Join 3,563 readers in helping fund MetaFilter (Hide)


How safe is Firefox 2.0?
July 19, 2008 1:36 PM   Subscribe

How secure is Firefox 2.0? I recently attended a short seminar on Web security and the horrors of "drive by downloading". So how vulnerable is the latest version of Firefox 2.0 to this type of nastiness? What about 3.0?

At Mozilla.org, there's a nice long list of the security flaws that each 2.0 update has fixed. But no general statement. Even a probabilistic statement would be nice....
posted by storybored to Computers & Internet (10 answers total) 1 user marked this as a favorite
 
Vulnerable to what?

It won't accidentally or blindly execute programs. It puts all your downloads in the same spot.

Firefox (2 or 3) is not perfect, but it's far better than anything else you can use.
posted by cmiller at 1:46 PM on July 19, 2008


You can also install the no-script plugin to improve your security.
posted by missmagenta at 1:52 PM on July 19, 2008


A probabilistic statement of what? It would be difficult to even imagine what that would look like. The reason that there are lists of specific fixes is because you can only protect against specific attacks. It's impossible to say "Firefox 2 is 94% secure" because in order to do that, you'd need to know the denominator (number of possible attacks) and that simply isn't possible as the number continues to increase.
posted by proj at 2:13 PM on July 19, 2008


How much do you know about vulnerabilities in general? It sounds like you're not quite sure about that part and are thus asking a somewhat unanswerable question.
posted by odinsdream at 2:20 PM on July 19, 2008


Firefox is the most secure popular browser you can use. It is pretty resistant to drive-by downloads, and it's what I get my relatives to use so that I don't have to clean up spyware, adware, and malware on their machines.
posted by zippy at 2:27 PM on July 19, 2008


You guys are right I probably need to be a bit more specific with my question but it's in an area I don't know much about.

From what i gathered in the seminar, drive-by downloads are attempts by malicious websites to download malware onto your computer, purely from your visiting and loading their webpage.

So perhaps the question becomes, are there any known drive-by techniques that Firefox is vulnerable to? How does Firefox react when an attempt is made at a drive-by, will it say something or does it just ignore it?
posted by storybored at 3:06 PM on July 19, 2008


as previously mentioned, installing no-script adds a pretty strong layer of security on the browser. it disables scripts until you allow it per site.
posted by meowN at 3:13 PM on July 19, 2008


Drive-by downloads generally work by exploiting unpatched browser vulnerabilities (security-based bugs) so using any of the major browsers should be safe assuming you keep the browser up-to-date.

Mozilla, who create FireFox, are well-regarded for the speed of fixing critical bugs and have a very good security record and FireFox automatically checks for updates. It has been reported that FireFox has more vulnerabilities found than IE, but this is likely due to its open source nature and Mozilla's transparency and the fact that Mozilla are very quick to act to roll-out patches is more important

Microsoft's security record used to be notoriously poor giving IE a bad reputation but has greatly improved over the past few years. Updates are delivered via Windows Update on the 2nd Tuesday of every month ("patch Tuesday").
posted by HaloMan at 3:34 PM on July 19, 2008 [1 favorite]


It's also worth adding that FireFox also has an "attack site" feature provided by Google to prevent access to sites that contain vulnerabilities which is an added layer of protection.
posted by HaloMan at 3:36 PM on July 19, 2008


Most of the time referencing drive-by downloads is referencing how IE was configured back in 1998 or so. It was possible to have a website push software and have it install with only one prompt or if misconfigured by zero prompts.

Nowadays both in IE and Firefox you'll find that this kind of this doesnt happen anymore. Im not even sure if its possible to make IE run an unsigned untrusted activeX control without a prompt.

So the idea that a person is at risk by this isnt as true as it once was. Of course as Haloman writes a lot of this stuff is for unpatched vulnerabilities so you should be mindful of making sure your software is patched. As far as IE vs Firefox vs Opera or whatever but IE has 90 something percent of the install base, so it will always be targeted more frequently by malware writers.

Also, its worth mentioning that you can make yourself 100% immune to these attacks and many others by not running as a local admin but by doing your daily computing as a limited user, the same way unix folk dont run as root 24/7.

I think its 100% impossible to even kid yourself about security if youre running with admin privs on a computer.
posted by damn dirty ape at 7:45 PM on July 19, 2008


« Older ArchitectureFilter: What evide...   |  SQLFilter: I'm struggling with... Newer »
This thread is closed to new comments.