Experts warn against judging Firefox on poor Pwn2Own performance

Researchers at annual hackfest discover four previously unknown vulnerabilities, but experts say that may not necessarily make it the least secure browser


Mozilla Firefox was the loser in this year's Pwn2Own hackfest, but experts warn against placing too much importance on the number of zero-day vulnerabilities found in the Web browser.

[All major browsers fall during second day at Pwn2Own hacking context]

Last week, security researchers at the annual contest discovered four previously unknown vulnerabilities, more than for rivals Google Chrome, Apple Safari and Microsoft Internet Explorer. The number of holes found in Firefox prompted some in the media to declare it the least secure browser.

On Monday, security experts said judging the security of Firefox, or any other browser, by the number of vulnerabilities found in a single contest is misleading.

"No single test determines what browser is least secure," Randy Abrams, research director for NSS Labs, said. "However, the trend throughout the Pwn2Own contests combined with the current result does demonstrate that Firefox is significantly more exploitable than other browsers."

Mozilla, meanwhile, said patches for all the vulnerabilities will be in Firefox 28, set for release on Tuesday.

"Because the exploits were not publicly known, and thus the security risk to unpatched users was low, we decided not to disrupt users with additional upgrade cycles," Sid Stamm, senior engineering manager for security and privacy at Mozilla, said in an emailed statement.

Testing by NSS Labs has found that IE and Chrome lead the other two by a wide margin in protecting against "socially engineered malware," which NSS defines as a site that looks benign, but tricks people into clicking on a link that downloads malware. For example, such a site could offer a free screen saver.

However, Firefox was slightly ahead of the other browsers in blocking phishing sites, according to the latest tests from NSS Labs. A phishing site impersonates a legitimate entity in order to collect personal information via a Web form.

"In NSS testing for phishing protection both Firefox and Safari have been leaders in browser phishing protection," Abrams said.

Some researchers attribute Firefox's greater vulnerability to malware to its lack of a sandbox, which runs applications in a container that prevents it from accessing unnecessary PC resources. The other browsers have such containment systems.

NSS Labs recommends Firefox users consider a third-party sandboxing product to reduce the browser's attack surface. Other experts disagree.

[Mozilla gives plug-in developers until March 31 to apply to whitelist]

"Sandboxes are just one tool that can be used to contain and mitigate attackers, albeit a useful one," Chester Wisniewski, senior security adviser for Sophos, said. Wisniewski uses Firefox as his personal browser.

Mozilla is working on adding a sandbox to Firefox for Linux, Windows and Mac O X, Wisniewski said. But while the technology will improve security, "I don't think sandboxes are a requirement for a browser to be safe to surf with."

Other experts believe not having a sandbox is a flaw that has to eventually be corrected. "Mozilla is behind in process separation and sandboxing, which I both see as an important security technology that the major browsers should implement," Wolfgang Kandek, chief technology officer for Qualys, said.

Firefox has been slow to implementing a sandbox, because it represents a major architectural change, making backward compatibility with older PC operating systems difficult, Kandek said.

No matter which browser a company uses, encouraging employees to exercise good browsing habits is the best form of protection.

Educating workers about phishing sites and malware, disabling Java and Adobe Flash browser plugins, two of the favorite targets of hackers, and white-listing sites allowed to run JavaScript are some of the best ways to avoid having a PC compromised, Zak Dehlawi, senior security engineer for Security Innovation, said.

While Dehlawi believes Chrome is more secure and uses it himself, "the security benefits are not so superior that I would force corporate users not to use it (Firefox)."

Copyright © 2014 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline