Internet Explorer is the safest Web browser!? Ha!
Summary: Microsoft is trying again to con people into thinking that Internet Explorer is the safest browser around. It's not. At best, it's tied with Chrome.
Microsoft has always been fond of paying analysts to say that its products are best, or having partners release reports showing how their rivals' products are second-rate, and, now, Web sites that "show" how Internet Explorer (IE) is better than Chrome and Firefox when it comes to security. Really? Didn't Microsoft just release yet another major Internet Explorer patch?
I quote from the IE patch update (MS11-081), which applies to all currently supported versions of Microsoft Windows and Internet Explorer and IE 6 as well: "The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Yes, that includes IE 9, the best and most up-to-date IE which is only available on Windows 7. Isn't it funny how Microsoft claims that IE 9 is the most secure of its browser family, but somehow it has to have the same problems fixed that exist in IE 6, 7, and 8? Could it be that it's really not that different after all from the rest of its historically insecure family?
If you go to Microsoft's Web browser security "test" site, Your Browser Matters, though, it will tell you that IE 9, with a score of four, is the most secure browser of all. Funny, it told me that it was the most secure both before and after the patch.
As for the other browsers, it informs me that Firefox 7.01 only rates a 2, and Chrome 14 gets a 2.5. And, this I might add, were my scores on my Mint Linux desktop!
How can they produce such clearly nonsensical results? It's because they're setting the rules on what's important and what's not. So, for example, Microsoft gives IE full credit for its SmartScreen malware detection software. With SmartScreen, software that is signed with a digital certificate that Microsoft trusts is allowed to be saved or run. Chrome, on the other hand, blocks known malware, but lets you save unknown, potentially dangerous programs.
On the other hand, if you do download malware with Chrome, the program is still stuck in a sandbox, where it has very limited abilities to actually attack your system.
Besides that, Chrome automatically upgrades browser extensions as security fixes come out. Since programs like Adobe Flash are often used for attacks these days, and in Flash's case there have been 17 significant patches in the last 16 months, I think automatic security updates for Flash and other potential problem programs are a big deal. While Microsoft acknowledges that it doesn't provide these important features, it doesn't take away any points for lacking them from its perfect score.
Interesting judgement call there, Microsoft.
Johnathan Nightingale, Mozilla's director of Firefox engineering, also has trouble with what factors Microsoft considers important and what it doesn't. "Mozilla is fiercely proud of our long track record of leadership on security. We believe that being safe on the Web means having a robust browser that defends against malware and phishing, includes new technologies to help sites and users secure themselves, and a responsive security team that gets security updates out quickly and reliably. Microsoft's site is more notable for the things it fails to include: security technologies like HSTS [HTTP Strict Transport Security], privacy tools like Do Not Track, and vendor response time when vulnerabilities are discovered," said Nightingale.
Exactly so. Firefox has long been a leader in browser security. True, Microsoft has gotten a lot better about security, but Firefox was doing it when the horribly unsafe IE 6 was still the best Microsoft could do. True, today, you can make Windows and IE relatively safe. No, really you can. All you have to do is constantly and regularly patch it.
Those of us who use other operating systems, like Linux and Mac OS X, and alternative browsers such as Chrome and Firefox, can sit back and relax more. Don't get me wrong. We must patch our software as well. As security guru Bruce Schneier points out, "Security is a process, not a product."
Security also isn't something, though, that you measure by a Web site that, when you get down to it, simply checks to see whether the browser you're running is IE 9 or not. Deciding what's a secure Web browser is a lot more complicated than that. Personally, thanks to Chrome's auto-updating and sandboxing, I feel a lot safer running Chrome on Windows than I ever will running IE.

Talkback
With Linux LSM: Zero-Days Don't Matter
RE: Internet Explorer is the safest Web browser!? Ha!
Now go read the article again without the ABM-tinted glasses on. Elgamal, one of the authors of SSL also proclaimed that "All the different browsers in the world are using TLS which is known to have that weakness". This is a weakness in SSL/TLS1.0 which has been known for over four years now and yet is still not fixed.
What he DID say that was valid is that if you have a machine that is compromised with malware, then it's game over. Period. Doesn't matter if it's Windows, Linux, OSX, iOS, Android or whatever - if you're infected, you're (potentially) hosed.
Elgamal made an off the cuff comment about something he's clearly not up to date on: since Vista, Windows has employed UAC - a security barrier similar to Linux's SUDO. Ever since Windows Vista, Windows users are pretty much as protected as Linux users. If they use IE, they're also protected via a number of important anti-phishing and anti-malware capabilities that have improved exponentially over the coming years. Chrome and (to a lesser degree) FF also have improved their security capabilities, but not necessarily to the same degree.
Oh, and for what it's worth, WebKit, the HTML rendering engine Chrome uses, patches HUGE numbers of vulns on a regular basis. Take, for example, Apple's iTunes 10.5 update that patches 86 vulns, of which 73 were WebKit vulns.
Patching vulns is good - it results in significantly improved user safety.
Oh ... and as I have pointed out each time you bleat on about LSM/AppArmor - those technologies are not without their own issues either:
1. AppArmor is only enabled selectively on a per-app basis - it's not a system-wide barrier. This can lull the ignorant into a false sense of security which can INCREASE their vulnerability to malware
2. LSE can be compromised via RootKits and malware masquerading as security modules so it doesn't prevent or protect a user if malware gets installed.
Specious arguments
"AppArmor is only enabled selectively on a per-app basis - it's not a system-wide barrier. This can lull the ignorant into a false sense of security which can INCREASE their vulnerability to malware"
Of course AppArmor is designed for use by application. There's no getting lulled -- just configure the app, enable, and forget it's there. It does the job.
"LSE can be compromised via RootKits and malware masquerading as security modules so it doesn't prevent or protect a user if malware gets installed."
Your saying so does not make it so. Please substantiate how.
RE: Internet Explorer is the safest Web browser!? Ha!
While most users shouldn't ever need to elevate in UAC / enter SUDO, some will. For example - I am a software developer and so need to make system-wide changes to my machine in order to debug, profile, deploy and manage the apps I build.
However, most of my users don't.
RE: Internet Explorer is the safest Web browser!? Ha!
A simple example: Sandboxing SumatraPDF reader in Windows Vista/7
RE: Internet Explorer is the safest Web browser!? Ha!
You really like to hear yourself talk, huh? Non sequitur at best.
RE: Internet Explorer is the safest Web browser!? Ha!
Say Ole Buddy, where were you yesterday?? You were nowhere to be found, I'll stake my reputation on it!
RE: Internet Explorer is the safest Web browser!? Ha!
I don't even use Internet Explorer anymore.
RE: Internet Explorer is the safest Web browser!? Ha!
"And, this I might add, were my scores on my Mint Linux desktop!"
Congrats, you just told the world that Linux is insecure! Let it be known that Chrome has its share of vulnerabilities, and I wouldn't trust Google since they have to pay people to find and fix the bugs in it.
RE: Internet Explorer is the safest Web browser!? Ha!
In short, SJVN will do anything and everything to promote Anyone But Microsoft's browsers while berating Microsoft for playing him at his own game.
If you're expecting objective journalism, you won't find it here.
RE: Internet Explorer is the safest Web browser!? Ha!
Are you suggesting Microsoft's IE developing team works for free?
Got you now, Lovey, you crafty devil!
HAHAHAHAHA!
You are one funny fellow. I used to think you were just a simple, ignorant MS troll. Now I realize that somebody as ignorant (i.e. wrong) as you are couldn't possibly make a living (or remember to breathe), so now I know you're actually bait for (other) MS shills that are stupid enough to believe the crap you espouse.
Way to go, lovey, keep up the good work.
"Linux can only play one note at a time." Remember that one, Lovey? HAHAHAHAHA!
Hilarious!
RE: Internet Explorer is the safest Web browser!? Ha!
Creepiest post ever written.
RE: Internet Explorer is the safest Web browser!? Ha!
Where is the post you are responding to?
RE: Internet Explorer is the safest Web browser!? Ha!
Just one simple question. How can a Linux Mint desktop be tested for IE9, or any version of IE for that matter? It isn't that Mint is or is not secure, it's that the web site put up by Microsoft is irrelevant.