[Cialug] Security and the browser

Josh More morej at alliancetechnologies.net
Mon Oct 20 11:07:14 CDT 2008


The biggest risk with IE is its tight integration with the OS.  Most
of the vulnerabilities involve Active X and system libraries (mostly
graphics).  Firefox is proof against these simply because it doesn't
integrate with the OS at the OS level, so there is an abstraction layer
that attacks have to get through.  That makes it harder both to attack
and to do integrative tasks... one of the reasons that Windows Update
only works with IE.

The plugin architecture to both the new IE and Firefox does present a
security concern, but most plugins should run sandboxed, so as long as
you review them before installation, you should be fine.  A bigger
concern with plugin proliferation is the consumption of system
resources.

My recommendation would be to disable IE as much as possible and
replace it with Firefox.  In other words, keep IE around only for tasks
that need the OS integration (Windows Update, custom apps) and use
Firefox only for web browsing.  Use either system imaging or a PUA
filter (Sophos provides this, but there are others too) to lock the Firefox
configuration (plugins, themes, etc.) to something reviewed and
acceptable.

The big advantage you get this way is somewhat improved security at the
architecture level (abstraction layer) and significantly improved
security at the application layer (if you pick the right plugins (like
adblock)).  The big drawback is that you have to maintain patches for an
additional system and its associated plugins.  There are likely third
party tools to help manage this (PatchLink maybe?), but I can't
recommend any from first hand experience.

Whatever browser you use should be the latest generation to protect
against phishing and known malware sites.  These technologies aren't
perfect, but they're a lot better than having nothing... so at a
minimum, you should ditch IE 6.

-Josh More, RHCE, CISSP, NCLP, GIAC
 morej at alliancetechnologies.net
 515-245-7701



>>> "Nathan C. Smith" <nathan.smith at ipmvs.com> 10/20/08 10:53 AM >>>

I've heard people say Firefox is "More Secure" than Internet Explorer,
and while it seems to make sense at first, I do not believe that claim
can be substantiated.  Firefox may have "less inherent risk" than I.E.,
and that is where my question comes in.

At work we use I.E. but we are looking at Firefox.  I have some
reservations about manageability.  Our philosophy right now is that the
single browser, I.E., is probably heavily targeted and has lots of
problems but it is easily updated and attacks will become quickly known via
different communities.  It is also "protected" through antivirus and
anti-malware software.  If we were to allow Firefox and perhaps Chrome,
there would be three very different vectors of risk all with different
types of potential security holes/weaknesses.  We would in fact be
"casting a wider risk net" by using all three or two browsers.

I'm not looking to start a flame war, but rather an intelligent (and
perhaps spirited) discussion of the weaknesses of different browsers and
ways we can look at the risks involved to somehow compare the elements
of risk between browsers.

Some of the risk elements might include plug-ins, types of plug-ins,
rendering engines, open-source v. closed source and whether a code
review is possible, and the track record of the company supplying the
product.  One unfortunate truth is that other products that contain the
Internet Explorer engine are probably going to be subject to the same
risks I.E. is when that product is running.


-Nate
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug