Between the Lines

Larry Dignan, Andrew Nusca and Rachel King

The browser battle: Where does security fit in the evaluation process?

By Larry Dignan | March 20, 2009, 4:53am PDT

With the launch of Internet Explorer 8 as the latest volley in the browser wars—IE vs. Firefox vs. Google Chrome vs. Apple’s Safari—there’s a lot of talk about speed, browsing improvements and rendering engines. Where does security fit into the equation?

Frankly, when I’m evaluating browsers—I use IE, Firefox and Chrome daily—security rarely enters the picture. Apple’s Safari is the odd browser out for no reason in particular, but, as hacker Charlie Miller notes, Safari is the easiest to pop.

As you ponder the browsing security topic, you must peruse Ryan Naraine’s interview with security researcher Miller. He’s the one who broke into a fully patched MacBook via a Safari vulnerability. Safari, Firefox and IE were all exploited this week in the Pwn2Own contest.

When it comes to browsers, everyone has an opinion, but security is rarely a part of the conversation. Ed Bott talks usability for IE 8. Chris Duckett wants Canvas support for the latest IE. Others are Firefox loyalists. A growing percentage uses Chrome and naturally the Mac crowd has its Safari. Where does security fit into the equation? Will there be a day when consumers put browsing security front and center?

The lessons learned from Miller:

  • Safari on the Mac is an easy mark. Miller tells Naraine: "Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows."

  • Vulnerabilities have a market value. That means you need to ponder which browser bug could deliver the biggest bang for a malicious hacker. Miller notes that an IE bug is worth more than a Safari one.

  • Firefox on Windows is hard to exploit, as is IE 8, according to Miller.

  • Google Chrome is tough to exploit because it uses a sandbox model—that’s how Chrome can keep running even though a site crashes. In other words, a site crash means Chrome just loses a tab, not the whole browser. However, Miller notes that if there’s enough money on the table, Chrome could be exploited.

Will these security factors matter more than add-on support, neat usability features and raw speed? Not just yet, but ultimately security will matter more—at least to the enterprise. In the not-too-distant future, the Web browser will increasingly be running applications. That’s what Google’s Chrome launch was all about: The search giant wanted a stable platform for its Web apps.

And if you’re going to be running applications and sharing important data via a browser, security is going to matter—a lot.


Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic.

Disclosure

Larry Dignan

Larry Dignan has nothing to disclose. He doesn’t hold investments in the technology companies he covers.

Biography

Larry Dignan

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CNET News.com. Larry has covered the technology and financial services industry since 1995, publishing articles in WallStreetWeek.com, Inter@ctive Week, The New York Times, and Financial Planning magazine. He's a graduate of the Columbia School of Journalism and the University of Delaware.


Talkback Most Recent of 15 Talkback(s)

  • Where?
    Where are all the Mac'n'Roids now apologizing and telling us this is all unpossible?

    I mean, didn't Apple tell us all that Safari is Teh Most Securetest Browser in Teh World? I mean, some of us actually believed them...

    Where?
    Qbt
    20th Mar 2009
  • Opera?
    I know Opera only has about 1% share of the browser market (compared to Chrome at just under 2%), but where does it stand? It's cross-platform, and with the scalability of it to mobile devices, a vulnerability could hit a whole lot of people on the road.
    MariusSilverwolf
    20th Mar 2009
  • Opera seconded
    If Secunia is anything to go by, Opera is the most secure browser of them all.

    But it would be good to see a second opinion.
    james.faction
    22nd Mar 2009
  • RE: The browser battle: Where does security fit in the evaluation process?
    Striking, Miller is saying without a doubt that Windows is more secure than OS X.

    "The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows."

    Simply put, Apple's claims of better security are at best dubious, at worst just lies.
    Heatlesssun1
    20th Mar 2009
  • Yea but...
    But who are you going to believe?

    1) Apple and its Followers, because Apple told them it was Teh Most Securetest in Teh World ("...built from the ground up with security in mind").

    2) A security researcher whose job it is to analyze OSes and applications for vulnerabilities?

    Surely you can't believe the latter...!!??
    Qbt
    20th Mar 2009
  • Easier to hack
    I think the statement was that Safari on OSX was easier to hack - so it is not OSX that is the issue. Rather, it is the *browser* (Safari) on OSX. At least that is the way I read what Miller had to say.
    dancac
    21st Mar 2009
  • Wow
    You completely misread it then. He clearly states, multiple times, that OS X does not have the same safeguards in place that Windows does. So yes, it is an OS X issue.

    Safari on the Mac is easier to exploit. The things that Windows [That will be the OS] do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows [Once again that will be the OS].
    - Charlie Miller
    Qbt
    21st Mar 2009
  • It required loose rules
    and I guess the admin password as well.
    It's still not accomplished to infect by drive-by as with Windows and IE,
    i.e. by visiting a webpage.

    Everybody knows that the security in Windows sucks and it has been
    highly profitable for the support biz through the years. They've tried for
    years to expand their biz to other platforms such as the Mac with scare
    tactics without much success. Maybe this is another attempt, or maybe
    they just want to get paid by Apple for finding a bug.....
    Mikael_z
    22nd Mar 2009
  • Really?
    Miller exploited the Mac using a URL and had the machine completely under his control in 10 seconds.

    Furthermore, the mac was hacked on Day 1 twice with 2 different exploits - both hackers said it was easy. That's not encouraging stuff, my friend.
    eMJayy
    25th Mar 2009
  • A distinction without a difference?
    Unless you actually download and run infected files (and most people do not) your browser is your contact with the "infected" world. If the browser is compromised to allow the outside world to run code on your system, then the system incl. the OS is compromised. The malware is not confined to the browser in that case.
    Economister
    21st Mar 2009
  • For a Mac user, security isn't an issue.
    Having a Mac is like living in Mayberry. We keep our doors unlocked, our windows open and our sheriff doesn't carry a gun. Who would want to attack us? Mayberry is too damn small for it to make it any fun for the bad guys. They prefer LA (aka Windows). Over there, you have to have your doors bolted, bars on your windows, and a 45 under your bed.

    And besides, if security ever does become an issue in the Mac world, OSX is a certified UNIX build. How hard could it possibly be to port the security from BSD or Linux? I'm thinking a recompile of the source code would be in order. So... I ain't worried.
    ashdude
    21st Mar 2009
  • security isn't an issue,,,,
    It isn't Mayberry that you are living in, but rather a place of self-delusion. The first virus on desktops was on a Mac, admittedly it was intended to do no harm, just celebrate the anniversary of the Mac, but a small programming error meant a number of wiped disk drives.

    The attitude among Mac users that they don't need security, means some of them do not worry about stolen info, making them highly attractive even though their percentage is small.

    Finally, your assumption on just compile BSD, it don't work that way, a minor change to the code can still invoke a major security review. Somehow I don't see Apple announcing we are stopping all software shipments for a year to do a complete security review and fixes.
    oldsysprog
    23rd Mar 2009
  • Too many question marks???????????
    "Apple's Safari is the odd browser out for no reason in
    particular, but as hacker Charlie Miller notes Safari is the
    easiest to pop."


    Exactly how did he do it? Did he have to enter admin's
    password? I consider this to be lots of smoke from people
    with an agenda of their own, likely to make money (of
    course).

    "Firefox on Windows is hard to exploit as is IE 8,
    according to Miller."


    Ha ha. Viewing history and IE's abysmal security and how it
    likely is responsible for the majority of many many millions
    of infections through the years, I can't help to conclude
    they're just talking nonsense. Ha!

    The world's IT is gradually improving, even Microsoft is
    trying, and security HAS to become better than it has been
    with Windows because we'll move more and more of our
    activities, business included, to the virtual world of the
    internet.
    Windows and IE simply aren't up to the task and
    responsibility. Get better or get lost!
    Mikael_z
    22nd Mar 2009
  • So...
    So basically you are completely clueless as to what is going on here.

    I guess it comes from years of believing the lies Apple has been telling you all this time.

    Fascinating...
    Qbt
    22nd Mar 2009
