Don't be fooled; Firefox is no more secure than Opera or Internet Explorer, says security expert James Turnbull. In his opinion, market share size can make a browser more or less attractive to hackers.
The author of Hardening Linux explains why distro security can be subjective, what basic steps users can take to protect themselves from browser security flaws and why the Linux desktop is more secure than Windows.
Which Linux distribution is the most secure? Which has the most updates for bug-fixes?
James Turnbull: I think this is very subjective. It greatly depends on the level of security that is configured at installation by default, the level of security you implement (this could also be described as how you "harden" the distribution) and exactly what you wish to run on the host.
Much of your ability to do this is also enhanced or limited by the inherent security features offered by the distribution, either in the userspace or the kernel.
Personally, I like Red Hat Enterprise Linux (RHEL) since it comes with SELinux, is generally well-configured out of the box and provides most of the features I require. Bug fixes and updates are frequent and, by purchasing a license, you are able to access support services.
But RHEL does cost money. There are also distributions available for free, of course, like Debian, Gentoo and Fedora (a Red Hat offshoot). Of the free distributions, I do have some concerns about Debian at the moment due to another compromise of one of their development servers. Most of them do tend to update fairly regularly.
What should I consider when choosing a distribution?
Turnbull: Overall, when making the selection of a particular distribution you need to take into consideration cost, risk, management requirements, skills available to handle the host(s), security, ease of use, availability of required functionality and a number of other factors.
Is Mozilla's Firefox still safer than Internet Explorer or Opera? I'm concerned about the flaw that let the Infostealer.Snifula program slip some Trojans into the Firefox browser.
Turnbull: The idea that Firefox is more secure than IE or Opera feels to me like somewhat of a fallacy. The origin of the message came from a CERT pronouncement that, due to the large number of IE flaws and Microsoft's not-always-sterling efforts to publicize and fix these flaws, recommended using another browser. The suggestion made was that Firefox was a more appropriate choice.
At the time of this announcement, and from my understanding based on some recent comparisons, there have been fewer flaws discovered (emphasis on discovered rather than existing) in Firefox. This doesn't mean Firefox is more secure.
If you examine market share of the browser space, then IE still firmly remains the major player with approximately 80-90% of the market, depending on whose figures you believe. In comparison, Firefox has about 10-15% of the market share. If I am an attacker and designing a trojan or attempting to discover a flaw in a browser then, in order to maximize the effectiveness of that attack, I am logically going to target the application based on:
Therefore, most attackers seek out flaws and target attacks on IE browsers. If Firefox's market share grows then attackers will start to pay more attention to it and, I suspect, some more flaws may be discovered and exploited. This is a very simplistic overview but it highlights that making assumptions about the security of a particular application can be dangerous.
What can I do to protect myself from security flaws in browsers?
Turnbull: Well first, update. Make sure to the best of your ability that you and your organization use an up-to-date version of your selected browser. Choose a good anti-virus product and look at anti-spam and personal firewall products, like ZoneAlarm. Consider a regular scan of your environment/host for spyware/malware using one of a number of tools available on the market.
Here's the apparently simple and common-sense stuff which is, sadly, most often responsible for causing a breach: don't trust emails, downloads or applications where you are not sure of the sender or the content. When in doubt, err on the side of caution. Someone can always re-send you an email but it's a lot harder to get back stolen money or recover from an identity theft.
How safe is Windows Vista? How much safer is the Linux desktop, in comparison?
Turnbull: To be honest I've steered clear of Windows Vista. I don't like beta products at the best of times and previous experiences with beta versions of Windows XP have ended in disaster. This often has little to do with security and more to do with stability. Any new product, no matter who the vendor, tends to have flaws. Mostly because it is impossible to test for all contingencies, for all hardware and in combination with all software. As a result, I am sure Windows Vista will have functionality, stability and security flaws when it is first released.
Is a Linux desktop more secure? Well yes and no. It depends on which desktop you choose, how you configure it and what you do with it. In the past, Windows desktops often came installed, by default, with some very poor security controls. For example, there was no default firewall and no requirement to use a password. Some of these deficiencies have been corrected in XP and it is my understanding that these controls will be further enhanced in Vista.
In comparison, it is my opinion that most Linux desktops tend to be more secure due to things like firewalls and password installation by default, in terms of their base configuration. But in both cases you can configure, harden and lock down Windows and Linux-based desktops to ensure a higher level of security than they come with. As a result, it is very hard to say which is the more appropriate option, especially if you ignore the other factors in selecting a desktop -- cost, user skills, manageability and functionality.
My recommendation is to configure the appropriate desktop for your environment that provides a secure setting at an appropriate cost and won't compromise your users' ability to perform their required functions.
This was first published in August 2006