By: Brien Posey
What would happen if Mozilla's Firefox suddenly became the browser that everyone was running? What would happen if it was as big a target for hackers and for virus and spyware authors as Internet Explorer is now? How would Firefox's reputation for security hold up? One has to wonder how secure a default Firefox installation is, and if there are things that can be done to make a Firefox deployment more secure.
IE is the bigger target
Firefox has long had a reputation for being more secure than Internet Explorer, but I wondered if that was more perception than reality. I will admit that Internet Explorer (you pick the version) is chock full of security holes if left unpatched. If you look at the types of patches that Microsoft has released for Internet Explorer over the last year though, you will notice that the majority of them address unchecked buffers and other relatively obscure vulnerabilities. It's just my opinion, but I think that the only reason Microsoft even has to worry about patching these types of vulnerabilities is because Internet Explorer is so popular and because it is a huge target for those with malicious intent. There is very little doubt in my mind that if Firefox were suddenly to become as widely used as Internet Explorer and all of the world's hackers started going after Firefox instead of Internet Explorer, similar obscure vulnerabilities would start to show up in Firefox just as they did in Internet Explorer.
Another issue that you can't ignore when looking at Firefox security is the fact that the Windows version of Firefox runs on top of the Windows operating system. For example, last July a bug was discovered that could allow a hacker to gain access to the local file system through the Firefox browser. I won't go into all of the gory details, but although the Firefox browser acted as an entry point, the problem had just as much to do with the Windows operating system and buggy Windows applications. A patch was created for the browser that prevents the bug from being exploited, but the point is that a browser is only as secure as the operating system that it rides on top of.
Given the arguments that I have presented so far, it probably sounds as though I am an Internet Explorer fan who just doesn't want to admit that Firefox is more secure than Internet Explorer. Actually, that's not the case. The fact that Firefox is a more secure browser than Internet Explorer is widely accepted, even among people like myself who traditionally gravitate toward Microsoft products.
Security is more than settings
One reason I believe that Firefox is so much more secure than Internet Explorer is because of its compact size. There is a fundamental law of computing stating that the more complex an application is (the more code that makes up that application) the greater the chance that the code will contain bugs or security holes. Firefox weighs in at a mere 5 MB in size. By way of comparison, Service Pack 1 for Internet Explorer 6 varies in size depending on which components are installed, but can be as large as 77 MB. Beta 1 of Internet Explorer 7 is just over 10 MB in size. As you can see, Firefox is a whole lot smaller than Internet Explorer and should therefore theoretically have fewer security holes.
So let's go back to my original question. If everybody in the world started using Firefox tomorrow and it therefore became a huge target for hackers and virus authors, how would Firefox hold up running an out-of-the-box configuration? To be perfectly honest, nobody knows for sure because Firefox has never been as popular as Internet Explorer. My personal thoughts are that Firefox would probably hold up just fine. It tends to be very secure running an out-of-the-box configuration, and there are actually relatively few settings that you can adjust to make it more secure.
There are several things that make me believe that Firefox would hold up pretty well if an all-out assault were unleashed upon it. For starters, unlike Internet Explorer, Firefox cannot become infected with spyware just because you visited a malicious Web page (to the best of my knowledge). Another reason why I think that Firefox would hold up pretty well is because it does not offer any support for VBScript or ActiveX. Many of the worst exploits against Internet Explorer have taken advantage of security holes in these two technologies. Likewise, Firefox does not use Microsoft's Java VM, which has a history of having more security problems than other Java VMs.
One last reason why I think that Firefox is more secure than Internet Explorer, and this is a biggie, is because it is not integrated as a part of the Windows operating system. If someone did manage to hack Firefox, there is little chance that they could take control of the entire machine because Firefox is simply an application, not a part of the Windows operating system.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This was first published in January 2006