
Between the Lines

Larry Dignan, Andrew Nusca and Rachel King

The browser battle: Where does security fit in the evaluation process?

By | March 20, 2009, 4:53am PDT

With the launch of Internet Explorer 8 as the latest volley in the browser wars—IE vs. Firefox vs. Google Chrome vs. Apple’s Safari—there’s a lot of talk about speed, browsing improvements and rendering engines. Where does security fit into the equation?

Frankly, when I’m evaluating browsers—I use IE, Firefox and Chrome daily—security rarely enters the picture. Apple’s Safari is the odd browser out for no reason in particular, but as hacker Charlie Miller notes, Safari is the easiest to pop.

As you ponder the browsing security topic you must peruse Ryan Naraine’s interview with security researcher Miller. He’s the one who broke into a fully patched MacBook via a Safari vulnerability. Safari, Firefox and IE were all exploited this week in the Pwn2Own contest.

When it comes to browsers, everyone has an opinion, but security is rarely a part of the conversation. Ed Bott talks usability for IE 8. Chris Duckett wants Canvas support for the latest IE. Others are Firefox loyalists. A growing percentage uses Chrome, and naturally the Mac crowd has its Safari. Where does security fit into the equation? Will there be a day when consumers put browsing security front and center?

The lessons learned from Miller:

Safari on the Mac is an easy mark. Miller tells Naraine:

Safari on the Mac is easier to exploit.  The things that Windows do to make it harder (for an exploit to work), Macs don’t do.  Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

Vulnerabilities have a market value. That means you need to ponder what browser bug could deliver the biggest bang for a malicious hacker. Miller notes that an IE bug is worth more than a Safari one. 

Firefox on Windows is hard to exploit, as is IE 8, according to Miller.

Google Chrome is tough to exploit because it takes a sandbox model—that’s how Chrome can keep running even though a site crashes. In other words, a site crash means Chrome just loses a tab, not the whole browser. However, Miller notes that if there’s enough money on the table, Chrome could be exploited.

Will these security factors matter more than add-on support, neat usability features and raw speed? Not just yet, but ultimately security will matter more—at least to the enterprise. In the not-too-distant future, the Web browser will increasingly be running applications. That’s what Google’s Chrome launch was all about: The search giant wanted a stable platform for its Web apps.

And if you’re going to be running applications and sharing important data via a browser, security is going to matter—a lot.


Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic.

Disclosure

Larry Dignan

Larry Dignan has nothing to disclose. He doesn’t hold investments in the technology companies he covers.

Biography

Larry Dignan

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CNET News.com. Larry has covered the technology and financial services industry since 1995, publishing articles in WallStreetWeek.com, Inter@ctive Week, The New York Times, and Financial Planning magazine. He's a graduate of the Columbia School of Journalism and the University of Delaware.

15 Comments

Where?
Qbt Updated - 20th Mar 2009
Where are all the Mac'n'Roids now apologizing and telling us this is all unpossible?

I mean, didn't Apple tell us all that Safari is Teh Most Securetest Browser in Teh World? I mean, some of us actually believed them...

Where?
0 Votes
Opera?
MariusSilverwolf 20th Mar 2009
I know Opera only has about 1% share of the browser market (compared to Chrome at just under 2%), but where does it stand? It's cross-platform, and with the scalability of it to mobile devices, a vulnerability could hit a whole lot of people on the road.
0 Votes
Opera seconded
james.faction 22nd Mar 2009
If Secunia is anything to go by, Opera is the most secure browser of them all.

But it would be good to see a second opinion.
Striking, Miller is saying without a doubt that Windows is more secure than OS X.

"The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows."

Simply put, Apple's claims of better security are at best dubious, at worst just lies.
0 Votes
Yea but...
Qbt Updated - 20th Mar 2009
But who are you going to believe?

1) Apple and its Followers, because Apple told them it was Teh Most Securetest in Teh World ("...built from the ground up with security in mind").

2) A security researcher whose job it is to analyze OSes and applications for vulnerabilities?

Surely you can't believe the latter...!!??
0 Votes
Easier to hack
dancac 21st Mar 2009
I think the statement was that Safari on OSX was easier to hack - so it is not OSX that is the issue. Rather, it is the *browser* (Safari) on OSX. At least that is the way I read what Miller had to say.
0 Votes
Wow
Qbt Updated - 21st Mar 2009
You completely misread it then. He clearly states, multiple times, that OS X does not have the same safeguards in place that Windows does. So yes, it is an OS X issue.

Safari on the Mac is easier to exploit. The things that Windows [That will be the OS] do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows [Once again that will be the OS].
- Charlie Miller
0 Votes
It required loose rules
Mikael_z 22nd Mar 2009
and I guess the admin password as well.
It's still not accomplished to infect by drive-by as with Windows and IE,
i.e. by visiting a webpage.

Everybody knows that the security in Windows sucks and it has been
highly profitable for the support biz through the years. They've tried for
years to expand their biz to other platforms such as the Mac with scare
tactics without much success. Maybe this is another attempt, or maybe
they just want to get paid by Apple for finding a bug.....
0 Votes
Really?
eMJayy 25th Mar 2009
Miller exploited the Mac using a URL and had the machine completely under his control in 10 seconds.

Furthermore, the mac was hacked on Day 1 twice with 2 different exploits - both hackers said it was easy. That's not encouraging stuff, my friend.
0 Votes
A distinction without a difference?
Economister Updated - 21st Mar 2009
Unless you actually download and run infected files (and most people do not) your browser is your contact with the "infected" world. If the browser is compromised to allow the outside world to run code on your system, then the system incl. the OS is compromised. The malware is not confined to the browser in that case.
0 Votes
For a Mac user, security isn't an issue.
ashdude Updated - 21st Mar 2009
Having a Mac is like living in Mayberry. We keep our doors unlocked, our windows open and our sheriff doesn't carry a gun. Who would want to attack us? Mayberry is too damn small for it to make it any fun for the bad guys. They prefer LA (aka Windows). Over there, you have to have your doors bolted, bars on your windows, and a 45 under your bed.

And besides, if security ever does become an issue in the Mac world, OSX is a certified UNIX build. How hard could it possibly be to port the security from BSD or Linux? I'm thinking a recompile of the source code would be in order. So... I ain't worried.
0 Votes
security isn't an issue,,,,
oldsysprog 23rd Mar 2009
It isn't Mayberry that you are living in, but rather a place of self-delusion. The first virus on desktops was on a Mac, admittedly it was intended to do no harm, just celebrate the anniversary of the Mac, but a small programming error meant a number of wiped disk drives.

The attitude among Mac users that they don't need security, means some of them do not worry about stolen info, making them highly attractive even though their percentage is small.

Finally, your assumption on just compile BSD, it don't work that way, a minor change to the code can still invoke a major security review. Somehow I don't see Apple announcing we are stopping all software shipments for a year to do a complete security review and fixes.
0 Votes
Too many question marks???????????
Mikael_z 22nd Mar 2009
"Apple's Safari is the odd browser out for no reason in
particular, but as hacker Charlie Miller notes Safari is the
easiest to pop."


Exactly how did he do it? Did he have to enter admin's
password? I consider this to be lots of smoke from people
with an agenda of their own, likely to make money (of
course).

"Firefox on Windows is hard to exploit as is IE 8,
according to Miller."


Ha ha. Viewing history and IE's abysmal security and how it
likely is responsible for the majority of many many millions
of infections through the years, I can't help to conclude
they're just talking nonsense. Ha!

The world's IT is gradually improving, even Microsoft is
trying, and security HAS to become better than it has been
with Windows because we'll move more and more of our
activities, business included, to the virtual world of the
internet.
Windows and IE simply aren't up to the task and
responsibility. Get better or get lost!
0 Votes
So...
Qbt 22nd Mar 2009
So basically you are completely clueless as to what is going on here.

I guess it comes from years of believing the lies Apple has been telling you all this time.

Fascinating...
