Mozilla Feeds on Rival’s Woes

by Open-Publishing - Sunday 4 July 2004

By Michelle Delio

To get a copy of the Mozilla open source browser, go to
http://www.mozilla.org

Hackers have long insisted that steering clear of
Microsoft’s Internet Explorer browser is one of the
easiest ways to protect computers from many of the
security threats that lurk on the Internet.

That suggestion is often greeted with apathy or angry
accusations that the geek in question was indulging in
Microsoft-bashing — admittedly a not-uncommon activity
in hacker circles.

But last Friday, in response to the latest security
exploit involving Microsoft products, the usually staid
U.S. government’s Computer Emergency Readiness Team, or
US-CERT, published a warning strongly suggesting that
users of Microsoft’s Internet Explorer should switch to
another Web browser, due to "significant
vulnerabilities" in technologies included in IE.

Gary Schare, director of the Windows Client Division at
Microsoft, said that CERT’s advice had been
misrepresented in much of the press coverage.

"Microsoft certainly respects the work CERT does to help
protect the Internet and users. Regarding the
consideration that users switch browsers, it is
unfortunate that the published articles have
misrepresented CERT’s suggestions, and we are working
with CERT to clarify their advice," Schare said.

But many evidently took CERT’s warning to heart and
downloaded Mozilla or Mozilla’s Firefox, free, open-
source Web browsers developed and distributed by the
Mozilla Organization, which resurrected the remnants of
Netscape after it was purchased by AOL in 1999.

Downloads of Mozilla and Firefox — an advanced version
of Mozilla — spiked the day CERT’s warning was
released, and demand has continued to grow. According to
Chris Hofmann, engineering director at the Mozilla
Foundation, formed last July to promote the development,
distribution and adoption of Mozilla Web applications,
downloads of the browsers hit an all-time high on
Thursday, from the usual 100,000 or so downloads on a
normal day to more than 200,000.

Hofmann said the Mozilla team wasn’t surprised when CERT
issued its warning.

"Mozilla and Firefox downloads have increased steadily
since last fall, with the Firefox user base doubling
every few months, as more people seem to have reached
their threshold level of frustration dealing with
problems with IE and Windows, and have found the Mozilla
software a good solution to solving those problems,"
said Hofmann. "CERT’s recommendation is just a
reflection of the trend we have seen for quite some
time."

Security experts said Mozilla’s lack of ActiveX
support makes the browser more secure than IE. ActiveX
was intended to allow websites to add multimedia and
interactive features, but has lately been used to slide
spyware onto PCs without the user’s knowledge or
explicit consent.

"ActiveX allows programs to run in the browser," said
Patrick Hinojosa, chief technology officer at Panda
Software, a security software vendor. "It is a big part
of the security equation, as most IE users don’t have
this locked down by default."

"But there have also been some exploits of the IE
browser that had nothing to do with ActiveX," Hinojosa
added. "There have been numerous IE patches issued over
the last year or so."

Mozilla’s Hofmann agreed that ActiveX is only part of
the story, pointing also to IE’s tight integration into
the Windows operating system, and differences in IE and
Mozilla’s default security settings and architecture as
other reasons why Mozilla browsers are more secure.

"Tight integration of the browser with the operating
system provides some convenience and power for Windows
developers and users, but has also been a continuing
source that allows malicious hackers to leverage that
same convenience and power for their exploits," said
Hofmann.

"Most of this convenience centers on the default
protection mechanisms for downloading, installing and
running executable programs without the knowledge of the
user or any intervention by the user."

Mozilla requires users to acknowledge and grant explicit
approval to any situation that involves downloading,
installing or running executable code or any other
potentially risky operation. A well-patched version of
IE usually does the same, but Mozilla can also interrupt
automated attacks and keep malicious code from being
run, features that have saved Mozilla and Firefox from
being vulnerable to many of the problems that have
plagued IE users.

But some security experts believe that Mozilla’s biggest
security benefit is that the browser is not in wide use
yet.

"It is not so much a question that one browser is
inherently safer than another, but the fact that so many
people use Explorer," said Carole Theriault, security
consultant at Sophos, a security software vendor.

"Microsoft is targeted because they are so successful.
And they have a hard job ahead of them. Something like
90 percent of the world’s computers run Microsoft
operating systems. This homogenous environment is
attractive to those cyber criminals looking to make some
kind of impact."

Hofmann also credits Mozilla’s open-source development
model with the browser’s security successes.

Every change made to Mozilla applications is first peer
reviewed by at least two engineers who are familiar with
the code and overall architecture of the system before
the new code is allowed into the product. Then the
product goes through a series of automated tests and
evaluations, after which Mozilla users and the
development community are invited to review the impact
of each change by downloading the test builds that are
produced two or three times a day.

"All kinds of hackers, from junior high school whiz kids
to graduate students to seasoned engineers that work for
companies that use and deploy Mozilla technologies have
the code available to study and improve," said Hofmann.

Microsoft’s Schare said that Microsoft also continues to
work to improve the security of Internet Explorer, and
said focusing on security is a top priority for the
company.

Schare said the Windows XP Service Pack 2 with Advanced
Security Technologies, expected to be released later
this summer, will deliver improved security
infrastructure that will help reduce a PC’s
vulnerability to certain types of attacks. It will also
include a new pop-up blocker and download monitoring
tool that will help reduce unwanted or potentially
malicious content and downloads.

"As for last week’s IIS issues, Microsoft is
aggressively working to provide a comprehensive fix for
all supported versions of IE," Schare said. "This will
be released once it has been thoroughly tested and found
to be effective across the wide variety of supported
versions and configurations of IE. In the meantime, we
have provided customers with prescriptive guidance to
help mitigate these issues."

http://www.wired.com/news/infostructure/0,1377,64065,00.html