Firefox Gone Wild

After spending the better half of two days scraping a rootkit off my fiancee’s system, I think I need to reevaluate my position on Firefox being the safest browser ever. While browsing some fairly innocuous sites (artsy sites she frequents), she somehow managed to infect her entire system – in a matter of seconds – with some very nasty malware. This is what we call drive-by-downloading – simply visiting an infected website and utterly compromising your system.

Firefox, Not So Safe

As Firefox becomes more prevalent, so do the exploits. Going back a few years, it wasn’t hard to entice us all with a browser that did such nifty tricks as stopping pop-up advertisements, not being so laughably exploitable and just plain performing faster. There were a few performance and security hiccups along the way, but overall, we were happy.

Early on, exploiting Firefox was left to hacker conferences where large bearded men with Linux laptops wrote complex proof-of-concept hacks to break through the boundaries of Firefox and System. Fundamentally, however, even the average user was safe from himself with Firefox. As popularity grew, malware authors began to take notice.

Browser development is akin to operating system development. It is terribly complex and tedious to develop. Just breaking into the market is difficult enough – even as I write this, a television somewhere is playing a Google Chrome ad. As complexity grows, so do the vulnerabilities – and someone, somewhere will have time/incentive/moral ambiguity to find and exploit them. The more eyes you have searching, the faster this process becomes.

Unfortunately, Firefox wasn’t written by cybernetic foxes from the future. No, it was written by fallible humans who had gone to bed at 5am the previous night because they had run out of coffee. As a result, bugs and vulnerabilities are bound to occur. And while the Mozilla team is very good about releasing frequent patches, there always seems to be something else.

The Infection

The latest Firefox exploits I’ve seen come from JavaScript, Java and sometimes obscure things you wouldn’t expect like GIFs, PDFs and Flash. The malware my fiancee’s system encountered, however, likely came from a JavaScript exploit. Although I am uncertain of the exact means by which her machine became infected, the immediate sign was unmistakable:

ANG Antivirus (Malware)

A program that suddenly appears on the screen claiming to be a virus scanner…which you didn’t install…is a pretty good indication your system has been compromised. But, as it turns out, this was just one of the many friends the original virus invited to join the party. Overall, her system became infected with 18 different viruses and virus traces, according to the initial real malware scanner used.

So, what now?

Short of ripping out the network card and ceremoniously launching it into the sun, the best thing to do now is to enact some preventive measures. But finding the balance between crippling the user experience and not doing enough is a difficult task indeed. What are the options?

Disable Java. This is simple enough and not all too inconvenient as not too many sites directly use Java to serve content. If there is a site I know that requires it, and it is a site I trust, it is easy enough to turn it back on.

While tempting, disabling JavaScript is out of the picture. Thanks to Web 2.0, there are very few sites (especially community and media-heavy) that will work (properly, if at all) without JavaScript. The alternative is to install the [terribly inconvenient] NoScript Firefox plug-in. Even though it is better than nothing, there are still ways around it as it too has vulnerabilities.

If you’re good at staying away from the seedier parts of the Internet, you still have to worry about well-known sites being compromised either by getting entirely hacked or having one of their ad networks compromised or going rogue. To further secure your browser, Flashblock will disable any Flash animation until you click on it (which is also good for getting rid of some truly annoying and sometimes noisy ads).

With those plug-ins (and some common sense), you’re likely in good shape. By diminishing the ability for client-side execution of just about anything (which mostly includes Java, JavaScript and Flash), your chances of picking up drive-by-downloaded malware also diminish. If you absolutely must visit a questionable site, use a virtual machine.

Comments

Matthew Mackay
11:18 am, November 30, 2009

Great article,

I use Mac and run XP in a virtual environment. I will use your suggestions to make that VM safer. Do you have any other suggestions that I could use to make my VM more safe?

Also, the plug-ins you’re talking about are for Mozilla, any suggestions for Safari (Mac)?

Thanks again,

-Matt

3:45 pm, November 30, 2009

Safari (and Mac for that matter) has a low enough market share that it really isn’t being targeted right now. The best you can do (that I know of) to make it “safer” is maybe SafariBlock – although it only blocks ads:

http://www.macupdate.com/info.php/id/19202

In regards to the VM, I’d turn off any file sharing, Internet sharing (unless needed) and usability applications that integrate the VM into the host operating system. Even still, I’m sure there are ways to breach the VM/Host boundary – just nothing I’ve personally seen yet.
