IE, Firefox, and the add-on security problem

Browsers have an add-on security problem, but how big it becomes depends on how vigilant users are in patching the add-ons.

Microsoft blames add-ons for its Internet Explorer security woes, according to InternetNews, yet in separate news from TechCrunch Mozilla's Firefox just hit its one billionth add-on and yet delivers better security, according to several studies.

Is Microsoft out of line?

Probably not. Microsoft is almost certainly right to pin some blame on add-on functionality to the browser as a security vulnerability. But given that add-ons are a fact of life now, what is Microsoft doing to protect its IE users against malware attacks?

Plenty, and in perhaps in the most important place: the update service. Both IE and Firefox include automatic update services, but researchers for the Honeypot Project discovered that Firefox's mechanism may actually be more effective:

We suspect that attacking Firefox is a more difficult task as it uses an automated and "immediate" update mechanism. Since Firefox is a standalone application that is not as integrated with the operating system as Internet Explorer, we suspect that users are more likely to have this update mechanism turned on. Firefox is truly a moving target. The success of an attack on a user of Internet Explorer 6 SP2 is likely to be higher than on a Firefox user, and therefore attackers target Internet Explorer 6 SP2.

The Honeypot research was done in 2007, however, on older versions of both IE and Firefox and, as Sean Michael Kerner writes in InternetNews, the game may have moved on, and neither Firefox nor IE may be fully ready to "play":

...[T]here is still a very large underlying problem here. While Microsoft users have Microsoft Update and Firefox users have an integrated update too, not all of the add-ons that people use have update mechanisms that are as obvious or as used.

In other words, add-ons remain a potential security breach. The security of your Firefox (or IE) application may well come down to how vigilant you are in updating your add-ons. For most people, that will likely mean "not very secure at all," since most people treat security as an afterthought.

Microsoft and Mozilla have made great strides in improving security for their browser customers, but both have a long way to go. Perhaps the update service should warn users about out-of-date add-on security, and disable those add-ons until updated? I'm not sure, but the problem is big enough that it's virtually guaranteed that both Mozilla and Microsoft will introduce enhanced security for add-on applications within the next year. Stay tuned.

Update: Open Road reader William Zola graciously offered up this clarification to how Firefox resolves add-on updates:

I wanted to point out to you that if you get Firefox add-ons from the official Mozilla site, Firefox will check for out-of-date add-ons every time you start up Firefox, and will offer you a chance to update them if it finds any that are out of date. This happened to me just today with NoScript. As I also know, it will keep on nagging you at every browser start-up until you capitulate and install the latest version. I've also seen Firefox pop up an alert window notifying me of an out-of-date add-on after I'd had it running for a few days. (I guess this gets the folks who - like me - don't reboot their computers or browsers for days at a time.)

It's a great point, and indicates he's probably using Mac OS X or Linux since he rarely needs to reboot. :-)