Tag Archives: FireFox

What is the Most Secure Web Browser?

23 September 2018

For some weeks now I am busy with patch strategy and vulnerability management. When new critical vulnerabilities shows up two questions must be addressed:

  1. How fast must we patch the vulnerable systems?
  2. What vulnerabilities must be patched with highest priority? Or mitigated, if a patch is not available in due time.

Speed is the key in cyber security. The faster we find and patch vulnerable systems the greater is the chance that cyber criminals cannot exploit the vulnerabilities.

The exploit is the weapon in cyber warfare. A vulnerability as such increases the potential risk only. Once an exploit is published that can leverage the vulnerability, the vulnerability becomes a real risk. And if the exploit is “in the wild”, i.e. if the exploit is actively used by cyber criminals for attacks, the IT organization is on red alert.

Unfortunately, no one knows when an exploit spreads in the wild. Therefore, the cautious answer to the above questions is:

“The moment an exploit for a critical vulnerability is published it must be patched directly, at least on critical systems. If a patch is not available proper protective measures must be applied to mitigate the risk effectively.”

Browsers are the most critical systems because they are used in a hostile environment. Browsers are very complex applications, thus prone of errors.  Between 2013 and 2017 about 11% of 40671 vulnerabilities in total were found in the 4 major browsers Chrome, Firefox, Internet Explorer and Edge.

Market Share Browsers 2013 - 2017

Market Share Browsers 2013 – 2017. Data source: StatCounter

Browser Vulnerabilities 2013 - 2017

Browser Vulnerabilities 2013 – 2017

It remarkable to see that 67% of all browser vulnerabilities are related to IE, Edge and Firefox although they have only a small market share (11% in 2017).

Exploit publication date relative to CVE publication date

Exploit publication date relative to CVE publication date 2013 – 2017

The graphic above shows the number of exploits that are published within one month before the CVE is published compared to the number of exploits published within one month after the CVE is published.

Except for Chrome and Firefox the majority of exploits is published after the vulnerability is published. Nevertheless, we have to patch immediately on publication of a CVE.

How many exploits spread in the wild? This question is hard to answer. The Symantec attack signatures give a useful indication. “An attack signature is a unique arrangement of information that can be used to identify an attacker’s attempt to exploit a known operating system or application vulnerability.” 

Exploits in the Wild 2013 - 2017

Exploits in the Wild 2013 – 2017

This is an amazing result, isn’t it.

Have a great week!

Data sources

  1. NIST. NVD Database. https://nvd.nist.gov/
  2. Offensive Security. Exploit Database. https://www.exploit-db.com
  3. Andrea Fioraldi. CVE Searchsploit.
    https://github.com/andreafioraldi/cve_searchsploit/tree/master/cve_searchsploit
  4. NIST. EXPLOIT-DB Reference Map. http://cve.mitre.org/data/refs/refmap/source-EXPLOIT-DB.html
  5. Symantec.com. Attack Signatures.  https://www.symantec.com/security_response/attacksignatures/

NSS Labs Tests Leading Web Browsers for Secure End User Experience

6 November 2016

On November 1, 2016 NSS Labs published the 2016 Web Browser Security Comparative Test Report.  Two tests with the most popular browsers (Google Chrome Version 53.0.2785, Microsoft Edge Version 38.14393.0.0 and Mozilla Firefox Version 48.0.2) had been run to check how effective they deal with socially engineered malware (SEM) and phishing attacks. The results are of interest for end-users because the inbuilt browser features were evaluated in the test.

When it comes to protection against phishing attacks the time needed until a URL is blocked is important. Microsoft Edge is the browser of choice, followed by Firefox and Chrome.

In the second test the protection against Socially Engineered Malware was evaluated. Again, the average time to block the malware is of great importance, and again, Microsoft Edge is the browser of choice, followed by Chrome and Firefox. The average time to block is 0.16 hours for Microsoft Edge, 2.66 hours for Chrome and 3.76 hours for Firefox.

Happy reading, and have a good weekend.

New: Firefox warns of login forms on non-HTTPS pages

18 February 2016

Firefox has displayed security alerts in Browser Console since Firefox Version 26 when an URL with a password field was opened across an http link:

Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.

This is a clear sign that your service provider does not care of security. Since the continuous back and forth between browser application and the console is really annoying, this function was rarely used.

With the latest Version 44 Firefox displays a notification in the URL bar if you open a URL with a password field across an unsecured HTTP connection.

For configuration:

  • Open URL about:config in Firefox
  • Approve the warning that you will be careful when changing settings.
  • Set the value of the security.insecure_password.ui.enabled preference to true if you want to be warned about non-secure login pages

With this Firefox displays a pad lock with a red slash if Firefox opens a page with password field across an insecured connection:

FireFox warns of password field on insecure page

Firefox warns of password field on insecure page

Take care, and enjoy the new security feature.

Firefox Browser Console provides valuable hints on Phishing Sites

11 July 2015

When a serious company requests login data the network connection is always secured. Clear indicator of a secured network connection is that the URL starts with the https protocol. In addition, the certificate information besides the URL provides reliable information about the company and the site which runs the service.

Secure Connection Indicators

Secure Connection Indicators

The missing https protocol and certificate information in phishing URLs like http://videoservicesmiami.com/bolu/HOTMAILFILES/HOTMAILFILES/login.srf.htm is a clear indicator that someone tries to trick you.

Firefox Browser Console is a useful little helper in identifying phishing sites. Programmers use an input box of type password when they ask for a password. With this the Firefox programmers defined a simple rule:

Password fields present on an insecure (http://) page are a security risk.

When Firefox loads a phishing site the code on the site is inspected. Firefox detects an input box of type password and outputs a warning on the Browser Console because the network connection is not secured:

Firefox Browser Console Security Warning

Firefox Browser Console Security Warning. Click to enlarge.

I would appreciate it if the Firefox programmers would warn the users with a message box of such security risks, and block loading of such sites. This would be a great step forward because malicious URLs are often difficult to recognize in emails.

Take care!