious Web sites containing a specially crafted "mailto" URI (uniform resource identifier) that includes a "percent" character and ends in a certain extension, such as ".bat" or ".cmd."
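A defender-side check for the URI pattern just described, added here as an illustration and not taken from the article or any vendor: it scans HTML for link attributes carrying a "mailto" URI that contains "%" and ends in ".bat" or ".cmd". The function names, the attribute list and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser

# Extensions named in the article; the tuple is meant to be extended (assumption).
RISKY_EXTENSIONS = (".bat", ".cmd")
# Attributes that commonly carry a URI (assumed list, not exhaustive).
URI_ATTRS = {"href", "src", "action"}


def is_suspicious_mailto(uri: str) -> bool:
    """True for a mailto: URI that contains '%' and ends in a risky extension."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "mailto":
        return False
    return "%" in rest and rest.lower().endswith(RISKY_EXTENSIONS)


class LinkCollector(HTMLParser):
    """Collects (line, tag, uri) for every flagged URI attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and decodes character
        # references, so an entity-encoded percent (&#37;) is still seen as '%'.
        for name, value in attrs:
            if name in URI_ATTRS and value and is_suspicious_mailto(value):
                self.findings.append((self.getpos()[0], tag, value))


def scan_html(html_text: str):
    collector = LinkCollector()
    collector.feed(html_text)
    collector.close()
    return collector.findings


# Constructed sample page; every address is a placeholder.
SAMPLE_HTML = """<html><body>
<a href="mailto:alice@example.invalid">ordinary contact link</a>
<a href="mailto:x%y@example.invalid/notes.cmd">flagged</a>
<a href="MAILTO:x&#37;y@example.invalid/run.BAT">flagged after entity decoding</a>
<a href="mailto:bob%40example.invalid">percent, but no risky extension</a>
<a href="https://example.invalid/100%25/setup.cmd">not a mailto URI</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, uri in scan_html(SAMPLE_HTML):
        print(f"line {line}: <{tag}> {uri}")
```

The same predicate can be run over URLs extracted from proxy or mail-gateway logs; a match is a reason to inspect the page, not proof of an attack.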
Typically, attackers use vulnerabilities to trick browsers into misunderstanding the intent of the requested action. The goal in making browsers secure is to have browsers fetch code and save it so outside influences cannot get to run it, Zimski explained.
The SANS Institute tracks Internet security issues. Earlier this year, the research company issued a report on the top 20 Internet security vulnerabilities in 2006.
Research conducted by the institute found that multiple zero-day vulnerabilities in Internet Explorer were continuing. The report also said that a rapid growth in critical Firefox and Mozilla vulnerabilities was taking place.
One of the biggest problems with IE's zero-day vulnerabilities, according to the SANS Institute, is its susceptibility to drive-by attacks when users visit Web sites set up to exploit vulnerabilities in IE that Microsoft hasn't yet patched or for which the user failed to install the patch. These vulnerabilities are responsible for many thousands of computers being infected with spyware and adware.
IE suffers from so many vulnerabilities -- some that Microsoft may never have publicly disclosed -- that the company had to issue separate Cumulative Security Updates for its browser in February 2006 and April 2006, the SANS Institute reported.
By comparison, Firefox and Mozilla users had to patch eleven vulnerabilities that can be exploited by a malicious Web page to execute arbitrary code on a user's system as well as several more critical vulnerabilities, according to the SANS Institute.
Which One Is Safer?
"Exploits on browsers date back to the start with Netscape and Mosaic. As far as IE is concerned, there have been a ton of them. But now IE 7 is stabilizing," Robert Hansen, CEO of security consulting firm SecTheory, told LinuxInsider. "Firefox is much better than IE with the speed of fixes. Also, people who use it are more knowledgeable [about security issues]."
The SANS Institute gives Firefox an edge over other open source browsers and IE.
"Firefox continues to be seen as somewhat safer than Internet Explorer, but it is no panacea," the report states.
Another viewpoint also supports the notion that open source browsers in general are safer, and Firefox in particular is better than Microsoft's proprietary browser.
"Open source browsers are inherently safer. They are not as widely adopted, and they are faster in being patched," Roger Thompson, CTO of Exploit Prevention Labs, told LinuxInsider. "Eventually, Firefox will become key. But it is wishful thinking to assume that Firefox will supplant MSIE. Redmond is too strong in marketing for that to happen."