Problem solve Get help with specific problems with your technologies, process and projects.

Web browser security comparison: Are Firefox security issues legit?

Expert Mike Cobb reacts to a Google-funded Web browser security comparison and whether it highlights legitimate enterprise Firefox security issues.

A recent Google-funded study conducted by Accuvant determined that Google Chrome, followed by IE9, were the safest...

browsers available. The study specifically singled out Firefox for lagging behind Chrome and IE9 in terms of security features, particularly JIT hardening. However, the validity of the study has come into question. What’s your reaction to the study, and should enterprises have legitimate concerns regarding Firefox security issues?

Browser studies have to be read carefully to fully appreciate the claims made within them, particularly if they are funded by one of the browser vendors. Not surprisingly, Chrome came out on top of Google’s funded research. Both the above-mentioned Web browser security comparison by Accuvant, and an NSS Labs report carried out in August 2011 (which  incidentally ranked IE9 as the safest browser when it came to socially engineered malware protection) looked at how well browsers protect the user, not vulnerabilities within the browsers themselves.

But a Web browser has two roles to play when it comes to secure browsing. First, it must protect the user from malicious sites and software, and second, it must be able to protect itself from malicious attacks. The Secunia Security Factsheets assess which browser is most prone to vulnerabilities. These not only show the number of reported vulnerabilities and their severity, but also the number of advisories. This is an approximation for the number of security events or administrative actions required to keep a program secure.

The major browsers all have a good record of making patches available within 30 days following a vulnerability disclosure, but this largely just protects the browser from malicious attacks. While this also helps protect browser users, Firefox lags on user-centric safeguards. Firefox must be concerned  it’s not scoring well in comparison to other browsers when it comes to protecting its users, even if the tests are being sponsored by its rivals. One advantage that Chrome certainly has over both Firefox and IE is that it has been built from scratch with sandboxing isolating all processes from the main system memory, while the others have had to build security features into legacy code. Firefox lagged behind Chrome and IE9 in three important security controls: sandboxing, plug-in security and Just-In-Time (JIT) hardening, which makes it more difficult for attackers to use JavaScript code to take control of a computer.

Ask a question

SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email: editor@searchsecurity.com.

As the use of JavaScript for malicious purposes is so prevalent, a review of all recent studies on browser security and their security features is warranted in order to assess which browser best meets your particular needs. Changing the default browser across an entire enterprise is a big undertaking and I don’t currently feel that the difference between the main choices warrants such a time-consuming and disruptive task. Bear in mind that Chrome, IE9 and Firefox were all successfully hacked in this year’s Pwn2Own computer hacking contest, so you cannot rely on any browser to be fully secure.

If privacy is a concern, then Firefox may still be your browser of choice. Firefox 5 is the first browser to support Do Not Track privacy on multiple platforms. With the Do Not Track feature turned on, an HTTP header is sent every time a user requests data from the Web, telling the site the user wants to opt out of any online behavioral tracking. Firefox is certainly no longer the undisputed “secure” browser, but the battle for the title of safest browser means all vendors are working to add more security features to their latest releases.

This was last published in April 2012

Dig Deeper on Web browser security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.