Introduction to Mat Wright

Mat Wright is a Zend Certified Engineer and qualified designer available for freelance web development + consultation work.

Thursday, February 4, 2010

Operation Aurora - The Aftermath

Tensions between China and the USA have shifted focus since January's cyber-attack on Google's systems towards a somewhat more worrying matter involving $6.4bn worth of arms to Taiwan. Nevertheless 'Operation Aurora' has left behind a bitter after-taste in the web browser world.

A Sophisticated Cyber-Attack

The so-called 'Operation Aurora' was a sophisticated cyber-attack, allegedly carried out from China, targeting email accounts held by human rights activists. The attacks, carried out between December 2009 and January 2010, were publicly disclosed by Google on January 12 in its official blog. The hackers used a trojan horse to gain remote access to the affected computers. Google stated in its blog that some of its intellectual property had been stolen.

Internet Explorer, You Are The Weakest Link!

The weak link and perhaps the biggest victim in the whole matter turned out to be Internet Explorer after Microsoft admitted that the attackers had exploited a vulnerability within the Internet Explorer web browser in order to carry out the attacks.

"Internet Explorer users currently face a real and present danger due to the public disclosure of the vulnerability and release of attack code, increasing the possibility of widespread attacks," said George Kurtz, chief technology officer of McAfee, in the McAfee Security Insights blog on the 17th January.

Microsoft admitted that they had known about the vulnerability since September 2009 and that a security update had been scheduled for February 2009.

With pressure mounting and panic spreading, the Australian, German and French governments decided to advise people to remove Internet Explorer from their computers and change browsers to either Firefox or Chrome, at least until Microsoft fix the security issue with Internet Explorer.

The fix came on the 21st January. The Microsoft security bulletin indicated that the vulnerability affected all versions of Internet Explorer with a severity level of 'critical' on more-or-less all versions of Windows. The update also covered seven other privately reported vulnerabilities but Microsoft did not state whether these had already been exploited or not.

Step Forth Firefox 3.6

With Internet Explorer firmly fastened in the stocks during the incident, Microsoft's biggest rival in the browser market, Mozilla, took full advantage of the public climate with the release of Firefox 3.6.

Internet Explorer Versus Firefox

Being open-source software, Firefox enjoys rapid development between releases as well as a huge library of plug-ins and other contributions from the open-source community.

Many of the key features of Internet Explorer that we take for granted, like opening new pages in tabs rather than a new window, were originally implemented by Mozilla Firefox (as well as other browsers) and later adopted by Internet Explorer. For those who like to have the latest browser features Firefox is the software of choice. Web developers and heavy users also tend to prefer Firefox for its performance levels.

Perhaps the most important question to pose when comparing the two browsers is which one is the most secure. After all, the humble web browser has become a kind of mirror or interface between our private life and the outside world. We regularly type in our credit card numbers, telephone numbers and home address; we use our web browser to access our bank accounts, pay our bills and remember our secret passwords. Web browsers know the keywords we search for, the email messages we send and receive, the products we buy, when and where we are going on holiday, and which websites we visit. We place an awful lot of trust in our web browser of choice, and it's quite scary to think that it can be exploited by someone, criminal or otherwise.

Security Statistics

Internet Explorer is the world's most widely used web browser with over 60% of the market share compared to Firefox with just 25%. A successful exploitation of Internet Explorer therefore also gets you a 60% share of the market, compared to just 25% if you exploit Firefox. The point I am trying to make is that, logically, Internet Explorer is bound to attract more interest from cyber criminals, resulting in more security vulnerabilities becoming publicly known than with other web browsers. This logic would suggest that using a less popular browser like Firefox could be a more secure option.

Vulnerabilities are regularly found in all browsers; in most cases they are never made public, they just get fixed and no one gets hurt. However, when vulnerabilities are disclosed publicly and attack code is made known, the most important factor to the public is the speed at which the vulnerability gets patched or fixed. As you can see from the pie charts below (courtesy of Secunia), Microsoft left 33% of advised vulnerabilities found in the latest version of Internet Explorer unpatched in 2009, while Mozilla Firefox patched 100% of advised vulnerabilities.

So far this year (2010) Secunia has not issued any advisories to Mozilla Firefox, while it has issued two for Internet Explorer 8, of which only one has been patched.

According to Secunia's annual security report, research shows that Microsoft do not respond as quickly as their competitors in fixing security vulnerabilities and making patches available.

These facts strongly support the claim that Firefox could be a more secure web browser than Internet Explorer.

The very nature of open-source software like Firefox might suggest that vulnerabilities could be found with greater ease, but the speed at which the vast team of open-source developers are able to respond to security threats might make Mozilla Firefox a serious alternative to consider.
