
Google-Funded Study Knocks Firefox Security

Sparrowvsrevolution writes "Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top. More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards. Though the study seems to have been performed objectively, it won't help Google's fraying partnership with Mozilla." The full research document is available here (PDF), and it goes into much greater detail than the Forbes article. Accuvant also published the tools and data they used in the study, which should help to evaluate their objectivity.
  • by InsightIn140Bytes ( 2522112 ) on Saturday December 10, 2011 @12:25PM (#38326472)

    More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards.

    How is this surprising? Apart from some ignorant cases on Slashdot who believe Microsoft is the devil and should die, it's not a new fact that IE has been a really secure browser for a long time. Both IE and Chrome offer sandboxing, JIT hardening and ways to make vulnerable plug-ins less easy to exploit and gain access to the system. Firefox offers none of these.

    Currently, it's not even often that you find a vulnerability directly in the browser. Most of the attacks target either plug-ins like Flash or PDF reader, and if someone does find an exploit in the browser, the extra security layer makes it much harder to exploit. Yes, you can use something like NoScript in Firefox (and other browsers), but the majority of people don't. In fact even I don't because frankly, it's a pain in the ass to use. This is the reason why extra security layers provide so much better overall security.

    Anyone who still says that IE is an insecure browser just doesn't know what he is talking about. On top of that, this study doesn't really bring anything new to the table (but it is really well done with comprehensive disassemblies and exploit testing), it just confirms what has been known for a long time now - both Chrome and IE are really secure browsers, followed by Opera. The one that is lagging behind is Firefox. I don't know what happened to them, but they seem to copy the aspects of Chrome that no one actually cares about (UI and version number scheme) while completely forgetting what Chrome and IE do underneath and what actually counts - sandboxing, JIT hardening, auto-updating browser and plug-ins and separating different tabs to different processes.

  • by bunratty ( 545641 ) on Saturday December 10, 2011 @12:32PM (#38326560)
    I think the folks at SecurityFocus disagree. Although IE 9 is more secure than previous releases, IE still has plenty of vulnerabilities [securityfocus.com]
  • by InsightIn140Bytes ( 2522112 ) on Saturday December 10, 2011 @12:39PM (#38326650)
    If you browse the same site for Chrome, you'd notice that the list is about the same length for the latest version. And the total vulnerability count is huge for Firefox compared to Chrome and IE.
  • Re:Opera (Score:5, Informative)

    by InsightIn140Bytes ( 2522112 ) on Saturday December 10, 2011 @12:48PM (#38326742)
    Opera is the most used browser in many CIS countries, having almost 50% market share in some and beating all IE, Chrome and Firefox. Maybe you wanted to say that Opera has no market share in the US.
  • by bunratty ( 545641 ) on Saturday December 10, 2011 @12:49PM (#38326758)
    Here are the lists for: Chrome [securityfocus.com] which shows zero vulnerabilities, and Firefox [securityfocus.com], which shows two. Ah, good old cognitive dissonance -- making people ignore evidence that doesn't match their conclusions since the dawn of man.
  • by InsightIn140Bytes ( 2522112 ) on Saturday December 10, 2011 @12:57PM (#38326842)
    The links you showed list new vulnerabilities for:

    Chrome 15.0.874.121 (really minor version number)
    Firefox 8.0 (FF 11.0 is in the works already!)
    IE 9.0 (now we suddenly have a major version number)

    Both Chrome and Firefox use insane version number schemes which really doesn't make that comparison valid. Because of that you have to compare the vulnerabilities within some time frame, for example one year or two years. But I suspect you knew that.
  • In fact ... (Score:4, Informative)

    by Kaz Kylheku ( 1484 ) on Saturday December 10, 2011 @12:58PM (#38326878) Homepage

    The PDF paper trashes NoScript. That is to say, it is mentioned in a paragraph that basically states that Firefox has add-ons, and add-ons are a security threat. Nothing is mentioned about the security benefits that add-ons can provide.

  • by Ucklak ( 755284 ) on Saturday December 10, 2011 @01:17PM (#38327076)

    Don't care how secure IE is now, it renders differently between versions 7, 8, and 9 and is incredibly slow.

  • by Animats ( 122034 ) on Saturday December 10, 2011 @01:19PM (#38327090) Homepage

    Many of the security issues mentioned in the paper for Firefox come from the fact that Firefox is, for historical reasons, a single-process browser. It's the last of the single-process browsers.

    This is both a performance problem and a security problem. Even add-ons aren't yet running in separate processes. The Mozilla project to make Firefox multiprocess [mozilla.org] is behind schedule and in trouble.

    "Fennec", the Mozilla browser for mobile devices, is already multiprocess. But getting that machinery into the main line of Firefox has run into problems, and, after two years of effort, multiprocess Firefox is now on hold. [lawrencemandel.com] "Converting an established product, like Firefox, from a single- to multi-process architecture requires the involvement and coordination of many teams. ... Electrolysis requires a large investment of resources and time and has a long timeline for completion. How long? At this point we do not have a definitive answer...."

  • by Billly Gates ( 198444 ) on Saturday December 10, 2011 @01:20PM (#38327096) Journal

    Keeping Flash and Java up to date helps. With Java these days it is best to disable it in your browsers if you have to use it for things like Eclipse on the desktop. That's what I do as Java 7 is a pile of dung even if it is much more secure. I haven't used a Java applet since 2002 seriously. So I can still use Java 6 and not worry about being hacked when I browse.

    With Windows Vista and Windows 7 it is very difficult as hell to target a browser with the exception of Firefox because it does not support sandboxing. The reason why is because ASLR is a ram address randomization technique so if you overflow a buffer you can't say "use server.exe by its ram address and inject your dll into it". DEP is something XP only partially supports that Vista and 7 do fully where you can't plant data execution code in regular data like a picture file. In XP with IE 6 you simply render the pic on the page and you have instant data execution as the CPU/Kernel are too dumb to know which is data and which is executable. That is another common browser exploit.

    But today these are rare and hard to do so a plugin is a great way to do it. IE 9 even has a special compiler option which the engineers even control exception handling so the program will never go into an area out of bounds.

    Flash and Adobe Air are the way to go. Keep them updated or use adblock if you can. The first thing I always do when I get a new computer is uninstall PDF reader and Flash and then go to file hippo and download only the latest.

  • by Zamphatta ( 1760346 ) on Saturday December 10, 2011 @02:04PM (#38327650) Homepage
    But a flaw in IE can root your system, since IE is tied in so deep. So, even if the insecurity is in Java or Flash or some other plugin, it can have much nastier effects than the same problem via Chrome since Chrome isn't tied into the system. (assuming we're talking about Windows comp's and not Chrome OS or Linux/WINE). In this way, IE is still a bigger insecurity than any other Windows browser even when the insecurity isn't specifically an IE flaw, because IE's "tied in" design is flawed.
  • by RobbieThe1st ( 1977364 ) on Saturday December 10, 2011 @03:45PM (#38328730)

    I've found the same thing. FF seems to be extremely stable, does what I want, and is configurable enough that I can make it look /how/ I want (unlike Chrome and, I suspect, IE), which is something like the UI of FF3.
    Also, aside from a couple of glitches I've seen in nightly versions (locking up if reloading over 30 tabs at once being a problem I saw for a year), it's been pretty fast and stable.

  • by Anonymous Coward on Saturday December 10, 2011 @06:25PM (#38330170)

    Not according to the national vulnerability database. Here is the score for the last three months:

    We can argue that it makes more sense to look at holes over the last year instead of over the last three months, but the evidence indicates that Chrome is the least secure and IE is the most secure. (Security holes by version doesn't make sense for Chrome, since it changes its version number so quickly. Ditto with Firefox).

  • Look people (Score:4, Informative)

    by cshark ( 673578 ) on Sunday December 11, 2011 @04:30AM (#38333222)
    I love Slashdot, always have. But as a community, we seriously need to stop applying the term "study" to every observation, or web page with pretty charts on it. This last thing wasn't a study. Not in the formal sense. It was a feature comparison. Biased, maybe. But who cares? It's not a study. And it's not the first time this has happened here.
