Open Source doesn't automatically mean safety

The recent Firefox security upgrade introduced me to someone who thought that their old browser was still more secure than others. Sorry. It doesn't work that way.

By sjvn

Yesterday, Mozilla fixed ten security bugs in Firefox. If you haven't upgraded Firefox to 3.5.6 yet, you can do so now. I'll wait for you. Done? Good. You're better off than a friend of mine who, I discovered, was still running Firefox 3.0.0. His logic? It's Firefox and open source therefore it's still safer than, say, Internet Explorer 6. Oh dear.

Sorry, it doesn't work that way. He was right that open-source programs tend to be safer than proprietary programs. And, yes, he was right in thinking that the ancient IE 6 isn't safe at all. But, just because a program is open source doesn't mean that it's always safe, and an old program, no matter how it was made or who made it, is very unlikely to still be safe.

The simple truth is that all programs can be broken. Some, like operating systems, Web browsers, and commonly used office software are constantly being poked and prodded by crackers to find weaknesses. Therefore, when a vendor comes out with a security patch for whatever program it is that you're using, your best move is to patch your copy of the software as soon as possible.

Sometimes, as with the recent case of Adobe Reader, there is no patch and you have to work around the problem. But, more often than not, developers stay ahead by a nose in the race between programmers and crackers.

Except, that is, after the programmers have released a fix. Then the crackers know where the problems are: by comparing the patched version with the previous one, in source or in the shipped binaries, they can quickly build attacks that work against the older versions of the program. This is true whether a program is proprietary or open source. Once a program is patched, the clock is ticking, and the longer you stay with out-of-date software the more likely it is that someone can get at you through it.

They won't be able to get at my friend, though. As I told him, his faith in open-source software was touching, but misplaced. When it comes to securing software, the faster you apply patches the safer you'll be, regardless of how a program was created.

Oh, and Firefox? With serious bugs fixed in its HTML rendering and JavaScript engines, and in three of its multimedia player libraries, you'll want to patch it especially quickly. Bugs in those components are reached simply by visiting a page that triggers them, so any of those could, in theory, be used to run code on your PC and take it over.
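The column's advice boils down to one question: is the browser you are running at or above the release that carries the fix? Below is an added example of that check, written for this page and not code from the column or from Mozilla. It compares version strings as integer tuples rather than as text (a plain string comparison puts "3.10.0" before "3.5.6"), and it keeps a per-branch minimum so that a still-supported older branch is judged against its own patched release. The 3.5.6 figure comes from the column; the 3.0 branch entry and the `Mozilla Firefox ...` prefix that `firefox --version` is assumed to print are assumptions for illustration, not facts taken from the page.

```python
"""Check whether an installed Firefox version is at or above the patched release.

Added example for this page; not code from the column or from Mozilla.
Versions are compared as integer tuples, because a string comparison gets
"3.10.0" < "3.5.6" wrong.
"""
import re
from typing import Dict, Tuple

# Minimum patched release per branch. "3.5.6" is the release named in the
# column. The "3.0" entry is an ASSUMED placeholder for illustration; look up
# the real minimum for any branch you actually rely on.
MINIMUM_PATCHED: Dict[str, str] = {
    "3.5": "3.5.6",
    "3.0": "3.0.16",  # assumption, not taken from the page
}

# Accepts a bare "3.5.6" or the assumed `firefox --version` output
# "Mozilla Firefox 3.5.6"; trailing suffixes such as "b1" are ignored.
_VERSION_RE = re.compile(r"^\s*(?:Mozilla Firefox\s+)?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.5.6' (or 'Mozilla Firefox 3.5.6') into the tuple (3, 5, 6)."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def branch_of(version: Tuple[int, ...]) -> str:
    """'major.minor' branch key; a bare '3' is treated as '3.0'."""
    padded = tuple(version) + (0, 0)
    return f"{padded[0]}.{padded[1]}"


def needs_update(installed: str, minimums: Dict[str, str] = MINIMUM_PATCHED) -> bool:
    """True when the installed build is older than its branch's patched release.

    A branch with no known minimum is reported as needing an update: if you do
    not know which release carries the fix, you cannot claim to be patched.
    """
    version = parse_version(installed)
    branch = branch_of(version)
    if branch not in minimums:
        return True
    return version < parse_version(minimums[branch])


if __name__ == "__main__":
    # Constructed sample inputs, including the friend's 3.0.0 from the column.
    for sample in ("3.0.0", "3.5.5", "Mozilla Firefox 3.5.6", "3.5.6", "3.10.0"):
        state = "needs update" if needs_update(sample) else "patched"
        print(f"{sample!r:>28}: {state}")
```

To run it against a live install, feed the output of `firefox --version` (assumed to begin with "Mozilla Firefox") into `needs_update`. The function reports an unknown branch as needing an update on purpose: a version you have no patch record for is not one you can call safe.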

2 comments

    Anonymous 2 years ago
    While I would contend that the Firefox 3.0.x series is not as safe as the newer versions, I too disagree with Firefox taking over your computer. That is, unless you are running it under an administrator or root account. If you're doing that, well, it would seem security is not on your mind. I'm no expert on security, but you make a good argument for using a rolling-release cycle GNU/Linux distro, even if you didn't intend to.
    Anonymous 2 years ago
    1) Firefox 3.0 is still supported, so safe.
    2) http://secunia.com/advisories/product/11/ vs http://secunia.com/advisories/product/4227/ shows that even unsupported versions are safer than this; this is because 1) they are safer to start with and 2) they get extended support from distros.
    3) There is no need to be sensationalist ("Any of those could, in theory, be used to take over your PC."); on any modern operating system there is enough security from arbitrary code injection that you are safe to upgrade in your own time (i.e. just wait till your distro pushes the update or Firefox's update manager prompts you).
    So yes, you do need to keep open-source software secure, but this doesn't mean you have to run the latest version.
