Microsoft has always been fond of paying analysts to say that its products are best, or having partners release reports showing how their rivals' products are second-rate, and, now, Web sites that "show" how Internet Explorer (IE) is better than Chrome and Firefox when it comes to security. Really? Didn't Microsoft just release yet another major Internet Explorer patch?
I quote from the IE patch update (MS11-081), which apples to all currently supported versions of Microsoft Windows and Internet Explorer and IE 6 as well: "The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Yes, that includes IE 9, the best and most up-to-date IE which is only available on Windows 7. Isn't it funny how Microsoft claims that IE 9 is the most secure of its browser family, but somehow it has to have the same problems fixed that exist in IE 6, 7, and 8? Could it be that it's really not that different after all from the rest of its historically insecure family?
If you go to Microsoft's Web browser security "test" site, Your Browser Matters though, it will tell you that IE 9, with a score of four, is the most secure browser of all. Funny, it told me that it was the most secure both before and after the patch.
How can they produce such clearly nonsensical results? It's because they're setting the rules on what's important and what's not. So, for example, Microsoft give IE full credit for its SmartScreen malware detection software. With SmartScreen, software that signed with a digital certificate that Microsoft trusts is allowed to be saved or ran. Chrome, on the other hand, blocks known malware, but lets you save unknown, potentially dangerous programs.
On the other hand, if you do download malware with Chrome, the program is still stuck in a sandbox, where it has very limited abilities to actually attack your system.
Besides that, Chrome automatically upgrades browser extensions as security fixes come out. Since programs like Adobe Flash are often used for attacks these days, and in Flash's case there have been 17 significant patches in the last 16 months, I think automatic security updates for Flash and other potential problem programs are a big deal. While Microsoft acknowledges that it doesn't provide these important features, it doesn't take away any points for lacking them from its perfect score.
Interesting judgement call there Microsoft.
Johnathan Nightingale, Mozilla's director of Firefox engineering, also has trouble with what factors Microsoft considers important and what it doesn't. "Mozilla is fiercely proud of our long track record of leadership on security. We believe that being safe on the Web means having a robust browser that defends against malware and phishing, includes new technologies to help sites and users secure themselves, and a responsive security team that gets security updates out quickly and reliably. Microsoft's site is more notable for the things it fails to include: security technologies like HSTS [HTTP Strict Transport Security], privacy tools like Do Not Track, and vendor response time when vulnerabilities are discovered," said Nightingale.
Exactly so. Firefox has long been a leader in browser security. True, Microsoft has gotten a lot better about security, but Firefox was doing it when the horribly unsafe IE 6 was still the best Microsoft could do. True, today. you can make Windows and IE relatively safe. No, really you can. All you have to do is constantly and regularly patch it.
Those of us who use other operating systems, like Linux and Mac OS X, and alternative browsers such as Chrome and Firefox, can sit back and relax more. Don't get me wrong. We must patch our software as well. As security guru Bruce Schneier points out, "Security is a process, not a product."
Security also isn't something though that you measure by a Web site that, when you get down to it, simply checks to see what your browser you're running is IE 9 or not. Deciding what's a secure Web browser a lot more complicated than that. Personally, thanks to Chrome's auto-updating and sandboxing, I feel a lot safer running Chrome on Windows than I ever will running IE.