Chrome Shines Bright In Controversial Security Fight
Major browsers have all made solid strides in security in the past few years, but Chrome's sandbox makes Google's browser a harder target, researchers say at RSA.
RSA CONFERENCE 2012--San Francisco--The major browsers have all made solid strides in security in the past few years, but Chrome's sandbox makes Google's browser a harder target for attackers to exploit with malicious code, four researchers said Thursday in a presentation at the RSA Security Conference in San Francisco.
The group of researchers--all current or former employees of security consultancy Accuvant--gave conference attendees an in-depth tour of their results, which were published late last year. Some controversy has surrounded the security comparison because Google--the maker of the Chrome browser--funded the study.
Microsoft Internet Explorer's and Google Chrome's countermeasures made both browsers more secure on the metrics used by Accuvant, with Google's browser edging out Microsoft's in sandboxing technology, Shawn Moyer, practice manager for Accuvant, said.
"We focused heavily on exploitation mitigation in this paper," Moyer said. "We accepted that users will click on things and the browser will be exploited, but if you have something that you can use to contain the hack, you are going to raise the bar for attackers."
The survey has been criticized by NSS Labs, a security testing firm that came to a different conclusion in a paper last year: Microsoft's SmartScreen URL reputation system helped Internet Explorer catch 96% of all malicious websites. Google's Chrome came in a distant second place, catching about 13% of websites.
At the RSA Conference, the researchers repeatedly stressed that their paper and methods are open: anyone can review and redo the testing, Moyer argued. They also pointed out that they could not replicate NSS Labs' findings; they found all three browsers were equally poor at catching malicious pages.
Chrome distanced itself from other browsers mainly because of its sandbox technology--a virtual playpen in which the browser runs but cannot affect other applications' data or the operating system. Internet Explorer has some sandboxing, but not as complete as Chrome's, the researchers said. A strong sandbox helps keep the operating system secure because a malicious program running inside the sandbox cannot access system resources outside of it.