A new study has tossed the big browsers into the security mosh pit and decreed that Google's Chrome comes in first, Microsoft's Internet Explorer pulls in at a close second, and Mozilla Firefox is bleeding a bit like a stuck pig.
The study, released Friday by Accuvant Labs, found that Firefox has four "unimplemented or ineffective" security services: sandboxing, plug-in security, IT hardening and URL blacklisting (the last of which all three browsers flunked).
The browser comparison found that IE has, in fact, sandboxing and plug-in security, but it's just plain old "implemented," in Accuvant's eyes, as opposed to being an "industry standard," which is the star billing Chrome gets for all services (except the aforementioned URL blacklisting).
Here's Accuvant's conclusion:
The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack.
Accuvant measured anti-exploitation techniques as opposed to the historical practice of tabulating vulnerabilities or assessing how speedily they get patched. After all, as Accuvant puts it, it's hard to know, exactly, how long a browser hole lets the wind in, given that vendors don't necessarily go around blabbing about fix timelines:
While Accuvant LABS did not approach Microsoft for internal statistics on privately identified vulnerabilities and vulnerabilities with undisclosed remediation timelines, it is likely that these statistics exist, and could open the door for an unambiguous debate about each project’s true response time.
Caveat emptor: Accuvant says the study was independently and objectively assessed, but it was, in fact, funded by Google.
Every browser maker is apt to measure their baby and declare that it's the prettiest thing since Shirley Temple.
Case in point: in Microsoft's own estimation, IE 9 has the best protection against phishing attacks and the most protection against socially engineered malware of the three most popular browsers.
Besides, as Sophos's Carole Theriault points out, the real issue isn't which browser you use; it's more about whether your browser is up to date and how you've configured its security options.
As Carole says in her Update Your Parents' Browser Day post, people tend to stick like glue to the browsers they know and love.
Confound it to tarnation, they ain't gonna change to some fancy-pants new browser. Their old version of fill-in-the-blank works just fine, and they do not like change, no siree.
And dagnabbit, I can't make fun of them because I am one of them: My ears got hot when I saw the dissing dished out to my beloved Firefox.
I switched to Chrome recently not because of security fears but because Mozilla's update servers are getting hung up, its image consistently was corrupted when I tried to reinstall, and I just didn't have time to troubleshoot the whole mess.
To go back to Carole's point, security can be improved vastly simply by keeping a given browser up to date, without rocking the boat on an individual's personal preference for browser maker.
Prejudice toward an outdated version of a given browser, however, is inexcusable. Outdated browsers are still out there, roaming the world at a baffling rate.
IE 6, for example, held 4.63 per cent of worldwide browser usage as of February 2011. IE is, of course, the whipping boy in this scenario, but with just cause. If you look at Security Focus and Secunia's comparison of unpatched vulnerabilities, IE versions 6 through 8 spread unpatched vulnerabilities across the table like a nasty rash.
The upshot: Don't flee from Firefox or IE because of a report like this one.
But do flee from old browsers. Stick a fork in them: they're done.
Lisa Vaas is a technology writer for Sophos, see her profile and other articles here.