It's what is not inside the Firefox browser that makes it more secure for business use than Microsoft Internet Explorer (IE), according to John Hedtke, co-author of Firefox & Thunderbird Garage, due out from Prentice Hall PTR in mid-April.
Hedtke says Firefox developers eliminated two of the ways attackers commonly exploit security holes in Microsoft Internet Explorer by not supporting VBScript and ActiveX. Additionally, the author said, Firefox is not part of an operating system, so viruses and trojan horses do not gain automatic access to many parts of the platform on which it resides.
John Hedtke: In addition to not being an integral part of Windows, not supporting VBScript and ActiveX, and providing complete control over Web cookies, Firefox doesn't allow Web sites to automatically download spyware or malware. Firefox also provides popup blocking, which curtails a common entry point for spyware.
Microsoft's approach to designing Internet Explorer was an optimistic view of security. IE provided the maximum amount of capability with the hope of providing mechanisms that could and would be used to avoid risks. Unfortunately, it didn't quite work that way. ActiveX lets people silently access the operating system, the browser itself, and applications, and the Security Zone Model can allow the silent downloading, installation, and execution of programs without your knowledge.
Sure, that's powerful stuff that you can use to do great things. But, sadly, it doesn't have enough safeguards. As a result, ActiveX and the Security Zone model are used together as the primary mechanism that people use to deploy spyware and malware.
Hedtke: My favorite example of malicious ActiveX code was demonstrated in 1997 by Germany's Computer Chaos Club, who were able to look for Quicken on a computer and have Quicken transfer money to someone else's bank account. That was in 1997. Imagine what people are able to do today.
Back to the differences between Firefox and IE security: How does the Firefox security approach differ from that of IE?
Hedtke: In contrast, Firefox takes a pessimistic view of vulnerability. Firefox attempts to create a firewall around the browser, remote content and other applications that might be available on the PC. In every case where potentially dangerous actions can happen, Firefox attempts to warn the users about the risk. Furthermore, since Firefox doesn't support ActiveX and the Security Zone architecture, Firefox doesn't allow Web sites to install software automatically, providing some immediate security advantages to using Firefox rather than Internet Explorer.
To be fair, Microsoft has been addressing some of the issues recently in SP2 for Windows XP, but only a couple of years after the dangers of Internet Explorer and its architecture were discussed in an article entitled "The Most Dangerous Software Ever Written."
Unfortunately, Microsoft is focusing only on Windows XP, so over 200 million users of Windows 95, Windows 98, and Windows 2000 are being left out in the cold.
Don't take my word for all of this. Check out the U.S. government's Computer Emergency Readiness Team (US-CERT) warnings. Their findings point out that there are "a number of significant vulnerabilities" with IE. Among other things, the report recommends using a different Web browser.
How else does Firefox differ in security from IE?
Hedtke: One other thing about Firefox that makes it more secure than IE is that it's open source. Security holes and code bugs can be addressed immediately by developers all over the world. Some 880 developers submitted code for the first major release of Firefox, and thousands of people tested it. New ideas, patches, and features are constantly being submitted to Mozilla for consideration and incorporation. Rather than have the code locked away and not maintained, people are looking at the code all the time for potential revisions and improvements.