NSS Labs report on the Browser Security Comparison report by Accuvant / Google



On 09/12/2011 security reseller Accuvant published a report looking at Internet Explorer, Firefox, and Chrome, in which Google Chrome comes out on top and Mozilla Firefox at the bottom. Accuvant are fairly respected, but the report was funded by Google.

Just because Google paid for the report does not make it corrupt, but it did leave me with a dirty feeling.

The Accuvant report can be found here; I ask you to give it a good read before you read the NSS Labs report.

The Accuvant report states that “Readers should understand that, while Google funded the research for this paper, Accuvant LABS was given a clear directive to provide readers with an objective understanding of relative browser security. The views expressed throughout this document are those of Accuvant LABS, based on our independent data collection.”

The Accuvant report's conclusion was that “The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack.”

I respect Accuvant, but if Microsoft had paid for a report, Google would be screaming about its findings. If the findings had been that Internet Explorer 9 was the most secure and Chrome the least, would Google gracefully have allowed the findings to come to light?

Following the publication of that report, NSS Labs were approached by several enterprise clients, who asked for a review of the Google/Accuvant publication and its supporting tools and data in order to give an independent opinion.

NSS analysts have also examined data from on-going NSS Labs browser research to give additional guidance.

The NSS Labs report can be found here; give it a good read, it's shorter than the Accuvant report.

The final analysis from NSS Labs was as follows.

“How vulnerable a modern web browser is to attack is certainly a high profile question. It is a well-documented phenomenon that new software contains more bugs (which may expose vulnerabilities) than software that has been around for a while. It is part of the software development lifecycle. Examining historical data on the number of vulnerabilities discovered during a period of time provides insight into the maturity of the software in question and is a good indicator of how many future vulnerabilities will be discovered.”

“The most frequently exploited vulnerabilities leading to system infection with malware are found in third party software such as Java software, and the most popular exploit toolkits being used by criminal organizations (such as Black Hole) primarily target third party software (such as Java). This focus on third party applications is likely due to frequent and semi-automatic updates by browser vendors, which shrinks the opportunity-time an attacker has to compromise a target, as well as the cross browser-platform nature of third party applications. In essence, if you think from an attacker’s standpoint, why design an exploit for Chrome 15 and a separate one for Firefox 8 and a separate one for Internet Explorer 9, when they will have a very short shelf life, when a single Java exploit will do the trick just fine? In addition, exploits that use interpreted languages such as Java are very difficult to defend against. Unless they have a pattern match for a known exploit, network and host intrusion prevention systems as well as anti-virus/endpoint protection products are unable to discern legitimate Java from malicious Java. So as an attacker, there is an added “stealth” benefit to exploiting third party software such as Java.”

“Google withholding important malware protection from its SafeBrowsing feed so that its own product has an advantage over Firefox and Safari is an important precedent and contains echoes of accusations made against the company that it improperly provided preferential search results for its own products over third parties. While Google is entitled to improve its product, the way in which the company approached the break with Firefox should be noted.”

So let’s get this right: Google, a company whose motto is “Don’t do evil”, has dumbed down the SafeBrowsing feed that it gives to Firefox and Safari. From a marketing point of view that’s an intelligent thing to do; it makes your browser look better. But from a white hat perspective that’s pretty EVIL with a capital EVIL: you put yourself out there as pushing an open form of shared security, and then you make all the users on Firefox and Safari less safe.

Hmm, I think you guys need to go read that motto again, because that stinks!

My browser of choice was and still is IE9.

What do you think?


About Joseph Leon Hall
I am a Systems Administrator, Network Engineer, Senior Technical Support Analyst and Microsoft evangelist. I spend my work time looking after networks, servers, desktops, laptops, and people. You ask why people? That’s because in any network people matter. “I am a PC! I am NOT a Mac, nor am I a Chrome.”
