Chrome is the most secure browser, claims new study

Microsoft’s Internet Explorer does a better job protecting systems from attackers who already have gained some degree of access than Mozilla’s Firefox, and Google’s Chrome trumps both of them, says security firm Accuvant.

They came up with those results by analyzing the security features of the three most popular web browsers, but have decided not to employ the usual metrics: numbers of patched vulnerabilities, the severity of the flaws and the time it took for the developers to fix them.

Instead, they chose to assume that hackers have already exploited a bug and have managed to gain some access to the machines, and see what exploit mitigation techniques the browsers use to lessen the potential damage to the system.

And while all three browsers employ address space layout randomization (ASLR), data execution prevention (DEP) and stack cookies (GS), Firefox does not implement sandboxing (the separation of running programs), plug-in security and Just-In-Time hardening (preventing javascript located on websites from compiling code that can be run on the target system).

On the other hand, it turns out that URL blacklisting techniques used to warn users about malicious sites work only in a small percentage of cases and are, effectively, not enough.

“As with antivirus, the question is not whether the pattern-based detection will fail, but when and how,” point out the researchers. “As such, blacklisting services should be considered a part of the overall browser defense model, rather than the only perimeter an attacker must traverse.”

These conclusions were the result of a study performed by the security company on behalf of Google, so they should perhaps be taken with a grain salt. Nevertheless, Accuvant is a respected firm that is unlikely to sully its reputation by letting the results be affected by the fact that Google asked for the analysis.

The researchers made great points regarding their choice of metrics and the need to look at the complete picture when evaluating the efficacy of any software. “Drawing conclusions based solely on one category of protection, such as blacklisted URL statistics, doesn’t give a valid perspective on which browser is most secure,” they pointed out. “Instead, they should be considered in the context of other mechanisms such as anti-exploitation technologies and malicious plug-in protection, which play a more important role in protecting end users from exploits and persistent malware.”

“There will always be browser vulnerabilities, but browser appraisal must be derived from metrics that can be accurately correlated,” they concluded.

To download the 102-page-long report issued by Accuvant, go here.