Are You Safer With Firefox?
By Larry J. Seltzer
Is Firefox a more secure web browser than Microsoft's Internet Explorer? The answer may be yes, but the issues are more complicated than most people realize. In fact, Firefox has its share of security problems, and has probably been saved from real-world attack so far only by its single-digit market share.
In late February, the Mozilla Organization released the first update to Firefox, version 1.0.1 (www.getfirefox.com). There are no new features of note in the new release, but it fixed 17 documented vulnerabilities in version 1.0 (www.mozilla.org/projects/security/known-vulnerabilities.html). The most famous was a URL-spoofing bug involving Internationalized Domain Names (IDN; www.mozilla.org/security/announce/mfsa2005-29.html). Basically, an attacker could register a domain that, as shown in the address bar, looked identical to another site's (such as www.ebay.com), but whose name actually contained look-alike characters from a non-Latin script rather than the plain ASCII letters of the real name. Because the browser displayed the Unicode form rather than the encoded ("punycode") form it actually resolves, the user had no visible cue that anything was wrong. (Mozilla didn't actually fix this problem, which is less a bug in the program than a problem with the whole approach to IDNs; instead, version 1.0.1 simply disables IDN support by default.)
You probably hadn't read about any of those bugs before the update. That's because it's only recently that the Mozilla Organization began issuing security advisories of the sort that Microsoft issues every month (see www.mozilla.org/security/announce). For the most part Mozilla wasn't hiding these bugs prior to publishing advisories, but it wasn't publicizing them either. If you know where and how to look, you can get a better picture of security (and other) bugs in Firefox and other Mozilla projects at bugzilla.mozilla.org, the official bug database for Mozilla development. But even here the organization isn't totally open about security bugs; when new ones are reported, the entries in Bugzilla are generally made private for a time while they are investigated and fixed.
And unlike Microsoft, when Mozilla fixes a bug it doesn't release a patch for users. If you want to stick to release-level programs, your only option is to wait for the next general release; the upgrade from version 1.0 to 1.0.1 took about 3.5 months. You can install an interim build of the program (the nightly builds are available at ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/), but these are not official release versions and you should expect them to have other bugs; and whatever support you get for Firefox will not extend to an interim build.
According to one of the Firefox developers (weblogs.mozillazine.org/asa/archives/007609.html), the infrastructure behind the update notification feature at Tools | Options | Advanced | Software Update hasn't even been turned on yet.
And there are security problems in version 1.0.1 already, even if there are no advisories for them yet. For instance, on a multiuser machine, such as a Linux system, if one user running as root starts Firefox and another, non-root user then starts Firefox, that non-root user's instance of Firefox gains root privileges (bugzilla.mozilla.org/show_bug.cgi?id=247412). Whatever the eventual fix, the safe habit is never to run a web browser as root in the first place.
Moreover, it's difficult and nonobvious for a user to examine the certificate for a signed extension at install time (bugzilla.mozilla.org/show_bug.cgi?id=278629), so a spoofer might have an easy time getting away with pretending to be a trusted source. There are also a number of crash bugs, such as bugzilla.mozilla.org/show_bug.cgi?id=263609, and a crash is often the visible symptom of a memory-safety bug that, with more work, turns out to be exploitable.
Finally, anti-spyware companies Webroot and Sunbelt Software have said that they expect Firefox-specific spyware to start showing up this year, and if the browser's market share continues to increase it's easy to see why it would. So don't forget to update, and don't rest on your Firefox laurels. You're not free of security problems, you just have different ones.
Larry Seltzer, a frequent contributor to PC Magazine, writes the Security Watch newsletter for pcmag.com.
Blogger's note: Firefox's rapid spread is truly unexpected; a few days ago I noticed that some ordinary web users had installed Firefox too. On Windows, Firefox is no match for IE at all, so I don't quite understand why ordinary users choose Firefox.