Showing posts with label Firefox. Show all posts

Saturday, January 16, 2010

Firefox faces browser clone war in China

The browser war in China is heating up but not quite in a way that resembles the Western markets, as Mozilla's Beijing chief explains.

While browser makers in overseas markets often tout their products' Web page rendering speeds and ability to run richer apps, China's browser landscape calls for customized browser versions that bring additional features in order to demonstrate value to users.

According to Li Gong, chairman and CEO of Mozilla's Beijing-headquartered subsidiary, Mozilla Online, the proliferation of Microsoft Internet Explorer (IE) clones and the dominance of pages coded for IE are among some of the barriers Firefox faces in the country.

"China is different from other markets in that there is a very active IE-clone market," said Li, in an e-mail interview with ZDNet Asia.

An IE clone is a browser built on IE's core rendering engine, but carries a different skin and has additional features. Citing numbers from iResearch, Li said there are some 30 different clones in use in China.

Some clone browser makers have employed aggressive tactics to get their browsers adopted, he said. Some have been willing to pay fees to be bundled with pirated Windows disks--"the easiest distribution channel", said Li--while others pay members of the media to tout their wares.

"The most outrageous example is the 360 browser," he noted. Its maker distributes free security software, which upon installation, also stealthily installs the 360 IE clone onto systems and removes other browsers without first seeking user permission, said Li.

"[The 360 browser] makes it very hard to reverse [the implementation] once the software is installed," he added.

Mozilla's answer to the competition is its Firefox China Edition, which integrates a number of services popular among Chinese users, said Li. Examples of such services include IPTV (Internet Protocol TV), music and video, he said.

Mozilla's China team, set up two years ago, also conducts community outreach programs in hopes of educating users on Web standards--a bigger bugbear for Firefox, since the proliferation of IE-optimized pages prevents "even devoted Firefox users" from exclusively using the Mozilla browser, Li noted.

"Most, if not all the large Chinese banks, have online banking [sites] that use proprietary Microsoft ActiveX controls," he explained. "This means that anyone wishing to do online banking has to use IE on Windows."

Furthermore, almost all the country's Web developers test only for IE, resulting in pages that are badly formed and inoperable by browsers using non-IE cores, said Li.

China dominated by IE, clones

According to an online chart citing StatCounter numbers, China stands out with one of the lowest adoption numbers for Firefox globally, at less than 10 percent.

Li would not vouch for the accuracy of the figures, but agreed that China has been "relatively behind" in adoption figures compared to North America and Europe.

Pointing to iResearch figures, he said IE has some 60 percent share of the Chinese market, with more than 20 percent going to IE clones.

Firefox itself has an estimated 7 percent market share, he said, adding that this is higher than the non-IE competition, which includes Opera and Safari browsers.

About 24 million unique users in China use Firefox more than once per month, he said. As of June, China's official statistics show upwards of 338 million Internet users per month, said Li.

Saturday, August 22, 2009

IE8 outperforms competing browsers in malware protection

A recently released study by NSS Labs is once again claiming that based on their internal tests, Microsoft’s Internet Explorer 8 outperforms competing browsers like Google’s Chrome, Mozilla’s Firefox, Opera and Apple’s Safari in terms of protecting their users against “socially engineered malware” and phishing attacks.


Not only did IE8 top the chart, but also, the rest of the browsers have in fact degraded their “socially engineered malware” and phishing block rate in comparison to the results released by the company in the March’s edition of the study.

How objective is the study? For starters, it’s a Microsoft-sponsored one. Here’s how it ranks the browsers:

Socially engineered malware block rate:

Microsoft Internet Explorer v8 - 81% block rate
Mozilla Firefox v3 - 27% block rate
Apple Safari v4 - 21% block rate
Google Chrome 2 - 7% block rate

Phishing attacks block rate:

Microsoft Internet Explorer v8 - 83% block rate
Mozilla Firefox v3 - 80% block rate
Opera 10 Beta - 54% block rate
Google Chrome 2 - 26% block rate
Apple Safari v4 - 2% block rate

What is “socially engineered malware” anyway?

Basically, it’s the direct download dialog box that appears on, for instance, a scareware or Koobface video page spoofing Facebook’s layout, like the one attached. Using “socially engineered malware” as a benchmark for malware block rate isn’t exactly the most realistic choice in today’s threatscape.

And even if it is, some pretty realistic conclusions can be drawn by using some internal traffic statistics from the Koobface worm’s ongoing malware campaigns. The Koobface worm, one of the most efficient pieces of social-engineering-driven malware, is a perfect example of how security measures become obsolete when they’re not implemented on a large scale.
The stats themselves:

- MSIE 7 - 255,891 visitors - 43.33%
- MSIE 8 - 189,380 visitors - 32.07%
- MSIE 6 - 76,797 visitors - 13.01%
- Javascript Enabled - 585,374 visitors - 99.13%
- Java Enabled - 576,782 visitors - 97.68%

What does this mean? It means that with or without the supposedly working “socially engineered malware” block filter, tested using a modest sample of several hundred URLs, the Koobface botnet is largely driven by MSIE 7 users. The previous edition of the study dubbed IE7 a browser which “practically offers no protection against malware”, with the lowest block rate achieved back then - 4%.
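The argument above (a high per-browser block rate matters little when most victims run a browser with a low one) can be made concrete with an added Python example. This is not code from the post, from NSS Labs or from any Koobface analysis: it classifies browser families from constructed access-log lines (the IPs, paths and User-Agent strings are made up) and weights each family's share of visitors by the block rate the page reports for it (IE8 81%, Firefox 3 27%, and the 4% the post cites for IE7 from the earlier edition). Browsers with no figure on the page, such as IE6, are given 0% as a stated, conservative assumption.

```python
import re
from collections import Counter
from typing import Dict

# Constructed Apache combined-format log lines (hypothetical visitors to a
# malware landing page); nothing here comes from real traffic.
SAMPLE_LOG = """\
10.0.0.1 - - [22/Aug/2009:10:00:01 +0000] "GET /video.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.2 - - [22/Aug/2009:10:00:02 +0000] "GET /video.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
10.0.0.3 - - [22/Aug/2009:10:00:03 +0000] "GET /video.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
10.0.0.4 - - [22/Aug/2009:10:00:04 +0000] "GET /video.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - - [22/Aug/2009:10:00:05 +0000] "GET /video.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
10.0.0.6 - - [22/Aug/2009:10:00:06 +0000] "GET /video.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.0.7 - - [22/Aug/2009:10:00:07 +0000] "GET /video.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.8 - - [22/Aug/2009:10:00:08 +0000] "GET /video.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.9 - - [22/Aug/2009:10:00:09 +0000] "GET /video.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
10.0.0.10 - - [22/Aug/2009:10:00:10 +0000] "GET /video.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
"""

# Socially engineered malware block rates as reported on the page.
# IE7's 4% is the figure the post quotes from the previous edition of the study.
BLOCK_RATE = {
    "MSIE 8": 0.81,
    "MSIE 7": 0.04,
    "Firefox 3": 0.27,
}
# Assumption: a browser with no published figure (e.g. IE6) is scored as 0%.
UNKNOWN_BLOCK_RATE = 0.0


def browser_family(user_agent: str) -> str:
    """Map a User-Agent string to a coarse family such as 'MSIE 7' or 'Firefox 3'."""
    m = re.search(r"MSIE (\d+)\.", user_agent)
    if m:
        return f"MSIE {m.group(1)}"
    m = re.search(r"Firefox/(\d+)\.", user_agent)
    if m:
        return f"Firefox {m.group(1)}"
    return "Other"


def browser_counts(log_text: str) -> Counter:
    """Count visitors per browser family; the User-Agent is the last quoted field."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = re.search(r'"([^"]*)"\s*$', line)
        if not m:
            continue  # skip malformed lines rather than guess
        counts[browser_family(m.group(1))] += 1
    return counts


def browser_shares(log_text: str) -> Dict[str, float]:
    """Fraction of visitors per browser family (sums to 1.0)."""
    counts = browser_counts(log_text)
    total = sum(counts.values())
    return {family: n / total for family, n in counts.items()}


def effective_block_rate(shares: Dict[str, float], block_rates: Dict[str, float],
                         default: float = UNKNOWN_BLOCK_RATE) -> float:
    """Population-weighted block rate: each family's share times its own block rate."""
    return sum(share * block_rates.get(family, default) for family, share in shares.items())


if __name__ == "__main__":
    shares = browser_shares(SAMPLE_LOG)
    for family, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{family:10s} {share:6.1%}  block rate {BLOCK_RATE.get(family, UNKNOWN_BLOCK_RATE):.0%}")
    print(f"effective block rate across these visitors: {effective_block_rate(shares, BLOCK_RATE):.1%}")
```

With this constructed sample the IE8 users are well protected individually, but because they are only 30% of the visitors and the IE7 majority sits at 4%, the weighted figure for the population is about 29%. Swapping in the visitor counts from the Koobface stats above in place of the sample log gives the same kind of number, which is the point the post makes about scale.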

Just like the previous edition of the study, this one also excludes the notion that client-side vulnerabilities continue contributing to the “rise and rise” of web malware exploitation kits. By excluding client-side vulnerabilities, the study isn’t assessing IE8’s DEP/NX memory protection, as well as omitting ClickJacking defenses and IE8’s XSS filter, once pointed out as a less sophisticated alternative to the Firefox-friendly NoScript.

Socially engineered malware is not the benchmark for a comprehensive assessment of a browser’s malware block rate. That benchmark is a realistic assessment of the current and emerging threatscape combined with comprehensive testing of all of the browser’s currently available security mechanisms, a testing methodology which I think is not present in the study.

Tuesday, February 3, 2009

The smallest threat to open source in 2009

How much of a problem is security updating for open source software going to be in 2009?
On Jan. 1, Dana Blankenhorn published the sensationally titled The biggest threat to open source in 2009.
His thesis is simple: that, because open source software usually lacks any mechanisms for easily updating to the latest security patched version, the growing popularity of open source software will render it more vulnerable to problems than its closed source counterparts.
As a lead-in to his main point, he said:
There is no longer any doubt that hackers and malware writers are going after open source projects as they once went after Windows. Vulnerabilities are being found, discovered, created, exchanged.
There seems to be a common malady amongst opinionated tech writers--that of never quite getting it when it comes to the fundamental principles of security. A particular favorite for being ignored is that of security through obscurity.
Many many moons ago, I wrote what I think is a decent treatment of the subject as it applies to open source software, Security through visibility. While it makes a pretty strong case for ignoring the bleatings of "popularity is insecurity" doomsayers, it's really only the first step toward full understanding of all the problems with the assumption that the only thing "secure" about open source software is obscurity.
Obviously, based on his start to the article, I was already expecting very little in the way of useful information. His next statement left me even more mystified at what appeared to be a towering edifice of ignorance, however. Specifically, he said:
The best protection against vulnerabilities is to keep software updated, but most open source lacks update services. That's one part of the Windows license that is worth paying for, and there does not seem to be an open source equivalent.
As a long-time user of open source operating systems, previously favoring Debian GNU/Linux, and subsequently moving on to FreeBSD, I was stunned to see this in writing, published for all the world to see. Was he serious? Could he really believe that?
One of the most visible wins for open source Unix-like OSes, once one has learned a fair bit about them, is the casual availability of superior software management systems. I've written a brief primer for effective use of APT for TechRepublic, Efficient software management with the Advanced Package Tool in Debian. I've also addressed the excellence of a security tool integrated with FreeBSD's ports system, How FreeBSD makes vulnerability auditing easy: portaudit. Both of these articles illustrate some of the significant benefits of better software management systems than offered by MS Windows.
Perhaps even more relevant to Dana's point is the fact that, on open source Unix-like OSes (but not on MS Windows), the software management system typically manages security updates for far more than just the core OS and a couple of applications created by the same vendor. Such Unix-like OSes' software management systems tend to provide security update management for literally thousands of software packages originating outside the core OS project itself--in some cases, tens of thousands.
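The kind of check a ports-audit tool performs, matching every installed package against a database of advisories with affected version ranges, is small enough to show in full. The following Python example is added here and is not the author's code, nor portaudit's or APT's: the installed package list and the advisory feed are constructed (the EXAMPLE-000n identifiers are placeholders, not real advisories), and the version comparison is a simplified one that handles numeric components and letter suffixes such as 0.9.8i.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed "name-version" package list in the style of a pkg_info listing.
INSTALLED = [
    "firefox-3.0.5",
    "openssl-0.9.8i",
    "curl-7.19.2",
    "bash-3.2.48",
]

# Constructed advisory feed in the spirit of a VuXML-style database: each entry
# names a package and an affected range [ge, lt); a None bound is open.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "firefox", "ge": None, "lt": "3.0.6",
     "summary": "constructed: code execution fixed in 3.0.6"},
    {"id": "EXAMPLE-0002", "package": "openssl", "ge": "0.9.8", "lt": "0.9.8j",
     "summary": "constructed: issue in 0.9.8 through 0.9.8i"},
    {"id": "EXAMPLE-0003", "package": "curl", "ge": None, "lt": "7.19.0",
     "summary": "constructed: already fixed in the installed version"},
]


def version_key(version: str) -> Tuple:
    """Turn '0.9.8i' into a comparable tuple: numbers compare numerically,
    letter suffixes compare alphabetically after the number they follow,
    and a shorter prefix ('0.9.8') sorts before a longer one ('0.9.8i')."""
    parts = []
    for token in re.findall(r"\d+|[a-zA-Z]+", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token.lower()))
    return tuple(parts)


def split_name_version(spec: str) -> Tuple[str, str]:
    """'openssl-0.9.8i' -> ('openssl', '0.9.8i'); the version is the part after
    the last '-' that begins with a digit, so hyphenated names still work."""
    m = re.match(r"^(.*)-(\d[^-]*)$", spec)
    if not m:
        raise ValueError(f"cannot parse package spec: {spec}")
    return m.group(1), m.group(2)


def affected(version: str, ge: Optional[str], lt: Optional[str]) -> bool:
    """True if version lies in [ge, lt); None bounds are open on that side."""
    v = version_key(version)
    if ge is not None and v < version_key(ge):
        return False
    if lt is not None and not v < version_key(lt):
        return False
    return True


def audit(installed: List[str], advisories: List[Dict]) -> List[Tuple[str, str]]:
    """Return (package spec, advisory id) for every installed package that falls
    inside an advisory's affected range, in installed-list order."""
    findings = []
    for spec in installed:
        name, version = split_name_version(spec)
        for adv in advisories:
            if adv["package"] == name and affected(version, adv["ge"], adv["lt"]):
                findings.append((spec, adv["id"]))
    return findings


if __name__ == "__main__":
    for spec, adv_id in audit(INSTALLED, ADVISORIES):
        print(f"Affected package: {spec} ({adv_id})")
```

The useful property is the one the paragraph describes: the same loop covers every package the system knows about, not just the OS itself, so adding a new advisory to the feed is enough to flag every host with a vulnerable version installed. Real tools also carry the advisory's references and fixed version so the report can say what to upgrade to.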
Then, his next statement clarified his meaning:
An exception is Firefox...But how many take advantage of this? And how tied is Firefox to updating for security purposes? Remember we're talking about pushing updates, not asking users to pull them.
Suddenly, it all became clear. In Dana Blankenhorn's mind, "open source software" refers only to the handful of popular open source applications that are regularly used on MS Windows systems. I find it interesting that the only example of an open source application he offers is an exception to his rule, however.
Where are all the legions of open source applications that don't provide easy software updates? Whose fault is it that MS Windows doesn't have a software management system that can help ease the process of applying security patches for these applications the way open source OSes do? Where are the examples of closed source applications that provide such update management as he describes, where the MS Windows compatible open source alternative does not--thus justifying his singling out of open source software as somehow more notably vulnerable?
Perhaps the worst part of the inaccuracies of the article is the fact that the assumptions that are clear to those of us who know better (that all software worth discussing is MS Windows-centric, for instance) are opaque to those who do not.
A manager with little or no experience of OSes outside of MS Windows may read this article and come away with the assumption that open source OSes completely lack software management systems. As a result, he or she may scupper any potential plans to deploy open source Unix-like systems in the network. So much for "the best tool for the job"; such decisions are often difficult to make well even when you aren't hampered by wrong-headed ideas like those Dana's article might inspire.
He does make a good point about corporate culture, though:
But until this ramps up (hopefully in a competitive market), enterprise managers have an easy way to say "no" to open source.
Regardless of how dangerous this is, the fact that managers feel it's dangerous makes it so.
Too bad some of those managers might "feel" it's dangerous specifically because of his own article.
I'd clarify that to say that managers feeling it's dangerous doesn't actually make it so--but it does make it so for all intents and purposes in the corporate environment, when it comes to technology implementation decisions. When the higher-up says "I think the closed source software offering is better, because I have these concerns about the open source software alternative", his or her subordinate (and perhaps more technically inclined) IT worker will eventually reach a point where he or she must either make decisions limited by the manager's fears or polish his resume. Take it from someone who knows from personal experience.
On one hand, I'm inclined to be dismayed by this common bureaucratic failure of corporate culture, and feel the urge to rail against it. After all, security is everybody's problem; it's not just a problem for "that guy over there". Your problem, to a significant extent, becomes my problem when you connect to the Internet.
On the other hand, knowing something about security that others don't provides something of a competitive advantage. Where competitors may stumble and fall, the organization with a knowledgeable IT department will remain stable and secure, and prosper where others have failed.

Friday, June 20, 2008

Code execution vulnerability found in Firefox 3.0


It’s not all about world records for Firefox 3.0.

Just hours after the official release of the latest refresh of Mozilla’s flagship browser, an unnamed researcher has sold a critical code execution vulnerability that puts millions of Firefox 3.0 users at risk of PC takeover attacks.

According to a note from TippingPoint’s Zero Day Initiative (ZDI), a company that buys exclusive rights to software vulnerability data, the Firefox 3.0 bug also affects earlier versions of Firefox 2.0x.

Technical details are being kept under wraps until Mozilla’s security team ships a patch.

According to ZDI’s alert, it should be considered a high-severity risk:

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, permitting the attacker to completely take over the vulnerable process, potentially allowing the machine running the process to be completely controlled by the attacker. TippingPoint researchers continue to see these types of “user-interaction required” browser-based vulnerabilities - such as clicking on a link in email or inadvertently visiting a malicious web page.

It looks very much like the vulnerability researcher was hoarding this vulnerability and saving it for Firefox 3.0 final release to make the sale.

In the absence of a fix, Firefox users should practice safe browsing habits and avoid clicking on strange links that arrive via e-mail or IM messages.

There are no reports of this issue being exploited but, if you are worried about being at risk of drive-by attacks, consider using a different browser.