New study claims that Chrome is the most secure browser

New study claims that Chrome is the most secure browser

Summary: Which is the most secure browser around? According to a newly released study by Accuvant, that's Google's Chrome.

SHARE:
TOPICS: Browser
48

Which is the most secure browser around?

According to a newly released study by Accuvant, that's Google's Chrome.

The Google-commisioned research emphasizes on several key points that would make up a secure browser, namely the integration of sandboxing, plug-in security, JIT hardening, ASLR, DEP, GS and URL blacklisting.

Key summary point:

The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack.

Related posts:

Moreover, according to the report Mozilla's Firefox has the highest vulnerability count compared to Google's Chrome and Microsoft's Internet Explorer. Firefox leads with 449 patched vulnerabilities, followed by Chrome with 321 and Internet Explorer with 168.

Would you switch browsers over the results from a comparative review such as this one commissioned by Google? Do you believe that Chrome is indeed the most secure browser around, or are they other factors to consider as well?

Talkback.

Topic: Browser

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

48 comments
Log in or register to join the discussion
  • test

    test
    Dietrich T. Schmitz *Your
    • So Chrome is slightly more secure

      @Dietrich T. Schmitz * Your Linux Advocate

      but has far more vulnerabilities then Microsoft's IE, so this becomes a "pay no attention to the article, read what I want you to see"?

      disturbing is correct
      William Farrel
    • RE: This is disturbing behavior given the study was underwritten by Google.

      @Dietrich T. Schmitz * Your Linux Advocate quoted:<br>"Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.<br><br>And yet Safari, Firefox and IE get pwn3d year after year at pwn2own (Firefox escaped this last year's, 2011, pwn2own). So far, Chrome has remained untouched. Perhaps this will change as the hackers become more familiar with Chrome. But, remember, both Safari and Chrome are built from the open-source WebKit. What's different with Chrome? Sandboxing, among other things. On both Mac OS X and Windows.<br><br>Plug-ins, especially Flash Player and Java, are a MUCH bigger problem than the browser. It would appear that the Vupen's Chrome hack earlier this year was related to a Flash vulnerability. This hack was really big news. Chrome ships with the Flash plug-in and, at least partially, sandboxes it. It also keeps the plug-in updated.<br><br>In response to your post above, I'll post this:<br><br><a href="http://grsecurity.net/lsm.php" target="_blank" rel="nofollow">http://grsecurity.net/lsm.php</a><br>"Why LSM will harm the security of all Linux systems<br>"Because LSM is compiled and enabled in the kernel, its symbols are exported. Thus, every rootkit and backdoor writer will have every hook he ever wanted in the kernel. This will allow for a new generation of sophisticated backdoors and rootkits that will be nearly impossible to detect.<br><br>Nothing's perfect. Not Linux. Not Windows.
      Rabid Howler Monkey
      • Rubbish

        @Rabid Howler Monkey
        LSM is a module, so by definition is not compiled into the kernel.
        You make the assumption that hackers can reach into LSM. Incorrect.

        Another hip shooter files in and shows his ignorance.
        Dietrich T. Schmitz *Your
      • LSMs are a framework

        @@Dietrich T. Schmitz * Your Linux Advocate LSM support is *compiled* into the Linux kernel. Some references:<br><br> <a href="http://tuxguardian.sourceforge.net/documentation.php" target="_blank" rel="nofollow">http://tuxguardian.sourceforge.net/documentation.php</a> <br>"Requirements<br>"You need Linux kernel 2.6.12 or higher, compiled with LSM support.<br><br>"Linux kernel 2.6.36 adds AppArmor, ups performance<br> <a href="http://www.techworld.com.au/article/365249/linux_kernel_2_6_36_adds_apparmor_ups_performance/" target="_blank" rel="nofollow">http://www.techworld.com.au/article/365249/linux_kernel_2_6_36_adds_apparmor_ups_performance/</a> <br>"Linux kernel 2.6.36 has been released by Linus Torvalds and includes a number of ... security enhancements, including integration of the AppArmor access control system.<br><br>"Linux 2.6.30 Gets Faster Boot<br> <a href="http://www.internetnews.com/dev-news/article.php/3824421/Linux+2630+Gets+Faster+Boot.htm" target="_blank" rel="nofollow">http://www.internetnews.com/dev-news/article.php/3824421/Linux+2630+Gets+Faster+Boot.htm</a><br>"Security also gets a boost in the kernel with the addition of the Tomoyo framework, which offers an alternate approach to SELinux (which stands for "security enhanced Linux")<br><br>Linux security modules provide a neutral framework for various computer security modules such as SELinux, Tomoyo, AppArmor, etc. What on earth do you think that AppArmor is getting plugged into?<br><br>Thus, the concern of the grsecurity dev. The symbols are exported even if a Linux user or admin chooses not to use LSM.
        Rabid Howler Monkey
        • Word games?

          @Rabid Howler Monkey

          Your words (or you have copy/pasted another source):
          [i]"Because LSM is compiled and enabled in the kernel, its symbols are exported."[/i]

          Indeed LSM is compiled, but it isn't running in the kernel--it is running in its own memory space and approves (or denies) 'both' the kernel's and user's application activity.

          Get it? Goooooooooooood....
          Dietrich T. Schmitz *Your
      • RE: Word games?

        @Dietrich T. Schmitz * Your Linux Advocate First you write:<br><br>"LSM is a module, so by definition is not compiled into the kernel.<br><br>And later follow it up with this statement:<br><br>"Indeed LSM is compiled<br><br>This makes me think that you are confused.<br><br>The quote you reference from my above post is taken from the grsecurity site. Which is why (1) it's quoted and (2) a link is provided. Really no different than your pulling quotes from the chromium.org site.<br><br>As for the invincibility of LSMs, Check out the August, 2010, post entitled, "Skeletons Hidden in the Linux Closet: r00ting your Linux Desktop for Fun and Profit", from The Invisible Things Lab's blog (look it up).<br><br>Face it. You're head over heels in love with the Linux desktop and are incapable of seeing it's flaws. Sad, really.
        Rabid Howler Monkey
        • None of your blathering changes what I originally wrote

          @Rabid Howler Monkey

          Go back and read it. This time not for speed but comprehension.
          Dietrich T. Schmitz *Your
      • Meh

        @Dietrich T. Schmitz * Your Linux Advocate So both the Windows and Linux desktop are insecure. I can certainly live with that as I'm not in love with *any* operating system. Fortunately, for security conscious users, Qubes OS is on the horizon:

        http://qubes-os.org/Home.html

        Gotta love the Xen hypervisor and hardware virtualization. And Fedora too.

        P.S. Note that I responded to your initial post, 'test'. Not the off-topic one where you trashed the Windows operating system.
        Rabid Howler Monkey
        • Hem

          @Rabid Howler Monkey

          Trash? I gave a citation to Google's Engineers' Caveats.
          My points notwithstanding, if you find their remarks unacceptable take issue with them.

          Come to terms young Man.
          Dietrich T. Schmitz *Your
  • Chrome is only more secure if you don't mind Google spying on you.

    Google makes no bones about how it makes it's money; selling targeted advertising. To target the ads effectively they track you online. Chrome is the most effective way of doing that. If you don't mind that, then perhaps Chrome is more secure ... after all, Google paid some third-party company to say so. How could it be wrong?

    Since Chrome doesn't have No Script, Ad Block, and Flash Block it simply doesn't do what I need it to do. Thus it doesn't even merit consideration of inclusion on my machines. Without the critical functionality provided by those add ons a browser is just another attack vector allowing criminals into my home.

    Frankly, Chrome has a LONG way to go before it begins catching up with Firefox.

    Regards,
    Jon
    JonathonDoe
    • RE: New study claims that Chrome is the most secure browser

      @JonathonDoe
      Chrome does have Ad Bloc, Flash Bloc and NotScript same as No Script.
      daikon
      • Hi,

        Don't rely on NotScripts or ScriptNo.
        Check this out:
        http://forums.informaction.com/viewtopic.php?f=8&t=7020
        FFreestyleRR
    • RE: New study claims that Chrome is the most secure browser

      @JonathonDoe

      You have it right there. Google's business model is based on building profiles of their users so they can better sell their advertising. All Google apps and services are built to help them accumulate information on their users. This is incontrovertible.

      The only question is whether you trust Google to have so much information about you. Since it is highly likely that user's profiles will get leaked somehow, I think it is foolhardy to trust Google. When your identity gets stolen, you will realise the stupidity of such trust.
      jorjitop
      • RE: New study claims that Chrome is the most secure browser

        @jorjitop <br>What data of yours was taken by Google using Chrome?
        daikon
      • RE: New study claims that Chrome is the most secure browser

        @daikon
        What data of ours [b]wasn't[/b] taken by Google using Chrome?
        ScorpioBlue
      • RE: New study claims that Chrome is the most secure browser

        @ScorpioBlue - NO data was taken. You did not list any, so none was taken. End of story.
        The Danger is Microsoft
      • RE: New study claims that Chrome is the most secure browser

        @The Danger is Microsoft
        How do you know? Can you say that for certain?
        Not end of story.
        ScorpioBlue
    • RE: New study claims that Chrome is the most secure browser

      @JonathonDoe: Man-o-man Jon, where do you get your information? You say, "Chrome doesn't have no Script", (check your English: (i.e. replace 'no' with 'any'). More people use Chrome than any other browser; that's a fact. You are dead wrong in saying Chrome cannot block sites from setting data, cookies, images, JavaScript, or allow sites to handle protocols. Look on the "Content Settings" page of "Options". I have not used Firefox for years. The crashes, viruses, bugs, and slow down of my machine with Firefox made it nearly impossible to use. You'll find with Chrome, most sites open in a second and fully load in only a few. Google takes data from users to make comparisons and usage of the browser. Then they sit down and apply those numbers to making a better browser: what the people want without the interference. That's how they made their money, by giving the people what they want; a fast efficient program, without a bunch of toys, gadgets, or a Romper Room user experience, which attracts the hacks, and slows down finding what you want to browse to. Chrome has gone the extra mile. They need to keep what they have: the fastest no frills experience. Firefox on the other hand, where do I begin? Tons of toys, but I don't have all the time in the world to find information when I need to. I suppose much of these opinions are for either those who want to play or those who want to work.
      JimiKay
      • RE: New study claims that Chrome is the most secure browser

        @JimiKay
        At basic page-loading, Firefox outperforms Chrome. For JavaScript-heavy Web "applications" Chrome may sometimes be faster.

        As for crashing, try Firefox again. I have not had a crash of Firefox in a long time.

        Finally, I trust Mozilla to do right by me a [i]whole[/i] lot more than I trust Google.
        x I'm tc