This is a debate that has raged for some time now, and this was the primary topic of discussion for the researchers that were attending the RSA Conference in San Francisco earlier this year. During the conference, a research team from Accuvant Labs presented the results of a three-month security evaluation conducted for the top 3 internet browsers (Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome). The study was designed to show exactly which browser was the most secure against potential attacks.
The Winner is…….Chrome?!?!
According to the results, Google Chrome came out on top in this security evaluation. This has certainly become an important consideration, given that internet browsers are the largest gateway for malware and other potential threats. In the end, Chrome proved to be significantly more secure than Internet Explorer, while Internet Explorer turned out to be slightly more secure than Mozilla Firefox.
While this might come as a shock to some users, the research team made a point to remind people that analyzing the results of a security evaluation on a scale like this was never going to be a straightforward project. To put it simply, it is very hard to make clear comparisons given the subjective metrics. Browser developers do not want to discuss their patches or disclose how vulnerable they could be, and providers of protection technology don’t want to share much data either. The only way the researchers can do it is by normalizing the available information as much as possible.
The Debate Rages On
One other thing that some people should know is that this study, titled the Browser Security Comparison: A Quantitative Approach, was commissioned by Google. On the other hand, Google has stated that all they wanted to do was advance industry understanding and implementation of best online practices.
Utilizing a layered perspective, Accuvant technicians were able to compare these top browsers while accounting for various anti-exploitation techniques and account security architecture.
Their research team discovered that one of the best techniques used by these internet browsers was sandboxing. Say what?? Sandboxing is a security technique which involves isolating multiple objects, processes, and threads from one another, and it has proven pivotal in preventing unwanted access to multiple resources on a user’s system. In a sense, it is also a great way that browsers are able to run damage control in more severe situations.
Breaking Down the Browsers’ Security Metrics
According to Accuvant, both Internet Explorer and Chrome had implemented the specific security protocols that could be designated as a sandbox. Not surprisingly, Chrome’s sandbox proved to be superior in the comparison. The results showed that Explorer’s restrictions still allowed access to most objects in the user’s operating system, and only restricted a certain number of system modifications. How about Firefox? The research team found that Firefox would permit most of the system change capabilities that have been linked with non-administrative users.
One other important security tactic for preventing attacks that the Accuvant team identified was JIT hardening. An analysis of these browsers showed that Internet Explorer made full use of these JIT hardening techniques, and Firefox wasn’t using any at all. Further examination of the browsers’ add-on options showed that these security tactics were pretty much non-existent for all three internet browsers.
Differing Results from NSS Labs
Interestingly, the results of this Accuvant study tell a much different story than those that have been put out on a quarterly basis by NSS Labs. According to NSS, Internet Explorer has been consistently better at detecting potential malware attacks than any of the other heavy contenders.
However, some have been a little skeptical of these reviews from NSS Labs, as they allegedly only review the URL blacklisting services. This tactic is a simple metric and easy to test, but it has also left some members of Accuvant Labs questioning the NSS results.
So, Accuvant then attempted their own recreation of the tests conducted by NSS Labs. They compared the URL blacklisting services of Microsoft and Google against a sample set of more than 4,000 identified malicious URLs. Each found about 12 percent, but each found a different 12 percent. This left researchers scratching their heads as to how NSS Labs was able to arrive at their own conclusion.
In an effort to be more transparent about their research, the Accuvant team has made all of the data from their study available to download in a free 139-page report. They are optimistic that others will take advantage of the opportunity to expand upon this research.