Welcome to the big time

I received a variety of responses to my column on the Penn State’s advisory to switch from Internet Explorer to another browser. Some noted, correctly, that there have been security flaws found in Firefox, the currently popular alternative.

Others noted, also correctly, that Microsoft’s Internet Explorer is simply a larger target than other operating systems and browsers. Some suggested I switch to either a) an Apple system or b) a Linux system. One even suggested someone that dares to own a Windows 98 system should not be writing a security column.

To handle the last statement first, I still have the Windows 98 system hanging around for the same reason my ’98 Honda is still around: I haven’t had the time and/or the funds to replace either. It is not my main computer by any means. Besides, it now seems to be a nice test bed for this security column. As for moving to an Apple or Linux system, I have a similar answer — lack of time and funds.

Now, on to the question of security flaws in Mozilla and Firefox: Security firms recently reported several new, potentially serious security flaws in various versions of the Mozilla and Firefox Web browsers, as well as Mozilla’s Thunderbird e-mail client.

For example, Secunia has discovered a vulnerability in Mozilla and Firefox that can be exploited to spoof the source displayed in the Download Dialog box. According to information posted on Secunia’s Web site, “The problem is that long subdomains and paths aren’t displayed correctly, which therefore can be exploited to obfuscate what is being displayed in the source field of the Download Dialog box.”

To this I say, “Welcome to the big time.” Some readers correctly stated that Microsoft’s IE (as well as the Windows OS) is a larger target for security threats because of its greater market penetration. Now that Firefox is gaining some market traction, it too will find itself a target.

Although my last column looked at some security trends of the past and future, I wanted to share some of the results from yet another recent survey of network security professionals conducted last month by StillSecure, a network security software provider.

Their 2005 IT Security Adoption Survey shows, not surprisingly, that anti-virus, firewall, and VPN solutions have already been widely implemented at rates of 96 percent, 94 percent, and 78 percent, respectively. A complete copy of the survey is available in PDF format. 

Among newer technologies, intrusion detection/prevention, vulnerability management and end-point policy compliance show implementation rates of 54 percent, 38 percent, and 27 percent, respectively.

Of those who haven’t yet implemented these technologies, 83 percent plan to implement an intrusion detection/prevention solution before the end of this year. During the same timeframe, 74 percent plan to implement a vulnerability management solution, and 67 percent plan to implement an end point policy compliance solution. That’s a decent step forward.