Sunday, October 23, 2011

The safest web browser? Part II

I've written before about browser security. I found that if you look at browser exploits in the wild, which is really what matters, Internet Explorer and Firefox have been affected by such exploits in recent history. (Internet Explorer has been affected by far more further back in history, but let's put that behind us.) Looking at that criterion, Opera and Chrome are "more secure".
Of course it's also possible for a browser to be a vehicle of security compromise via a deliberate download of malware, rather than a "drive-by" download as the result of a security exploit. I've also written about Microsoft's claim that Internet Explorer is much better at blocking this sort of malware than other browsers, and found that it is, but possibly with a 30-75% chance that the "malware" blocked is a legitimate file or program, a false-positive rate that would cause outrage if it were a third-party anti-virus program doing it.
Now there's a new story which claims that Internet Explorer is the safest browser and Firefox is the least secure. To cut to the chase, it's Microsoft doing its own evaluation of browser security, and giving more weight to Internet Explorer's (somewhat contentious) ability to block malware than its record on security vulnerabilities.
The story has been greeted with derision by two other writers on the ZDNet site. They point out that at the same time the story appeared, Internet Explorer contained a major security vulnerability that affected even the latest version (IE9), which Microsoft was touting as much more secure, and that the "online security test" Microsoft was offering merely looked at the browser ID string and reported Microsoft's previously-determined security assessment, based on its own (some would argue biased) weighting.
Is there any truth to Microsoft's claim that Internet Explorer is "more secure" than Firefox? Another story I came across this week takes a slightly more objective look.
Paul Mehta, senior research scientist at Accuvant, told the SecTOR audience the Web browser rendering process should run at low integrity so, if it is compromised, the underlying system is still OK. In IE, the browser is assigned low integrity and the same is true for Chrome. Firefox runs everything as a medium integrity process, according to Mehta. (eSecurity Planet.)
So Internet Explorer and Chrome are "sandboxed", and Firefox isn't. Doesn't that make Firefox less secure? Well, not if there are exploits which can get through the sandbox and infect the system, which is exactly the sort of exploit reported in Internet Explorer above, and that makes the Microsoft claim regarding Firefox debatable. I have reported a story which claimed that Chrome's sandbox had been breached, but never found out if there was any truth to it. So the Microsoft claim that Internet Explorer is more secure than Chrome is also debatable: we have a proven exploit of the MS sandbox versus an unsubstantiated claim of a breach in the Chrome sandbox.
An important point to make here is that Internet Explorer is "sandboxed" and Firefox is not because Microsoft won't let non-Microsoft software use its sandbox. The playing field is not level for Mozilla, Google or Opera. Chrome has chosen to add its own sandbox, which may give it a security advantage.
So what is the safest browser? Well, if you really feel the need for a sandbox, possibly Chrome. If somebody tells you it's Internet Explorer 9, they've probably been listening to the Microsoft FUD. If they tell you Firefox is the least secure, then they've definitely been listening to Microsoft FUD, and as I pointed out before, they're very likely doing so for partisan rather than evidential reasons.