Yesterday and today we’ve got a blizzard of web browser security updates:

Microsoft zealots are taking this as an argument to argue that all browsers are equally insecure, and therefore there’s no reason to switch (from IE) for security purposes (an advice which, on the other hand, starts spreading even on mainstream media).
This is quite a debatable statement, if you think about it.
IE’s vulnerability, being a zero day, is actively exploited in the wild by thousands of compromised web sites and puts several millions of users worldwide at risk, while both Firefox’s and Opera’s are still embargoed.
Firefox will be automatically updated for its users before bad guys can analyze and exploit the patched vulnerabilities. That’s effective patching. Opera is in a slightly worse shape, since its update mechanism is not fully automated (it requires user to manually download and install the new version). Microsoft already failed this time, because the vulnerability has been already known and exploited for more than one week.
Right, zero day situations can happen to any software product, and Opera and Firefox might face a similar shitstorm tomorrow. But, even so, there are some interesting differences:

  1. Patching policies: Microsoft implements a predictable monthly patching cycle. This is probably good for corporate IT departments, which can carefully plan the so called “black Tuesday” to minimize their troubles, but it’s also good for evildoers and security attention-bitches, who can carefully plan their exploits or disclosures to maximize their impact. Zero day critical vulnerabilities in three different Microsoft products have been disclosed immediately after last “black Tuesday”: is this really a coincidence?
    Firefox and Opera, on the other hand, issue security updates whenever they’re ready and tested.
  2. Agility: as everybody knows, Internet Explorer is tightly coupled with the underlying Windows OS platform, and this makes both mitigation and fixing more difficult. In this case, for instance, the suggested work-around required not just hardening the browser itself by blocking scripts and plugins, but also disabling a system-wide data access component (OLEDB): this affected not just surfing the web, with many sites inaccessible or malfunctioning, but also most Windows applications relying upon databases.
  3. Viable ad-interim mitigation: even if a browser vulnerability doesn’t involve system-wide components, mitigation until a patch is available almost always requires disabling JavaScript and/or plugin content (the latter is often used to circumvent security features like Vista’s DEP). On IE, such a work-around is hardly acceptable, since “Security Zones”, the mechanism available to selectively change the security level of certain pages, is very obtrusive and almost unusable (yes, way worse than UAC). Opera is friendlier, thanks to its “Site Preferences” which let user quickly change site permissions for JavaScript, Java, Flash and so on. Of course, only a minority of Opera users actually configure a default-deny policy, to selectively allow active content on trusted sites only. However, even those savvy users are suddenly out of luck, if they grant permissions to a site which is vulnerable to XSS: an attacker could circumvent script and plugin blocking by injecting his malicious code there, where it’s allowed to run. But if you use Firefox and you install NoScript, you get a safe default-deny policy configured out of the box and your trusted whitelist is effectively enforced notwithstanding site flaws, thanks to Anti-XSS Protection: JavaScript and other active content will run only where you want it to run.

To summarize: all the browsers can have vulnerabilities and equally need timely patching, but not all the users are equally vulnerable.

10 Responses to “Opera, Firefox and IE Security Updates: All Together, All the Same?”

  1. #1 Wladimir Palant says:

    It is worse than that. Internet Explorer is embedded in a number of applications. So for one, changes to Internet Explorer settings affect those applications (I remember reading that the recommended work-around of setting the security level to "High" breaks Secunia Psi). But this also means that any Internet Explorer patches might break those applications - which partly explains why it is so hard for Microsoft to release patches in a timely manner. I can really understand why MoCo isn’t too keen on opening this can of worms with a shared XULRunner runtime.

    PS: Interesting how one cannot comment in your blog without turning JavaScript off. Guess it helps keeping unwanted commenters out…

  2. #2 Giorgio says:

    @Wladimir Palant:

    PS: Interesting how one cannot comment in your blog without turning JavaScript off. Guess it helps keeping unwanted commenters out…

    Eh eh, it actually keeps out just people who insist in using AdBlock Plus as an improper script blocker :P
    Recaptcha (this popular captcha system, which is not a creation of mine) provides an IFRAME-based fallback for people with JavaScript disabled, and uses an AJAX API for those who have it enabled.
    Unfortunately, if you’ve got a mixed situation (i.e. inline scripts enabled and Recaptcha’s own scripts blocked), you’re treated quite harshly.
    That’s exactly what happens if you’re using AdBlock Plus’ 3rd party scripts rule. If you used NoScript, instead, you would probably have a better time and you would surely be safer ;)

  3. #3 Alan Baxter says:

    Microsoft zealots are taking this as an argument to argue that all browsers are equally insecure

    It’s worse than that. Ryan Naraine is even posting on his zdnet blog that Firefox tops list of 12 most vulnerable apps. He misrepresents the article he’s referencing.

  4. #4 Paolo says:

    "…disabling JavaScript and/or plugin content (the latter is often used to circumvent security features like Vista’s DEP)…"

    Hi,

    how does plugins bypass DEP feauture? Is DEP useless?
    Can you explain it?

    Thanks! (Ciao)

  5. #5 Giorgio says:

    @Alan Baxter:
    that’s a different (but equally ridiculous) story.
    See Johnathan Nightingale’s take on this matter.

    @Paolo:
    No, DEP is useful when it works. But each loaded component must opt-in for this kind of protection work in the browser, and many plugins are incompatible, sometimes for lazyness and sometimes for objective reasons: Sun’s Java Plugin and Adobe’s Flash Player, for instance, implement dynamic just-in-time compilation for Java and ActionScript, which couldn’t work if memory was protected (for obvious reasons, since they output executable code at runtime).

  6. #6 Ashok Koparday says:

    Hi Georgio,

    I am not sure what happened, but what I had typed vanished as the page changed. I am writing the comments again.

    In ‘Motivation’, you mentioned "_ _ _ Since I switched from MS Internet Explorer to a serious browser _ _ _". I presume it is FireFox, but I would like to confirm.

    Which OS do you use/prefer?
    I wish to shift from Windows XP to opensource OS. I have had persistent difficulty in intalling Ubuntu. Which free OS would you recommend?

    My experience with ‘NoScript’.
    I had uninstalled ‘NoScript’. It appeared to intefere in working and opening pages. You being a security pro I now believe that the permissions for pop ups, XSS have to be personally manually minded. Things ought not to be left for antispam/anitvirus to take care. Taking precautions at the entry point makes sense. I will have to become adept at using NoScript.

    The Geek Species
    Your interest ‘elegant software design’, I believe does not include elegant web design. Flashgot.net affirms that. It appears like a thrilled boy loading all that he has on a table (Cluttered). No offence meant, please.

    I wanted to see the hunan side of the Geek, a fascinating species, and enviable because of the magic they make.

    Free
    I was interested in the ‘Motivation’ topic also because you have kept your precious extensions free. I have been ridiculed for offering free (instead of fee) medical expertise ‘ASK DOCTOR’. I do not see donate and paypal icon on your site.

    The ‘free’ aspect is inspiring and if you can share more about it, I am keen to know.

    World Wide Web is relatively new to me. I have simple aim of giving to maximum people what I have in form of medical expertise. Web development, SEO, were words that I had not anticipated and I have been plodding without partnership with web developer. Where ever I peeped, I found loads of knowledge that I could use, until I realized that I was working more with the web technology aspect and my time for enriching medical content had become lesser. I must admit that by now it has become ‘default’ system of my work, and perhaps will stay till I get some help from a web savvy person.

    It has been pleasure meeting you.
    Have a great day, each day.

    Dr. Ashok Koparday
    December 19, 2008

  7. #7 Aerik says:

    Onboard the USS Mozilla: "Captain! We’ve detected some possible weaknesses in the hull in sections, x, y and z. We’ve already re-enforced it, should we tell the passengers how much we just saved their asses with a report?" "oh, why not. Thanks for telling me via the ship comm and not walking up here and wasting time."

    Mean while, on the P.O.S. Microsoft: "Captain, we just went through shallow waters and have a huge gaping hole near the keel from some rocks. What should we do?"
    captain: "Let’s wait and see how it really affects us. By the way, how long ago did this happen?"
    crewman: "Almost a week ago, sir. You would’ve been alerted immediately, but first we had to decide who’s job it was to acknowledge that it was a problem in the first place, then we argued about whose job it was to tell you. And I’d use the ship comm but it wasn’t cost effective, so I walked up here personally, but I had to stop and write graffiti on other people’s projects about how people in other projects suck at coding and making my job harder. Also, Wladamir Palant is a nazi."

    captain: "ah. Business as usual. Does anybody know?"

    crewman: "A guy who almost drowned got away and told everybody. Luckily we have them convinced that if you don’t say it’s true, it can’t be. 10 have died, but we managed to put the blame on the bleeding heart propaganda of the USS Firefox."

    "excellent"

  8. #8 Giorgio says:

    @Aerik:
    ROTFLMAO

  9. #9 GonzoHunter says:

    Re: the Firefox/IE/Opera smackdown, (Nice article, btw!), I am just the family’s computer maintainer, not a pro by a long shot. BUT, after a re-install of XP, it seems that IE (naturally making itself the default browser) will NOT let any others replace it.

    I used Firefox for yrs. without much problem (just some unruly add-ons & incompatibilies and the occasional whine from IE when I’d update Firefox as in "Are you SURE you don’t want IE as your default…bla-bla-bla..?). NOW, EVERY freaking time I re-install it (after several "Unable to load") messages, and though it’s listed as my default browser, I’m getting suspicious. Could Windows or IE block other browsers? I just dl’d and tried out Opera and liked it, before all this happened. Oh, my ‘net connection is through Verizon DSL.

    P.S. The reinstall of XP was necessitated by my huge mistake: I had uninstalled my Comodo firewall due to an update error,then stupidly forgot, fell asleep & left the computer on and connected to the Internet all night! The whole partition was corrupted.

  10. #10 botted says:

    What about a NoScript IPS feature specifically for the few critical- and high-risk zero-days that may be active and unpatched at any given time against Firefox and/or plug-ins thereof?

    Some content requires scripting, most external IPS catch-rates are far below 50%, and the Firekeeper project has not been progressing to even a beta version. Given certain recent enhancements to Firefox, would it be that hard for NoScript to check for a half-dozen, or less, exploits?

    PS Take the browser security test on the bcheck.scanit.be site and then check your computer’s software firewall log for a hint of how bad your external IPS is–unless your’s is from the one or two companies that make very expensive somewhat effective ones.

Bad Behavior has blocked 7086 access attempts in the last 7 days.