Chrome Shines Bright In Controversial Security Fight

The major browsers have all made solid strides in security in the past few years, but Chrome's sandbox makes Google's browser a harder target, researchers say

RSA CONFERENCE 2012 -- San Francisco, Calif. -- The major browsers have all made solid strides in security in the past few years, but Chrome's sandbox makes Google's browser a harder target for attackers to exploit with malicious code, four researchers said here in a presentation yesterday.

The group of researchers -- all current or former employees of security consultancy Accuvant -- gave attendees an in-depth tour of their results at the conference, which were published late last year. Some controversy has surrounded the security comparison because Google -- the maker of the Chrome browser -- funded the study.

Countermeasures in Microsoft's Internet Explorer and Google's Chrome made both browsers more secure on the metrics used by Accuvant, with Google's browser edging out Microsoft's in sandboxing technology, Shawn Moyer, practice manager for Accuvant, told conference attendees.

"We focused heavily on exploitation mitigation in this paper," Moyer said. "We accepted that users will click on things and the browser will be exploited, but if you have something that you can use to contain the hack, you are going to raise the bar for attackers."

The survey has been criticized by NSS Labs, a security testing firm that came to a different conclusion in a paper last year: Microsoft's SmartScreen URL reputation system helped Internet Explorer catch 96 percent of all malicious Web sites. Google's Chrome came in a distant second place, catching about 13 percent of websites.

At the RSA Conference, the researchers repeatedly stressed that their paper and methods are open. Anyone can review and redo the testing, Moyer argued. Moreover, they also pointed out that they could not replicate NSS Labs' findings. They found all three browsers were equally poor at catching malicious pages.

Chrome distanced itself from other browsers mainly because of its sandbox technology -- a virtual playpen in which the browser runs but cannot impact other applications' data or the operating system. Internet Explorer has some sandboxing, but it is not as complete as Chrome's, the researchers said. A strong sandbox helps keep the operating system secure because a malicious program that runs inside the sandbox cannot access any system resources outside of the virtual machine.

Sandboxes are important because they help limit or prevent damage when a user inadvertently runs malicious code. "It's the difference between closing a tab versus reinstalling the operating system" because of malicious code, said Paul Mehta, an Accuvant researcher and presenter.

Patching is another area where Google excelled. The researchers analyzed the disclosure and patch timelines of vulnerabilities patched in each browser and found that Google took the shortest amount of time to patch -- 53 days. Mozilla came in second at 158 days and Microsoft took 214 days. Data on vulnerability disclosure was scarce, the researchers said, because -- especially in Microsoft's case -- a complete timeline was generally not available.

Google and Firefox have an advantage in patching because they are standalone browsers, while Microsoft has to deal with the tight integration of Internet Explorer with the Windows operating system, said Chris Valasek, senior research scientist with software security firm Coverity. Valasek originally worked on the project while employed at Accuvant.

"Internet Explorer is quite ingrained into the Windows operating system," Valasek said. "Therefore there is a lot more QA that has to be done for the browser. You don't want to fix a vulnerability and break stability with the entire operating system."

While Google Chrome does well with its strong sandbox and patching, Microsoft has done a solid job of hardening Internet Explorer against a common type of attack that can bypass two major operating-system countermeasures: data-execution protection and address space layout randomization. The attack, known as JIT spraying, uses the just-in-time compilation of a runtime language such as JavaScript to circumvent an operating system's defenses.

It's such a popular technique that every piece of software should implement countermeasures. Microsoft created the most complete set of countermeasures in Internet Explorer, with Google having a subset of preventative measures, the researchers said.

"A big push right now is to harden software against exploits so that the cost of exploitation is increased," Mehta said. "Software that does not implement JIT hardening actually decreases the cost of exploitation."

In the end, if given a critical flaw that affected all three browsers, the researchers would likely attempt to exploit it first on Firefox because it's easiest.

"If we had the same vulnerability in every browser, we would not pick Chrome to exploit," Valasek said.
