I’ve talked about Internet browser security briefly before, but I thought it might be best to follow up with a common-sense commentary on why I favor Firefox over other browsers.
On March 18, 2009, TippingPoint’s Charlie Miller, for the second year in a row, hacked an Apple OS X-based laptop in mere seconds. The source was an unpatched vulnerability in Apple’s browser, Safari. Safari ships pre-installed on every Apple computer, just as Microsoft’s Internet Explorer is pre-installed on every Windows-based computer.
Since then, Apple has released exactly ZERO patches to their browser to address the vulnerability. A similar vulnerability in the Firefox browser was exploited at the same time at the Pwn2Own competition and, in contrast to Safari, Firefox was patched nine days later. Firefox has subsequently had a second security patch release less than a month later for other discovered vulnerabilities.
So why hasn’t Apple responded as quickly? It boils down to numbers: development resources, and probably a judgment about whether the exploit’s attack vector can actually be used in practice.
For the Safari exploit two things had to happen: the exploit had to be embedded on a website that people would visit, and then the hackers had to actually get you to go to that site. The latter is pretty easy to do because of all the Pavlovian responses hackers get through specially crafted emails. Actually installing the exploit on a website without being caught is pretty hard to do. Servers have logs. Logs create a fingerprint of who did what to a server. Even if the hacker attempts to erase the logs, there are other ways to “sniff” who came from where to attack the server in the first place. In most cases, to get to a server the hacker has to jump through more hoops to stay masked than the payoff justifies: the risk isn’t worth attacking the server.
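To make the “logs create a fingerprint” point concrete, here is an added example (not code from the original post) that parses web server access-log lines and summarizes, per source address, which requests could have altered content on the server. It assumes the Apache/nginx “combined” log format; the log lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed; adjust the pattern for your server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2009:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 4512 "-" "Mozilla/5.0 (Macintosh) Safari/530.17"
198.51.100.23 - - [18/Mar/2009:10:02:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows; U) Firefox/3.0.7"
198.51.100.23 - - [18/Mar/2009:10:03:01 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 812 "http://example.test/wp-admin/" "Mozilla/5.0 (Windows; U) Firefox/3.0.7"
203.0.113.7 - - [18/Mar/2009:10:04:30 +0000] "GET /news.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Macintosh) Safari/530.17"
198.51.100.23 - - [18/Mar/2009:10:05:10 +0000] "PUT /uploads/promo.js HTTP/1.1" 201 0 "-" "curl/7.19.4"
"""

# HTTP methods that can change server-side content.
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def fingerprint_by_ip(entries):
    """Group requests by source address: total request count, every write
    request (timestamp, method, path, status) and the user agents presented."""
    summary = defaultdict(lambda: {"requests": 0, "writes": [], "agents": set()})
    for e in entries:
        s = summary[e["ip"]]
        s["requests"] += 1
        s["agents"].add(e["agent"])
        if e["method"] in WRITE_METHODS:
            s["writes"].append((e["ts"], e["method"], e["path"], e["status"]))
    return dict(summary)


def ips_that_changed_content(summary):
    """Addresses that issued at least one write request; a review of
    'who altered what on this server' starts here."""
    return sorted(ip for ip, s in summary.items() if s["writes"])


if __name__ == "__main__":
    fp = fingerprint_by_ip(parse_log(SAMPLE_LOG))
    for ip in ips_that_changed_content(fp):
        print(ip, "agents:", sorted(fp[ip]["agents"]))
        for ts, method, path, status in fp[ip]["writes"]:
            print("   ", ts, method, path, status)
```

A single address that both logs in with a browser user agent and then uploads a script with a command-line client is exactly the kind of trail the post refers to; even if the attacker later deletes this file, the same picture is usually still available from a reverse proxy, a log forwarder or the web host’s own records.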
So back to Apple’s “arrogance” (as others have called it). Apple doesn’t see the risk as being high, and they have limited resources. Patches generally take a while to produce when using limited corporate resources. If you dedicate resources to defects and vulnerabilities, then you are taking them away from new innovations and new products.
This is always a problem in closed-source software. In one past project I took over, the software had so many bugs in it that we had problems turning out a new release with the much-needed critical mission-oriented functionality. All of my resources were too busy addressing software defects. The source of the software defects was poor configuration management and software quality testing practices by the incumbent development firm, coupled with a corporate culture at the client that refused to allow the incumbent to swap out resources that knew how to use automated testing tools… even though the tools were free.
Contrast the limited-resources problem with Open Source Software (OSS), which has thousands of developers and testers coupled with well-managed testing and configuration management practices. Put simply, OSS is limited only by the number of people contributing and the maturity of the software development management practices being used.
Number of Apple OS X developers vs. number of Firefox developers: Firefox wins.
What Firefox can’t prevent is the risky end-user behavior… but that is another conversation for another time.