By David Murphy - PC Magazine
Raise your hand if you're running the most secure browser right now. Google Chrome users: Your arms are going to get tired. Internet Explorer users: You're close, but you can safely put your arms down. But Mozilla Firefox users, no need to wave your arms like a student trying to get a teacher's attention – according to a new browser security study from Accuvant, you don't have much to brag about at all.
Accuvant's study, released Friday, ranks the "big three" browsers in that order in terms of their overall security features: Chrome's first, IE's second, and Firefox is dragging along in third, with Accuvant rating four of the seven security features tested in Firefox either "unimplemented" or "ineffective." Note that the study, while independently and objectively assessed according to Accuvant, was funded by Google.
As for the raw details, Accuvant's study didn't just focus on the sheer number of published vulnerabilities that a browser has at the time of testing. Rather, Accuvant presumed that a browser vulnerability is going to be exploited in some fashion by a third party. The security testing, therefore, focused on the strength of a browser's anti-exploitation measures after the fact: "the software with the best anti-exploitation technologies is likely to be the most resistant to attack and is the most crucial consideration in browser security," Accuvant wrote.
While Google's Chrome browser won the day in Accuvant's research, the browser didn't sail through with a perfect score. Accuvant noted that Chrome, along with the other two browsers in the test, failed to offer URL blacklisting strong enough to pass Accuvant's examinations – a daily comparison of roughly 6,000 malware-related URLs against either Microsoft's URL Reporting Service or Google's Safe Browsing List.
"Gathering intelligence about malware URLs is generally performed by running honeypots and spamtraps, and harvesting URLs from malware captured in the wild. Since no authoritative source exists, it is likely that each organization gathering data is getting one part of the overall picture," Accuvant wrote. "Based on Accuvant's analysis, no party is performing this data collection comprehensively."
That said, Chrome's apparent excellence in sandboxing, plug-in security, JIT hardening, and Address Space Layout Randomization, among other features, was enough to win it top honors. But Mozilla isn't letting Accuvant have the last word regarding the security of its browser.
"We invest in security throughout the development process with internal and external code reviews, constant testing and analysis of running code, and rapid response to security issues when they emerge. We're proud of our reputation on security, and it remains a central priority for Firefox," responded Jonathan Nightingale, director of Firefox engineering, in a statement to Forbes' Andy Greenberg.