Should IE Stay or Should IE Go?

We test Internet Explorer and Firefox for business security issues.
Don't go ripping out Microsoft's Internet Explorer just yet.

IE certainly has proven vulnerable to attack in the past, and the constant patching to add the latest security updates can be a nuisance. The CERT coordination center last year even warned people to stop using Internet Explorer. And the Mozilla Foundation's Firefox has been getting a lot of buzz lately--to the tune of 25 million downloads in fewer than 100 days on the market.

But our testing of both browsers shows that choosing one is not an easy decision--particularly in an enterprise environment. IE's vulnerability to attack might in part be because it's rich in features and thereby presents a larger "attack surface." On the other hand, Firefox's perceived edge in security comes with a price: fewer features and a possible inability to access some Windows-based Web applications.

So before you make a decision about ditching IE, weigh the trade-offs. One compromise to consider is using IE internally and Firefox for pure Web browsing.

Security Testing
Our hands-on test focused on security rather than ease of use. Our IE 6.0 implementation ran on a Windows XP client (a WinBook Pentium 4 with 512MB of RAM) with Service Pack 2 and the latest Microsoft updates. With the help of VMware Workstation, we installed Mozilla Firefox 1.0.1 on the same system inside its own virtual machine. This test machine was connected to the Internet through a 384-kbps DSL line.

We used the browsers side by side for a variety of tasks such as reading public Web sites, checking e-mail with Microsoft Outlook Web Access, and accessing our Apache-based Web server to reach internal resources and management tools. Additionally, we tried surfing to known hacker Web sites to see how the browsers would behave when under attack.

Accessing conventional Web sites, such as CNN.com or Yahoo, gave similar results. Both browsers block pop-ups and offer a variety of plug-ins to support additional forms of data such as Macromedia Flash or Adobe PDF files.

However, the key difference is that because IE contains Windows-related features that are not available in Firefox--ActiveX, .Net, Active Server Pages--using some Web-based applications with Firefox is difficult, if not impossible.

Both IE and Firefox have facilities to digitally sign plug-ins. However, the signature feature is not ubiquitous, and users are quite likely to accept and execute unsigned and potentially dangerous code.

This is why you should back up your browser with an intrusion-prevention system or adequate antivirus software (ours was running F-Secure's Anti-Virus Client Security) that can detect, send notifications of, and/or block malicious code that arrives through the browser.

Firefox Fundamentals Better?
So does Firefox's architecture make it fundamentally more secure? We found that Firefox is not necessarily a more secure browser implementation. It simply has fewer features to attack.

It supports fewer and less-complex scripting mechanisms, so writing powerful, dangerous code inside a Web page that can attack it is not as easy.

It is not tightly integrated with any particular operating system--there are fewer ways the browser uses operating system-specific features. That means less of a chance for an exploit to use the browser as an interface into the underlying OS.

Also, the open-source nature of the code sometimes, but not in a guaranteed manner, provides more peer review of the code and faster turnaround for fixes to vulnerabilities.

Business Needs IE
It's not realistic to think that your organization can totally stop using IE, especially if your users must access servers that employ the rich features it supports over an internal network or through the public Internet.

Can you start selectively using Firefox? If you have a purely browser-based environment, with standards-based scripting and plug-ins, then you can consider this.

Will it make your environment perfectly secure against browser-based attacks? No. Firefox--like other browser alternatives--is not perfect, but the attack surface can be reduced significantly if you use fewer complex features, such as sites that deliver ActiveX through Web pages.

If your network comprises thousands of users, then this can be a difficult change to execute. On the other hand, it makes sense to compare the cost of securing IE with add-on client security products or intrusion-prevention devices with the cost of simplifying/standardizing your browser-based infrastructure.

What to Do?
The risk of a browser-based attack against an enterprise network is significant. From a risk management point of view, it is definitely a good idea to look at alternatives to IE purely based on the sheer number of clients running that browser. But the environment might not let you remove it, as your organization may have built up access to necessary internal resources using Microsoft's technology based on IE.

One possible solution would be to mandate the use of Firefox for external access and to reserve IE for inside-the-enterprise use. Policy-enforcement tools can help implement this sort of a mandate.

Security measures external to the browser, such as application firewalls, intrusion-detection and prevention systems, and the use of policy enforcement systems to ensure that clients access only trusted Web sites, are also considerations for addressing the browser risk.

Common Attack Scenarios
Attacks against browsers generally fall into three categories. Round 1: protocol attacks against content processed directly by the browser. Round 2: attacks against active scripting language running within the browser environment. Round 3: attacks against data delivered through the browser but processed by a plug-in or other component, such as a Dynamic Link Library that provides image display services.
Round 1: Slight advantage: Internet Explorer. IE and Firefox are both potentially vulnerable to attacks via Web site content they process directly. IE is less vulnerable in this area, probably because Microsoft has put so much work into securing its browser in response to all of the hacker activity targeting it. But theoretically, because they both process essentially the same HTML datastream format, either browser could be attacked in this manner.

Round 2: Advantage: Firefox. In the second category, IE provides ActiveX, JavaScript, and many other mechanisms to execute code delivered through Web pages, such as Visual Basic scripts or Active Server Page and .Net content. Because there are more ways to write programs for delivery through the browser, Explorer is more susceptible to attacks in this manner. This is the downside of all those sophisticated features that work in a pure Microsoft Web environment.

Round 3: No advantage. Both browsers support plug-ins, which, independently of the browser, can be vulnerable to attack. A recent example is the RealOne plug-in vulnerability. While this vulnerability was specifically found within Explorer, the problem lies in the plug-in, and there is no technical reason to assume this sort of problem will not happen someday with Firefox.

Source

I may disagree with the writer of this review on some points, but then let's not forget that IE, on a business level and for personal use, is still not the browser of choice. At the end it's the consumer who makes the choice, and we have seen that a lot are forced to use it as there is no better alternative to it.
 
Okay, at the moment I cannot be bothered going through all that, but I will go through it some time, AlPacino. ;)

Okay, firstly, IE has pretty much branded itself as a very unsafe brand, so I don't think many people are going to be using it. Programmers, designers and other such people have lost their entire data on the PC due to vulnerabilities in IE. It's all over the internet: programmers and designers posting in their blogs that because of IE they lost their entire data and had to miss out on school trips and other such stuff just to get everything back to normal.

IE has ruined itself, it has no one to blame but itself.
 