Slashdot Mirror


Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs (bleepingcomputer.com)

An anonymous reader writes from a report via Bleeping Computer: The Project Zero team at Google has created a new tool for testing browser DOM engines and has unleashed it on today's top five browsers, finding most bugs in Apple's Safari. Results showed that Safari had by far the worst DOM engine, with 17 new bugs discovered after Fratric's test. Second was Edge with 6, then IE and Firefox with 4, and last was Chrome with only 2 new issues. The tests were carried out with a new fuzzing tool created by Google engineers named Domato, also open-sourced on GitHub. This is the third fuzzing tool Google creates and releases into open-source after OSS-Fuzz and syzkaller. Researchers focused on testing DOM engines for vulnerabilities because they expect them to be the next target for browser exploitation after Flash reaches end-of-life in 2020.

15 of 105 comments

  1. What an impartial study! by Anonymous Coward · · Score: 3, Funny

    Google finds their own browser is best. News at 11.

    1. Re:What an impartial study! by Anonymous Coward · · Score: 3, Funny

      Apple's reply was that while Safari was not the first, it was the best-looking one.

    2. Re:What an impartial study! by K. S. Kyosuke · · Score: 3, Insightful

      Maybe the same or similar group of people who wrote the tool also wrote the part of the browser that the tool tests, using similar approaches?

      --
      Ezekiel 23:20
    3. Re:What an impartial study! by mangastudent · · Score: 4, Informative

      Fuzzers are pretty impartial, and I don't find it hard to believe that the Chromium/Chrome team is the best at security.

    4. Re:What an impartial study! by swillden · · Score: 5, Interesting

      Fuzzers are pretty impartial, and I don't find it hard to believe that the Chromium/Chrome team is the best at security.

      Also, I know a couple of people on the Project Zero team, and they treat Google absolutely different from anyone else. They attack everything, regardless of origin, with equal gusto and skill and have a strict, no-exceptions-ever 90-day public disclosure policy. I work on Android and Project Zero has even 0day'd us a couple of times, publishing existing vulns in Android that we haven't gotten fixed within the 90 day window.

      It's interesting working with PZ team members directly because even though they're Google employees, they are not subject to the standard employee NDA. More than one time I've had one of them stop me mid-sentence to remind me that they are not allowed to hear non-public information... and that if I tell them anyway they are not obligated to keep it secret.

      Project Zero is employed by Google, but that means nothing to them. And, strangely enough, Google is totally fine with that.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:What an impartial study! by swillden · · Score: 2

      they treat Google absolutely no different

      Gah. I reorganized that sentence and in the process lost the most important word.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Not surprising by Billly Gates · · Score: 3, Informative

    Safari is Apple's IE 6 of this decade. It hasn't been updated in a long time and they can no longer piggy back both Google and Konqueror for new code since Chrome forked -webkit with -blink.

    I worked for a famous software supporting their cloud software. Safari was the one browser which always had trouble with even drag and dropping files. Something rudimentary in the HTML 5 standard. Even IE 9 from 2011 can easily support this.

    Sometimes Safari would work. Sometimes it would not and the Apple users always get mad at us for some reason never blaming their shitty browser.

    1. Re: Not surprising by Old97 · · Score: 4, Informative

      Funny because I also use Safari and I run Adblock - right now in fact. There are tons of extensions and privacy features. The ad industry is up in arms about the latest Safari feature - not allowing the ad networks to track you across different web sites. I suspect you don't use Safari at all because you don't know anything about it. Do you work for Google or Microsoft?

      --
      Very often, people confuse simple with simplistic. The nuance is lost on most. - Clement Mok
    2. Re:Not surprising by Anonymous Coward · · Score: 3, Insightful

      Safari in High Sierra scores 457. Safari loses 11 points as it doesn't support Ogg, WebM. 11 points lost because they don't support something that isn't useful (unless you have a 4k screen and want to watch new 4k youtube vids). WebP and JPEG-XR add in another 2 useless points missing.

      This is the problem with html5test. It includes so many features which are of no interest to the majority of people. WebVR? How the fuck is this relevant to how good a browser is?

      html5test is set up to make Chrome look better.

      For the record Edge scores 496. Firefox 484. So Microsoft scores higher than Mozilla! IE scores 312

  3. Re:I take it we're all supposed to know... by fibonacci8 · · Score: 5, Funny

    It's a system where a SUB is required to create a "safe word" 6 to 14 characters long containing at least one capital letter, at least one numeric digit, and at least one punctuation mark.

    --
    Inheritance is the sincerest form of nepotism.
  4. Re:Simple Fix by amiga3D · · Score: 3, Interesting

    It's gotten to the point I do banking on a distro I run off a thumb drive on my laptop. It's designed for security from the ground up and that is the only thing I use it for. As to surfing the web and everything else I don't worry too much and just use the standard Ubuntu on the hard drive.

  5. Re:Simple Fix by Anonymous Coward · · Score: 2, Informative

    It's not that simple. Try using Google without JS.

    Actually, google search works ok without javascript. Google mail still has a basic lite mode too. The rest of google won't work without javascript.

    There are tons of other sites with the same problem.

    Yes, and they are badly written. Compare to amazon - it works with any browser, with or without javascript, because amazon knows you won't buy if their website won't work in the customer's browser.

  6. Re:I take it we're all supposed to know... by hord · · Score: 4, Informative

    DOM = Document Object Model

    The DOM engine is what is responsible for parsing HTML/CSS, converting it into a tree, and then rendering the tree to the client area in the browser. It's essentially the core of the browser and presents a programmatic API along with JavaScript. It may also be used to render UI elements. For example, all of Chrome's plugins use HTML/CSS to create the menus you see in the options and menu screens.

  7. Re:no surprise about safari by dgatwood · · Score: 4, Informative

    Is there a corporation that forces people to run Safari?

    Apple. On iOS, all browsers (even Chrome) are actually running Safari's rendering engine, with the exception of browsers that run all the JavaScript server-side. The reason for this is that Apple won't let apps run non-Apple JavaScript engines out of concerns about security. (The irony here is not lost on me.)

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. Man oh man by 93 Escort Wagon · · Score: 2

    I can't believe so many of you are such zealots when it comes to your web browser of choice.

    --
    #DeleteChrome