Speaking at the RSA Conference in San Francisco yesterday, researchers at Accuvant Labs presented the results of a three-month security evaluation of Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer. The goal of the study was to determine which browser is the most secure against attack — an important consideration, given that browsers continue to represent the widest vector for attacks.
The winner: Chrome. Accuvant’s analysis concluded that Chrome was, by far, more secure than IE. In turn, IE was found to be somewhat more secure than Firefox.
However, Accuvant was quick to caution that any browser security evaluation inevitably involves a fair amount of apples and oranges.
“It’s difficult if not impossible to make clear comparisons,” Joshua Drake, Accuvant’s senior research consultant, told the conference audience. Metrics are subjective, vendors of protection technology don’t make complete data available, and browser makers don’t always disclose patches or say how severe the vulnerability patched was. To compensate, the team normalized information to the greatest extent possible.
Furthermore, it’s worth noting that Google commissioned the study, titled Browser Security Comparison: A Quantitative Approach. Google said it wanted to advance industry knowledge and discussion of best practices. Results were first presented at the SecTOR conference in October 2011.
Accuvant compared the browsers from a layered perspective, taking into account security architecture and anti-exploitation techniques.
The researchers identified sandboxing — isolating objects, threads and processes from each other — as a critical security tactic for controlling access to various resources on a system.
“Sandboxing limits what damage can be done. While not perfect, it provides a huge barrier to entry and gaining persistence on a user’s machine,” Chris Valasek, Accuvant LABS senior research scientist, told the RSA conference audience.
The researchers found that Chrome and Internet Explorer both implemented the kinds of security restrictions that would be considered a sandbox. In fact, they found that Chrome’s sandbox was the most restrictive. Explorer allowed read access to most objects in the operating system, and only prevented a handful of system modifications. Firefox permitted read, write, and the kinds of system change capabilities associated with non-administrative users.
Shawn Moyer, practice manager, noted, “Anything you can do as a user, an exploiter can do as well.”
The Accuvant team also identified JIT hardening as an important barrier to attack. They found that IE used all necessary JIT hardening techniques, while Firefox used none at all. But when it came to browser add-ons, security tactics were mostly absent from all three browsers.
The results of the Accuvant study differ markedly from those produced quarterly by NSS Labs. NSS consistently finds that Internet Explorer is better at detecting malware attacks than Firefox, Safari, Chrome, and Opera.
Moyer told eSecurityPlanet that the NSS Labs study looks only at URL blacklisting services. He said, “The thing about that is, it’s easy to test, a simple metric. And we don’t know their methodologies.”
When Accuvant compared Google’s and Microsoft’s blacklisting services against a reference sample set of more than 4,000 known malicious URLs, each found only 12 percent — and each found a different 12 percent.
“We don’t know how NSS arrived at their conclusion, but our results for even that single criterion were very different,” Moyer said.
The Accuvant team called for more transparency. They’re freely sharing their tools and data, making the entire 139-page report available as a free download. They hope others will expand on their research.
“We try to position this research as giving the data and letting people make their own decisions,” Moyer said. “I think organizational and corporate information security people should enforce a standard browser platform for their organization — and that should be a corporate mandate of some kind. The worst thing you can do is let everybody run whatever browser they want.”
Susan Kuchinskas covers technology, business, and culture from Berkeley, California.