Author: Sean Michael Kerner (eSecurity Planet)
For as long as there has been more than one browser, users have been asking which browser is more secure. Answering the question has often meant evaluating publicly disclosed vulnerabilities and determining how long it takes a browser vendor or organization to patch them.
According to a pair of security researchers from Accuvant Labs speaking at the SecTOR security conference in Toronto this week, there needs to be a more holistic and thorough view of browsers to fully understand security risks.
“The browser is the most critical application that we all use and in some cases it’s the only application we use,” Shawn Moyer, managing principal research consultant with Accuvant said. “The browser decision is one of the most important you can make on your computer.”
Moyer noted that the majority of modern exploits target the browser and Web applications that run within the browser. The Accuvant research is still a work in progress, though Moyer said the goal at this point is to provide some information about the approach to understanding the browser attack surface.
The Accuvant research is examining a number of different elements including browser process security architecture, add-ons security, exploit mitigation techniques, sandboxing, and malware detection capabilities.
For Windows 7-based deployments of IE, Firefox and Chrome, all the browsers leverage Windows integrity levels. The integrity level (low, medium, high) determines the privileges a given application process has within the system. The lower the integrity, the fewer the privileges.
Paul Mehta, senior research scientist at Accuvant, told the SecTOR audience the Web browser rendering process should run at low integrity so, if it is compromised, the underlying system is still ok. In IE, the browser is assigned low integrity and the same is true for Chrome. Firefox runs everything as a medium integrity process, according to Mehta. Chrome plugins are also pulled out and put into their own low integrity process, further limiting risk. Mehta said that if, for example, Flash was exploited in Chrome, it cannot get access to other browser sessions. In contrast, IE has only one process.
Process architecture matters since it sandboxes components and limits the overall exposure risk. In the Chrome multi-process approach, Mehta explained that sandboxing effectively prevents an exploit in one tab from affecting what might be going on in the system.
With IE, the browser allows read-access to most objects on the operating system, but you can only write to a small number of objects. With Firefox and its medium integrity process structure, Mehta said that a payload could potentially do anything that Firefox itself is able to do, in terms of accessing and writing to user directories.
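The integrity-level behaviour described above, as an added example that is not from the original article or the Accuvant research: a simplified Python model of the Windows mandatory integrity check, showing why a low-integrity process can read but not write a default medium-labelled user file while a medium-integrity process can write it. It assumes only the integrity comparison matters (the separate DACL check is not modelled); the paths and the `mic_allows` and `report` helpers are constructed for illustration.

```python
# Simplified model of the Windows Mandatory Integrity Control (MIC) check.
# Only the integrity comparison is modelled; the DACL check that Windows
# also performs is out of scope. Paths below are constructed samples.

# Mandatory policy bits stored alongside an object's integrity label.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
POLICY_BIT = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}

# Mandatory label SIDs have the form S-1-16-<RID>.
LOW, MEDIUM, HIGH = "S-1-16-4096", "S-1-16-8192", "S-1-16-12288"

# Objects without an explicit label are treated as medium with no-write-up.
DEFAULT_LABEL = (MEDIUM, NO_WRITE_UP)


def integrity_rid(sid: str) -> int:
    """Return the integrity RID from a mandatory label SID string."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not a mandatory label SID: {sid!r}")
    return int(parts[3])


def mic_allows(subject_sid: str, access: str, label=DEFAULT_LABEL) -> bool:
    """True if the integrity check lets the subject perform this access."""
    object_sid, policy = label
    if integrity_rid(subject_sid) >= integrity_rid(object_sid):
        return True  # subject is at or above the object's level
    # Subject is below the object: denied only if the policy forbids it.
    return not (policy & POLICY_BIT[access])


DOC = r"C:\Users\alice\Documents\report.docx"        # constructed path
LOW_DIR = r"C:\Users\alice\AppData\LocalLow\cache"   # constructed path
OBJECTS = {DOC: DEFAULT_LABEL, LOW_DIR: (LOW, NO_WRITE_UP)}


def report(process_sid: str) -> dict:
    """Map (path, access) to the MIC decision for one process."""
    return {(path, access): mic_allows(process_sid, access, label)
            for path, label in OBJECTS.items()
            for access in ("read", "write")}


if __name__ == "__main__":
    for name, sid in (("low-integrity renderer", LOW),
                      ("medium-integrity browser", MEDIUM)):
        for (path, access), ok in report(sid).items():
            print(f"{name:26} {access:5} {path}: {'allow' if ok else 'deny'}")
```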
According to Moyer, Chrome does a good job of covering its bases for JIT hardening. IE also provides protection through a number of comprehensive techniques. He noted that Firefox hasn’t done any JIT hardening as of the 4.x release.
Another area of examination is URL blacklisting, which is intended to help protect users from visiting malicious URLs. IE leverages the Microsoft phishing service, while both Chrome and Firefox use Google’s safe browsing list.
Accuvant tested both services against publicly available malware URLs and, over the course of seven days, pulled down 3,000 live URLs per day. Of those, on average, both the Microsoft and Google engines only found 404 and 405 matches.
“Neither one of the services catch all malware on the Internet,” Moyer said. “They both only identified a fraction of the sample set.”
Overall, Moyer noted that every browser has made security improvements in recent years, in large part due to the competition that exists in the marketplace. At this point, Moyer declined to specifically identify any one browser as being the most secure. The Accuvant Labs team is still building out its data and the plan is to provide more details at a future point.
“There is a ton of data and detail that is coming from us that will be public, but it takes time,” Moyer said. “In general, our conclusion is that the best browser is the one that is the most hostile to a payload being successful.”