Stuart J. Johnston, over at PC World's Bugs and Fixes column, does a fabulous job confusing and unnecessarily alarming Firefox users, while at the same time conflating the valuable contributions being made by the ethical security researcher community with the malicious activities of "bad guy" hackers.
That's quite an accomplishment in just 500 words.
Getting those column inches hammered out every month can be hard work, but when the obvious result of an article is that readers will walk away less informed than before they read it, it's time to consider a different approach or a different topic.
This particular piece should never have made it off of the author's laptop and definitely shouldn't have made it past an editor's desk. PC World, IDG, and Stuart Johnston are all better than this, and their readers deserve more.
Many people are switching from Internet Explorer to alternative browsers such as Firefox and Safari. Though that might make them feel more secure, the shift has also opened new doors for bad guys.
More users may make a particular program a more inviting attack target for the bad guys, but in the case of Mozilla's Firefox, more users and our open and responsive process also makes it a more inviting research target for the good guys. Yep, there are good guy hackers too, and it's those good guys working in concert with Mozilla developers that are finding and fixing the vast majority of Firefox security issues.
So, in the case of Mozilla's Firefox, more users may actually be helping to shut the door on bad guys, rather than, as Mr. Johnston claims, opening new doors for them.
Case in point: We have no IE bugs to report this month, but both Firefox and Safari have been hit hard.
If by "hit hard" the article means to communicate something like "this month security researchers and developers contributing to Mozilla's open source Firefox project have found and deployed fixes for several new potential vulnerabilities, shoring up Firefox's defense against malicious hackers and denying them new attack vectors," then sure, Firefox was "hit hard."
Unfortunately, I don't think that's what the article was implying.
So forget the idea that just because you've switched to a new browser, you're magically safer.
There's no magic here at all. Firefox has a long track record of being more secure by design, more responsive to security issues, and less often targeted by bad guys than I.E. Taken together, those factors really do mean that because you've switched from I.E. to Firefox, you are safer -- no "magically" about it.
You may be for a time, but to stay safe with any software, you need to keep current with fixes.
And here we have the only line in this entire article that could conceivably help users. Unfortunately, it's not in a context where it's likely to be taken that way.
This is one more area where just a bit more research would have resulted in an entirely different article or no article at all -- depending on the author's motivations.
With Firefox, users don't have to worry nearly as much about keeping current with fixes as they do with other browsers, I.E. in particular.
Firefox has the best record in the industry, not just for finding and fixing issues quicker, but for getting those fixes in the hands of users faster.
Thanks to Firefox's well designed update mechanism, 95% or more of our users are automatically updated to the latest secure version in less than a week.
That kind of information could have provided the context to make that one informative point actually useful to readers.
In a somewhat dubious recognition of Firefox's growing popularity, hackers have focused their attention on it, leading to a rash of newly discovered holes.
If by "hackers" the article is referring to Mozilla developers and ethical security researchers who work together to keep Firefox users safe, then sure, "hackers focused their attention on Firefox."
If, however, as it appears from the overall tone of the article, it means to suggest that Firefox users should be alarmed and worried that bad guys have discovered a bunch of new Firefox holes and users are in great danger, then no, not so much.
In an actual attack--neither the Safari nor the Firefox bugs have elicited one so far--a bad guy could take over your PC or steal your navigation history.
In an actual attack, Firefox users would be protected because the vulnerabilities were discovered and fixed by the good guys and rapidly deployed to virtually all Firefox users weeks before Mr. Johnston's article hit the Web.
With this paragraph, we also finally get the buried lede and the admission that should have killed this entire story. Bad guys are not attacking Firefox (nor, apparently, Safari), and all of the FUD from the previous four paragraphs falls apart by the author's own admission.
A month ago, with the help of some amazing security researchers, Mozilla found and fixed half a dozen problems and deployed those fixes to pretty much every Firefox user out there. In the time between those discoveries and the appearance of Mr. Johnston's article, there have been no reports of any of those flaws being used to attempt attacks against Firefox users -- attacks that would fail thanks to the Mozilla developers and the security researchers that Mr. Johnston calls "bad guys" and "hackers."
What a waste and what a shame for those people who, having read this article, are now more alarmed and less informed about security than they were before.
Security is a complex area and it takes real effort to learn about all of the factors that interact in determining security outcomes. It simply doesn't lend itself to quick bean counting analysis or casual headline-skimming research.
It's also a critically important topic because a fundamental necessity of a safer Internet is that users have a clear understanding of how it actually works.
Security-related articles and headlines constructed with over-simplifications, fear-mongering, and outright misrepresentations not only don't inform readers, they actually slow the progress to a more secure Internet.
Posted by: Mr Lizard | April 26, 2008 5:10 PM
Another thing in this article doesn't really make sense:
> Think you're safe because you don't have Safari?
> You may have it without realizing it. Apple now
> distributes its browser with iTunes updates.
> Forget to uncheck a box in one of these updates,
> and it's there.
While that's very true, I'm not quite sure how browser vulnerabilities are exploited without the browser being launched.
Also: How serious are vulnerabilities in Excel of all things? Do people really still download and open untrusted Word and Excel document files in a world where PDF exists for anything that's intended as public content?
Posted by: Ben Basson | April 26, 2008 6:53 PM
Oh, and I'm also pretty sure that as of Friday, 2.0.0.13 was not the latest version of Firefox.
Posted by: Ben Basson | April 26, 2008 6:57 PM
the article sounds like a paid smear piece to fool an unwitting public.
Posted by: the constant skeptic | April 28, 2008 7:27 AM
Great post Asa. You concisely correct each statement, and I hope articles like this can be challenged more forcefully in the future, as alarming potentially millions of users on line with false information is harmful to the web.
Posted by: Kris Silver | April 29, 2008 10:03 AM
lol, so it now becomes a game of dogs bite dogs, the IE fanboys bash Firefox with some nonsense, and the Firefox fanboys counter with as much nonsense as the IE fanboys. It seems the Firefox fanboys now have a reality distortion field as powerful as the (in)famous reality distorter Steve Jobs himself.
> So, in the case of Mozilla's Firefox, more users may actually be helping to shut the door on bad guys, rather than, as Mr. Johnston claims, opening new doors for them.
Nope, more users don't necessarily "shut the doors" on bad guys as much as they don't necessarily "open new doors" for them. Open source is nice, and the contributors are among the greatest people in the world, but it's no panacea to security issues. The number of tech savvy people who can contribute to Firefox is not unlimited, and those tech savvy people are definitely not using IE already. Those who still use IE after all these years, when far better alternatives like Opera and Firefox are available, are mostly users who know nothing about tech, and converting them to Firefox is not likely to increase the number of contributors. So more users for Firefox from now on won't really help increase contributions to Firefox and "shut the doors on bad guys" much, if any, at all.
> Firefox has a long track record of being more secure by design, more responsive to security issues, and less often targeted by bad guys than I.E.
less often targeted by bad guys than I.E. Yup. more responsive to security issues? if we go by the stats in Secunia, then Firefox is not exactly more responsive to security issues than IE. more secure by design? umm... I'd say it would be better if you could explain yourself more instead of some empty statements that don't mean anything. You should explain what you mean by "by design" better with hard facts and numbers instead of hollow words.
> A month ago, with the help of some amazing security researchers, Mozilla found and fixed half a dozen problems and deployed those fixes to pretty much every Firefox user out there.
that doesn't exactly sound too secure when suddenly half a dozen security problems pop out. Also I don't know how that's supposed to mean Firefox is better than IE, as for IE it's not really that uncommon that quite a lot of security problems are discovered and fixed in one month.
> In the time between those discoveries and the appearance of Mr Johnston's article, there have been no reports of any of those flaws being used to attempt attacks against Firefox users
How does that mean anything? I don't think any browser, whether Opera, Firefox, Safari, or even IE, will still be vulnerable to security flaws after they have been, um, fixed.
> In an actual attack, Firefox users would be protected because the vulnerabilities were discovered and fixed by the good guys and rapidly deployed to virtually all Firefox users weeks before Mr. Johnston's article hit the Web.
Only a lame "bad guy" would do an "actual attack" with a security vulnerability known to be fixed weeks ago. And he'd be too lame to be even called a "bad guy", and that would be more of a "joke" than an "actual attack". No one can completely protect you from real "bad guys", and Firefox surely can't. Actually Firefox will hardly protect you at all, being just a browser. Anti-virus software and firewalls will protect you much, much, much better.
> With Firefox, users don't have to worry nearly as much about keeping current with fixes as they do with other browsers, I.E. in particular.
> Firefox has the best record in the industry, not just for finding and fixing issues quicker, but for getting those fixes in the hands of users faster.
Again, just some hollow words that are nothing more than some fanboy's ad propaganda. I'd like to see you provide some hard facts on how Firefox has the "best record" in the industry, compared to Opera, Safari, Konqueror, or even IE. AFAIK no one needs to worry about keeping current with fixes as long as you don't specifically UNCHECK the automatic update option. As long as you have Windows auto update enabled, IE will always be updated with the current fixes, the same as Safari and Firefox.
> What a waste and what a shame for those people who, having read this article, are now more alarmed and less informed about security than they were before.
If that teaches them that Firefox is not a security software and they should find some proper anti-virus and firewall software to protect themselves, I don't see any problem in it.
> It's also a critically important topic because a fundamental necessity of a safer Internet is that users have a clear understanding of how it actually works.
> Security-related articles and headlines constructed with over-simplifications, fear-mongering, and outright misrepresentations, not only don't inform readers, they actually slow the progress to a more secure Internet.
Indeed, for a more secure Internet, users should be more informed to get themselves some real security by installing real security software like anti-virus and firewalls, and/or switch to Linux, instead of being misinformed by misrepresentations of Firefox as a security upgrade, something that would protect them from "actual attacks" from "bad guys", which it is not.
Posted by: Waleof Suous | April 30, 2008 3:10 AM
>that doesn't exactly sound too secure when suddenly half a dozen security problems pop out. Also I don't know how that's supposed to mean Firefox is better than IE, as for IE it's not really that uncommon that quite a lot of security problems are discovered and fixed in one month.
Firefox is about 3 million lines of code, and a browser is by far one of the most complicated pieces of software to write today. There will always be security issues in browsers if they are going to render anything more than text. Firefox works with people to solve security issues; more often than not the IE team dismisses an issue as not being a security issue until there's a real life exploit.
>Only a lame "bad guy" would do an "actual attack" with a security vulnerability known to be fixed weeks ago. And he'd be too lame to be even called a "bad guy", and that would be more of a "joke" than an "actual attack". No one can completely protect you from real "bad guys", and Firefox surely can't. Actually Firefox will hardly protect you at all, being just a browser. Anti-virus software and firewalls will protect you much, much, much better.
Some of the biggest attacks on IE and Windows have come months after the security hole was patched. You have a very naive understanding of the security world; I don't think someone writing a worm, virus, trojan, spyware, malware or adware cares much if you think they are "lame". Also, good user behavior should mean that an anti-virus program is never needed, assuming a browser protects you from malicious web code. I've not had a virus scanner installed on this XP machine in 2 years now and never had a problem, but then I'm the only user who uses it, so I know better.
Posted by: Damian Shaw | April 30, 2008 5:01 AM
Waleof, your faith in anti-virus software reveals enough about your lack of understanding of the security context of contemporary computing and the Internet that it's really not worth going much further in rebutting your comments, but because you took the time to write it all out, I'll take a few minutes to set you straight.
>Nope, more users don't necessarily "shut the doors" on bad guys
>as much as they don't necessarily "open new doors" for them.
Had I said that it necessarily shut doors on bad guys, you might have a point. But, if you'll read more closely, I most certainly did not say that more users necessarily shut the doors on bad guys. I said, and you even took the time to quote me, that more users "may actually help" shut doors on bad guys. It's a pretty far stretch from "may actually" to "necessarily does".
>Open source is nice, and the contributors are among the greatest
>people in the world, but it's no panacea to security issues.
And where did I say that open source was "a panacea to security issues"? Can you provide the quote where I said that, or even suggested that? No, you probably cannot, because I never said or even suggested that open source (or anything else, for that matter) was a panacea for security issues. Anyone selling you a panacea for security issues (like the anti-virus vendors you think so highly of) should be laughed at or ignored.
>The number of tech savvy people who can contribute to Firefox is
>not unlimited,
I did not claim that they were. I hinted, and our contributor data backs it up, that more users have meant more contributors. Our contributors are scaling quite nicely with our user growth. What I actually said, though, was that more users makes Firefox a more interesting research project for more security researchers.
>So more users for Firefox from now won't really help increase
>contributions to Firefox and "shut the doors on bad guys" much,
>if any, at all.
You can make that assertion, but you'd be wrong. Firefox contributions are scaling quite nicely with Firefox user growth. I'll leave it up to readers to determine which of the two of us would be in a better position to know about the growth of the Mozilla community.
>more responsive to security issues? if we go by the stats in
>Secunia, then Firefox is not exactly more responsive to security
>issues than IE.
Actually, if you analyze that data, which apparently you haven't, you'd see that Firefox's average response time is orders of magnitude better than IE's response time and that Firefox users are vulnerable far fewer days than IE users as a result. If you want to read some analysis, try this link.
>more secure by design? umm... I'd say it would be better if you
>can explain yourself more instead of some empty statements that
>doesn't mean anything.
Our design intentionally excludes the often demanded support for ActiveX (something that has been coded and could be included if we were foolish or took security less seriously.) That alone should be sufficient, given this:
Among the most commonly-exploited Web-oriented technologies were browser plug-ins, particularly those using ActiveX. Over the second half of 2007, Symantec documented 239 browser plug-in vulnerabilities... 79 percent of those vulnerabilities affected ActiveX components....
>that doesn't exactly sound too secure when suddenly half a dozen
>security problems pop out.
Web browsers are complex pieces of software that must cope with a wide range of content produced by people with varying skills, tools, and motivations. It will probably always be the case that given sufficiently talented and dedicated examination, a half dozen potential vulnerabilities could be discovered in a pretty short period of time. It happens quite often when we develop a new tool or technique for finding those potential problems.
With Mozilla, you can have the confidence that we put more effort into finding (and fixing) those issues than the bad guys, and you really can't say that with any certainty about the other browser vendors. Here's a quick test. Look over the vulnerability lists for Opera, Safari, and IE. Then look over the vulnerability list for Firefox. Notice anything interesting there? I sure did. Every single vulnerability reported as found and fixed in Opera, Safari, and IE is attributed to someone not employed by Opera, Apple, or Microsoft. Is that because they don't have anyone on payroll trying to find problems (or those people on payroll aren't competent enough to find problems)? Or is that because they don't tell you about the ones they find and fix internally? You'll never know.
I'll say it again and I'll wager that you can't find any serious security researcher who would disagree. All complex and internet connected software has security holes. How many are found has more to do with the abilities and number of people looking than anything else. At Mozilla, we have a whole lot of talented good guys looking. Who knows about the other vendors.
>I'd like to see you provide some hard facts on how Firefox has
>the "best record" in the industry, compared to Opera, Safari,
>Konqueror, or even IE.
OK. Read this. Firefox can update 95% of its entire userbase in less than a week. No other major browser vendor can match that.
>As long as you have Windows auto update enabled, IE will
>always be updated to the current fixes, the same as Safari
>and Firefox.
That's not what the data says. There are a lot of factors besides whether the switch is on or not. One major factor is that Microsoft often doesn't even offer the fix until enough days have passed that they've arrived at another "patch Tuesday." That means that if someone reports a critical security issue to Microsoft on patch Tuesday and Microsoft fixes it in a week, IE users have to wait three more weeks before it's even offered to them. Then they often have to wait for a Windows restart, which they may or may not agree to for some additional length of time.
At Mozilla, we don't wait three weeks after we have a tested fix just to stay "on schedule" like Microsoft. We care more about our users' safety than we do about making life a little bit easier on IT departments.
And there are obviously other factors but if you just look at the data, you'll see that the results most assuredly put Firefox at the front of the pack when it comes to keeping users up to date.
>How does that mean anything? I don't think any browser,
>whether Opera, Firefox, Safari, or even IE, will still be
>vulnerable to security flaws after they have been, um, fixed.
Then you're either not reading carefully or you really don't understand how software works. Just because a browser vendor has created a fix does not mean that users all have that fix. There's a difference between the metric "time to fix" and the metric "time to deploy". Even after the software vendor has made the fix available via a software update system, not every user will have the update installed and applied.
>Only a lame "bad guy" would do an "actual attack" with a security
>vulnerability known to be fixed weeks ago.
And here's where you make it clear that you really don't understand the Internet security landscape. The overwhelming majority of attacks being pushed today are against known and fixed problems. Just because the problem has a fix available does not mean that every user has that fix. With most software products, it takes not weeks, but months to get most users upgraded with the fix. That's plenty of time for the bad guys to craft and deploy an exploit. There are tools available today that let attackers auto-generate attack packages the day a software fix is released. The tools compare the old version of the software and the new version and use that information to figure out what the flaw was that was being patched and then uses that information to craft an exploit for that flaw. Every day that users don't have the fix installed is a day that users will get exploited. That's precisely why we put so much effort into getting the fix deployed as fast as possible. That's precisely why our winning track record in this area matters so much.
If you're not following Internet security close enough to have even a basic understanding of the kinds of exploits that are being successfully deployed, why should anyone trust anything you've got to say on the matter?
>If that [article] teaches them that Firefox is not a security software
>and they should find some proper anti-virus and firewall software to
>protect themselves, I don't see any problem in it.
You don't see any problem because you don't know much about Internet security. I'm not trying to be insulting here, but you've made it pretty clear that you don't understand how any of this actually works. Security, as I said in my initial post, is a complex area with a lot of factors at play. Your attempts to reduce it all to making sure updates are turned on and anti-virus software and a firewall are installed demonstrates that you really don't know much about the Internet security landscape.
Firefox has a well-documented track record of providing users with a more secure Internet experience than IE. The article that this blog post covered was just about as uninformed as your comments here. The main difference is that article came from a "journalist" at a well respected website so I hold it up to a higher standard than random blog commenters.
- A
Posted by: Asa Dotzler | May 1, 2008 12:11 AM
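The reply above separates "time to fix" from "time to deploy" and argues that a calendar-driven release schedule plus slow user uptake multiplies the days users spend exposed. The model below is an added example, not code from the original post or from Mozilla: it computes the next second-Tuesday release date for a fix that is ready on a given day, and sums the unpatched fraction of users over each day after disclosure. The dates and the two deployment curves (95% of users patched in 7 days versus in 90 days) are constructed assumptions for illustration, not measured data.

```python
"""Exposure-window model: "time to fix" versus "time to deploy".

Added example, not from the original post or from Mozilla.  The release
dates and deployment curves are constructed assumptions, chosen only to
illustrate how a fixed monthly cadence and slow uptake inflate the number
of days an average user stays vulnerable after a flaw becomes known.
"""
from datetime import date, timedelta


def second_tuesday(year, month):
    """Second Tuesday of the month (the "Patch Tuesday" release day)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_scheduled_release(fix_ready):
    """First Patch Tuesday on or after the day a tested fix is ready.

    A vendor that only ships on that cadence holds the fix until then.
    """
    candidate = second_tuesday(fix_ready.year, fix_ready.month)
    if candidate < fix_ready:
        year, month = fix_ready.year, fix_ready.month + 1
        if month == 13:
            year, month = year + 1, 1
        candidate = second_tuesday(year, month)
    return candidate


def patched_fraction(days_since_release, days_to_95pct):
    """Share of users running the fix t days after it was offered.

    Assumed exponential uptake, parameterised by the day on which 95% of
    users have the fix; nobody is patched before the release day.
    """
    if days_since_release < 0:
        return 0.0
    return 1.0 - 0.05 ** (days_since_release / days_to_95pct)


def exposure_user_days(disclosed, released, days_to_95pct, horizon_days=120):
    """Expected vulnerable days per user, counted from the day the flaw is
    known (disclosed) until the horizon.  Each day contributes the fraction
    of users who still do not have the fix."""
    total = 0.0
    for n in range(horizon_days):
        day = disclosed + timedelta(days=n)
        t = (day - released).days
        total += 1.0 - patched_fraction(t, days_to_95pct)
    return total


def compare_release_policies(reported, fix_ready):
    """Scenario from the reply above: flaw reported on a Patch Tuesday, fix
    tested a week later.  Returns vulnerable days per user for three
    assumed policies so the two factors (cadence and uptake) can be read
    separately."""
    scheduled = next_scheduled_release(fix_ready)
    return {
        "ship_when_ready_fast_uptake": exposure_user_days(reported, fix_ready, 7),
        "wait_for_cadence_fast_uptake": exposure_user_days(reported, scheduled, 7),
        "wait_for_cadence_slow_uptake": exposure_user_days(reported, scheduled, 90),
    }


if __name__ == "__main__":
    reported = second_tuesday(2008, 4)          # assumed: 2008-04-08
    fix_ready = reported + timedelta(days=7)    # assumed: fix tested a week later
    print("scheduled release:", next_scheduled_release(fix_ready))
    for policy, days in compare_release_policies(reported, fix_ready).items():
        print(f"{policy:32s} {days:6.1f} vulnerable days per user")
```

The interesting comparison is between the second and third rows: holding the fix for the next calendar slot adds a block of fully exposed days for everyone, and a slow uptake curve then stretches the tail for months, which is the window that exploits against already-fixed bugs live in.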
And let's not forget the cases where Mozilla was able to roll out a protective fix in Firefox before the vendor with the actual bug was able to fix their own code.
Mis-using the registered command-line in QuickTime:
http://www.mozilla.org/security/announce/2007/mfsa2007-28.html
WindowsXP+IE7 broken registered protocol handlers:
http://www.mozilla.org/security/announce/2007/mfsa2007-36.html
Both were bugs in the other program, admitted by the vendor (Apple and Microsoft) and eventually fixed in their own code -- but not until Firefox users had already been protected by a Firefox update.
Posted by: Dan Veditz | May 1, 2008 6:56 PM
If Mozilla were a for-profit, it could sue for spreading mis-info like this.
Not that I'm suggesting Mozilla goes for-profit ;-)
Asa, assume this has been taken up for For The Record?