Opensource Team

From CyberSecurity

Contacts

Imran (iali@microsoft.com)
Osama (osamam@microsoft.com)
Asad (asadj@microsoft.com)
Derek (derekch@microsoft.com)
Jared (jaredsmelser@yahoo.com)

What is open source? [JARED]

Types of open source software. A discussion of the concept of open source and the open source community. We will also study/discuss how open source software is produced, distributed and supported. Does open source provide a “complete” solution for a home user, or for a corporate user, e.g. Walmart?

Inherent Security Advantages [ASAD]

The code gets reviewed by a lot of computer “geeks”, which means it goes through a lot of scrutiny. How much does this really help catch security flaws before they get exploited? Study how the information gets distributed when a security flaw is discovered. Is the open source community more forthcoming in acknowledging the flaw and fixing the problem?

Inherent Security Disadvantages [DEREK]

Is the free distribution of source code a good thing? Are there any known cases where vulnerabilities were easier to exploit because the source was easily available? Does this make open source insecure by definition?

Open source community’s response to cyber attacks: Who is responsible for patching security flaws in open source products? How are fixes distributed?

How do you make a responsible disclosure of an open source vulnerability?

What is the recourse for cyber attack victims? Can they sue someone for damages? Are there any known cases in the industry?

Comparison of security in open source vs other products. [JARED]

How has open source performed in the industry compared to other products? Has it traditionally been more secure? What is the perception of the users? Do they feel more secure with open source? How do open source security “incidents” compare to those in non-open source products?

Case Study 1: Linux VS Windows [OSAMA]

In this case study we will look at the security features of the two operating systems. We will also discuss the security flaws discovered in Linux and Windows over the years: how these flaws were discovered, what the response was, and what damage was caused. How did similar flaws play out in the two?

Case Study 2: MySQL VS SQL Server and Oracle [ASAD]

A study similar to the operating system case study, but at the application level.

Case Study 3: IE vs Firefox [IMRAN]

Introduction

This case study will compare Internet Explorer 6 (IE) and Mozilla Firefox based on their security flaws and features, how their code bases are managed and the security incident statistics. Internet Explorer is a proprietary product developed by Microsoft and Firefox is an open-source product managed by the Mozilla Foundation. This case study will drill down more on how open source techniques can affect the effectiveness of dealing with security bugs and design. This case study will not compare each browser on features that are not directly related to security, such as tabbed pages and RSS feed support.

Background

Both IE and Firefox are web browsers designed to browse the Web. IE 1.0 was first released in 1995. It underwent several revisions until version 6, which was released in 2001. Firefox was first released under the codename ‘Phoenix’, which was made public in 2002 and is based on the Mozilla Foundation’s code base. After several name changes, the latest version available is Firefox 1.0.2. According to PCWorld.com, IE currently has a market share of 94%, whereas the market share for Mozilla browsers such as Firefox and Netscape is now at approximately 4% of all users. IE and Firefox publish their latest security flaws on a regular basis. Based on a review of recent security bulletins, both browsers have exposed vulnerabilities allowing remote code execution. Firefox allowed this through Linux and IE allowed this through the Windows operating system. Statistics on how long it takes to fix these bugs are not widely available for either browser.

Reporting Security Bugs

Mozilla regularly fixes security bugs without informing its user base. IE publishes security bulletins for almost every bug found, as this is company policy. Firefox also does not have an automatic way for users to update their installs, whereas IE uses Windows Update to automatically update a user’s install. In addition to this, IE releases security updates on the second Tuesday of every month so that enterprises and consumers can plan for these updates. Firefox’s inability to automatically update its customers’ installs potentially leaves a large number of its customers with many different versions of unpatched Firefox installs.

Firefox allows any user to report security bugs, whereas IE allows users to report issues but does not give them access to its internal bug tracking system to follow the progress of the fix. Firefox has also allowed its users to be rewarded monetarily for security bugs that they find. As this is a recent initiative by the Mozilla Foundation, there are no meaningful statistics available yet on whether this has increased the number of bugs found. Microsoft Corporation has teams of penetration testers who attack products like IE, so its reliance on external bug reporters is less than Firefox’s.

Security Features

Both Firefox and IE contain a plethora of security features, with both claiming to have features unique to each. There are still a few similar security features common to both, such as pop-up blocking and the ability to purge personal data such as browsing history, cookies, web form entries and passwords.

The key difference between IE and Firefox is that Firefox is not completely integrated with Windows, so that viruses attacking Windows will have minimal impact on Firefox, especially since Firefox is not closely integrated with the Windows file system and network stack. Firefox also has no support for VBScript and ActiveX, both of which are sources of many security holes. Firefox does not use Microsoft’s Java Virtual Machine, which has a history of more flaws than other Java VMs.

On the other hand, IE contains additional security features which do not exist in Firefox. For example, IE has the concept of zones, which allow the user to put trusted sites in a ‘Trusted’ zone. This partition allows trusted sites to be handled differently from untrusted sites; for example, a trusted site can be allowed to download ActiveX controls without prompting. IE also has the ability to selectively block ActiveX usage, which allows the user to be prompted if an ActiveX control is to be downloaded. By being closely integrated with the Windows operating system, users of IE automatically get many of the Windows XP security features, such as Windows automatic updates and the Security Center containing tools to detect security vulnerabilities.

Checking in Code

IE and Firefox have very different processes for checking in code. Mozilla Firefox does not necessarily have security reviews done on code before it is checked in. There are assigned ‘module’ owners who are available to review code; however, this is not mandatory for a checkin to be made. The fact that there are no consistent code reviews opens the door to more potential security bugs, especially when there are no code reviewers dedicated to detecting security issues.

By contrast, IE has dedicated development and testing teams that follow a strict process whereby code is peer-reviewed and tested before any checkins are made. Also, the Windows Division has a Secure Windows Initiative, a team of security experts within Microsoft that reviews all components checked into the Windows code base.

Firefox has a security policy that is subject to change and has changed based on the opinions and votes of its user community. Firefox also has a security module owner who is responsible for reviewing code only when security fixes are made. This is in contrast to IE, which does regular security reviews of all code. However, code that gets checked into the Firefox code base potentially has more public exposure, as there could be many more people involved in a code review than on the IE team, which is usually of a fixed size. The IE team will have a fixed number of people working on the product at one time, and given the environment at Microsoft it is still possible that security may take on a secondary role when the IE team is in ‘crunch’ mode and must deliver a release by a specific date.

The main advantage IE has over Firefox in terms of dealing with security bugs is that there is a dedicated team that concentrates on security issues and performs penetration testing on the product. However, Firefox has a lot more exposure given the size of the developer community that contributes to the code base, which is sizeable especially since Firefox is open source.

Statistics

One way of determining how secure a product is, is to analyze the number and type of security flaws found in the product in any given time period. Secunia (http://www.secunia.com) is a renowned security research company that monitors security flaws in thousands of products. The following sections will discuss Secunia’s findings on the security flaws found in both IE and Firefox over the last twelve months, as Firefox was used extensively only recently based on usage data available on its website. Data from the last three years related to IE will also be discussed to illustrate any trends.

Internet Explorer: http://secunia.com/product/11/

Fig 1-1 (Fig1-1.png): IE 6 Advisories from 2003-2005

Fig 1-2 (Fig1-2.png): IE 6 Advisories in 2005

Mozilla Firefox: http://secunia.com/product/4227/

Fig 2-1 (Fig2-1.png): Mozilla Firefox Advisories from 2003-2005

Fig 2-2 (Fig2-2.png): Mozilla Firefox Advisories in 2005

Fig 1-1 shows that IE has long been plagued with many security advisories during the last three years. However, the number of security advisories was reduced substantially after the introduction of IE 6, which was released with Windows XP SP2. Fig 2-1 also shows that the number of advisories increased substantially when Mozilla Firefox started to gain popularity, which is indicative of its increased share of the browser market.

Fig 1-2 also indicates that there were only 15 security advisories issued this year so far, as opposed to Fig 2-1, which shows that there were 21 advisories reported for Firefox during 2005. However, according to Secunia, out of the current 15 issues reported for IE this year, 47% are unpatched, as opposed to Firefox, for which 0% of security issues are unpatched. Looking at these statistics in more detail uncovers the fact that 95% of the security issues for Firefox were patched by the vendor, whereas only 40% of the issues for IE were patched by the vendor. This is indicative of the open-source nature of Firefox, where vendors who use Firefox invest their own resources to fix problems. Third-party vendors have limited access to the IE source code, so the percentage of vendor patches is smaller.

Secunia also rates the criticality of reported vulnerabilities based on, for example, whether a malicious user could gain root access to the system or cause denial-of-service (DoS) attacks. The statistics show that 5% of Firefox vulnerabilities are ‘Extremely Critical’ as opposed to 13% of IE vulnerabilities. However, given that these are percentages, this accounts for approximately 2 security issues for Firefox and 2 issues for IE.

The statistics above cannot conclusively determine how secure one product is relative to the other, especially given the fact that Firefox has had a smaller market share and does not have the ten-year history that IE has. However, they do indicate that as Firefox has become popular, the number of reported vulnerabilities has increased. Also, it appears that IE has started a downward trend towards fewer vulnerabilities reported, which may be attributed to its recent security push which started during the release of Windows XP SP2.

Conclusions

Both Firefox and IE have been the target of recent media scrutiny whenever new security bugs are found in their products. Firefox has started to attract a substantial number of users and has taken some of IE’s market share. The fact that Firefox is open-source and is not integrated with the Windows operating system has led many to believe that it is less vulnerable to security attacks. However, this case study has shown that in the past year it has had more vulnerabilities reported than IE. The way code is checked in, security bugs are reported and fixes are reviewed may have contributed to this rise in security issues. Firefox also lacks automatic updates, which is not necessarily a side-effect of open source but may be due to the fact that Firefox cannot piggyback on an operating system such as Windows. For an open-source system, the infrastructure required to allow automatic updates may not be feasible or even possible to create. Internet Explorer, which is not open-source, is a mature codebase with dedicated development and test teams. However, it is also subject to security flaws and vulnerabilities, some of which are the result of it being too closely integrated with the Windows operating system.

Given all the above factors, it can be concluded that an open source product such as Firefox may be subject to as many or more security flaws as a proprietary product like IE. However, given the complexity of the Internet space and operating system dependencies, open-source products are not inherently insecure, especially given the fact that IE, with all its stringent checkin policies and security reviews, is still subject to many security flaws even after 10 years of existence. It is possible that over time Firefox may take even more market share from IE, especially if it focuses on refining its checkin policies and security reviews, and perhaps incorporates infrastructure such as automatic updates and adds more security features that are already being used in the Windows operating system.

Conclusions [DEREK]