The Web is teeming with venomous exploits. And an ever-increasing quantity of that malware sneaks onto hard drives via the browser.
Which raises the question: Does your choice of browser affect your chances of being infected? Conventional wisdom says to avoid Internet Explorer, simply because it’s the target of an order of magnitude more malware than any other browser.
That reasoning makes sense, but we couldn’t settle for the easy answer.
That’s why we drilled deep into the security workings of the five most popular browsers: Internet Explorer, Firefox, Opera, Safari and Chrome.
Every control, checkbox, and slider was poked and prodded, as we browsed the most infected sites on the Web.
In the end, we concluded that sensible user behaviour and a commitment to install the latest patches had a vastly greater impact on security than which browser you choose.
Rogue Programs: Click Me!
Most malicious exploits require an accomplice: you.
By now, you’d think people would know that if they’re visiting a site they’re unfamiliar with, and they’re asked whether they want to download something, the correct answer is “No.”
But naiveté apparently knows no bounds. Ironically, the great majority of exploits occur when an end user falls for a bait and switch such as the fake anti-virus scam (“you’ve been infected; download this anti-virus program”).
No browser can protect against such folly.
The good news is that smart users who don’t make those mistakes and keep up with patches have little to fear, even from the worst neighborhoods on the Web.
In our tests, which included exposure to more than one hundred known-malicious public Web sites, none of the fully patched browsers let through stealth infections or exploits, though browser lockups were frequent and complete system reboots sometimes necessary.
Just keep in mind that the browser is not alone in the battle. Through the browser, Web-based malware can exploit vulnerabilities in the operating system and in browser plug-ins such as Flash, Java, and QuickTime.
In addition to the browser itself, these too should be kept fully patched.
The good news is, the Web also mends. For most popular software these days — including the five browsers we tested — automated updates are available.
Browsers have many security features that help the end user avoid being bitten by malware, as well as some privacy protections.
All five browsers have pop-up blockers, anti-phishing filters, and password protection.
All except Opera allow private-session browsing, in which the browser saves nothing from the session that can be used to track your online movements: no browsing history, no cookies, no temporary Internet files, and so on.
But only two, Internet Explorer and Firefox, have the coolest browser security feature of all: configurable security zones, which let end users set up different levels of security for Web sites based on their trustworthiness.
For instance, an end user can set up a “zone” where obscure, shady-looking Web sites must face the browser’s most stringent security measures, such as disabled JavaScript, which often plays a role in malicious exploits.
Firefox and Internet Explorer also let end users turn off add-ons, whereas Safari, Opera and Chrome do not.
These browser security features play an important role in keeping the end user safe.
They also vary from browser to browser: some browsers have certain features, others do not. And some browsers are simply better at security than others. Here’s a quick look at each of the five browsers.
Microsoft Internet Explorer 8 beta 2
Pros: Internet Explorer is the powerhouse browser, boasting more than 1,300 security controls, whereas the next closest browser (Firefox) has 150.
Internet Explorer has five security zones that are easily configurable, and allows you to turn off JavaScript and add-ons. It’s the only browser with parental controls.
Cons: Explorer’s popularity makes it the primary target of hackers. Its unique support of ActiveX (another way malicious exploits get into a computer) poses an additional security threat that other browsers don’t have.
Takeaway: Internet Explorer’s superior security controls should be weighed against the fact that it’s the most frequently attacked browser in the world.
Mozilla Firefox 3.12
Pros: This battle-tested veteran has security zones and a built-in add-on manager that allows you to easily turn off add-ons and JavaScript.
Cons: Setting up security zones isn’t easy.
Takeaway: Firefox makes a good browser choice for PC users. In terms of security granularity and choices of controls, it’s second only to Internet Explorer.
Apple Safari 3.2.1
Pros: Safari boasts the most accurate anti-phishing filter and always prompts users before downloading files. Safari (like Chrome) does a good job at blocking unwanted cookies.
Cons: Lacks security zones and the ability to turn off add-ons.
Takeaway: While Safari is a great-looking browser, it’s a mixed bag with respect to security. Still, Safari, if fully patched and running on a fully patched system, can be a secure environment.
Opera 9.63
Pros: Opera has extensive security controls and good protections against “denial-of-service” attacks.
Cons: Lacks security zones, the ability to turn off add-ons, and private-session browsing. Its lack of support for key Windows security features may put it at higher risk of buffer overflow attacks.
Takeaway: Opera is a great browser but hasn’t been exposed to the crucible of constant attacks. Support for Windows’ Data Execution Prevention and Address Space Layout Randomization features is needed before its use can be more highly recommended.
Google Chrome 1.0
Pros: JavaScript runs inside a virtual machine, thus providing some containment. Chrome (like Safari) does a good job at blocking unwanted cookies.
Cons: Chrome can’t disable JavaScript — a big problem considering JavaScript is involved in some of the most malicious Web exploits. Chrome allows passwords to be displayed in plain text, potentially exposing them to passersby, and has been plagued by relatively simple buffer overflow problems.
Takeaway: The security model Chrome follows is excellent, but the security choices Google has made for its browser are often abysmal. More troubling, the vulnerabilities that have been found in Chrome are simple and common ones that Google easily should have avoided.