Slashdot Mirror


Google-Funded Study Knocks Firefox Security

Sparrowvsrevolution writes "Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top. More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards. Though the study seems to have been performed objectively, it won't help Google's fraying partnership with Mozilla." The full research document is available here (PDF), and it goes into much greater detail than the Forbes article. Accuvant also published the tools and data they used in the study, which should help to evaluate their objectivity.

10 of 225 comments

  1. Chrome and IE are the most secure browsers by InsightIn140Bytes · · Score: 4, Informative

    More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards.

    How is this surprising? Apart from some ignorant cases on Slashdot who believe Microsoft is the devil and should die, it's not a new fact that IE has been a really secure browser for a long time. Both IE and Chrome offer sandboxing, JIT hardening and ways to make vulnerable plug-ins less easy to exploit and gain access to the system. Firefox offers none of these.

    Currently, it's not even often that you find a vulnerability directly in the browser. Most of the attacks target either plug-ins like Flash or PDF reader, and if someone does find an exploit in the browser, the extra security layer makes it much harder to exploit. Yes, you can use something like NoScript in Firefox (and other browsers), but the majority of people don't. In fact even I don't because frankly, it's a pain in the ass to use. This is the reason why extra security layers provide so much better overall security.

    Anyone who still says that IE is an insecure browser just doesn't know what he is talking about. On top of that, this study doesn't really bring anything new to the table (but it is really well done with comprehensive disassemblies and exploit testing), it just confirms what has been known for a long time now - both Chrome and IE are really secure browsers, followed by Opera. The one that is lagging behind is Firefox. I don't know what happened to them, but they seem to copy the aspects of Chrome that no one actually cares about (UI and version number scheme) while completely forgetting what Chrome and IE do underneath and what actually counts - sandboxing, JIT hardening, auto-updating browser and plug-ins and separating different tabs to different processes.

    1. Re:Chrome and IE are the most secure browsers by bunratty · · Score: 3, Informative

      I think the folks at SecurityFocus disagree. Although IE 9 is more secure than previous releases, IE still has plenty of vulnerabilities.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Chrome and IE are the most secure browsers by InsightIn140Bytes · · Score: 5, Informative

      If you browse the same site for Chrome, you'd notice that the list is about the same length for the latest version. And the total vulnerability count is huge for Firefox compared to Chrome and IE.

    3. Re:Chrome and IE are the most secure browsers by InsightIn140Bytes · · Score: 4, Informative

      The links you showed list new vulnerabilities for:

      Chrome 15.0.874.121 (really minor version number)
      Firefox 8.0 (FF 11.0 is in the works already!)
      IE 9.0 (now we suddenly have a major version number)

      Both Chrome and Firefox use insane version number schemes which really don't make that comparison valid. Because of that you have to compare the vulnerabilities within some time frame, for example one year or two years. But I suspect you knew that.

    4. Re:Chrome and IE are the most secure browsers by RobbieThe1st · · Score: 3, Informative

      I've found the same thing. FF seems to be extremely stable, does what I want, and is configurable enough that I can make it look /how/ I want (unlike Chrome and, I suspect, IE), which is something like the UI of FF3.
      Also, aside from a couple of glitches I've seen in nightly versions (locking up if reloading over 30 tabs at once being a problem I saw for a year), it's been pretty fast and stable.

    5. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 3, Informative

      Not according to the National Vulnerability Database. Here is the score for the last three months:

      We can argue that it makes more sense to look at holes over the last year instead of over the last three months, but the evidence indicates that Chrome is the least secure and IE is the most secure. (Security holes by version doesn't make sense for Chrome, since it changes its version number so quickly. Ditto with Firefox).

  2. Re:Opera by InsightIn140Bytes · · Score: 4, Informative

    Opera is the most used browser in many CIS countries, having almost 50% market share in some and beating all of IE, Chrome and Firefox. Maybe you wanted to say that Opera has no market share in the US.

  3. In fact ... by Kaz+Kylheku · · Score: 3, Informative

    The PDF paper trashes NoScript. That is to say, it is mentioned in a paragraph that basically states that Firefox has add-ons, and add-ons are a security threat. Nothing is mentioned about the security benefits that add-ons can provide.

  4. Firefox still a single-process browser by Animats · · Score: 5, Informative

    Many of the security issues mentioned in the paper for Firefox come from the fact that Firefox is, for historical reasons, a single-process browser. It's the last of the single-process browsers.

    This is both a performance problem and a security problem. Even add-ons aren't yet running in separate processes. The Mozilla project to make Firefox multiprocess is behind schedule and in trouble.

    "Fennec", the Mozilla browser for mobile devices, is already multiprocess. But getting that machinery into the main line of Firefox has run into problems, and, after two years of effort, multiprocess Firefox is now on hold. "Converting an established product, like Firefox, from a single- to multi-process architecture requires the involvement and coordination of many teams. ... Electrolysis requires a large investment of resources and time and has a long timeline for completion. How long? At this point we do not have a definitive answer...."

  5. Look people by cshark · · Score: 3, Informative

    I love Slashdot, always have. But as a community, we seriously need to stop applying the term "study" to every observation, or web page with pretty charts on it. This last thing wasn't a study. Not in the formal sense. It was a feature comparison. Biased, maybe. But who cares? It's not a study. And it's not the first time this has happened here.

    --

    This signature has Super Cow Powers