Firefox is least secure browser according to Google-funded study

Status
Not open for further replies.

bogdan

Level 1
Jan 7, 2011
1,362
If you exclude privacy, Chrome may very well be more secure than Internet Explorer or Firefox. While Firefox doesn't have strong security features built-in, Mozilla manages to patch vulnerabilities in time. In any case, I would put Internet Explorer in the last place, regardless of security features implemented, because it is the most targeted browser and Microsoft sometimes finds it appropriate to wait until "Patch Tuesday" to fix vulnerabilities.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
bo.elam said:
Firefox with NoScript running in a restricted sandbox is :+1: rock solid.

Bo

Agree, it's like NoScript could increase the security for Firefox.

Well, even if Chrome has the privacy issues, the impact for the users wouldn't dramatically lower the browser usage. Since Google Chrome definitely implemented more in speed and security, it's no surprise that even in tests Google Chrome is in the top spot.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
And now we officially know that Google influenced the Accuvant report, just so that Firefox would look bad...
Sophos said:
Researchers: Google gamed browser report that dissed Firefox

Security researchers at NSS Labs have charged Google with gaming the methodology and timing of a recent, Google-funded analysis of browser security — one that placed Mozilla Firefox lowest on the totem pole when compared with security in Google Chrome and Microsoft Internet Explorer.

NSS on Tuesday released a report on the browser evaluation, which was produced by product reseller Accuvant at Google's behest.

Titled The Browser Wars Just Got Ugly, NSS's report points out a myriad of methodology deficiencies in Accuvant's analysis, such as the omission of frame poisoning: a Firefox feature that blocks exploits of layout code crashes.

Here are a few more of what NSS deems Accuvant's methodology shortcomings:

The JIT hardening analysis failed to give ample credit to the more proactive technologies employed by IE9, which happened to not be present in Chrome.

Accuvant disabled highly relevant portions of non-Google browsers' protection without noting the impact on the overall results. This error in testing resulted in an erroneously negative assessment of the browsers' protection capabilities, since some browsers will only block malware during or after download and before execution.

By utilizing malware sites garnered exclusively from free public lists, the malware sample set was highly skewed in Google's favor. Justifying not using high-quality, professional malware feeds because Microsoft and/or Google may or may not subscribe to them is highly suspect.

 

Hungry Man

New Member
Jul 21, 2011
669
Not really Jack,

It's been said from the beginning (Accuvant puts it in their first or second page) that Google funded the project.

They only disabled the smartscreen in IE9 that applies to files, they did the same thing to Google and Firefox with the Google API. This gave a significant advantage to Google and Firefox, specifically Google, which also implements heuristics and other methods besides URL blacklisting.

Was this fair? In the scope of the article they were looking only at URL blacklisting, so it's arguable.

Their last point, that they used exclusively public lists, is BS frankly. That gives the same advantages to both Google and IE while (unlike NSS Labs) allowing the public to verify the results.

As for crediting the JIT hardening technologies... I can see that. Though they did give IE a lot of credit for using Null Pages, which they explicitly say that Google lacks.

Frankly, it's obvious that Chrome and IE are miles ahead of Firefox in terms of out-of-the-box security; there's not a lot of arguing otherwise. The more interesting bits were the comparisons of IE and Chrome: they pointed out a lot of interesting holes in IE's sandbox.

"The historical vulnerability analysis section applied highly questionable logic .... Having to disclose over 300 vulnerabilities during a 30 month period is a problem, not a virtue."
This quote from the NSS article is laughable and frankly it's just idiotic. It really detracts from their stronger points.

This report by NSS is less about the Accuvant study being wrong and more about them wanting to:
1) Make Accuvant look bad
2) Question Google's (and by extension Accuvant's) motives

There are multiple rather shameless plugs for NSS,
i.e.: "Well, this is what happens with vendor studies but WE don't do those (anymore)!!"

It's very evident in this quote how they feel about the raw information:
"For those curious about the inner workings of Sandbox and JIT hardening technologies, the detail provided in this report is informative and mostly accurate."

They say what I've said from the beginning: read it for the information and not the conclusions.

I would love to see NSS Labs redo this or Accuvant append their latest report to address these issues.