Mozilla has shipped twice as many security patches for Firefox as Microsoft has for Internet Explorer so far this year, giving IT administrators reason to wonder whether unsupported browsers, which aren't as simple to patch, should be allowed on their Windows client desktops.
Microsoft has released only three security patches for Internet Explorer this year, while Mozilla has released seven for Firefox. Most recently, Mozilla reported that a bug in the handling of certain very long Unicode strings caused crashes, but said the bug is not exploitable. Apple has released four for Safari, according to Eric Schultze, chief technology officer at Shavlik Technologies, a Roseville, Minn.-based patch management software company.
"That could indicate that IE has been more secure than the others during this time -- though that could be debated ad nauseam," Schultze said.
That's not to say Internet Explorer (IE) doesn't still have vulnerabilities of its own. Just this month, Microsoft issued a security patch for a critical vulnerability in the Microsoft Video ActiveX Control that allowed remote code execution if a user viewed a specially crafted Web page using IE.
Microsoft's IE has famously been a popular target of Web attacks over the past decade. But IT pros can use Windows Update and Windows Server Update Services (WSUS) to keep Internet Explorer up to date on client systems across the enterprise. Third-party browsers, such as Apple Safari, Google Chrome and Mozilla Firefox, have an update process built into the browser itself, but they require third-party update management software for enterprise-wide patch management.
"Many organizations have implemented Microsoft's free WSUS patch management application, which does Microsoft patches only. This means they'd have a better shot at installing the IE patches vs. the Firefox or Safari patches," Schultze said. "[Mozilla, Google and Apple] updates don't favor the enterprise as they don't have centralized management or reporting like is found in WSUS."
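The gap Schultze describes is easy to make visible on a single client. The following PowerShell script is an added example, not code from the article or from any vendor it names: it inventories the browsers installed on a Windows machine by reading the standard Uninstall registry keys (machine-wide, 32-bit-on-64-bit, and per-user) and reads the Internet Explorer version from its own key, then labels each entry with how it gets patched. Assumed: Windows PowerShell with read access to HKLM; the `Patching` labels are the example's own wording, not registry data.

```powershell
# Added example (not from the article): list installed browsers on this Windows client
# and flag the ones WSUS will not patch. Assumes Windows PowerShell, read access to HKLM.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'   # per-user installs, e.g. Chrome
)

# The third-party browsers the article discusses; none of these are covered by WSUS.
$thirdPartyPattern = 'Firefox|Chrome|Safari'

$thirdParty = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $props = Get-ItemProperty $key.PSPath
        if ($props.DisplayName -and $props.DisplayName -match $thirdPartyPattern) {
            $scope = if ($root -like 'HKCU:*') { 'per-user' } else { 'machine' }
            [pscustomobject]@{
                Browser  = $props.DisplayName
                Version  = $props.DisplayVersion
                Scope    = $scope
                Patching = 'vendor updater only'
            }
        }
    }
}

# Internet Explorer is not listed under Uninstall; its version sits under its own key.
# svcVersion is present on IE 10 and later; older releases expose only Version.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$ieEntry = [pscustomobject]@{
    Browser  = 'Internet Explorer'
    Version  = $ieVersion
    Scope    = 'machine'
    Patching = 'Windows Update / WSUS'
}

# @() keeps the arithmetic correct when zero or one third-party browser is found.
$inventory = @($thirdParty) + $ieEntry
$inventory | Sort-Object Scope, Browser | Format-Table -AutoSize

# The count of unmanaged browsers is what an admin acts on: remove them, or bring them
# under third-party patch management so their versions are tracked like IE's.
$unmanaged = @($thirdParty).Count
if ($unmanaged -gt 0) {
    Write-Warning "$unmanaged third-party browser install(s) found that WSUS will not patch."
}
```

The script only sees browsers that registered an uninstall entry; a portable copy of Firefox or Chrome unpacked into a user's profile will not appear, so a file-system or application-whitelisting check complements it. Run it locally, or through whatever remote execution your management tooling provides, and compare the reported versions against the vendors' current security advisories.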
And in many cases, IT pros test their Web applications only against Internet Explorer, so applications running on untested browsers could cause problems, said one senior server administrator with a large hospital in New England.
"It's really a supportability issue," said the administrator, who wished to remain anonymous. "We only deploy workstations with Internet Explorer, and most users don't have the ability to install other browsers on the workstations, or other programs for that matter."
Following news of the Firefox security issues, one system administrator wrote on the IT community site Ars OpenForum that his team goes as far as removing any third-party browsers from end users' Windows machines.
"At this time IE7 is the only browser that we allow on our machines. If we find Firefox, Chrome, etc., then we remove them," he wrote. "The reason for this is because with IE, we can make sure it's up-to-date with patches, we can centrally manage it with GPOs and it has lower RAM usage than Firefox. The RAM usage is especially important because most of our people are on terminal services."
The administrator said he likes Firefox and a number of users have asked for it, "but unless I can centrally manage it similar to IE, then it's a non-starter."
Other IT pros let third-party browsers live under the radar. "We don't support [Firefox], but we don't prevent its use. As such, we don't manage it in any way, with respect to updates or configuration, which is not ideal, obviously," another IT administrator wrote on Ars OpenForum.
Schultze said IT pros should stay informed about the security advisories and patches for whichever browsers their end users rely on -- Microsoft IE, Mozilla Firefox or Apple Safari -- by tracking each vendor's browser updates. From there, updates can be installed using the patch management software of your choice, he said.
Let us know what you think about the story; email Bridget Botelho.