Browser security wars

I recently spent several months security testing the five most popular Web browsers: Chrome, Firefox, Internet Explorer, Opera, and Safari. Although I work full-time for Microsoft, I’ve been using nearly a dozen browsers in my personal life for many years. I’ve always been a big fan of Konqueror for KDE versions of Linux, and Netscape and Mozilla during their heydays. Lynx is a great browser for safely troubleshooting known malware sites and has appeared in many of my columns. And one of my new personal favorites is Maxthon, for its ability to allow individual file downloads of embedded video content.

InfoWorld has been releasing individual browser reviews all this week (see Chrome, Firefox, Internet Explorer, Opera, and Safari), and the main story, along with several technology sidebars, will be released soon.

[ Find these reviews and more in the special report: “InfoWorld Test Center’s guide to browser security” ]

Web-based browsers are guaranteed to play an even bigger role in our lives in the future, especially with software as a service and cloud computing gaining traction. It’s not hyperbole to say that in the near future, the majority of your professional and personal life will be filtered through a browser. Who am I kidding — we’re already that way.

I tested each browser over several months (or longer), did a security feature review, and subjected them to popular browser security tests and hundreds of malicious Web sites (see the main story for the details). I used the latest publicly available browser version (beta or not) on fully patched Windows XP Pro SP3 and Windows Vista.

So which one is guaranteed to make your Internet browsing experience perfectly safe?

None, of course. If you have the need for high security on a computer you manage, don’t allow it to surf on the public Web. It’s that simple. Internet browsers are highly complex pieces of software interacting with millions of combinations of highly complex active content and programming code, much of it not so friendly. There is no “super secure” browser. The number of known exploits against a particular browser exactly tracks to its popularity. No surprise there. Even secure alternatives to Internet Explorer, which all new browsers seem to claim to be, had dozens of exploits (or were on track to have dozens of exploits if they haven’t been around that long).

Today, a significant portion of computer attacks comes from legitimate Web sites that have been maliciously modified. Surfing to only clean sites does not mean a safe Internet browsing experience. And the problem will only be getting worse, not better, for the near-term future.

But here might be a surprise: None of the browsers allowed malware to silently install on my test systems. I’m constantly hearing how Internet Explorer is an insecure browser because it is attacked the most and is the most complex. That’s true, but it didn’t allow any malware to silently install on the test systems. I’ve also heard that the newer, less functional browsers, which haven’t yet undergone the test of time, are more exploitable because they have less sophisticated security. That may be true as well, but again, none of the real-life malicious Web sites were able to exploit any of the browsers. In the end, I think the choice of which browser to use comes down to feature set, (both security and non-security features), functionality, and the user’s comfort level with the product.

I asked many friends and readers which browser they preferred, and most were surprised to hear that their favorite features (security or otherwise) were available in all the other browsers, too. Not all features were shared, but most were. Some people, especially enterprise managers, like products with lots of features and the ability to customize them. Home users often preferred slimmed-down browsers with faster load times, but often complained of “missing” features. Many people claimed to use two browsers for different tasks.

Yes, there will always be zero day exploits that can silently infect through a browser, but in testing, I found out that on every malware site that I visited (and I am confident that it was a good representative sample), each offered up an executable to install or tried to use an exploit for software that had already been patched. Using a fully patched system (all software, not just the browser) prevented all silent attacks in my real-world tests.

I spent weeks looking for zero day exploits to test against, and by the time I found the sites, they had been taken down or the hole had been patched. This is not to say that zero day exploits won’t get some people. Obviously, they do. But they are a very small minority, and currently, the risk is very, very small. The average end-user is far more likely (say, 99.999 percent) to come across exploits trying to leverage holes that have patches available.

Almost all the malicious Web sites I came across offered an executable to install, usually in the form of bogus anti-malware software or some sort of content player. In order to be infected, I had to intentionally run the offered executable — not always, but nearly so. There was a smattering of sites that tried to use malformed or mismatched content to trick the third-party software into silently executing code, but it was uncommon; and when my system was fully patched, it never silently succeeded. The converse is also true. When I intentionally installed the offered malware, every browser allowed the underlying host system to become compromised.

The results back up everything I’ve been saying for the past few years. Your best defense against malicious attacks is a fully patched system (OS, browser, browser add-ins, and all other software), and educating your end-users to not install the bogus offered executable (which can often look very legitimate).

Nearly all real-life exploits use JavaScript to launch the executable. It’s easy to disable JavaScript support in all the browsers, except for Chrome, but doing so can also cause problems with a high percentage of legitimate Web sites (throwing the baby out with the bathwater). Disabling JavaScript makes sense when an unpatched zero day is launched and becomes super popular (it does happen occasionally). But most serious zero day exploits are patched within a few days, so the days of risk exposure are minimized.

Also, every tested browser fell to various DoS Web sites, causing either the browser or the entire system to lock up. I don’t worry about DoS browser attacks because they require that the end-user visit the Web site, which they surely won’t if the Web site keeps locking up their computer.

I was also surprised by how many security features each of the browsers shared (Anti-Phish, cookie control, anti-XSS handling, pop-up blocking, file download detection, digital certificate handling, and so on). Each browser also presents certain strengths that will appeal to different users.

I encourage all readers to check out the individual reviews, or at least next week’s main story, to see what where the security strengths and weaknesses of each browser reviewed. But don’t forget the main lesson: A fully patched system prevented all silent attacks regardless of the browser.