ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

New study claims that Chrome is the most secure browser

By | December 13, 2011, 4:54am PST

Summary: Which is the most secure browser around? According to a newly released study by Accuvant, that’s Google’s Chrome.

Which is the most secure browser around?

According to a newly released study by Accuvant, that’s Google’s Chrome.

The Google-commisioned research emphasizes on several key points that would make up a secure browser, namely the integration of sandboxing, plug-in security, JIT hardening, ASLR, DEP, GS and URL blacklisting.

Key summary point:

The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack.

Related posts:

Moreover, according to the report Mozilla’s Firefox has the highest vulnerability count compared to Google’s Chrome and Microsoft’s Internet Explorer. Firefox leads with 449 patched vulnerabilities, followed by Chrome with 321 and Internet Explorer with 168.

Would you switch browsers over the results from a comparative review such as this one commissioned by Google? Do you believe that Chrome is indeed the most secure browser around, or are they other factors to consider as well?

Talkback.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Web Browser, Web Browsers, Internet, Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter
46
Comments
Add Your Opinion

Join the conversation!

Just In

RE: New study claims that Chrome is the most secure browser
mejohnsn 23rd Dec
This study would have SO much more credibility if it were not sponsored by Google. As it is, I would not discount it completely, but still: independent studies are worth much more attention.

I also find it disappointing the article says nothing about attacks that work only because they take advantage of bugs in the underlying OS, nor about XSS.
View in thread
-1 Votes
+ -
test
Dietrich T. Schmitz * Your Linux Advocate 13th Dec
test
0 Votes
+ -
So Chrome is slightly more secure
William Farrel 13th Dec
@Dietrich T. Schmitz * Your Linux Advocate

but has far more vulnerabilities then Microsoft's IE, so this becomes a "pay no attention to the article, read what I want you to see"?

disturbing is correct
0 Votes
+ -
RE: This is disturbing behavior given the study was underwritten by Google.
Rabid Howler Monkey Updated - 14th Dec
@Dietrich T. Schmitz * Your Linux Advocate quoted:
"Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.

And yet Safari, Firefox and IE get pwn3d year after year at pwn2own (Firefox escaped this last year's, 2011, pwn2own). So far, Chrome has remained untouched. Perhaps this will change as the hackers become more familiar with Chrome. But, remember, both Safari and Chrome are built from the open-source WebKit. What's different with Chrome? Sandboxing, among other things. On both Mac OS X and Windows.

Plug-ins, especially Flash Player and Java, are a MUCH bigger problem than the browser. It would appear that the Vupen's Chrome hack earlier this year was related to a Flash vulnerability. This hack was really big news. Chrome ships with the Flash plug-in and, at least partially, sandboxes it. It also keeps the plug-in updated.

In response to your post above, I'll post this:

http://grsecurity.net/lsm.php
"Why LSM will harm the security of all Linux systems
"Because LSM is compiled and enabled in the kernel, its symbols are exported. Thus, every rootkit and backdoor writer will have every hook he ever wanted in the kernel. This will allow for a new generation of sophisticated backdoors and rootkits that will be nearly impossible to detect.

Nothing's perfect. Not Linux. Not Windows.
0 Votes
+ -
Rubbish
Dietrich T. Schmitz * Your Linux Advocate 14th Dec
@Rabid Howler Monkey
LSM is a module, so by definition is not compiled into the kernel.
You make the assumption that hackers can reach into LSM. Incorrect.

Another hip shooter files in and shows his ignorance.
0 Votes
+ -
LSMs are a framework
Rabid Howler Monkey Updated - 14th Dec
@@Dietrich T. Schmitz * Your Linux Advocate LSM support is *compiled* into the Linux kernel. Some references:

http://tuxguardian.sourceforge.net/documentation.php
"Requirements
"You need Linux kernel 2.6.12 or higher, compiled with LSM support.

"Linux kernel 2.6.36 adds AppArmor, ups performance
http://www.techworld.com.au/article/365249/linux_kernel_2_6_36_adds_apparmor_ups_performance/
"Linux kernel 2.6.36 has been released by Linus Torvalds and includes a number of ... security enhancements, including integration of the AppArmor access control system.

"Linux 2.6.30 Gets Faster Boot
http://www.internetnews.com/dev-news/article.php/3824421/Linux+2630+Gets+Faster+Boot.htm
"Security also gets a boost in the kernel with the addition of the Tomoyo framework, which offers an alternate approach to SELinux (which stands for "security enhanced Linux")

Linux security modules provide a neutral framework for various computer security modules such as SELinux, Tomoyo, AppArmor, etc. What on earth do you think that AppArmor is getting plugged into?

Thus, the concern of the grsecurity dev. The symbols are exported even if a Linux user or admin chooses not to use LSM.
0 Votes
+ -
Word games?
Dietrich T. Schmitz * Your Linux Advocate 14th Dec
@Rabid Howler Monkey

Your words (or you have copy/pasted another source):
"Because LSM is compiled and enabled in the kernel, its symbols are exported."

Indeed LSM is compiled, but it isn't running in the kernel--it is running in its own memory space and approves (or denies) 'both' the kernel's and user's application activity.

Get it? Goooooooooooood....
0 Votes
+ -
RE: Word games?
Rabid Howler Monkey Updated - 14th Dec
@Dietrich T. Schmitz * Your Linux Advocate First you write:

"LSM is a module, so by definition is not compiled into the kernel.

And later follow it up with this statement:

"Indeed LSM is compiled

This makes me think that you are confused.

The quote you reference from my above post is taken from the grsecurity site. Which is why (1) it's quoted and (2) a link is provided. Really no different than your pulling quotes from the chromium.org site.

As for the invincibility of LSMs, Check out the August, 2010, post entitled, "Skeletons Hidden in the Linux Closet: r00ting your Linux Desktop for Fun and Profit", from The Invisible Things Lab's blog (look it up).

Face it. You're head over heels in love with the Linux desktop and are incapable of seeing it's flaws. Sad, really.
0 Votes
+ -
None of your blathering changes what I originally wrote
Dietrich T. Schmitz * Your Linux Advocate 14th Dec
@Rabid Howler Monkey

Go back and read it. This time not for speed but comprehension.
0 Votes
+ -
Meh
Rabid Howler Monkey 14th Dec
@Dietrich T. Schmitz * Your Linux Advocate So both the Windows and Linux desktop are insecure. I can certainly live with that as I'm not in love with *any* operating system. Fortunately, for security conscious users, Qubes OS is on the horizon:

http://qubes-os.org/Home.html

Gotta love the Xen hypervisor and hardware virtualization. And Fedora too.

P.S. Note that I responded to your initial post, 'test'. Not the off-topic one where you trashed the Windows operating system.
0 Votes
+ -
Hem
Dietrich T. Schmitz * Your Linux Advocate 14th Dec
@Rabid Howler Monkey

Trash? I gave a citation to Google's Engineers' Caveats.
My points notwithstanding, if you find their remarks unacceptable take issue with them.

Come to terms young Man.
0 Votes
+ -
Chrome is only more secure if you don't mind Google spying on you.
JonathonDoe 13th Dec
Google makes no bones about how it makes it's money; selling targeted advertising. To target the ads effectively they track you online. Chrome is the most effective way of doing that. If you don't mind that, then perhaps Chrome is more secure ... after all, Google paid some third-party company to say so. How could it be wrong?

Since Chrome doesn't have No Script, Ad Block, and Flash Block it simply doesn't do what I need it to do. Thus it doesn't even merit consideration of inclusion on my machines. Without the critical functionality provided by those add ons a browser is just another attack vector allowing criminals into my home.

Frankly, Chrome has a LONG way to go before it begins catching up with Firefox.

Regards,
Jon
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
daikon 13th Dec
@JonathonDoe
Chrome does have Ad Bloc, Flash Bloc and NotScript same as No Script.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
jorjitop 13th Dec
@JonathonDoe

You have it right there. Google's business model is based on building profiles of their users so they can better sell their advertising. All Google apps and services are built to help them accumulate information on their users. This is incontrovertible.

The only question is whether you trust Google to have so much information about you. Since it is highly likely that user's profiles will get leaked somehow, I think it is foolhardy to trust Google. When your identity gets stolen, you will realise the stupidity of such trust.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
daikon Updated - 13th Dec
@jorjitop
What data of yours was taken by Google using Chrome?
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
ScorpioBlue 13th Dec
@daikon
What data of ours wasn't taken by Google using Chrome?
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
The Danger is Microsoft 15th Dec
@ScorpioBlue - NO data was taken. You did not list any, so none was taken. End of story.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
ScorpioBlue 15th Dec
@The Danger is Microsoft
How do you know? Can you say that for certain?
Not end of story.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
JimiKay 13th Dec
@JonathonDoe: Man-o-man Jon, where do you get your information? You say, "Chrome doesn't have no Script", (check your English: (i.e. replace 'no' with 'any'). More people use Chrome than any other browser; that's a fact. You are dead wrong in saying Chrome cannot block sites from setting data, cookies, images, JavaScript, or allow sites to handle protocols. Look on the "Content Settings" page of "Options". I have not used Firefox for years. The crashes, viruses, bugs, and slow down of my machine with Firefox made it nearly impossible to use. You'll find with Chrome, most sites open in a second and fully load in only a few. Google takes data from users to make comparisons and usage of the browser. Then they sit down and apply those numbers to making a better browser: what the people want without the interference. That's how they made their money, by giving the people what they want; a fast efficient program, without a bunch of toys, gadgets, or a Romper Room user experience, which attracts the hacks, and slows down finding what you want to browse to. Chrome has gone the extra mile. They need to keep what they have: the fastest no frills experience. Firefox on the other hand, where do I begin? Tons of toys, but I don't have all the time in the world to find information when I need to. I suppose much of these opinions are for either those who want to play or those who want to work.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
x I'm tc 13th Dec
@JimiKay
At basic page-loading, Firefox outperforms Chrome. For JavaScript-heavy Web "applications" Chrome may sometimes be faster.

As for crashing, try Firefox again. I have not had a crash of Firefox in a long time.

Finally, I trust Mozilla to do right by me a whole lot more than I trust Google.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
bitcrazed 14th Dec
@JimiKay - love your optimism, but Chrome is not the most widely used browser. Perhaps at some specific websites, but not in general use.
0 Votes
+ -
It actually does have AdBlock...
Zorched 13th Dec
@JonathonDoe : However, according to the author of NoScript, there is no capability, due to how Chrome is implemented, to be able to support NoScript, so for the foreseeable future there will be no NoScript for Chrome.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
ScorpioBlue 13th Dec
It actually does have AdBlock...

It isn't quite the same experience as it is for Firefox users.

https://adblockplus.org/en/chrome

"The warning displayed by Google Chrome applies to all extensions that modify web pages.

We are currently working on providing the same experience for Google Chrome as what you are used to from Firefox. Please keep in mind that we are not there yet and much work still needs to be done. There are also known Google Chrome bugs and limitations that need to be resolved."

In other words they still have a lot of work to do...
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
JoeBob_z 16th Dec
@JonathonDoe Don't forget that they'll also do the bidding of dictators and oppressive governments. Google will hand you over to the Chinese in a heartbeat - sometimes without even being asked (and after the Chinese attacked Google's servers!).
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
dllazarus 13th Dec
This report is total garbage because Firefox v5 was used in the evaluation. The current version is 8.01. Being that this report was just released, they should have, at minimum, evaluated Firefox v7. Version 8 is fairly recent. It came out less than 2 months ago. The bottom line is that evaluating Firefox v5 at this point is like evaluating IE v6. It's stupid. Firefox is a great AND secure browser.
0 Votes
+ -
I don't understand
LiquidLearner 13th Dec
the difference between "Implemented" and "Inudstry Standard". Is it just so they could show both browsers have the feature but Google "wins".

And just a side note, I got infected through Chrome while browsing the underbelly of the interwebs last weekend. All of a sudden Chrome just closed and when I launched it again it suddenly wanted administrative privileges. Did a few scans and managed to get it all cleaned up. So Chrome is certainly becoming a target these days. Especially since people probably believe they're safer so they take more risks.

It's like the seat belt argument. The number of accidents went up when seat belt laws went into effect. The number of fatalities went down so I'm not saying it's a bad thing. But because people felt safer wearing a seat belt they took more risks while driving and that leads to more accidents.
0 Votes
+ -
Correlational != causation
Richard Flude 13th Dec
"It's like the seat belt argument. The number of accidents went up when seat belt laws went into effect. The number of fatalities went down so I'm not saying it's a bad thing. But because people felt safer wearing a seat belt they took more risks while driving and that leads to more accidents."

There are many variables to consider in car accidents. An increasing number of accidents may or may not have been cause by the introduction of seat belt laws, no causality is demonstrated.

We get the same irrational talk surrounding AGW.
0 Votes
+ -
The Google-commisioned research...
dazzlingd 13th Dec
Says it all.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
Zurk_Orkin Updated - 13th Dec
@dazzlingd >

I have a Zalman S series ssd which uses the jmf-616 controller and Google Chrome is the only one of these three mentioned browsers that will perform perfectly online with this ARM based 128MB DDR2 cache 128GB SSD. Both IE9 and Firefox will freeze or black screen every few minutes requiring a reset.

I have since removed Firefox 8.0.1 completely and taken IE9 off my desktop. One thing I should mention is that there may just become a surplus of these drives since Sandforce 2281 has hit the marketplace with Sata III 6Gb/s.
0 Votes
+ -
How does a browser cause these types of issues?
ye 13th Dec
@Zurk_Orkin: Details please.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
tom@... 13th Dec
Chrome catches up wth IE so it's the most secure browser? Come oooooonnnnnn!!!!! Read your own chart!

In today's world, the most insecure component of any system is the USER! Avoiding malware and keeping a machine healthy isn't rocket science and only takes a decent AV/spyware app and a user who decided to educate himself.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
HCream 13th Dec
@tom@...
I agree with Tom that "the most insecure component of any system is the USER!". That's why I recommended my office to switch from Firefox to Chrome. There are 3 reasons: (1) Automatic update(on browser as well as the built-in Flash); (2) No admin privilege required to run the update; (3) It finally has all the extensions(Adblock+, NotScripts, FlashBlock, Safety - LinkExtend) we used to run on Firefox. The only missing equivalent add-on is FireFTP.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
Sqrly 13th Dec
I'd like to know how much Ryan Naraine and Dancho Danchev made for posting this advertisment for google?
0 Votes
+ -
Oh for **** sake...
Naryan 13th Dec
Here we go, "Google's EVIL, Google's spying on you, Google will steal your money, Google killed my grandmother"
Are you guys ever tired of being wrong? "Big" and "Evil" aren't synonyms and until you've learned that there should be measures on this site to make you keep your drivel to yourself.
"When they steal your money you'll realise how stupid you've been".
That's it, do a "Christian" and lodge yourself firmly in an unattainably defensive position, while prophesying the thing you swear will happen at any moment but remarkably never does.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
tonymcs@... 13th Dec
@Naryan

Yep they're a ethical and moral advertising company...

You did see "Mad Men" didn't you?
0 Votes
+ -
Interesting how Opera is left out of all these 'studies' and opionion piece
Gandalf The Grey 13th Dec
Just saying that Opera now supports add-ons just like fireofox including ad-block and other similar ones.
0 Votes
+ -
As long as I...
Zorched 13th Dec
Can't apply a password to keep my passwords safe in Chrome, I won't use it as my full-time browser. I can't seem to understand why Google fails to add such a simple ability.
I also question the security of their sync...
I have none of those concerns with FireFox.
0 Votes
+ -
Extensions?
kirovs@... 13th Dec
There are excellent security extensions for Firefox; there should be a comparison with a hardened variant of FF. I think hardened FF will be very close if not ahead of Chrome.
0 Votes
+ -
RE: Extensions?
Rabid Howler Monkey Updated - 14th Dec
@kirovs@... wrote:
"there should be a comparison with a hardened variant of FF

The referenced study concerned itself with ordinary users that do not touch the controls of their browser, let alone install add-ons or extensions like NoScript, FlashBlock, AdBlock, NotScript, etc. Dangerous features like JavaScript, IFRAMEs, 3rd party cookies, image loading (think malverts) and plug-ins (i.e., Java and Flash) are all enabled by default and the users are protected by what? A blacklist. And web site blacklists are reactive in nature, just like AV signatures. Meaning that they are always a step or two behind the miscreants.

Both Chrome and IE9 provide features out-of-the box that Firefox doesn't ship with. Like running the browser and a subset of plug-ins in a sandbox. Chrome ships with Flash and PDF reader plug-ins enabled, sandboxed (at least partially) and transparently updates the browser as well as the plug-ins. IE9 sandboxes Flash, but doesn't keep it updated. Neither Chrome nor IE9 sandbox the Java JRE plug-in. However, Chrome will block Java content if the JRE is out of date.

A motivated and knowledgeable user, presumably like yourself, can tighten up Firefox settings and can also place Firefox, along with plug-ins like Flash and Java, in a sandbox. Sandboxing options in Windows include DIY integrity levels for Firefox or 3rd party sandboxing apps like BufferZone Pro, Sandboxie and GeSWall.

Here's a great read (well worth the time) on Chrome vs. Firefox and OS vs. 3rd party sandboxing:

"Google Chrome vs. FX+NS; integral sandboxing vs. 3rd-party
http://forums.informaction.com/viewtopic.php?f=19&t=7727
0 Votes
+ -
That's kind of like trusting a study about smoking ...
mwagner@... 13th Dec
... that was commissioned by the tobacco industry! And what exactly does the number patched vulnerabilities have to do with anything? Isn't the number of UNPATCHED vulnerabilities the more important metric?

By their reasoning, the product that is the oldest should have the most patches, but hey, IE (not a particular version but all versions) has the lowest number - but Chrome still wins, based upon the criteria selected by a group hired by Google to do just that.

Let underwriter's laboratories (or one of the independent security firms) do a study and I might take this more seriously but not a "study" commissioned by Google.
0 Votes
+ -
I have no problem with a study commissioned by an interested party as...
ye 13th Dec
@mwagner@: ...long as the methodology is open to review and found to be sound by independent analysis.
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
aureolin 13th Dec
Google commissioned study says that Google Chrome is the most secure browser. How is this any more believable than the Microsoft commissioned studies that say IE is the most secure browser?

Fail.
0 Votes
+ -
As always, ZD makes believe Apple and Safari don't exist.
JoeBob_z 16th Dec
Best selling line of laptops, best selling tablet, best selling smartphone OS, and soon expected to be best selling computer maker on the planet, and they all run Safari. But why even mention it when you get paid so much money to shill for Microsoft? Journalism is fine, but commerce is the real concern
0 Votes
+ -
RE: As always, ZD makes believe Apple and Safari don't exist.
Rabid Howler Monkey Updated - 17th Dec
@JoeBob_z The article does seem focused on Windows. However, Windows *is* the most widely-used platform for web browsing today, despite the recent growth in smartphone and tablet usage. And, on Windows, Safari is not the most secure web browser. In addition, it's market share, like Opera's, is well behind IE, Chrome and Firefox.

Is Safari the most secure web browser on Mac OS X and iOS? Perhaps on Mac OS X Lion where Apple has finally become serious about security. On Lion, Safari is sandboxed by default and both dmg and pkg files have been excluded from the "Open Safe Files After Downloading" feature. The upcoming 2012 pwn2own will be an interesting test for Mac OS X Lion and Safari. We'll have to wait and see if it outperforms Chrome.

I submit that Chrome is more secure than Safari on Mac OS X Leopard and Snow Leopard for many of the same reasons it it more secure than Firefox on Windows. (Chrome is also more secure than IE8 on Windows XP.)

As for iOS, I believe that the Opera browser is more secure than both Safari and Firefox. All the above browsers are sandboxed on iOS. However, Opera *by default* includes NoScript functionality that Firefox users must get by downloading and installing the NoScript plug-in. (I also believe that Opera is more secure than Firefox on Windows for the same reason).
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
JoeBob_z 18th Dec
@Rabid Howler Monkey - You missed the point. Entirely.
0 Votes
+ -
NoScript
Rob C 16th Dec
Why hasn't anyone mentioned NoScript ? ? ?
FF and NoScript is the way to go.
Chrome does not have a viable NoScript equivalent
0 Votes
+ -
RE: New study claims that Chrome is the most secure browser
mejohnsn 23rd Dec
This study would have SO much more credibility if it were not sponsored by Google. As it is, I would not discount it completely, but still: independent studies are worth much more attention.

I also find it disappointing the article says nothing about attacks that work only because they take advantage of bugs in the underlying OS, nor about XSS.

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix