Google-Funded Study Knocks Firefox Security
Sparrowvsrevolution writes "Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top. More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards. Though the study seems to have been performed objectively, it won't help Google's fraying partnership with Mozilla."
The full research document is available here (PDF), and it goes into much greater detail than the Forbes article. Accuvant also published the tools and data they used in the study, which should help to evaluate their objectivity.
The researchers did not evaluate Opera in their study. I wonder how that would have compared...
You would only gain additional security if the exploits actually targeted the browsers. They don't - most of them target plug-ins and work in every browser. Now, both Chrome and IE sandbox them and have extra security layers for plug-ins just so that even if a plug-in is vulnerable, you can't actually gain access to the system. Since Firefox doesn't offer any of these options, you gain access directly after compromising the plug-in.
It won't hurt Google's fraying partnership with Mozilla. Their "partnership" is Google writes a check and Mozilla cashes it. I'm pretty sure Google can say or do whatever they want. It's not like Mozilla will stop cashing any checks that Google writes.
NoScript isn't a part of Firefox
every install I build has NS and adblock installed, at the very min.
the value of FF is its plugins. why is that not obvious?
it would be like reviewing an SLR and not using its raw mode. it's a slanted test, it's not fair, really. or a fast car that is not taken out to a racetrack for a proper test run.
FF by itself is not what people MEAN by firefox. not really. its value is its plugins and to test it 'bare' is ignorant and has a bit of market-speak to it that I find distasteful.
--
"It is now safe to switch off your computer."
You don't even need to read them, if you happen to ever have had adobe's reader installed, the shell extension remains lingering around, which means merely hovering over the file icon will open you to exploits.
Anyone who still says that IE is an insecure browser just doesn't know what he is talking about.
Care to point to any actual data on breakins, rather than theoretical security models to demonstrate this point?
You might want to look at the Pwn2Own contest results from this year:
http://en.wikipedia.org/wiki/Pwn2Own
Teaser:
The second and last browser to fall for the day was a 32-bit Internet Explorer 8 installed on 64-bit Windows 7 Service Pack 1.[23] Security researcher Stephen Fewer of Harmony Security was successful in exploiting IE. Just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk.
Day 3
No teams showed up for day three. Chrome and Firefox were not hacked.
Only IE8 was in the competition since IE9 wasn't even released until shortly afterward. We'll see how the new batch of browsers does next year.
So I have to ask: Why does "anyone who thinks IE is an insecure browser doesn't know what he is talking about"?
AccountKiller
Both IE and Chrome offer sandboxing, JIT hardening and ways to make vulnerable plug-ins less easy to exploit and gain access to the system. Firefox offers none of these.
On the other hand only Firefox is checked with static analysis tools before being released, meaning that there are very, very few actual flaws in the browser (IE might be, Chrome certainly isn't). For instance when Chrome added a very basic memory checker to their test servers they caught dozens of bugs -- and that's just from the most basic of runtime checks. When people have run their commercial static analyzers on Chrome they've found several hundreds of potential flaws.
What does this mean in practice? The inner sandboxed code in Chrome is wide open to attack. They aren't even using serious methods to try to protect that code and are instead relying completely on the sandbox. This is the reason why you'll get random crashes in Chrome, and why they purposely try to keep you from using too many tabs (if a process is rendering more than one tab then when it crashes more of your tabs have to reload). On the flip side, this is the reason why in a years of running Firefox nightly it has never crashed once. Yes, there are errors in Firefox, but they are complex ones not the simple mistakes that crash Chrome left and right.
Personally I've never had a malware in dozens of years, so browser stability matters a whole lot more to me than security. A sandbox would be nice, but one that is relied on and causes random page crashes is worse than not having one but having far fewer crashes.
Okay, I have noted those things. Now can you explain to me why I should care?
The vast majority of his post was statements of fact that can be proven true or false. If you have something to say about the information he provides, by all means, enlighten us.
If your complaint is that he might be paid to post it, I honestly can not be bothered to give a shit. This is not a review site where he is posting fake opinions to make a product seem better or more well-liked than it is. His motives mean nothing; whether or not the information he gives is accurate does, and that is independent of whether or not he is a shill. (Getting facts out about a product is also called "marketing," if one is not instantly out to make it be a nasty thing.)