Friday, December 09, 2005

Target: Firefox?

By Dan DiNicolo

This year will almost certainly go down in Web history as the Year of the Firefox. The open-source browser ended up the greatest beneficiary of the barrage of bad press aimed at Microsoft Internet Explorer and its various security vulnerabilities. With the ever-present threat of spyware, it's little surprise that so many users have made the switch to what is now widely considered to be the "safe" Web browser, at least compared with IE.

Alas, "safe" is relative. There's little question that IE has taken many people for a bad ride. Malicious ActiveX controls and various security holes have resulted in dangerous toolbars, keyloggers, and dialers being installed on millions of PCs. Unfortunately, many users believe that switching to Firefox is enough to keep them safe. That's just not the case.

As of October, there are approximately 86 known security vulnerabilities targeting IE 6.x users and 25 facing those running Firefox 1.x, according to the security firm Secunia. While Firefox does a better job of protecting against current spyware threats—a result of its lack of support for ActiveX—the browser-security landscape is ever-changing. Dig into the details of existing Firefox issues and you'll find threats that allow remote users to access and control your system, launch denial-of-service attacks, leave you vulnerable to phishing, and even spoof dialog boxes to trick you into performing unintended actions. These are similar to the issues that have put IE users at risk for years.

Though Firefox doesn't expose your PC to many current spyware threats, you can expect that to change. The year 2005 saw the birth of the first malware threats designed to infect Microsoft Windows systems via any Java-enabled Web browser, including Firefox. In one case, visiting an infectious Web site (with Sun's Java Virtual Machine running) launched a Security Warning dialog box prompting users to install a "signed" applet from Integrated Search Technologies (the developers of spyware known as Istbar). If the user clicked Yes—as required to gain access to the site's content—a whole range of pests was installed on his or her system. Interestingly, these exploits didn't infect Firefox directly; instead, they lodged themselves in the user's IE browser, regardless of whether it was actually running.

Blaming Firefox in this particular case would be an injustice—other browsers running Sun's JVM were equally at risk. But the exploit does show that any Web browser—especially when combined with careless surfing and "active" technologies like ActiveX or Java—can be used by malicious software developers as a gateway to infecting user PCs.

The Firefox development community does a speedy job of addressing threats as they're discovered, and that gives cause for hope. But Firefox users are still well advised to plan for the worst. The more popular the browser becomes, the more likely it is to become a major target.

Users should commit to keeping Firefox properly updated. To do that, keep an eye open for blue, green, or red arrow icons in the upper-right corner of the browser window. Clicking these buttons will list all available updates and let you install them. Try also to limit your exposure to potential risks associated with "active" technologies like Java; look to Firefox extensions like PrefBar that let you control these functions for individual Web sites.

Speaking of extensions, always install them with caution; third-party extensibility provides a perfect vector for new threats, as many IE users have learned the hard way. Researching user opinions and experiences with extensions before installing them is probably a good idea. And pay more attention to what you're doing while surfing the Web—if you're being prompted to take an action that seems suspicious or unnecessary, it probably is.

Dan DiNicolo is a freelance writer and author of the forthcoming book PC Magazine Windows XP Security Solutions.
