
The web browser "insecurity iceberg"

Stefan Frei and company have posted the results of a lengthy survey on web browser security, looking, in particular, at how many users were running versions without known vulnerabilities. "[W]e discovered that at most 83.3% of Firefox users, 65.3% of Safari users, 56.1% of Opera users, and 47.6% of Internet Explorer users were using the latest most secure browser version on any day between January 2007 to June 2008... Despite the single-click integrated auto-update functionality of Firefox, rather surprisingly, 16.7% Firefox users (one out of six) continue to surf the Web with an outdated version of the Web browser." But the real problem, they say, is with insecure plugins.

The web browser "insecurity iceberg"

Posted Jul 1, 2008 17:51 UTC (Tue) by Sutoka (guest, #43890)

In the case of Firefox on OSX, I've noticed that the 'auto-update' just downloads the disk image with the Firefox bundle in it to the desktop and auto opens it (requiring you to still drag the Firefox directory to whatever folder you installed FF in). I wouldn't be surprised if a good amount of that 16.7% is Mac users that have had the little window sitting open in the background for months straight without realizing it's wanting the user to manually update the Firefox install (they could at least add some text to it rather than just an arrow). Then again, I'm not an OS X user so maybe people that use it full time are used to having to do semi-manual updates.

The web browser "insecurity iceberg"

Posted Jul 1, 2008 18:07 UTC (Tue) by jwb (guest, #15467)

It could be people using a Firefox so old that it doesn't know how to update itself.

The web browser "insecurity iceberg"

Posted Jul 2, 2008 12:18 UTC (Wed) by johnny (subscriber, #10110)

Probably, because for me, Firefox downloads, installs, and restarts itself automatically on OS X.

The web browser "insecurity iceberg"

Posted Jul 1, 2008 22:01 UTC (Tue) by fjf33 (subscriber, #5768)

I don't believe under Gentoo or Ubuntu that Firefox auto-updates. I think it still depends on the distros. Then again I don't even think those are branded, although I may be wrong.

The web browser "insecurity iceberg"

Posted Jul 2, 2008 17:19 UTC (Wed) by iabervon (subscriber, #722)

Under Gentoo, the branding is optional (since you generally don't distribute the resulting binary). I think that auto-update is disabled if the user doesn't have permission to replace the Firefox binary, since it obviously couldn't really work. (On the other hand, maybe Firefox should be telling you to check for updates in the package manager if what you're running is from before the most recent Firefox security update.)

The web browser "insecurity iceberg"

Posted Jul 4, 2008 5:38 UTC (Fri) by Cato (subscriber, #7643)

Ubuntu's Firefox doesn't auto-update as its files are owned by root - however, if you install an unpackaged version under /opt and set its tree to be writable by desktop users, then it does auto-update just fine. Since there is sometimes a delay between the Firefox update and the Ubuntu package update, this can be a good thing for security.
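
Several comments in this thread turn on the same precondition: Firefox's built-in updater can only replace the install tree if the user running the browser can write to it, and the /opt recipe above works by granting exactly that. The check below is an added example by the editor, not code from the page or from Mozilla: it walks an install tree and lists every file a given non-owner uid could overwrite in place or swap out by writing to the parent directory. It evaluates plain mode bits only (no ACLs, no capabilities), and the directory layout, file names and modes built by `demo()` are constructed for the example.

```python
import os
import stat
import tempfile


def writable_by(mode, owner_uid, owner_gid, uid, gids):
    """Plain mode-bit check: owner bit if uid owns the inode, else group bit
    if the inode's gid is in uid's groups, else the 'other' bit."""
    if owner_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def replaceable_files(root, uid, gids=()):
    """Map each file under root that uid could replace to the reasons why.

    A file can be replaced either by writing into it, or by unlinking and
    re-creating it, which needs write access on the parent directory (a
    sticky directory only allows that for the file's own owner).
    """
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_st = os.lstat(dirpath)
        dir_writable = writable_by(dir_st.st_mode, dir_st.st_uid, dir_st.st_gid, uid, gids)
        sticky = bool(dir_st.st_mode & stat.S_ISVTX)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = []
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                reasons.append("file writable")
            if dir_writable and not (sticky and st.st_uid != uid):
                reasons.append("directory writable")
            if reasons:
                found[path] = reasons
    return found


def demo():
    """Scan a constructed install tree as a user who does not own it."""
    root = tempfile.mkdtemp(prefix="fx-")
    os.chmod(root, 0o755)

    def put(rel, file_mode, dir_mode=0o755):
        path = os.path.join(root, rel)
        parent = os.path.dirname(path)
        os.makedirs(parent, exist_ok=True)
        os.chmod(parent, dir_mode)
        with open(path, "w") as fh:
            fh.write("stub\n")  # placeholder contents, not a real binary
        os.chmod(path, file_mode)

    # Constructed layout: a distro-style locked-down binary, one file that is
    # itself world-writable, and one file sitting in a world-writable directory.
    put("firefox-bin", 0o755)
    put("components/libxul.so", 0o666)
    put("plugins/libflashplayer.so", 0o755, 0o777)

    desktop_uid = os.getuid() + 1  # assumed: a desktop user who is not the tree's owner
    found = replaceable_files(root, desktop_uid, gids=())
    return {os.path.relpath(path, root): why for path, why in found.items()}


if __name__ == "__main__":
    for path, why in sorted(demo().items()):
        print(path, "->", ", ".join(why))
```

Run against a real tree as `replaceable_files("/opt/firefox", uid)` with the desktop user's uid and group list: an empty result is the distro-package situation (updater disabled, package manager responsible), a non-empty one is the situation the comment above sets up. The flip side worth stating plainly: whatever lets the desktop user's updater replace the browser also lets anything else running as that user replace it, so a world-writable tree buys a faster patch cycle at the price of a trivial persistence point; a dedicated group with group-write is the narrower way to get the same effect.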

The web browser "insecurity iceberg"

Posted Jul 13, 2008 13:39 UTC (Sun) by Duncan (guest, #6647)

You're right about Gentoo, but here's a bit more detail for anyone interested.

First on the branding. Since Gentoo is in general source based, a lot of the restrictions placed on normally binary based distributions don't apply, or apply in a much narrower sense. The firefox/iceweasel/code-brand branding issue is one such example. Users are therefore able to control such optional branding and/or upstream-pure functionality using the bindist USE flag if it's a legal thing, or other USE flags (vanilla and branding come to mind) if it's not a legal thing but still a useful option.

On the auto-update, again, you're right. Basically, it's disabled if it's installed by the package manager, since the user isn't assumed to have the necessary root rights in any case -- it's the sysadmin's job to take care of packages installed by the system package manager. If a user has downloaded and installed the binary on their own, then they have rights to replace it, and (presumably) they get the update functionality enabled in order to do so.

It works a bit differently for extensions, apparently. They notify on update availability regardless of whether the extension is system or user installed. This is actually why I disabled the restrict-javascript USE flag, which controls the noscript extension in the system install (one of the few extensions so controlled, most are left for the user, period). I was getting update notifications for versions not yet available in the package tree. Since as a sysadmin with only one human user, me, I don't have to worry about other users running without noscript if I fail to install it systemwide, I simply disabled the systemwide restrict-javascript USE flag and installed the extension as a user. Now when it says there's an update, I can let it update. =8^) I still install firefox itself as a system package, however.

Duncan

The web browser "insecurity iceberg"

Posted Jul 2, 2008 1:19 UTC (Wed) by mattdm (subscriber, #18)

Or it could be people running a Linux distribution like RHEL/CentOS, where there's an old version with security patches applied.

The web browser "insecurity iceberg"

Posted Jul 2, 2008 11:58 UTC (Wed) by rloomans (subscriber, #759)

Not sure how old that version of Firefox is, but at least from Firefox 2 onwards, it's supported the typical auto update on Mac OS X that you see in the Windows version. I.e., it downloads the incremental update and then suggests you restart... and it applies the update at startup. No manual intervention at all.

From memory, the Firefox team went to great effort to ensure that the auto update would work on any OS they release binaries for (Linux distros of course have their own mechanisms).....

The web browser "insecurity iceberg"

Posted Jul 3, 2008 1:13 UTC (Thu) by Sutoka (guest, #43890)

It might have been quite an ancient version, as it wasn't my computer (family :P). Hopefully it'll automatically update in the future without requiring me to manually do it (it's now running FF 3 instead of an early 2.0 I believe).

Although I do remember quite old versions of Firefox for Windows (circa 1.0 or 1.5 maybe) screwing with the Add and Remove Programs by leaving the old entry for Firefox around so you'd end up with several copies if you didn't manually uninstall first... Ah the fun of everyone-do-it-yourself-updates!

The web browser "insecurity iceberg"

Posted Jul 13, 2008 13:51 UTC (Sun) by Duncan (guest, #6647)

Might it be the same as a Linux version in that regard? That is, if it's a system install, update is disabled because presumably the user running it doesn't have rewrite permissions on the binary anyway, while if it's a user-install, it'll be updatable because the user has the permissions to do it. That might explain why some here indicate it works, while others say it doesn't.

At least on Linux, the notifier will still notify on system installed /extension/ updates, however, or it did with 2.x. That'd be one distinction between too old a version and simply a system install, as a version too old to check for updates on the base firefox install probably won't check for extension updates either.

Duncan

The web browser "insecurity iceberg"

Posted Jul 1, 2008 19:53 UTC (Tue) by proski (subscriber, #104)

It would be interesting to see a breakdown by operating systems and by "vendors" (i.e. whoever compiled Firefox). If Firefox is a part of a Linux distribution, it won't update itself. Only a distribution specific update utility (apt-get, yum, yast) can update it (and the Slackware users don't even have that). It would often involve downloading hundreds of megabytes of data and replacing other vital components, such as the kernel and the system libraries. Not everybody can be expected to do it.

On the Windows side, the word "update" is often misused to trick users into downloading software they don't have installed (Safari), new major versions of the software (Windows Media Player) or to install a new version alongside with the old version (Java, .NET). Often the system remains vulnerable after such "updates" and requires further "critical updates" to be applied. This confuses users and makes them distrust all updates, critical or non-critical.

Also, Firefox should have settings to keep behavior of the old versions. Users should not have to go to about:config to restore the position of the tab close button. Firefox should respect its longtime users and their habits. It's just as important as to be able to import MSIE bookmarks. Gratuitous changes that cannot be easily undone erode users' trust in Firefox updates.

The web browser "insecurity iceberg"

Posted Jul 1, 2008 21:56 UTC (Tue) by jengelh (subscriber, #33263)

> It would often involve downloading of hundreds of megabytes of data

Welcome to the 21st century where .delta.rpms exist. (I am aware that changing only a few lines can trigger a complete recompile, and different bit patterns, making deltas bigger.)

> Also, Firefox should have settings to keep behavior of the old versions.

Hell yes, it definitely should! The developers changed quite a few things (like, the Backspace button) at random and I have no way to know. I am not visiting the mozilla.com website, remember, 'most' people use their distro update mechanism. If it is not keeping my preference, it is either a regression (IMHO) or I happened to get more cosmic rays than usual.

The web browser "insecurity iceberg"

Posted Jul 1, 2008 22:11 UTC (Tue) by roc (subscriber, #30627)

> Also, Firefox should have settings to keep behavior of the old versions. Users should not have to go to about:config to restore the position of the tab close button. Firefox should respect its longtime users and their habits. It's just as important as to be able to import MSIE bookmarks. Gratuitous changes that cannot be easily undone erode users' trust in Firefox updates.

There's a difference between major updates (e.g. Firefox 2 to Firefox 3) and minor updates (Firefox 3.0.0 to Firefox 3.0.1). The latter should definitely not change any UI. The former will have to change *some* UI; respecting users' habits is important, but so is improving the UI. It's a fine line to walk.

The web browser "insecurity iceberg"

Posted Jul 2, 2008 13:40 UTC (Wed) by proski (subscriber, #104)

Even major updates need to be installed for security reasons when the old major version is not maintained anymore.

As for improving the GUI, the preferences dialog is full of things I never wanted to change, yet compatibility with the old behavior requires tweaking about:config.

The web browser "insecurity iceberg"

Posted Jul 2, 2008 17:30 UTC (Wed) by iabervon (subscriber, #722)

It's never necessary to change the UI as presented to existing users; when switching to a version that's got a new default UI, they could leave the UI the same by having options set to give you the old behavior if you'd previously used the old version. Then they could have a dialog showing all of the stuff that's different from the current defaults. So upgrading doesn't change anything, but makes available options that didn't exist before, and there's a place to go to try out changes and decide whether you like the new thing or want to stick with the old thing.

Since there's per-user config, there's no need for "improving the UI" to conflict with "respecting users' habits", since there's no "the UI" shared across all users.

The web browser "insecurity iceberg"

Posted Jul 2, 2008 8:07 UTC (Wed) by slef (subscriber, #14720)

> It would be interesting to see breakdown by operating systems and by "vendors" (i.e. whoever compiled Firefox).

Yes, it would, but that would probably show the headline up as a lie, with some vendor-patched secured versions.

> Also, Firefox should have settings to keep behavior of the old versions.

Biggest reason I'm looking at ditching it. Since the upgrade, I can't type letters like c-circumflex in it and FF3 seems to be the only application broken like that.

The web browser "insecurity iceberg"

Posted Jul 2, 2008 15:02 UTC (Wed) by tzafrir (subscriber, #11501)

> [Upgrading firefox, e.g. for a security update] would often involve downloading of hundreds of megabytes of data and replacing other vital components, such as the kernel and the system libraries.

Only if you missed updates for quite some time and now you're updating the whole system. But then again, if you had things statically linked or with private copies, you'd have to load some thousands of megabytes for each huge system upgrade.

Unless you're talking about "rolling" Linux distributions that keep upgrading under your feet. This is why I wouldn't recommend them to anybody who can't keep up with them.

Gecko is actually included privately for each application that uses it. Hence each security hole in it is translated to some 5 different packages to upgrade for the distribution.

Normally a security hole in a library requires only upgrading that library. For instance, there was a time when a security hole in libpng required all Linux distributions to upgrade the small libpng package, and all Firefox users to download a shiny new version of Firefox.

Linux distributions (in the "stable" periods) also have a habit of backporting security updates to the version they released, in order to reduce the unexpected changes for upgrading users. This makes it normally much safer for a user to trust the distribution and upgrade semi-automatically.

The web browser "insecurity iceberg"

Posted Jul 2, 2008 19:30 UTC (Wed) by nix (subscriber, #2304)

This is greatly 'assisted' by Firefox 3 now requiring and bundling a version of libpng with support for APNG in it, which support will apparently *never* go upstream, so every Linux user is now vulnerable to libpng security holes unless they upgrade the Firefox-incorporated libpng as well.

(Sure, the distros will do this if Mozilla lets them, but have the Mozilla people learned *nothing* from the various zlib-incorporation problems and the regular stream of libpng holes?)

The web browser "insecurity iceberg"

Posted Jul 2, 2008 23:59 UTC (Wed) by njs (subscriber, #40338)

> This is greatly 'assisted' by Firefox 3 now requiring and bundling a version of libpng with support for APNG in it, which support will apparently *never* go upstream

I see your point about security updates, but if we accept this argument, doesn't it end up reducing to "forking is the ultimate tool for working around an upstream that refuses to accept improvements... unless that upstream code is a shared library, in which case you have no recourse, sorry"?

I don't have a strong opinion either way on the APNG vs. PNG working group mess, but the Mozilla position ("we need something that can replace GIFs for users, not wankery over the exact phrasing of your standard") is not crazy and (thanks to Mozilla's large userbase) quite likely to win. I wouldn't be surprised to see the APNG patch become standard in distro copies of libpng, for that matter.

> if Mozilla lets them

This phrasing seems to suggest that there's something sinister going on, but I'm not sure what.

The web browser "insecurity iceberg"

Posted Jul 2, 2008 6:05 UTC (Wed) by ajft (guest, #52749)

Pretty much any company that puts firefox into their SOE will have locked it (either the SOE or the app.) so that it either doesn't auto-update or the staff don't have administrator access so they can't apply the auto-update. When you've got 5000 staff in a bank using firefox 2.0.12 to access some "only verified for version x and y" web application you don't simply let the staff update software like it's their home PC.

The web browser "insecurity iceberg"

Posted Jul 2, 2008 8:12 UTC (Wed) by slef (subscriber, #14720)

> When you've got 5000 staff in a bank using firefox 2.0.12 to access some "only verified for version x and y" web application you don't simply let the staff update software like it's their home PC.

...because breaking all staff terminals simultaneously is clearly the Right Way!

Don't laugh - I've seen that happen. The Central IT Department usually won't test as fully as real live staff doing real live work. So there's a bug with the new browser that only appears if you enter 0.00 (rather than 0) in the discount rate field on the web app - how would CITD find that?

I feel you might as well let a few lemmings^Wvolunteers upgrade if they want to and maybe have to use another terminal while their browser is downgraded or the web app is fixed. The trick is to monitor staff terminals so that you know who's upgraded what when.

The web browser "insecurity iceberg"

Posted Jul 3, 2008 12:25 UTC (Thu) by deleteme (guest, #49633)

> The trick is to monitor staff terminals so that you know who's upgraded what when.

Which makes this method fail, you can't do that. IT can never test everything, doing partial rollouts seems like a good idea, but I have never seen anyone doing it. My experience of Windows desktops is only anecdotal, so maybe there are great tools for that now...

Seriously flawed for generating a "risk rating"

Posted Jul 2, 2008 9:02 UTC (Wed) by ayeomans (subscriber, #1848)

Whilst the survey is good evidence for the effectiveness of auto-patching, it is seriously flawed when trying to estimate how many users are at risk.

It assumes you must be running the most recent browser to be not vulnerable. Now the browser vendors *do* patch older versions. In particular, counting fully-patched IE6 as insecure, based on some Microsoft marketing [ref 19], seriously distorts the results. Secunia currently rates both IE7 and IE6 to have "moderately critical" as the most serious unpatched vulnerability.

I'd love to see how effective Windows Update is, compared with the more detailed analysis of Firefox. But the results are skewed by counting all versions of IE6 as vulnerable, so the survey in reality only measures IE7 take-up rates, rather than patch status. To demonstrate how wrong this is, if the survey had continued another month to include Firefox 3, it would show all those FF2 users as being "vulnerable".

Can I encourage the authors to revisit their statistics, and separate people who chose not to change major version from those who fail to apply patches?
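
slef's "monitor staff terminals so that you know who's upgraded what when" earlier in the thread and the request just above to separate people who stayed on an older but still-patched branch from people who skipped patches come down to the same tabulation. The Python below is an added example by the editor, not the survey's code or data: it pulls the Firefox version out of User-Agent strings (the kind of record a proxy log or desktop inventory holds; the lines here are constructed), looks each version up against a table of the newest patch release on its branch, and reports the share counted as at risk both the survey's way (anything but the newest release) and the refined way (only versions behind their own branch's latest patch, or on a branch that no longer gets patches). The LATEST_PATCH table, NEWEST_BRANCH and the sample lines are assumptions for the example.

```python
import re
from collections import Counter

# Assumed for this example: newest patch release on each branch still being
# patched at the time of the sample.  Not the survey's data.
LATEST_PATCH = {
    "2.0": "2.0.0.15",
    "3.0": "3.0",
}
NEWEST_BRANCH = "3.0"

FIREFOX_UA = re.compile(r"Firefox/(\d+(?:\.\d+)+)")


def parse_version(text):
    """'2.0.0.12' -> (2, 0, 0, 12); tuples of ints compare numerically."""
    return tuple(int(part) for part in text.split("."))


def branch_of(text):
    """'2.0.0.12' -> '2.0': the first two components name the branch."""
    return ".".join(text.split(".")[:2])


def classify(version):
    """Status of one observed version string against LATEST_PATCH.

    current               newest branch, at or past its latest patch
    unpatched             newest branch, behind its latest patch
    old-branch-patched    older branch that is still patched, up to date on it
    old-branch-unpatched  older branch, behind its latest patch
    unsupported-branch    branch absent from the table, so no patches are coming
    """
    branch = branch_of(version)
    if branch not in LATEST_PATCH:
        return "unsupported-branch"
    patched = parse_version(version) >= parse_version(LATEST_PATCH[branch])
    if branch == NEWEST_BRANCH:
        return "current" if patched else "unpatched"
    return "old-branch-patched" if patched else "old-branch-unpatched"


def tally(ua_lines):
    """Count statuses over User-Agent strings; non-Firefox lines are kept apart."""
    counts = Counter()
    for line in ua_lines:
        match = FIREFOX_UA.search(line)
        counts[classify(match.group(1)) if match else "not-firefox"] += 1
    return counts


def vulnerable_share(counts):
    """(survey_style, patch_status): fractions of Firefox users counted as at risk.

    survey_style counts everything that is not the newest release;
    patch_status counts only versions behind their branch or on a dead branch.
    """
    firefox = sum(n for status, n in counts.items() if status != "not-firefox")
    if firefox == 0:
        return 0.0, 0.0
    survey_style = firefox - counts["current"]
    patch_status = counts["unpatched"] + counts["old-branch-unpatched"] + counts["unsupported-branch"]
    return survey_style / firefox, patch_status / firefox


# Constructed sample lines, not real log data.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008060101 Firefox/3.0",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008060101 Firefox/3.0",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15) Gecko/2008060101 Firefox/2.0.0.15",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.12) Gecko/2008020101 Firefox/2.0.0.12",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.12) Gecko/2007050101 Firefox/1.5.0.12",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
]


if __name__ == "__main__":
    counts = tally(SAMPLE_UAS)
    print(dict(counts))
    survey, refined = vulnerable_share(counts)
    print(f"newest-release-only: {survey:.0%} at risk; patch-status: {refined:.0%} at risk")
```

On the constructed sample the two views disagree (60% versus 40%): the 2.0.0.15 user is "vulnerable" only under the newest-release rule. One limit the thread itself points out still applies here: a vendor-backported build (the RHEL/CentOS case mentioned earlier) carries the old version string with the fix inside, so a User-Agent-based count still files it as unpatched; resolving that needs the package version from the host, which is what the terminal-monitoring suggestion would give you.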

Seriously flawed for generating a "risk rating"

Posted Jul 2, 2008 16:56 UTC (Wed) by proski (subscriber, #104)

I don't think Mozilla marketing department is going to call Firefox 2 insecure one month from now.

The web browser "insecurity iceberg"

Posted Jul 2, 2008 15:58 UTC (Wed) by lipak (guest, #43911)

I was surprised to see the following statement in the article.

> For years the software industry has promoted one security best practice over all others: always use the most recent version of the installed software and instantly apply the latest patches.

Without qualifications this statement could easily be interpreted to mean "permanent upgrade"-itis. Surely a more accurate version of the best practice statement is:

 Always upgrade your browser as soon as your vendor/distribution has security updates/patches available.

Using "the most recent version of the installed software" could (for example) impel a number of users to become beta-testers for their installed browser even though they have no particular knowledge or skill to offer in the beta-test process. This could create new security problems due to bugs in the beta-test version.

In the rapidly changing domain of computers, many excited users forget the old maxim: "If it ain't broke, don't fix it!"

Kapil.


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds