NSS Labs Study Finds Internet Explorer Most Secure Against Click Fraud

An NSS Labs study conducted over 175 days has found that Internet Explorer is the most secure browser when it comes to protecting against Click Fraud.

Key findings from the NSS Labs report include:

  • Click fraud itself causes minimal direct harm to the typical end user as the ultimate target is the ad buyer.
  • Consumer and corporate users, however, are infected by additional malware as a by-product of click fraud installation.
  • Click fraud catch rates are Chrome 1.6%, Firefox 0.8%, Internet Explorer 96.6%, and Safari 0.7%.
  • Services are available that may help ad buyers identify click fraud.  However, service contracts with ad networks may contain clauses that restrict ad buyers’ ability to recover damages for click fraud.
  • The average lifespan of a click fraud URL was 32 hours with over 50% expiring within 54 hours.

The results show Internet Explorer ahead by an incredibly sizable portion – leaving Chrome in second place at a measly 1.6%, Firefox at .8%, and Safar at .7%.

Click Fraud is a type of attack that really hits advertisers, not so much the users. That’s why it’s so surprising that Chrome, a product driven by Google, is receiving such a poor score.

I’m also not about to call NSS labs out but they sure do seem to have a lot of reports indicating Internet Explorer is the most secure browser or rather they only seem to release reports about things that IE excels at (and often by massive margins). It would be really nice to have another independent research group test things out. When Accuvant did a study comparing browsers (NOT that this study was unbias) they found basically no difference between IE and Chrome in terms of detecting malware, which was contrary to a study by NSS labs that showed IE outperforming Chrome by about 60%.

Take it with a grain of salt but it’s worth noting.

Browser Wars – Everyone Else Does It

Browser Wars – Security Style

Browser wars are monthly blogs (typically following the latest release of a browser) that basically pit the latest versions of todays browsers against each other. It’s kinda lame and I feel like a tool for doing it but I’m also really bored and I think browsers in the context of security are awesome.

So, let’s start.

What Makes A Program Secure?
In an ideal world we humans would be perfect and our code would be perfect and vulnerabilities wouldn’t exist. This is not an ideal world and we are not perfect nor is our code. Vulnerabilities do exist and for the foreseeable future this will not change. So what do we do to secure programs if they’ll always be full of holes? We accept that those holes are there and we make it as hard for hackers to make use of them as we can. There are various ways to accomplish this.

So What About Browsers?
Browsers aren’t typical programs. They’re fast paced, constantly changing, plugin-filled conduits to the wide open internet. By design they take in untrusted code. They’re just dangerous and that’s why they’re so great to look at for security.

Internet Explorer 9
Internet Explorer has laughable security, right? I mean, hey, IE6 on XP was terrible and nothing’s changed. Not exactly. Microsoft has learned from their (massive, gaping) mistakes and then some. IE9 is no IE6 by any stretch of the imagination. It’s got a multiprocess architecture that allows for tabs to be separated into low-rights processes, which means that an exploit in a tab is confined to that low-rights process.
On top of that IE9 has a new version of SmartScreen, a URL and File Blacklist based on “File Reputation” and heuristics. There hasn’t been a formal study other than the one by NSS Labs on this that I know of but NSS Labs gave a remarkable score of blocking 96+% socially engineered malware (compared to trivial scores hovering around 13% for other browsers.)
As I recall Adobe Flash also runs at low integrity when used with IE9.
The low rights sandbox and smart screen make IE9 a very secure browser.
IE is Windows only and closed source.

Mozilla Firefox 4.0+
The Firefox browser, which is developed by Mozilla, is a free and open source browser that’s been very successful. In terms of customizing UI and features Firefox is top notch and it blows Chrome and IE9 out of the water in that respect. In terms of security it is… lacking.
Firefox does implement modern techniques like ASLR, DEP, and SEHOP and it even forces ASLR on toolbar binaries.
It also makes use of the Safe Browsing API 1.0, which (last I checked) blocks something like 15-20% of malware downloads.
Firefox does not implement any “extraordinary” security measures. There is no sandbox, there is no special file reputation whatever or special memory hardening technique. There’s just nothing that really stands out about Firefox.
Firefox users are able to make use of the NoScript extension, which is potentially a really great tool, but it’s not exactly accessible for the average user and I’m partial to security features that don’t bug me.
Linux users can make use of a “whole-browser” sandbox via Apparmor/LSM. A profile is provided by default on Ubuntu but it may take some tweaking, I highly recommend you check out AppArmor for your browser – check out my guide here.

All in all, I want to love Firefox, but I can’t really give it a ton of credit here.

Google Chrome X.XXX.XX.XXXX+ (or whatever)
Google Chrome is the (relatively) new player in the browser market. At only 3 and change years old it’s had a pretty impressive start, now holding market share close to Firefox. Chrome is based on Chromium, which is an entirely open source project – the difference being that Chrome packages Flash, a PDF viewer, and an update manager (on Linux it also packages support for closed codecs.)
It uses the Safe Browsing API 2.0, which includes a file reputation module. I think NSS  Labs puts it up around 40% block rate. Again, there hasn’t been what I would consider a formal study on this.
Chrome’s main feature is a sophisticated sandbox based on the Windows integrity access control and job tokens. It is similar in architecture to IE9’s sandbox but the restrictions are much tighter, with the renderer having no file access and most of the browser running at absolute lowest rights possible  on Windows.
Chrome also sandboxes the GPU process and all extensions. Each has its own separate process.
Chrome sandboxes the Flash plugin (responsible for a large number of infections) and will soon include a much more powerful sandbox for Flash via the PPAPI(nterface, which is in beta 20.)
On Linux Chrome makes use of a namespace and chroot sandbox as well as the seccomp mode 2 filters. This allows for a strong sandbox, it’s very tight. Apparmor profiles exist for it, which are useful as they’ll even restrict the zygote process. The weakness is that the zygote process must be setUID, which is why an apparmor profile is suggested.
Chrome also limits inter process communication between it and the Java plugin, which can potentially prevent Java exploitation though it’s uncommon.

Opera 11.x
Opera is the lonely browser. On a good day it gets 4% of the market. It’s got something of a cult following and boasts pretty nice performance and a ton of features built in. As with Firefox it’s pretty lacking when it comes to security.
Opera is closed source and there isn’t a ton of documentation for security. There does not seem to be anything special about it.
No sandbox (there might be one on Linux actually but I’m not sure), not too great at filtering malware (I think NSS labs had it at 0-5%, again there needs to be more formal studies here.)
Closed source doesn’t inspire confidence either frankly.

I can’t really suggest Opera if you’re looking for security.

Conclusion:
I guess I should order them or rank them or something – answer that “Which browser is most secure?” question. I won’t try to apply anything numeric to this, that would be dumb, the system is basically an amalgamation of the above and my own personal beliefs on security.

Greatest to least: Chrome, IE9, Firefox, Opera.

I think it’s pretty close between Chrome and IE9. Firefox with NoScript and Apparmor is a pretty secure browser but for a defense in depth approach I’ve got to go with Chrome. It’s dependent on what you’re trying to secure against – when it comes to system compromise you’ll want Chrome but if it’s about preventing XSS/Clickjacking Firefox with NoScript is the way to go.

There you have it. My opinion.

I left a lot out. JIT Hardening isn’t something worth measuring as the javascript VMs all work pretty differently and they just don’t apply. I didn’t both going into ASLR or other mitigation techniques, all of the browsers have these by default at this point and the differences are subtly and in the implementation. I didn’t go into privacy, incognito/ private browsing modes, not much into extensions (this could be its own post), and some other stuff to. So consider this a very simple rundown on security. Even if I were to include everything the results would be the same, you’d just be better informed.

I’m also not going into IE10, which will include some fairly significant security improvements.

Choose the browser that is right for you. Maybe that’s the one that you think is most secure, maybe it’s the one with the UI you like best, or really any other reason. It’s your choice and it’s entirely up to you.
Sources:
http://www.accuvant.com/blog/2011/12/05/which-web-browser-is-most-secured
https://www.nsslabs.com/assets/noreg-reports/2011/nss%20labs_q3_2011_browsersem%20GLOBAL-FINAL.pdf [PDF]
http://windows.microsoft.com/en-US/windows-vista/What-does-Internet-Explorer-protected-mode-do

Chrome, Internet Explorer, Firefox Response To ‘Exploit’

A recent blogpost showed how Chrome, Internet Explorer 9, and Firefox are all vulnerable to a specific bug that can be used to trick the user into downloading a file when they meant to download something else.

 the fake flash11_updater.exe download supposedly served from adobe.com is, in reality, supplied by the attacker

The bug isn’t really the issue here, though. I mean, it’s definitely useful for social engineering and I can think of a millions ways that I could infect people with this but what I’d like to draw attention to is the response given by the browser vendors.

The response to this has apparently been:

  • Chrome: reported March 30 (bug 121259). Fix planned, but no specific date set.
  • Internet Explorer: reported April 1 (case 12372gd). The vendor will not address the issue with a security patch for any current version of MSIE.
  • Firefox: reported March 30 (bug 741050). No commitment to fix at this point

I think that says a lot about browser security. None of them have fixed it and only Chrome has stated they ever plan to, though they’ve given no date. At least Firefox and Chrome gave some discussion.

Think about it this way. If I were to post “Hey guys, update Adobe Flash Player, big security update!” and I linked to the Flash page with the download started I bet a lot of you would install it without a second thought. I’d probably fall for it too if it were linked from a forum I frequent.

This isn’t the biggest security flaw ever, it’s useful for social engineering and there’s definitely potential here but it’s not going to lead to millions of infections (on its own at least.) I just think it’s interesting to see how vendors see ‘low priority’ security flaws.

Check out the proof of concept here. Tell me this wouldn’t fool you if I’d linked to it saying that it was a security update for Flash. Be honest.

Sources:

http://lcamtuf.blogspot.com/2012/05/yes-you-can-have-fun-with-downloads.html