HEAT Security Blog

Could Firefox 3.6 be the Answer to Aurora?

Not sure this is entirely coincidental, but Mozilla released Firefox 3.6 on Jan. 21 – the same day that Microsoft announced their out-of-band patch to the so-called Google Attack / Aurora exploit / IE zero-day. Perhaps fortuitous is a better way of putting it.

My colleagues Don Leatham and Paul Zimski have both weighed in on this week’s hubbub surrounding Google and the IE zero-day (see here and here, respectively). Don discusses the out-of-band patch itself, and why these are reasonably uncommon. Paul provides a very nice synopsis of the issues (as we know them at the moment) surrounding the exploit and what organizations might do to protect themselves until they can get all their systems patched.

I just want to pick up on a point that Paul makes in his mitigation strategies: remove Internet Explorer as the default browser if a secondary browser is available. As long-time readers (hi Eric) know, it’s long been my contention that Firefox with NoScript is a good alternative to the MS IE hegemony. I’ve used IE so little of late that, as you may remember, I didn’t even know that they’d loaded IE6 on my box … and that back in November we discussed getting rid of IE6 in a safe, orderly, proficient manner. Of course, the Aurora exploit hit all current versions of IE – from 6 through 8 – so when I look back at my previous post, I need to come back to the words from Brian Krebs (now at Krebs on Security, highly recommended): “Now might be an excellent time for diehard IE users to either upgrade to IE8, or to try out another browser, such as Firefox or Opera. Firefox, combined with either the NoScript or Request Policy add-ons, goes a long way toward helping users insulate themselves from these types of malicious attacks.” Obviously, I think both these guys are onto something.

And so must others: after news of the Google attack broke, several European governments recommended that users get off Internet Explorer (although the UK declined to go this route). This resulted in a huge spike in downloads for Firefox and Opera.

So, what do you get with the latest version of Firefox? Most important, from a security perspective, they have expanded on the ability to check for updates to Adobe Flash Player: Firefox 3.6 now scans your system for any insecure plug-ins and, if it finds one, prompts the user to apply the patch via a one-click interface. Another major improvement comes with the Component Directory Lockdown, which locks out Firefox add-ons that have not been installed with explicit user permission. In addition, they made several improvements to the TraceMonkey JavaScript engine for improved / faster video performance, along with many other tweaks (see the release notes here).

Bottom line, once again I’ll put it to IE users: it might be time to move to a new default browser. The “World’s Best Browser” bit might be a tad over the top, but it will undoubtedly improve your security posture.