‘Bug dampens Firefox spark’
Friday, December 16th, 2005
Apparently, Firefox has a bug.
It’s not the first. It won’t be the last.
Symantec do say, in their recently released Threat Report, that the Mozilla family of browsers had a higher number of vulnerabilities in the first six months of 2005 than Internet Explorer – and that a higher percentage of these were high-severity. So much for Mozilla and its supposedly ‘safe’ browsers.
What is clear is that there is more hype and spin around open source than many would like to admit. What isn’t clear is the extent to which it’s motivated by the software community’s jealousy of Bill Gates. I wonder if Mozilla’s failure is a leading indicator for the failure of the wider open source movement as well? If it is, there are significant governance and security implications for all organizations that have deployed open source software – as well, obviously, for anyone who has a financial stake in an open source-dependent operation of any sort.
Did I read, somewhere in the recent Symantec threat analysis report, that Firefox was reported as having had more reported vulnerabilities in the first six months of this year than did Internet Explorer?
Why am I not surprised?
I can’t resist noticing that Mozilla has a flaw (admittedly only rated as ‘moderately critical’) that is a mere seven years old.
Well, I guess that if Mozilla is serious about competing with Internet Explorer, it’s got to have at least as serious a set of vulnerabilities – and be as slow to do something about them as Microsoft was in the early days…
The Firefox spin is getting slightly more desperate. In a story about the security holes in Firefox, Mozilla’s director of engineering is described as arguing that the feedback they get from their user community – and which helps them identify flaws – proves that security isn’t an afterthought.
Forgive my slowness but, if security was a pre-thought in Firefox, why would they need the feedback? Either they did think about it, and did it badly – which is quite scary if you’re a Firefox user – or they didn’t think about it. And if they need the feedback to identify the holes they failed to identify in the first place, why do they pretend they’re different from the other lot – who they accuse of treating security as an afterthought? I wonder if they know how to use the words pot, kettle and black in a meaningful sentence?
The other lot at least have a systematic, reliable method of patching the holes once they’re discovered.
Apparently, the cleaner-than-clean, secure and safe Firefox from Mozilla has the odd flaw!
According to a report today, some ‘critical’ flaws in Firefox emerged over the weekend – and Mozilla quickly slipped out an update to put it right.
It’s not the first time, and it won’t be the last, that Firefox is proven to be flawed – it’s time to start looking at browser choices in terms of functionality, long-term future safety, backup, those sorts of things. When dealing with information security, it’s better to make informed, cautious decisions rather than to follow the hype… isn’t it always like that?
Like I said before, as Firefox gains market share, so the Malevolency will start targeting it – they may be proof-of-concept viruses and Mozilla may have issued updates a bit quickly – but, rather like the browser some of you love to hate, it’s ever clearer that Firefox has vulnerabilities that will be exploited as more of you take it up – you’ve just got to hope that Mozilla can do half as good a job as the other crowd at cranking out updates…
“Mozilla pays bug hunter $2,500 for Firefox flaw finds” is supposed to make any Firefox user feel happy? There’s an implicit admission that Mozilla can’t find the flaws itself – and an equally implicit recognition that the great open source model ain’t so hot. It’s not hard to imagine an enterprising bug hunter identifying flaws that Mozilla doesn’t want to pay for, and then blackmailing Mozilla…
It’s equally not hard to imagine Mozilla being overloaded with bug claims… at $500 a go, it’s worth trying to find some! And then how quickly will Mozilla fix them? And what’s the likelihood of someone else exploiting some of the identified flaws in the time during which Mozilla is fixing them?
We can certainly do with improvements to Internet Explorer – but let’s not pretend that Mozilla’s Firefox is the “safe alternative” – it’s a bit like claiming that Iraq today is a democracy.
Reports yesterday that Windows (specifically Windows Server 2003) trumped Linux on security issues is no real surprise – I’ve been saying for some time that the whole anti-Microsoft thing was just a combination of hype and jealousy, and it’s gratifying that more evidence is emerging that I was right!
Of course, the fact that Microsoft funded the research will be used to try and undermine the conclusions of the report – but that’s so obviously an ad hominem argument that I’m surprised anyone gives it much house room. The only meaningful response the open source community should be trying to make is to dispute the facts: it either is, or it isn’t, true that the Microsoft platform recorded 52 vulnerabilities against the Linux installation’s 174. (174? – wow!)
Once that claim is admitted or proved wrong, there’s then a possible discussion about the comparative seriousness of the vulnerabilities – and that’s the arena this conversation should be in. Anything else is just pandering to spin and hype – and look where that got us in Iraq.
A sensible article on Firefox in an enterprise environment leads to the obvious conclusion that anyone who buys a product in its 0.x or 1.0x versions ought not to be employed (or not for very much longer, anyway) in any organization that is even minimally risk aware.
And, frankly, you don’t have to be much of a contrarian to spot that Firefox isn’t much of a competitor for Internet Explorer. While the out-crowd hype has driven Firefox market share to 8.45% in a short space of time, IE still has 87.28% of the market. When Firefox started out, the IE share was about 96%. 1-0 for hype.
Now, ask yourself: if you were a criminal (hackers, crackers, and other malcontents included), and you wanted to attack websurfers, what would you target? The two or three browsers that, between them, have less than 5% of the market, or the single one that has about 96%? OK, so, given that both the professional and the amateur online criminal fraternities have been targeting IE for a few years, how many vulnerabilities do you think they may have found by now?
And, given our apparently insatiable mania for bigger, better, faster, cooler, NOW! – what’s the likelihood of new IE releases having new vulnerabilities?
In other words, browsers are always going to have holes, and the crooks are always going to focus on exploiting the holes. And they sure are – witness the flaw found last month in all browsers EXCEPT IE. Hmm.
So, on the one hand, we’ve got Microsoft – who’ve built a machine for cranking out updates and getting them to end users quickly and efficiently – and on the other, we’ve got Mozilla, who’ve got… how many guys actually working on fixes?
Of their nightly builds, Mozilla say this: “You will find bugs, and lots of them. Mozilla might crash on startup. It might delete all your files and cause your computer to burst into flames.”
Thanks. That’s a helpful warning.
Even Mozilla recognise that the hype is running out of steam.