Security Blog Log: Dissecting Firefox 2.0

This week, bloggers examine the security features of Firefox 2.0 and come away with mixed reviews. Does it fare better than Internet Explorer 7?


A couple of weeks ago, security bloggers picked apart the security features of the new Internet Explorer (IE) 7 and came away with mixed reviews. This week, IE's biggest rival got the same treatment.

Last week, Mozilla released its first big overhaul of Firefox in nearly a year. As Microsoft has touted the security upgrades of IE 7, Mozilla has boasted about the extra security muscle of Firefox 2.0.

Firefox users interviewed by SearchSecurity.com in the past week still believe it's a better browser than IE 7. But not all bloggers were impressed after downloading and dissecting Firefox 2.0.

The downside
For some, the biggest strike against Firefox 2.0 so far is that it already has a security flaw.

Making note of the flaw, a blogger with the online name "PeterWeter" wrote, "It looks like poor little FF 2.0 is really a step back, while IE 7 is not seeing anything as severe … Better to hide FF's failings lest people get the idea it is not a better alternative than IE 7."

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].


Given the blogger's comment, it should be noted that three security flaws have been reported in IE 7 since its release two weeks ago.

Meanwhile, the Listvine blog listed nine reasons not to upgrade to Firefox 2.0. Among the reasons to skip it, the blog said, "Antiphishing technology is both weak (blacklist based) and a potential privacy problem. The privacy issues are raised because Firefox 2.0's antiphishing features employ an engine previously released by Google, which has been shown to potentially cause privacy risks."

The antiphishing feature is also in the crosshairs of the hacking community. One flaw finder who goes by the online name Jungsonn used the SLA.CKERS blog to outline how IP encoding can be used to evade the phishing filter. He wrote that he found "some interesting things" about the feature, "some serious flaws IMO."
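The evasion described above works because a blacklist keyed on the literal host string never sees that a decimal, hexadecimal or octal spelling of an IPv4 address points at the same host as its blacklisted dotted-quad form. The following is an added example, not code from the column, the SLA.CKERS post or Mozilla, showing the defensive fix: canonicalise the host before the lookup. The blacklist entries are constructed, and `canonical_host` assumes the classic `inet_aton` rule that the last component fills the remaining bytes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def canonical_host(host: str) -> str:
    """Return any IPv4 spelling as a dotted quad; other hostnames lowercased."""
    host = host.strip().rstrip(".").lower()
    parts = host.split(".")
    if len(parts) > 4 or not all(parts):
        return host
    values = []
    for p in parts:
        if re.fullmatch(r"0x[0-9a-f]+", p):
            values.append(int(p, 16))        # hex component, e.g. 0xc0
        elif re.fullmatch(r"0[0-7]+", p):
            values.append(int(p, 8))         # octal component, e.g. 0300
        elif re.fullmatch(r"[0-9]+", p):
            values.append(int(p, 10))        # decimal component
        else:
            return host                      # not an IP literal: a DNS name
    # inet_aton semantics (assumed): leading parts are single bytes, the last
    # part fills whatever bytes remain, so "3221225985" is a 4-byte value.
    n = 0
    for v in values[:-1]:
        if v > 255:
            return host
        n = (n << 8) | v
    remaining = 4 - (len(values) - 1)
    if values[-1] >= 256 ** remaining:
        return host
    n = (n << (8 * remaining)) | values[-1]
    return str(ipaddress.IPv4Address(n))

# Constructed blacklist: 192.0.2.1 is a documentation address (TEST-NET-1).
BLACKLIST = {"192.0.2.1", "phish.example"}

def naive_is_blacklisted(url: str, blacklist=BLACKLIST) -> bool:
    """String-match lookup: misses every alternative encoding of the IP."""
    return (urlsplit(url).hostname or "").lower() in blacklist

def is_blacklisted(url: str, blacklist=BLACKLIST) -> bool:
    """Lookup after canonicalisation: all spellings resolve to one key."""
    return canonical_host(urlsplit(url).hostname or "") in blacklist

if __name__ == "__main__":
    for u in ("http://192.0.2.1/", "http://3221225985/", "http://0xc0.0.2.1/"):
        print(u, naive_is_blacklisted(u), is_blacklisted(u))
```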

The upside
Of course, plenty of bloggers were there to give Firefox 2.0 rave reviews.

One blogger with the online name Pasta2000 seized on reports of the security flaw and compared the total number of Firefox flaws with those in IE, using the tally kept by Danish vulnerability clearinghouse Secunia.

As of Oct. 27, he said Secunia had reported zero Firefox 2.0 flaws and two in IE 7. [Secunia raised the IE 7 number to three this week.] Comparing Firefox 1.5 with IE 6, he noted that Secunia had logged many more flaws for IE 6 than Firefox 1.5.

"As you can see, Firefox kicks butt over Internet Explorer when it comes to security," Pasta2000 wrote.

The Gizmodo blog offered a detailed comparison between Firefox 2.0 and IE 7, and Firefox 2.0 came out on top in most categories.

"In one corner we have IE 7. After 18 months of development and a shiny new set of tabs, he's in top shape and looking better than his predecessor ever did," the blog said. "That is, before he entered the ring with Firefox 2.0. Now he's just a cripple with fancy RSS reading."

Here are various points the blog made about the security features:

  • A welcome new addition in Firefox 2.0 is a dialog box informing users of cross-domain scripting, a tactic used by criminal hackers to link non-related sites to sites users think may be legitimate.
  • Firefox's default protection stops at comparing sites against a known blacklist of phishing sites, while IE 7 includes site analysis that will try to warn you about a suspicious site even if it's not yet on a blacklist.
  • IE 7 consistently failed to catch phishing sites less than an hour old, although it caught all phishing sites known for at least an hour or more.
  • Overall, the new IE has many more security fixes than the revised Firefox, but such fixes were necessary to address IE 6's vast array of holes.
  • With IE 7, the default security level has been raised from medium, which is the IE 6 default, to medium-high. There are now no security levels lower than medium.
  • The most important new security feature in IE 7 -- Protected Mode, which stops Web sites from changing a computer's important files or settings -- will work only in Windows Vista.

"The new IE is a solid upgrade, but it's disappointing that after five years, the best Microsoft could do was to mostly catch up to smaller competitors," the reviewer concluded. "Of the two rivals, Firefox remains the better application."
