Browser Wars – Everyone Else Does It

Browser Wars – Security Style

Browser wars are monthly blogs (typically following the latest release of a browser) that basically pit the latest versions of todays browsers against each other. It’s kinda lame and I feel like a tool for doing it but I’m also really bored and I think browsers in the context of security are awesome.

So, let’s start.

What Makes A Program Secure?
In an ideal world we humans would be perfect and our code would be perfect and vulnerabilities wouldn’t exist. This is not an ideal world and we are not perfect nor is our code. Vulnerabilities do exist and for the foreseeable future this will not change. So what do we do to secure programs if they’ll always be full of holes? We accept that those holes are there and we make it as hard for hackers to make use of them as we can. There are various ways to accomplish this.

So What About Browsers?
Browsers aren’t typical programs. They’re fast paced, constantly changing, plugin-filled conduits to the wide open internet. By design they take in untrusted code. They’re just dangerous and that’s why they’re so great to look at for security.

Internet Explorer 9
Internet Explorer has laughable security, right? I mean, hey, IE6 on XP was terrible and nothing’s changed. Not exactly. Microsoft has learned from their (massive, gaping) mistakes and then some. IE9 is no IE6 by any stretch of the imagination. It’s got a multiprocess architecture that allows for tabs to be separated into low-rights processes, which means that an exploit in a tab is confined to that low-rights process.
On top of that IE9 has a new version of SmartScreen, a URL and File Blacklist based on “File Reputation” and heuristics. There hasn’t been a formal study other than the one by NSS Labs on this that I know of but NSS Labs gave a remarkable score of blocking 96+% socially engineered malware (compared to trivial scores hovering around 13% for other browsers.)
As I recall Adobe Flash also runs at low integrity when used with IE9.
The low rights sandbox and smart screen make IE9 a very secure browser.
IE is Windows only and closed source.

Mozilla Firefox 4.0+
The Firefox browser, which is developed by Mozilla, is a free and open source browser that’s been very successful. In terms of customizing UI and features Firefox is top notch and it blows Chrome and IE9 out of the water in that respect. In terms of security it is… lacking.
Firefox does implement modern techniques like ASLR, DEP, and SEHOP and it even forces ASLR on toolbar binaries.
It also makes use of the Safe Browsing API 1.0, which (last I checked) blocks something like 15-20% of malware downloads.
Firefox does not implement any “extraordinary” security measures. There is no sandbox, there is no special file reputation whatever or special memory hardening technique. There’s just nothing that really stands out about Firefox.
Firefox users are able to make use of the NoScript extension, which is potentially a really great tool, but it’s not exactly accessible for the average user and I’m partial to security features that don’t bug me.
Linux users can make use of a “whole-browser” sandbox via Apparmor/LSM. A profile is provided by default on Ubuntu but it may take some tweaking, I highly recommend you check out AppArmor for your browser – check out my guide here.

All in all, I want to love Firefox, but I can’t really give it a ton of credit here.

Google Chrome X.XXX.XX.XXXX+ (or whatever)
Google Chrome is the (relatively) new player in the browser market. At only 3 and change years old it’s had a pretty impressive start, now holding market share close to Firefox. Chrome is based on Chromium, which is an entirely open source project – the difference being that Chrome packages Flash, a PDF viewer, and an update manager (on Linux it also packages support for closed codecs.)
It uses the Safe Browsing API 2.0, which includes a file reputation module. I think NSS  Labs puts it up around 40% block rate. Again, there hasn’t been what I would consider a formal study on this.
Chrome’s main feature is a sophisticated sandbox based on the Windows integrity access control and job tokens. It is similar in architecture to IE9’s sandbox but the restrictions are much tighter, with the renderer having no file access and most of the browser running at absolute lowest rights possible  on Windows.
Chrome also sandboxes the GPU process and all extensions. Each has its own separate process.
Chrome sandboxes the Flash plugin (responsible for a large number of infections) and will soon include a much more powerful sandbox for Flash via the PPAPI(nterface, which is in beta 20.)
On Linux Chrome makes use of a namespace and chroot sandbox as well as the seccomp mode 2 filters. This allows for a strong sandbox, it’s very tight. Apparmor profiles exist for it, which are useful as they’ll even restrict the zygote process. The weakness is that the zygote process must be setUID, which is why an apparmor profile is suggested.
Chrome also limits inter process communication between it and the Java plugin, which can potentially prevent Java exploitation though it’s uncommon.

Opera 11.x
Opera is the lonely browser. On a good day it gets 4% of the market. It’s got something of a cult following and boasts pretty nice performance and a ton of features built in. As with Firefox it’s pretty lacking when it comes to security.
Opera is closed source and there isn’t a ton of documentation for security. There does not seem to be anything special about it.
No sandbox (there might be one on Linux actually but I’m not sure), not too great at filtering malware (I think NSS labs had it at 0-5%, again there needs to be more formal studies here.)
Closed source doesn’t inspire confidence either frankly.

I can’t really suggest Opera if you’re looking for security.

Conclusion:
I guess I should order them or rank them or something – answer that “Which browser is most secure?” question. I won’t try to apply anything numeric to this, that would be dumb, the system is basically an amalgamation of the above and my own personal beliefs on security.

Greatest to least: Chrome, IE9, Firefox, Opera.

I think it’s pretty close between Chrome and IE9. Firefox with NoScript and Apparmor is a pretty secure browser but for a defense in depth approach I’ve got to go with Chrome. It’s dependent on what you’re trying to secure against – when it comes to system compromise you’ll want Chrome but if it’s about preventing XSS/Clickjacking Firefox with NoScript is the way to go.

There you have it. My opinion.

I left a lot out. JIT Hardening isn’t something worth measuring as the javascript VMs all work pretty differently and they just don’t apply. I didn’t both going into ASLR or other mitigation techniques, all of the browsers have these by default at this point and the differences are subtly and in the implementation. I didn’t go into privacy, incognito/ private browsing modes, not much into extensions (this could be its own post), and some other stuff to. So consider this a very simple rundown on security. Even if I were to include everything the results would be the same, you’d just be better informed.

I’m also not going into IE10, which will include some fairly significant security improvements.

Choose the browser that is right for you. Maybe that’s the one that you think is most secure, maybe it’s the one with the UI you like best, or really any other reason. It’s your choice and it’s entirely up to you.
Sources:
http://www.accuvant.com/blog/2011/12/05/which-web-browser-is-most-secured
https://www.nsslabs.com/assets/noreg-reports/2011/nss%20labs_q3_2011_browsersem%20GLOBAL-FINAL.pdf [PDF]
http://windows.microsoft.com/en-US/windows-vista/What-does-Internet-Explorer-protected-mode-do