Wednesday, November 26, 2008

Security and Internet Browsers – Firefox vs. Internet Explorer

by: Igor Pankov

Introduction

The Internet is becoming a more and more dangerous place to be, due in no small part to the inherent security risks posed by viruses and spyware. Additionally, applications that access the Internet as part of their normal operations may have errors in their code that allow hackers to launch attacks against the computer on which those applications are running. The safety and integrity of digital assets is further compromised by the fast-growing threat of cybercrooks who devise and implement large-scale hoaxes such as phishing and ID theft.

In the light of all this, it’s clear that users need a reliable and secure web browser between them and the Internet, which will be free of these problems and won’t let harmful content invade the computer.

The web browser industry continues to be dominated by the Windows-bundled Internet Explorer, with an 85% market share, but in recent years a new breed of free, more functional and resilient browsers has appeared – the most popular being Mozilla/Firefox and Opera. All have received serious security upgrades to help protect against recent scares and safeguard users online.

Internet Explorer is at version 6.0, essentially the same product that was included with Windows XP in 2001. Eighteen months ago, the release of Windows XP Service Pack 2 substantially increased IE safety; however, it did not eliminate many of the loopholes exploited by hostile program code. At present, Firefox is at version 1.5, but its very different development history (see next section) means that it can be considered at a similar level of maturity as Internet Explorer.

Currently, Microsoft is preparing its next-generation browser, Internet Explorer 7.0, which it plans to introduce sometime during the first half of 2006. The company has stated that it intends to make the browser stronger and more secure to help protect its users against the many problems that have dogged the software over the years.

We, along with Internet users everywhere, await the final results with interest. In the meantime, we decided to undertake our own security evaluation of both IE 7 (beta) and its closest rival, Firefox 1.5.

History and overview

Internet Explorer is a proprietary graphical web browser developed by Microsoft. In 1995, the company licensed the commercial version of Internet Explorer 3.0 from Spyglass Mosaic and integrated the program into its Windows 95 OSR1 edition. Later, it included IE4 as the default browser in Windows 98 – a move which continues to raise many antitrust questions.

Firefox is an open-source browser developed by the Mozilla Foundation; anyone who is proficient enough can collaborate in writing and improving its program code. Mozilla is known for its stringent approach to security, promising a bounty of several thousand dollars for any major vulnerability found in the product.

Security incidents and threat response

While no browser is perfect, major security lapses happened rather more frequently with IE than with Firefox. To be fair, Firefox has less than a 10% market share and is thus a rather less enticing target than IE; that’s probably also why security researchers focus much of their attention on the vulnerabilities of Microsoft’s browser, not Firefox’s. Some people have argued that if the market shares were reversed, bugs in Firefox would start appearing on a more frequent basis, as has recently been the case with Internet Explorer.

The open-source architecture of Firefox contributes to the overall safety of the browser; a community of skilled programmers can spot problems more quickly and correct them before a new release is available for general use. It’s been said that threat response time for Firefox averages one week, while it may take months for Microsoft engineers to fix critical bugs reported by security analysts – an unacceptable situation for users who remain unnecessarily vulnerable to exploits (hacker attacks) during that time.

From the threat response standpoint, Firefox is clearly the winner.

Security features

Phishing safeguard

New protection against financial fraud and identity theft has been incorporated into the new IE. A so-called “phishing filter” now appears on the Internet Options menu, which is intended to protect users against unknowingly disclosing private information to unauthorized third parties. Here’s how it works:

If a user visits a spoofed site which looks exactly like a genuine one – usually as a result of clicking on a link in a fraudulent email – the browser senses a phishing attempt and compares the site against a list of known phishing sites. If the filter finds the site is a phishing culprit, it blocks access to the site and informs the user of the danger of leaving his/her personal details on sites like this. The database of known phishing sites is updated regularly, and users have an option to report a suspected phishing instance to Microsoft for evaluation.
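As an added illustration, not part of the original article: a minimal blocklist check in Python of the kind the phishing filter described above performs. The blocklist entries and URLs are constructed sample values, not real sites; the canonicalisation step is the part worth noting, since a raw string comparison is easy to sidestep with userinfo, case or port tricks.

```python
# Added example (not from the original article): blocklist-based URL check
# modelled on the phishing filter the article describes.
from urllib.parse import urlsplit

# Constructed sample blocklist. A bare host blocks the whole site; an entry
# with a path blocks only URLs under that path prefix (shared hosting case).
BLOCKLIST = {
    "secure-login.example",          # entire host is a known phishing site
    "hosting.example/~acct/bank/",   # one account on an otherwise benign host
}


def _split(url: str):
    # Accept URLs typed without a scheme, as users and address bars do.
    return urlsplit(url if "://" in url else "http://" + url)


def canonical_host(url: str) -> str:
    """Lower-case, IDNA-encoded host with userinfo, port and trailing dot removed.
    Userinfo is dropped because 'http://bank.example@other.example/' is a
    classic way of making the real host look like the bank's."""
    host = (_split(url).hostname or "").rstrip(".")
    return host.encode("idna").decode("ascii")


def canonical_path(url: str) -> str:
    return _split(url).path or "/"


def check_url(url: str, blocklist=BLOCKLIST) -> tuple:
    """Return ('block', matched_entry) if the URL hits the list, else ('allow', None)."""
    host = canonical_host(url)
    path = canonical_path(url)
    if host in blocklist:
        return ("block", host)
    for entry in blocklist:
        if "/" not in entry:
            continue
        entry_host, _, entry_path = entry.partition("/")
        # Match the prefix only on a '/' boundary so '/~acct/bank/' does not
        # also block '/~acct/banking/'.
        prefix = "/" + entry_path.rstrip("/") + "/"
        if host == entry_host and (path + "/").startswith(prefix):
            return ("block", entry)
    return ("allow", None)
```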

We’re pleased to report that, even in beta, the filter appears to work quite well, correctly identifying half of the test sites we visited as phishing sites.

In Firefox, phishing protection is delivered through third-party extensions such as Google Safe Browsing (currently in beta for US-based users only; see http://www.google.com/tools/firefox/safebrowsing/index.html), which can be plugged in through the browser’s extension menu.

As additional protection against accidental phishing, the authors of IE have stated that they plan to make their product display the URL of every visited site. With IE 6, this capability was not available, and many pop-ups appeared with no address bar at all, so no address was shown. Unfortunately, in neither browser were we able to achieve more than a fifty percent URL display ratio; we trust that this percentage will increase as the release of IE 7 approaches and Mozilla continues to work on improving its functionality in this area.

Restriction of executable Web content

In the current version of IE, suspect websites have been free to install almost any software they want on visitors’ machines. While XP SP2 has dramatically reduced this possibility, many unnecessary add-ons and toolbars can still be easily installed by inexperienced users. IE 7 should provide more protection for naïve users, as it will offer to run in protected mode, thus restricting access to the host OS files and settings and making these critical elements of the computer inaccessible to malware.

The default setting for Firefox 1.5 is to have installation of extensions and add-ons disabled; the user must manually change settings in order to enable adding extensions to the browser.

There will always be a tradeoff between security and functionality, but security experts have always maintained that letting websites launch executable code within the browser without restriction creates unlimited potential for exploitation. IE 7 will offer much greater flexibility in configuring which external code will be permitted to run within the browser and what impact it may have on the OS.

ActiveX restrictions

Aside from some graphics enhancement of web pages, in most cases ActiveX is more damaging than beneficial. Many sites that serve up spyware and pop-up ads use ActiveX scripting technology, and ActiveX scripting in the Windows environment can be allowed to run unrestrictedly with administrator (root) privileges. Firefox 1.5 does not support Microsoft’s proprietary ActiveX technology and so the Firefox browser is more resilient against spyware infection.

In IE6, even with SP2, ActiveX is allowed to run by default, which automatically renders IE users less protected against the threat of spyware. In the upcoming IE 7, it is not yet known whether Microsoft will continue this approach, but early indications point to this being the case. This would be unfortunate, since the current approach is a clear security vulnerability.

Of course, IE users can manually disable ActiveX scripting on a particular website and let ActiveX be started automatically on all other sites visited. Or, vice versa, they can disable ActiveX scripting on most of the sites visited and permit it to run on a particular site. All this can be configured under the Security tab in IE’s Options menu. However, it is hardly realistic to expect Internet novices, who need the most protection, to do this.

Java, JavaScript and Visual Basic components

Java and JavaScript can be enabled and disabled by both browsers. Firefox allows users to specify permissions for particular actions performed by these scripts. IE 6 allows users to create a group of trusted sites to which global limitations on these scripts will not apply. In IE 7, more flexibility will be added that will lead users toward a more customized display of web pages belonging to a particular site; it appears Firefox also plans to introduce more flexible parameters.

Internal download manager

IE 7’s download manager will be revamped and will feature an option to pause and resume downloads – a feature not available in the current version. Users will be able to define specific actions to follow the completion of a download, and can check the newly-downloaded file with their anti-virus before running it. This approach is already in place with Firefox, so Microsoft appears to be playing catch-up here.

Encryption of data on protected sites

When you submit sensitive information, such as transaction details to a bank or financial institution, it travels in an encrypted form through a secure HTTP (SHTTP) connection. The information is encrypted by your browser and decrypted at the receiving end. The new version of IE will use stronger encryption algorithms to reliably transfer your data without the risk of being intercepted and deciphered by someone in transit. A padlock icon indicating that a user is on a secure site will be placed in a more obvious place than currently, and more detailed information will be provided to help visitors check the authenticity of such sites.

Firefox currently has a better-organized display of security certificates for its users, so clearly Microsoft has room for improvement.

Updating

Both browsers are updated automatically when new code is ready. Firefox has this update mechanism already in place, and for IE 7, it is expected that updates will be provided through Windows update technology.

Privacy enhancements

IE 7 will let users flexibly set what private data is saved, with settings that can be applied to different sites; users will be able to easily remove browsing history and other private details such as passwords, cookies, details submitted on web forms, download history, and temporary files. In IE 6, these files were stored all over the place, and users have complained that there is no clear way to delete this information. Firefox 1.5 already provides this capability.

Conclusion

IE 7 promises a lot of interesting security and privacy enhancements that will help users stay more secure. With the final release, users will receive a good, solid browser that, if Microsoft’s promises are fulfilled, will compete well on the security front. As we have seen, Firefox 1.5 is already a role model, and it will be interesting to see what lies ahead for this talented challenger.