When FireFox was becoming very popular around the 1.0 release, all of a sudden spyware started appearing specifically for FireFox. I’m sure a lot of those people who could not be convinced were shocked, especially since FireFox was said to be vastly more secure than Internet Explorer. I know people who installed and were using FireFox specifically because they were led to believe that FireFox’s security was superior to IE. Most of them realize today that this was a dangerous assumption to make, and that FireFox gave them a false sense of security. Especially considering the security vulnerabilities being frequently reported these days for FireFox. I’ll come back to this later.
Another thing people were saying was that Linux by design was more secure because the user never runs his computer as root, while on Windows users are administrators by default. I think they are forgetting that a virus or spyware program does not need root access or administrator access to cause harm to the user. It does not matter under what account the user is running, if he is able to visit websites and download software containing spyware onto his computer, his computer will get infected. If the user has full access to his files, so does a virus designed to delete his files. And it will not matter to that user if the damage to his computer is limited only to his files and not the operating system itself, or other users using that same computer. What will matter to him was that somehow a virus got on his PC and deleted his files. And that will be enough for him to blame everything on the lack of security of the OS or browser he is using. Even if it is Linux or FireFox.
These days I think people are beginning to understand what Microsoft was saying all along. The security issue is not just a problem with Microsoft and its products. It is an issue with software in general. It seems no matter how well you write software, you cannot always eliminate every single vulnerability. Yes, even FireFox and Linux have vulnerabilities, even though some people would want you to believe that they don’t because open source software development is superior. In fact, I’m sure you know by now that Windows Server 2003 won at the RSA conference a few months ago for having less vulnerabilities and for faster availability of security fixes compared to Linux! I’m sure that was a shocker for quite a lot of people.
The fact that it seems that Windows and IE have a lot more vulnerabilities is because of their popularity and large userbase, and as a result of that, large amount of attacks. And ofcourse the fact that Microsoft likes to warn users and publish info about these vulnerabilities, which is a good thing. Being transparent about these things is a step in the right direction of caring about, and keeping your users safe. Would you want a company to remain silent about the security holes in the software you are using, or would you rather have them tell you about it?
The organization released FireFox 1.0.1, which fixes 17 security flaws in the popular Web browser. The most serious flaws could allow an attacker to gain full control over a victim’s PC, the Mozilla Foundation says in a statement. Firefox 1.0 was released in November and has since been downloaded more than 27 million times.
False Sense of Security?
The public warning of the security vulnerabilities is evidence that the Mozilla Foundation’s products give a false sense of security, says Thor Larholm, a senior security researcher with PivX Solutions in Newport Beach, California.
“The only reason Mozilla and Firefox have a good track record in security with a low number of security vulnerabilities is simply because they don’t tell anyone about them,” Larholm says via e-mail.
“The Mozilla Foundation has fixed hundreds if not thousands of security vulnerabilities over the last few years without notifying the world and without providing security patches, instead they have simply just told their users to upgrade,” he says. “We have to remember that all software has security vulnerabilities, the only difference is in how we anticipate them and inform the world about their existence.”