Firefox

Published on February 2017 | Categories: Documents | Downloads: 49 | Comments: 0 | Views: 255


8/20/2014 Firefox is still the least secure web browser, falls to four zero-day exploits at Pwn2Own | ExtremeTech
http://www.extremetech.com/computing/178587-firefox-is-still-the-least-secure-web-browser-falls-to-four-zero-day-exploits-at-pwn2own
FIREFOX IS STILL THE LEAST SECURE WEB BROWSER, FALLS TO FOUR ZERO-DAY EXPLOITS AT PWN2OWN
By Sebastian Anthony on March 17, 2014 at 9:09 am
At Pwn2Own 2014, an annual
computer hackfest in Vancouver,
Mozilla’s Firefox has proven yet
again that it’s the least secure major
web browser. While all four major
web browsers — Chrome, Internet
Explorer, Firefox, and Safari — were
successfully exploited, for a grand
total of $850,000 in prize money awarded to successful security researchers, Firefox was
by far the least secure browser, racking up no less than four zero-day vulnerabilities. These
vulnerabilities, if they were in the wild, would allow a hacker to do just about anything with
your computer if you visited a specially crafted website.
Firefox has never had a great record at Pwn2Own. While the format of the contest has
generally changed every year since its inauguration in 2007 (different platforms, different
rules, different attack vectors), Firefox has been involved in some way or another since
2009. While Chrome went unhacked in 2009, 2010, and 2011, the only year that Firefox
wasn’t hacked was 2011. Since 2012, however, as security researchers have grown ever
more wily, every major browser has fallen to at least one zero-day vulnerability. That four
separate vulnerabilities were found in Firefox at Pwn2Own 2014, however, is impressive.
(Read: The death of Firefox.)
Firefox’s weaker security is generally attributed to its lack of a sandbox — a shell or firewall
around a piece of software that keeps it segregated from the rest of the operating system.
In theory, the sandbox should prevent the browser from running other programs, reading
the contents of your RAM, or opening other files. Chrome, Safari, and Internet Explorer
(newer versions) all have a sandbox, while Firefox does not. In short, if someone finds a big
enough vulnerability in Firefox, there’s nothing preventing them from gaining complete
access to your computer. It is slightly disconcerting that security researchers found four
such vulnerabilities in just three days at Pwn2Own. (Read: How to surf safely: From LastPass
to tin foil hats, and everything in between.)
The key to improving Firefox security: Multiple processes
Somewhat fortunately for us, since Pwn2Own 2013, all of the vulnerabilities are reported to
the web browser makers so that they can be fixed in a timely fashion. Still, it is a good
reminder that Firefox might not be the best choice of browser if security is one of your
primary concerns when surfing the web. As for why Firefox doesn’t have a sandbox, it’s
most likely because it was conceived in an era when security on the web was still a nascent
and naive topic. Chrome, which was developed a few years later, was intentionally
designed from the outset to be very fast and secure. Likewise, Microsoft went through a
complete overhaul between IE8 and IE9, adding a sandbox and other modern features so
that it could actually stand next to its peers without being snickered at. Mozilla would like
to add sandboxing to Firefox, but it’s very hard to add sandboxing to a program that wasn’t
originally designed for it. (For technical people: It’s closely linked to the Electrolysis project,
which will eventually give Firefox per-tab processes.)
A grand total of $850,000 in prize money was given out to security researchers at Pwn2Own
2014. Much like 2012 and 2013, French security firm Vupen had a very strong showing,
taking home $400,000 for a total of 11 zero-day vulnerabilities, covering Chrome, Firefox,
IE, and Adobe Flash and Reader. George Hotz (yes, Geohot of PlayStation and iOS hacking
fame) took home $50,000 for a Firefox exploit. The prize money is awarded by the Zero-
Day Initiative (owned by TippingPoint, which was acquired by HP), which actually buys the
vulnerabilities from the hackers, so that they can improve the security of TippingPoint/HP
products.
[Image credit: Gill Penney]
63 Comments
Jake Locker • 5 months ago
You know you're in for a rough day as a web browser when IE is considered the better
choice...

42
Ray C • 5 months ago Jake Locker
Not if you don't hold a bias for or against any particular software

10
XenoSilvano • 5 months ago Ray C
It's not bias, it's Internet Explorer that is just plain ####.

8
XenoSilvano • 5 months ago XenoSilvano
It's about time to sandbox my Firefox.

10
paul • 5 months ago Jake Locker
Firefox with noscript is the best choice available now.
You will not get a plugin like noscript for google chrome or ie. Trust is a hard thing to
find these days.

4
Chris Bordeman • 5 months ago paul
Chrome + Ghostery and Grease Monkey

2
Jon Q. Publix • 5 months ago paul
Firefox with noscript is the best choice available now.
Not an effective solution for the average user. Disabling javascript effectively
cripples the web experience.

6
nithudi • 5 months ago paul
HTTP Switchboard. Blocks scripts (including inline scripts). It's Request
Policy + Noscript + Adblock + many privacy enhancing features.

4
Ray • 5 months ago Jake Locker
Only thing is that Firefox is the best overall browser and everyone who knows about
these types of things knows it, plus most non biased and non corporate.

12
George Valkhoun • 2 months ago Jake Locker
This article is FUD and probably funded by google in some way. What a joke. This
doesn't prove firefox is the least secure. And what is with "the death of firefox". This
article is just another of these FUD articles to get people to switch to Chrome. We
all know by now Google's run by the CIA, NSA or whatever other pack of worthless
excuses of existence. Who are you going to trust? Closed source spyware or open
source?

2
Mac JT • 5 months ago
Switched to Chrome , never looked back at Crappyfox.

11
David • 5 months ago Mac JT
SRWare's Iron chromium port is even better :)

1
George Valkhoun • 2 months ago Mac JT
You're an idiot.

7
jpmjr • 5 months ago
lol, funny how so many "pc experts" always knock people using ie and tell them to use
firefox.

12
Sebastian Anthony • 5 months ago Admin jpmjr
Well, zero-day vulnerabilities are one thing -- there are other reasons you might
want to use Firefox! (Add-ons, functionality that IE11 misses, etc.)
It's a balancing act. If security is your #1 concern, I would say use Chrome, or IE11
on a fully-patched Windows 8 machine.

19
Guest • 5 months ago Sebastian Anthony
Among the reasons time-to-patch is another one to consider. From a 2011
study from accuvant (I'm not aware of more recent studies), IE appeared to
be the slowest (214 days) while Chrome (53 days) was the fastest with
Firefox (158 days) in between.
Browser+platform share is another factor, the probability of falling to an
attack on unknown browser+linux is lower than the common IE+windows
even if the first has probably more bugs.

5
Phobos • 5 months ago Sebastian Anthony
What kind of add-ons are we talking about? I haven't used FF in a very long
time, I have it as a back up just in case IE goes down, though it rarely does. I
hardly have any problems with IE, not sure why people hate it so much, and I
have used it since IE7, though I do agree IE8 was flaky and 10 for some
reason it crashed adobe flash in youtube web page. 9 and 11 are great.

3
Ray • 5 months ago Sebastian Anthony
Security with Chrome? that's funny considering Google is anti privacy and
security.

18
Fla • 5 months ago Ray
Yeah, it looks like nobody here saw that they do not control what is
happening in Chrome, Safari or IE. *This* is the first security leak...

4
joe • 2 months ago Sebastian Anthony
or just install sandboxie and manually or automatically sandbox any program
that touches the internet.


Kellic • 5 months ago jpmjr
The nature of IE and its deep ties into the bowels of Windows is one core reason
why avoiding IE is a good thing. I'm well aware of its sandbox capabilities, but the
simple fact is after the better part of a half decade of ignoring security on the
browser side of the force. I trust IE as far as I could throw Microsoft's campus.
They have burned so many of their advocates over the years that they could build
the most secure browser in the known universe, it wouldn't matter. The minute you
mention IE to a seasoned IT professional you will have them flash back to long
evenings spent patching IE only to have a patch for the patch come out the day
later and in one case I remember a patch for the patch for the patch.
Level of ****s given about IE: -8

16
Ray C • 5 months ago Kellic
Well, it's easy for other companies to not ignore security after all the
headaches Microsoft had to go through. Look at the one company that
came around before Microsoft made those changes, Firefox. They're the
weakest on security. It's easy for any product, browser or otherwise, to
come many years after another product has been in existence and make
changes or point out what is wrong with another product. It's also easy to
constantly complain about what another company did 5 to 10+ years ago
compared to what is going on now instead of just looking at now

9
FlyFlyTN • 5 months ago jpmjr
The lesson is that nothing ever stays the same. IE was a complete joke until
recently, for security, features and standards. MS had to react (slowly) and now
they've got somewhere. In the meantime, FF slipped in relation. This is why I am
always prepared to change my view over time, because nothing is set in stone.

12
Ray • 5 months ago jpmjr
If you would actually inform yourself and not simply read this you would know that
the best overall browser is still Firefox and has been for a while now.

4
Sijjvra • 5 months ago
I hope you know that the picture is a group of red pandas... Not foxes. Just sayin' maybe
you were hacked?

11
Sebastian Anthony • 5 months ago Admin Sijjvra
http://www.bbc.co.uk/nature/li...

9
Phobos • 5 months ago Sijjvra
red pandas or foxes one thing for sure they look fucking adorable.

3
Chewykernel Geo • 5 months ago
This would imply that the lesser developed 64-bit Firefox engines (Waterfox in my case)
have even bigger holes.

1
FlyFlyTN • 5 months ago Chewykernel Geo
Bigger holes because there's more bits to fill of course....


Jon Q. Publix • 5 months ago Chewykernel Geo
This would imply that Firefox OS is one big ball of security lapses.

3
paul • 5 months ago
Heart breaking to know that Firefox has so many security holes.
Should consider Opera or Chromium. Can't trust Google products.

13
tgrech • 5 months ago paul
Try Maxthon. Great Chrome alternative, lots of great features, not made by Google,
one of the fastest browsers there are, and security focused. Not many plugins
though.


Cees Timmerman • 5 months ago paul
I've used Opera years back, but it had too many keyboard options and ran as a
single process.


paul • 5 months ago
On second thoughts, i think it is better to live with security holes in 100% open source
projects like firefox (with noscript installed) than installing proprietary softwares like google
chrome.

9
Jon Q. Publix • 5 months ago paul
So you just throw caution and safety to the wind in favor of open source? Wasn't
one of the big selling points of open source supposed to be better security --- eyeballs
on code and all that rot?
Your call but you only have yourself to blame. Good luck.

10
tgrech • 5 months ago Jon Q. Publix
The point is it's not throwing caution to the wind, because it's open source.
The security benefits of open source software far outweigh the "dangers".

1
Cees Timmerman • 5 months ago tgrech
Do you leave your house unlocked in case emergency services
have to enter? Secret services are well known to use zero-day
exploits as well, before reporting them if in the interest of their
country.

1
Groud Frank • 4 months ago Cees Timmerman
I would leave my house open if there was a community of people
keeping an eye on it. Absolutely.

2
Cees Timmerman • 10 days ago Groud Frank
I saw a community on the news today, but they were quite irate over
a certain flag.


Lophs • 5 months ago
Yet it is always IE that is in the news. I wouldn't forgo real world data for test lab experiments.
"If we count just the critical zero-days, there were at least 89
non-overlapping days (about three months) between the beginning of 2011
and Sept. 2012 in which IE zero-day vulnerabilities were ACTIVELY EXPLOITED"
http://krebsonsecurity.com/201...

1
Paul Salmon • 5 months ago Lophs
In addition to the thought, it has been shown that 100% of IE vulnerabilities in
2013 could have been mitigated by using a standard user account instead of an
admin account. From Vista onwards, there is zero reason to use an administrator
account as an everyday user.


Cees Timmerman • 5 months ago Paul Salmon
I can't believe.. wait, people complained about Vista's prompts, but still, i
can't believe that's still an issue.


SumGuy954 • 5 months ago
Easier to use less secure. I guess that makes sense. Firefox is more convenient for me,
but I have always known it is less secure. I have always considered IE to be more secure if
configured properly vs the others. I know some disagree, but this is my opinion.
I still prefer to use the Chrome and Firefox.

1
Paul Salmon • 5 months ago SumGuy954
Same here. I prefer Firefox, but have Chrome as a backup, just in case I have
trouble with a website using NoScript.

2
Cees Timmerman • 5 months ago Paul Salmon
If Chrome didn't hide its plugins and respected my session management
(don't spend 15 minutes loading everything; only what i click on), i'd probably
be using it instead of Firefox. Also, debugging is still best in Firefox.

1
Julien • 5 months ago
Bad news for Firefox this day. How is it possible to work on untrusted world wide code
without a sandbox??? Maybe refactoring this will also increase stability with memory when
keeping the browser open for a long time.. and a better sandbox when Flash crashes too...
You're the only browser company I want to make the trip with. Keep up the good work.


Cees Timmerman • 5 months ago Julien
Flash crashes are no problem in Firefox anymore, but hangs are. Stupid complex
threading setup.


HowardBrazee • 5 months ago
The only reason I use Firefox is that, unlike the new "improved" Opera, it has old fashioned
book marks, and unlike Chrome, those bookmarks have a place to put comments, such as
my UserID and password clues.


Software Company India • 5 months ago
What ever, Firefox is still user friendly like Google chrome.
Software Development Company India

1