
Google-Funded Study Knocks Firefox Security

Posted by Soulskill
from the time-to-argue-again dept.
Sparrowvsrevolution writes "Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top. More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards. Though the study seems to have been performed objectively, it won't help Google's fraying partnership with Mozilla." The full research document is available here (PDF), and it goes into much greater detail than the Forbes article. Accuvant also published the tools and data they used in the study, which should help to evaluate their objectivity.

  • by InsightIn140Bytes (2522112) on Saturday December 10, 2011 @12:25PM (#38326472)

    More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards.

    How is this surprising? Apart from some ignorant cases on Slashdot who believe Microsoft is the devil and should die, it's not a new fact that IE has been a really secure browser for a long time. Both IE and Chrome offer sandboxing, JIT hardening and ways to make vulnerable plug-ins less easy to exploit and gain access to the system. Firefox offers none of these.

    Currently, it's not even often that you find a vulnerability directly in the browser. Most of the attacks target either plug-ins like Flash or a PDF reader, and if someone does find an exploit in the browser, the extra security layer makes it much harder to exploit. Yes, you can use something like NoScript in Firefox (and other browsers), but the majority of people don't. In fact even I don't because frankly, it's a pain in the ass to use. This is the reason why extra security layers provide so much better overall security.

    Anyone who still says that IE is an insecure browser just doesn't know what he is talking about. On top of that, this study doesn't really bring anything new to the table (but it is really well done with comprehensive disassemblies and exploit testing), it just confirms what has been known for a long time now - both Chrome and IE are really secure browsers, followed by Opera. The one that is lagging behind is Firefox. I don't know what happened to them, but they seem to copy the aspects of Chrome that no one actually cares about (UI and version number scheme) while completely forgetting what Chrome and IE do underneath and what actually counts - sandboxing, JIT hardening, auto-updating browser and plug-ins and separating different tabs to different processes.

    • Re: (Score:3, Informative)

      by bunratty (545641)
      I think the folks at SecurityFocus disagree. Although IE 9 is more secure than previous releases, IE still has plenty of vulnerabilities [securityfocus.com]
      • by InsightIn140Bytes (2522112) on Saturday December 10, 2011 @12:39PM (#38326650)
        If you browse the same site for Chrome, you'd notice that the list is about the same length for the latest version. And the total vulnerability count is huge for Firefox compared to Chrome and IE.
        • Re: (Score:3, Informative)

          by Anonymous Coward

          Not according to the national vulnerability database. Here is the score for the last three months:

          We can argue that it makes more sense to look at holes over the last year instead of over the last three months, but the evidence indicates that Chrome is the least secure and IE is the most secure. (Security holes by version doesn't make sense for Chrome, since it changes its version number so quickly. Ditto with Firef

          • Keep in mind that Chrome holes include Flash holes, because Chrome ships with Flash. IE and Firefox stats don't count Flash, because it's technically a separate product. But, in practice, 99% of desktop PCs have it installed, so you might as well count it against all three browsers.

    • by hey! (33014) on Saturday December 10, 2011 @12:35PM (#38326596) Homepage Journal

      Well, let's wait and see.

      Software products are products of corporate cultures. That's not just how people in a corporation tend to think, it's what they tend to value. There is no doubt that Microsoft is capable of producing a secure browser when faced with public criticism and strong competition. The question is whether they will continue to do so if public attention flags or the competition declines, or whether security will be sacrificed to some other business goal.

      Of course you can ask that of *any* browser produced by *any* organization, but the point is that it is a bad idea to accord any one browser product a privileged position. Developers should develop to standards then test against multiple products, and users should not be shy about changing browsers. The problem is that IE inherently has a privileged position, and Microsoft has a history of using interlocking, non-proprietary product stacks to drive sales across product categories. That means Microsoft has unusual temptations when it comes to security, because of IE.

    • by hedwards (940851) on Saturday December 10, 2011 @12:41PM (#38326676)

      The study itself appears to be bunk. They assume that the browser is going to be exploited which doesn't give any credit to how difficult that might be. It is valid to look at that, but it's incredibly misleading for them to suggest that all browsers are equally likely to be broken. Ultimately, by the time those technologies come into play you're more or less screwed. They can somewhat limit the damage, but if somebody's broken into the browser they probably know where one of the exploits is to get out of the browser.

      It also doesn't take into account common security extensions that people are likely to have or the types of people that use the browsers. Ultimately, it doesn't matter how secure your browser is if you just go around clicking random links and downloading questionable software.

      • by Vellmont (569020)


        Ultimately, it doesn't matter how secure your browser is if you just go around clicking random links

        WTF? This is the entire experience of the World Wide Web! Are you really suggesting that we're all supposed to "just know" which are the "good" links to click on, and which ones are the "bad" ones? Do you really think an attacker isn't clever enough to trick you into clicking on his malicious site? And no, I'm not talking about the "punch the monkey", or "take this IQ test" crap.

        • by tycoex (1832784)

          My browser tells me which links are 'good' links and which are 'bad.'

          http://www.mywot.com/ [mywot.com]

        • by hedwards (940851)

          All sites aren't equal in terms of their risk factors. Yes every once in a while a major site will get hit, but in general there's a substantial difference between frequenting a random warez site and a random hobby related forum.

      • by smash (1351)

        The study itself appears to be bunk. They assume that the browser is going to be exploited which doesn't give any credit to how difficult that might be

        Hate to break it to you, but it doesn't matter how difficult it was to exploit when there are scripts available for free to do it. If an exploit is feasible, it will be exploited eventually. Running an application that runs any sort of un-trusted code from the internet without a sandbox in 2011 is playing with fire. Eventually you'll get burned.

        You don

    • by dln385 (1451209)

      Yes, you can use something like NoScript in Firefox (and other browsers), but the majority of people don't. In fact even I don't because frankly, it's a pain in the ass to use.

      Install NoScript and enable scripts globally in its options. I do this and it's like it's not even there, but once in a while when I'm on a shady website, it'll pop up and say that it blocked a suspected malicious script or XSS attack. Better than nothing.

    • Re: (Score:2, Informative)

      by Ucklak (755284)

      Don't care how secure IE is now, it renders differently between versions 7, 8, and 9 and is incredibly slow.

    • by Anonymous Coward

      Of all of the major browsers, Firefox has by far the most fucked up architecture. When you examine it, it's no wonder why Firefox suffers from so many performance problems, excessive memory usage, and various other problems.

      The core parts of it are written in C++, which isn't a bad idea, by any means. However, they've decided to use a stuck-in-the-1990s variant of C++ that's extremely handicapped and limited. This might make it portable, but it also encourages the creation of obtuse, low-quality C++ code.

      It

      • by improfane (855034)

        This is probably the first post posting as AC.

        Get a real job!

      • by iserlohn (49556)

        Firefox is built on Javascript, just like the rest of the web. That's the standard architecture now, live with it.

      • by bonch (38532)

        I just wanted to note that, even though your post is modded +4 Insightful, none of your performance claims have any citations or other evidence proving that XUL is the cause of performance issues, excessive memory usage, and "various other problems."

      • by Kjella (173770)

        If you've done any serious UI development using real toolkits like Motif, MFC, wxWidgets, Swing, SWT, WinForms, and even Gtk+, you'll immediately see how stupid this JavaScript/XUL approach is.

        Sorry, but my stupid-o-meter doesn't have the resolution in the "utterly dumb crappy cluster fuck" range, which is where several of these toolkits are. Never used XUL, but as far as real toolkits go you certainly missed Qt.

        • The mention of Motif also kinda raises a flag.

        • by smash (1351)
          I think he meant "real toolkits" as in examples from the real world, both good and BAD, that demonstrate both some of the brain damage in firefox, and how to not do it. Only having used a good toolkit, you have perhaps not been exposed to the brain damage that firefox has, and seen that it is a horrible idea.
    • by Vellmont (569020) on Saturday December 10, 2011 @02:25PM (#38327868)


      Anyone who still says that IE is an insecure browser just doesn't know what he is talking about.

      Care to point to any actual data on breakins, rather than theoretical security models to demonstrate this point?

      You might want to look at the pwn2Own contest results from this year:
      http://en.wikipedia.org/wiki/Pwn2Own [wikipedia.org]

      Teaser:
      The second and last browser to fall for the day was a 32-bit Internet Explorer 8 installed on 64-bit Windows 7 Service Pack 1.[23] Security researcher Stephen Fewer of Harmony Security was successful in exploiting IE. Just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk.

      Day 3
      No teams showed up for day three. Chrome and Firefox were not hacked.

      Only IE8 was in the competition since IE9 wasn't even released until shortly afterward. We'll see how the new batch of browsers does next year.

      So I have to ask: Why does "anyone who thinks IE is an insecure browser doesn't know what he is talking about"?

    • by metacell (523607)

      I assume the TFS meant it was surprising considering who funded the research...

    • by cryptoluddite (658517) on Saturday December 10, 2011 @03:29PM (#38328572)

      Both IE and Chrome offer sandboxing, JIT hardening and ways to make vulnerable plug-ins less easy to exploit and gain access to the system. Firefox offers none of these.

      On the other hand only Firefox is checked with static analysis tools before released, meaning that there are very, very few actual flaws in the browser (IE might be, Chrome certainly isn't). For instance when Chrome added a very basic memory checker to their test servers they caught dozens of bugs -- and that's just from the most basic of runtime checks. When people have run their commercial static analyzers on Chrome they've found several hundreds of potential flaws.

      What does this mean in practice? The inner sandboxed code in Chrome is wide open to attack. They aren't even using serious methods to try to protect that code and are instead relying completely on the sandbox. This is the reason why you'll get random crashes in Chrome, and why they purposely try to keep you from using too many tabs (if a process is rendering more than one tab then when it crashes more of your tabs have to reload). On the flip side, this is the reason why in a years of running Firefox nightly it has never crashed once. Yes, there are errors in Firefox, but they are complex ones not the simple mistakes that crash Chrome left and right.

      Personally I've never had a malware in dozens of years, so browser stability matters a whole lot more to me than security. A sandbox would be nice, but one that is relied on and causes random page crashes is worse than not having one but having far fewer crashes.

      • by RobbieThe1st (1977364) on Saturday December 10, 2011 @03:45PM (#38328730)

        I've found the same thing. FF seems to be extremely stable, does what I want, and is configurable enough that I can make it look /how/ I want (unlike Chrome and, I suspect, IE), which is something like the UI of FF3.
        Also, aside from a couple of glitches I've seen in nightly versions (locking up if reloading over 30 tabs at once being a problem I saw for a year), it's been pretty fast and stable.

    • by smash (1351)

      Pretty much agree with this. Whilst in theory maybe Firefox code is more reviewed or whatever (I'm willing to play devil's advocate on that one) the simple fact is that the industry has moved on from attempting to write secure code and ensure that all code in the browser is written securely, to sandboxing. Sandboxing makes the assumption that all this code is insecure - which with 20/20 hindsight is probably the way browsers (or anything connected to a network) should have been written in the first place.

    • by BZ (40346)

      Firefox offers various security mitigation strategies (in terms of properly dealing with various memory-safety issues, say) that Chrome does not. As far as I can tell, this study just started off with a subset of the list of techniques that Chrome implements and then "studied" which other browsers also implement them, instead of studying what browsers actually do to ensure security and how difficult they are to actually exploit.

      Your larger point that modern IE is a fairly secure browser (like any modern br

  • Here it comes (Score:5, Insightful)

    by masternerdguy (2468142) on Saturday December 10, 2011 @12:27PM (#38326506)
    Nobody is going to RTA. This is going to be a good flamewar though.
    • by Aerorae (1941752)
      The problem is that, though I agree whole-heartedly with the results of the study, it was funded by Google. Even if it wasn't we'd have controversy, but since it does, it's gunna be more than a flamewar!
      • The PDF contains all the things they tested, and goes to very technical details. I also doubt Google would want to make Microsoft look better than Mozilla.
      • by Trepidity (597)

        That's true, and a good instinct to have, but I apply it less in this case than usual, because the study appears to actually include substantial technical detail, and Accuvant is a well-respected security firm. At the very least it looks like a more serious commissioned study than the stuff you get from the usual "independent" shill consultants that write most commissioned tech whitepapers.

    • IE sucks!

      Just playing my part...
  • Opera (Score:5, Interesting)

    by jaak (1826046) on Saturday December 10, 2011 @12:33PM (#38326576)

    The researchers did not evaluate Opera in their study. I wonder how that would have compared...

    • Re:Opera (Score:5, Interesting)

      by kangsterizer (1698322) on Saturday December 10, 2011 @12:45PM (#38326718)

      They don't care about opera. It's not a technical study. It's a marketing study.
      Opera has no market share. Chrome's easiest target is Firefox.
      IE's easiest target is Firefox too, and they made a similar advertising study, where IE is on top of security, way ahead of Chrome - but not too much.
      Both put Firefox down.

      All of them fail to mention other security features of Firefox. All of them fail to mention noscript and the like.
      (and before you ask a list, take a look at Firefox's separated memory management per tab, or frame poisoning protection, etc.)
      Also, no mention of CVE count of course, aka the actual discovered vulnerabilities.

      That's just making a checklist where you put names of technologies that the opponent doesn't have, but don't put names of the ones you do not have.
      Then put a mark in front of them to make you appear better.

      In the past they've been (as in all corporations) doing that for ages, Microsoft certainly did a lot of it. The difference here is that they now buy out companies to do it for them.

      • Re:Opera (Score:5, Informative)

        by InsightIn140Bytes (2522112) on Saturday December 10, 2011 @12:48PM (#38326742)
        Opera is the most used browser in many CIS countries, having almost 50% market share in some and beating all IE, Chrome and Firefox. Maybe you wanted to say that Opera has no market share in the US.
        • Funny.
          You're using the same tactic I pointed out Google is using.

          September 2011, median of all worldwide browser usage statistics:
          Opera 2.7% = Yay for CIS 10 users! 2.7% woohoo!

          Chrome was at 20%, Firefox 25 and IE 38%. See the difference?

          That doesn't mean Opera is a bad browser. In fact, Opera mobile is very, very good. But that doesn't mean one should write FUD now should it?

  • Won't hurt either (Score:4, Interesting)

    by hal2814 (725639) on Saturday December 10, 2011 @12:52PM (#38326778)
    It won't hurt Google's fraying partnership with Mozilla. Their "partnership" is Google writes a check and Mozilla cashes it. I'm pretty sure Google can say or do whatever they want. It's not like Mozilla will stop cashing any checks that Google writes.
    • by catbutt (469582)
      I think the implication is, the more the two trash-talk one another, the sooner Google stops writing the checks.
  • by yuna49 (905461) on Saturday December 10, 2011 @12:54PM (#38326802)

    I've read the first few pages of the report and intend to read the details about the three areas where the authors think Firefox is lacking -- sandboxing, plug-in security, and JIT hardening.

    However I will point out the comparison applies only to versions of these browsers running on Windows 7. For Linux users, the comparisons might not be so important, though I'd obviously prefer a browser that employs technologies like sandboxing and enforces security on plug-ins.

    If I switched to Chrome, how much privacy would I sacrifice to gain these security enhancements? I already use Google dozens of times a day, sometimes with a Google account. I use Ghostery to block most tracking cookies except for Google Analytics. I have some clients' sites subscribed to Analytics so I figure I should support the service myself. Would switching to Chrome provide Google additional information about me that it doesn't get now?

    What about the state of plug-ins for Chrome? Along with Ghostery I use AdBlock Plus, ForecastFox and some download helpers. I won't switch browsers if it means abandoning the functionality available in Ghostery and AdBlock.

    I could just use Konqueror or rekonq, but I've never preferred either of KDE's browsers to Firefox.

    • You could use Chromium instead, as it's the open source basis of Chrome, and pretty much the same in functionality, but without the Google branding, and I don't think it sends usage data to Google by default.

      • Even better, use SRWare Iron Browser. Also based on Chromium, but with a bunch of privacy- and security-oriented tweaks. AFAIK, it's nothing you couldn't do yourself while compiling chromium, but it's a lot more convenient like this.
        • Re: (Score:3, Insightful)

          by Anonymous Coward

          Perhaps not: http://chromium.hybridsource.org/the-iron-scam [hybridsource.org]

          • That's good to know. Thanks for the link.
          • by aeoo (568706)

            Now there's a web page written by a douchebag full of hot air. Chromium is open source and distributing your version of the same software with a few changes is not a "rip-off", it's part of the freedom that the open source programmers enjoy. And for this exercise of freedom he decided to sic patent trolls on the Iron's dev? I hope that's not for real.

    • Ghostery looks to be available on all major browsers [ghostery.com] including Chrome.

      There's an extension Adblock [google.com] which is similar to AdBlock Plus. It isn't identical, but other than issues with video-embedded ads (which I remember having with Adblock Plus occasionally) it works just as well as far as I'm concerned.

      As other posters have mentioned Chromium. Here [google.com] are the major differences. "User metrics" and "crash reporting" are the only two differences with potential privacy issues, AFAIK.

  • The folder has default write privileges. This is how a standard user can install it. It also means privilege escalations, DLL injections and other nasties. Worse, on XP the default user is a full admin without ASLR or DEP fully implemented.

    • The folder has default write privileges. This is how a standard user can install it. It also means privilege escalations

      What kind of privilege escalation are you planning to get by modifying code of an application that runs under standard user account, anyway?

  • by Animats (122034) on Saturday December 10, 2011 @01:19PM (#38327090) Homepage

    Many of the security issues mentioned in the paper for Firefox come from the fact that Firefox is, for historical reasons, a single-process browser. It's the last of the single-process browsers.

    This is both a performance problem and a security problem. Even add-ons aren't yet running in separate processes. The Mozilla project to make Firefox multiprocess [mozilla.org] is behind schedule and in trouble.

    "Fennec", the Mozilla browser for mobile devices, is already multiprocess. But getting that machinery into the main line of Firefox has run into problems, and, after two years of effort, multiprocess Firefox is now on hold. [lawrencemandel.com] "Converting an established product, like Firefox, from a single- to multi-process architecture requires the involvement and coordination of many teams. ... Electrolysis requires a large investment of resources and time and has a long timeline for completion. How long? At this point we do not have a definitive answer...."

    • by TheLink (130905)
      You can run firefox using different user accounts, and set up the user account privileges accordingly. You can have one for banking, one for slashdot and one for youtube or whatever. That way the main desktop user and its data doesn't easily get pwned just because the browser does. You can't do the same thing easily for Chrome or IE anymore.

      Where multiprocess really helps is with memory use. Right now if some page or plugin or add-on leaks, with firefox you have to close the entire browser - all tabs, all p
      • You can't do the same thing easily for Chrome or IE anymore.

        How so? Last I checked, Linux still has su, and Windows still has runas.

    • by makomk (752139)

      This is both a performance problem and a security problem. Even add-ons aren't yet running in separate processes.

      On the other hand, plugins like Flash are run in a separate process and have been for quite a while. It does wonders for browser stability.

    • Converting an established product, like Firefox, from a single- to multi-process architecture requires the involvement and coordination of many teams...

      As I recall, with Mozilla 5.0, they scrapped a large part of the classic Netscape code base because it had become too unwieldy to maintain. Any significant change impacted many teams and subsystems. In technical terms, the code suffered from "low cohesion and high coupling". It sounds like we're there again.

      (This happens to a lot of software projects, and has since the start. The field of software development is interesting in its frequent inability to learn from history.)

  • See, with ABP and NoScript, nothing touches my computer without explicit permission.

    It's that simple. These 'vulnerabilities' are mostly due to third-party shit (Adobe, JS)

  • is a-OK! because, after all, we are the 'don't be evil people'. therefore, conflict-of-interest doesn't apply to us

  • Rather than rely on a biased study by Google that damns its competitors, look at what Secunia -- an independent source -- says.

    At http://secunia.com/advisories/product/38734/?task=statistics_2011 [secunia.com], we see that Firefox 8 has 1 minor vulnerability (unpatched).

    At http://secunia.com/advisories/product/38537/?task=statistics_2011 [secunia.com], we see that Chrome 15 has 3 vulnerabilities, with 2 considered "highly critical". Those two have patches; the minor vulnerability is not yet patched.

    It seems that security for Chrome a

  • Could we link better?

    Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top.

    "Chrome came out on top" is the link to a blog article? What about

    Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came o

  • What does google have to gain? Unless chrome is spying on you and they're reselling that data... Seems like a giant waste of effort and money.

  • Look people (Score:4, Informative)

    by cshark (673578) on Sunday December 11, 2011 @04:30AM (#38333222)
    I love Slashdot, always have. But as a community, we seriously need to stop applying the term "study" to every observation, or web page with pretty charts on it. This last thing wasn't a study. Not in the formal sense. It was a feature comparison. Biased, maybe. But who cares? It's not a study. And it's not the first time this has happened here.
