NSS Labs report on the Browser Security Comparison report by Accuvant / Google



On 09/12/2011 security reseller Accuvant published a report looking at Internet Explorer, Firefox, and Chrome, in which Google Chrome comes out on top and Mozilla Firefox at the bottom. Accuvant are fairly respected, but the report was funded by Google.

Just because Google paid for the report does not make it corrupt, but it did leave me with a dirty feeling.

The Accuvant report can be found here; I ask you to give it a good read before you read the NSS Labs report.

The Accuvant report states that “Readers should understand that, while Google funded the research for this paper, Accuvant LABS was given a clear directive to provide readers with an objective understanding of relative browser security. The views expressed throughout this document are those of Accuvant LABS, based on our independent data collection.”

The Accuvant report's conclusion was that “The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack.”

I respect Accuvant, but if Microsoft had paid for a report, Google would be screaming about its findings. If the findings had been that Internet Explorer 9 was the most secure and Chrome the least, would Google have gracefully allowed the findings to come to light?

Because that report was published, NSS Labs were approached by several enterprise clients, who asked for a review of the Google/Accuvant publication and its supporting tools and data, to give an independent opinion.

NSS analysts have also examined data from on-going NSS Labs browser research to give additional guidance.

The NSS Labs report can be found here; give it a good read, it's shorter than the Accuvant report.

The final analysis from NSS Labs was as follows.

“How vulnerable a modern web browser is to attack is certainly a high profile question. It is a well-documented phenomenon that new software contains more bugs (which may expose vulnerabilities) than software that has been around for a while. It is part of the software development lifecycle. Examining historical data on the number of vulnerabilities discovered during a period of time provides insight into the maturity of the software in question and is a good indicator of how many future vulnerabilities will be discovered.”

“The most frequently exploited vulnerabilities leading to system infection with malware are found in third party software such as Java software, and the most popular exploit toolkits being used by criminal organizations (such as Black Hole) primarily target third party software (such as Java). This focus on third party applications is likely due to frequent and semi-automatic updates by browser vendors, which shrinks the opportunity-time an attacker has to compromise a target, as well as the cross browser-platform nature of third party applications. In essence, if you think from an attacker’s standpoint, why design an exploit for Chrome 15 and a separate one for Firefox 8 and a separate one for Internet Explorer 9 when they will have a very short shelf life, when a single Java exploit will do the trick just fine? In addition, exploits that use interpreted languages such as Java are very difficult to defend against. Unless they have a pattern match for a known exploit, network and host intrusion prevention systems as well as anti-virus/endpoint protection products are unable to discern legitimate Java from malicious Java. So as an attacker, there is an added “stealth” benefit to exploiting third party software such as Java.”

“Google withholding important malware protection from its SafeBrowsing feed so that its own product has an advantage over Firefox and Safari is an important precedent and contains echoes of accusations made against the company that it improperly provided preferential search results for its own products over third parties. While Google is entitled to improve its product, the way in which the company approached the break with Firefox should be noted.”

So let’s get this right: Google, a company whose motto is “Don’t do evil”, has dumbed down the SafeBrowsing feed that it gives to Firefox and Safari. From a marketing point of view that’s an intelligent thing to do; it makes your browser look better. But from a white hat perspective that’s pretty EVIL with a capital EVIL: you are putting yourself out there as pushing an open form of shared security, and then you are making all the users on Firefox and Safari less safe.

Hmm, I think you guys need to go read that motto again, because that stinks!

My browser of choice was and still is IE9.

What do you think?

Samsung And Google Postpone Huge Android Announcement Out Of Respect For Steve Jobs


Steve Kovach wrote an interesting article in Business Insider; you can see his piece here.

STOP THE PRESS: A Google spokesperson said “We believe this is not the right time to announce a new product as the world expresses tribute to Steve Jobs’s passing.”

Are you MAD? This is not respect; this is political and social correctness of the lowest order.

Steve Jobs’s death is tragic for his family and friends. But do Samsung and Google really think his family and friends will give one hoot for any news about some HUGE Android announcement? If Steve Jobs could, he would be falling over with laughter.

Get a grip, guys: if you have an announcement, then make it!

If you are holding back due to some strange notion that it will make converts out of all the iPhone lovers holding vigils, then you are so wrong!

About the only way you will do that would be if the announcement said your next Android would look like Number Six (played by Tricia Helfer) from Battlestar Galactica.

On the other hand, if your development flopped and you can’t make the announcement, then be honest about it. Don’t try to hide behind a man’s death.

Why Microsoft is not dumping Bing or Why Should It!!



I read a good blog by Mary-Jo Foley stating that Bing is here to stay. Catch her blog here: Why Microsoft isn’t dumping Bing anytime soon.

And why not? It’s fast, slick, gives good search responses, and it’s a great tool for Microsoft to leverage Windows Phone on; plus Bing has other marketplace uses for Microsoft.

If the truth be told, I do use Google search. Let’s be honest: for ages Google has pretty much been the first port of call for most internet searches. How many times have you heard someone say, “Ohhh, just Google it”, or even said it yourself?

Google has pretty much come to mean search, in the same way that biro and hoover have come to mean a type of thing, rather than just a brand of a type of thing. That in itself is an impressive achievement, and the Google engine is a good search engine.

But for over a year now I have been “Binging It”, and Bing has been my first choice of search tool; if that fails then I move on to Google, and sometimes I will use both for specific reasons. But Bing is my first choice.

Most of the time Bing comes up trumps, and there have been plenty of times that Google could not find something, or the relevant result was much further down the page than on Bing’s search result.

The world needs a strong engine like Bing to give balance to Google, and Microsoft has a set of pretty cool plans for integrated search that could not happen without something as deep and powerful as Bing.

And perhaps more importantly, I just love those Bing home page images.