Mozilla fixes Firefox 16 web browser flaw with update

Mozilla has updated its Firefox browser to fix a flaw that could have allowed sites to find out which other web pages its users had visited.

The security vulnerability was introduced in the 16th edition of its software, temporarily causing Mozilla to replace it with an older version.

The flawed version of the software was only online for a day.

Firefox had a 20% share of the global desktop browser market in September, according to a study by Netmarketshare.

That places it second only to Microsoft's Internet Explorer.

"We were quick to recognise the security vulnerability of Firefox 16 and took immediate action to temporarily remove the update from the current installer page," a spokesman from Mozilla told the BBC.

"As a precaution we asked Firefox users to revert back to using Firefox 15.0.1 whilst we worked to fix the problem. Firefox 16 was released with updates completely 'throttled', which meant that users were not automatically updated.

"We take security issues extremely seriously and were able to address the problem with Firefox quickly with limited impact to our users."

Browser bugs

Tal Be'ery, a web researcher at Imperva, explained how the error could have been exploited.

"Firefox is basically leaking a URL's [web address] data across domains by not restricting [programming language] Javascript's location method," he said.

He added that a proof-of-concept exploit had already been created to show how this might be used by hackers to obtain a user's Twitter ID.

It is not unusual for flaws to be discovered in web browsers.

Last month Microsoft was spurred to action by news that a previously unknown security hole in older versions of Internet Explorer was being used to download malware to PCs. The Poison Ivy Trojan allowed hackers to take control of infected computers.

Google recently awarded a teenage researcher $60,000 (£37,400) after he revealed a flaw in Chrome that could be used by a hacker to take control of a victim's system.

The search giant has since issued a fix, but said it would not publish details of how the exploit worked until Apple issued a fix to Safari, which is also vulnerable.

Quick fix

Graham Cluely, senior technology consultant at security software firm Sophos, said Mozilla's flaw could have proved serious had it not been spotted so quickly.

Source: bbc.co.uk

Read More

Mozilla previews 'Metro'-ized Firefox for Windows 8

But it won't ship until months after Windows 8 debuts

Mozilla last week released the first public preview of a Firefox browser that runs in Windows 8's touch-first "Modern" or "Metro" user interface (UI).

he Firefox app for Modern -- the UI dubbed "Metro" until Microsoft ditched the term over trademark issues -- will be partnered with the traditional desktop browser in a package that may appear in early January 2013 as Firefox 18.

Asa Dotzler, product manager for Firefox, announced the preview last Thursday in a short post to a Mozilla blog.

"Over the coming weeks and months, we'll be adding more features, tightening up Windows integration, improving performance and responsiveness, and finishing up all the necessary work to deliver a first-class Firefox experience for Windows 8," Dotzler wrote.

Users running Windows 8 RTM (release to manufacturing), the final code Microsoft started distributing in mid-August, can download and install a Modern-ized Firefox from Mozilla's "Nightly" channel, a rough-edged, in-development build that precedes the better-known Aurora, Beta and Final stages for each edition.

As Dotzler acknowledged, Firefox for Modern harbors bugs and omits features that should appear in the final.

Computerworld, in fact, was unable to run the Firefox app in the Modern UI on a 32-bit version of Windows 8 RTM. The touch-sensitive browser, however, did launch and work properly in Windows 8 64-bit.

Mozilla engineers are investigating the issue.

Brian Bondy, a Firefox platform engineer who has been working on the Modern version for Windows 8 for most of the year, was more specific than Dotzler in describing what is in the preview, and to a lesser extent, what will be in the future.

Last spring, Mozilla committed to creating a browser for Windows 8's new UI, the first of Microsoft's rivals to do so; Google followed suit a month later.

Browsers are a special case for Windows 8. After a several-month delay last year, Microsoft allowed hybrid desktop-Modern browsers.

Modern-style enabled browsers can run outside the normal security sandbox required for all other apps, and have access to most Windows APIs (application programming interface) on the classic desktop side, as well as the new WinRT API, the backbone of the Modern side of Windows 8 application development.

The category also gets an important pass from Microsoft: A Modern-enabled desktop browser circumvents the Windows Store -- the Microsoft-curated distribution channel -- and when installed on the Windows 8 classic desktop, simultaneously installs the Modern version.

The biggest caveat for a Windows 8 hybrid browser is that only the default browser -- which is set by the user -- can run in the Modern UI. During setup Windows 8 assigns Internet Explorer 10 (IE10) as the default browser.

Source: computerworld.com

Read More

Mozilla confirms critical Firefox bug

Slates patch for March 30; flaw can't be used in upcoming Pwn2Own hack contest
Mozilla yesterday confirmed a critical vulnerability in the newest version of Firefox, and said it would plug the hole by the end of the month.

Although the patch won't be added to Firefox before next week's Pwn2Own browser hacking challenge, researchers won't be allowed to use the flaw, according to the contest's organizer.

"The vulnerability was determined to be critical and could result in remote code execution by an attacker," Mozilla acknowledged in a post to its security blog late Thursday. "The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix."

Firefox 3.6, which Mozilla launched in January, is affected, Mozilla said, adding that it would be patched in version 3.6.2, currently slated to ship on March 30.

The bug was disclosed by Russian researcher Evgeny Legerov a month ago in a message posted on a forum hosted by Immunity, the Miami Beach, Fla. developer best known for its Canvas penetration testing framework. Legerov works for Moscow-based Intevydis, which produces the VulnDisco add-on for Canvas.

Legerov did not publish attack code, and initially refused to provide details to Mozilla, according to a March 4 entry he posted on his blog. "I've ignored e-mails ... from Mozilla, please do not waste my and your time anymore," Legerov wrote. The blog has since been deleted, but is still available via Google's cache.

In comments appended to a vulnerability alert published by Danish bug tracker Secunia, several users questioned Legerov's motives for making the announcement, while others chided Secunia for not thoroughly testing the flaw or claimed that it was all a hoax.

Mozilla yesterday said Legerov had eventually sent them "sufficient details to reproduce and analyze the issue."

Until the March 30 patch is released, users can upgrade Firefox to the beta of version 3.6.2, which includes the fix, by downloading the preview.

Although Apple and Google have recently updated Safari and Chrome, respectively -- beefing up the browsers' security before the $100,000 Pwn2Own hacking contest starts March 24 -- the version of Firefox that will be used in the challenge will lack the patch for Legerov's vulnerability. Pwn2Own will pit only production versions of Chrome, Firefox, Internet Explorer (IE) and Safari against the hacking talents of researchers.

However, that doesn't mean hackers will be able to use the bug to claim one of the $10,000 prizes for successfully exploiting Firefox. "We will have our entire research team on-site so that we can do our best to ensure that known issues such as this one do not turn up at our contest," said Aaron Portnoy, a research team lead with 3Com TippingPoint, the company sponsoring Pwn2Own.

Portnoy, who organized the fourth annual contest, has predicted that Microsoft's IE8 will be the first browser to fall during the three-day event.

Mozilla will also patch Firefox 3.0 (with 3.0.19) and Firefox 3.5 (with 3.5.9) on March 30. Firefox 3.0.19 will be the final security update for the browser Mozilla debuted in mid-2008.

Source: ComputerWorld.com

Read More

Hands on: Internet Explorer 9 Platform Preview shows speed, not much else

For now, the main selling points are increased performance and support for HTML 5
The Internet Explorer 9 Platform Preview exhibits to good effect two of what Microsoft says will be the new browser's selling points: speed and HTML 5 support. If the final version is as fast as or faster than the preview, IE will no longer be a laggard in the browser race and will most likely beat out Firefox. HTML 5 support is a nice extra, but it's still too early to tell how important that will be.

At this point, the IE9 Platform Preview is little more than a browser display engine, and it isn't intended for users. Instead, it's Microsoft's attempt to give developers a heads-up about where the browser is headed. There's no address bar, no navigation features or Favorites, no Back or Forward buttons, no multiple tabs, no malware protection or other basic or advanced browser features. To visit a Web site, you have to press Ctrl-O, type in the URL and then press Enter. When you click a hyperlink that would normally open a new window, that page will open in your default browser.

Not surprisingly, the IE9 Platform Preview doesn't replace your existing version of IE. Instead, it runs alongside it. It cannot be set as your default browser. It runs only with Windows Server 2008 R2, Windows Vista Service Pack 2 or Windows 7. To run it on Vista SP2 and Windows Server R2, you'll need the Platform Update. It won't run on Windows XP -- now, or when it finally ships, according to Microsoft.
The need for speed

IE8 and previous versions of IE have been criticized for being far slower than competing browsers such as Firefox and Chrome, and tests have proved that out. The IE9 Platform Preview fixes that problem. In my testing on two PCs -- one with Windows Vista and other with Windows 7 -- I found it far speedier than earlier versions of IE, and faster than Firefox.

I ran the SunSpider JavaScript Benchmark on a Dell Dimension 9200 with an Intel Core 2 Quad CPU and 2GB of RAM. I tested the Internet Explorer 9 Platform Preview, Internet Explorer 8, and the current versions of Firefox (3.6) and Chrome (4.1). IE9 exhibited a dramatic speed improvement; with an average score of 804ms, it performed more than six times faster than IE8 (5078ms) and nosed out Firefox (914ms) but was beaten by Chrome (489ms).


Microsoft says that one way it sped up the browser was by using a separate processor core to compile JavaScript in the background. JavaScript is only one benchmark for speed, of course. The vendor says it has taken steps to speed up the browser in other ways as well, notably by using a PC's graphics processor to accelerate the rendering of text and graphics.

There's no way to adequately test this, so I can't report on it accurately. But on the IE9 Test Drive site, you can find several impressive demonstrations of interactive HTML 5 graphics powered by your graphics processor. I also tested Chrome and Firefox; both were significantly slower than IE9 and did not display the test graphics properly. However, there's no way to know whether the graphics on the page have been specifically tuned for IE9, so it's hard to know how significant the results are.

Adherence to standards

Microsoft is also touting IE9's adherence to HTML 5 standards, including a variety of features such as the ability to embed video and to interactively change and animate the borders of Web pages. To show them off, the company has created a set of Web pages on its IE9 Test Drive site.

The results are fast and impressive, but again, it's hard to know how well the browser will work in the real world, since the pages may have been tuned for it. And because HTML 5 is not in general use, this may not be a big selling point in the short term, although it could be important in the long term.

Currently, IE9 doesn't play HTML 5 videos using the HTML 5

Read More

Chrome sets browser security standard, says expert

Dino Dai Zovi urges browser makers to follow Google's lead
All browser makers should take a page from Google's Chrome and isolate untrusted data from the rest of the operating system, a noted security researcher said today.

Dino Dai Zovi, a security researcher and co-author of The Mac Hacker's Handbook, believes that the future of security relies on "sandboxing," the practice of separating application processes from other applications, the operating system and user data.

In a Wednesday entry on Kaspersky Labs' ThreatPost blog, Dai Zovi described sandboxing, as well as the lesser security technique of "privilege reduction," as "[moving] the bull (untrusted data) from the china shop (your data) to the outside where it belongs (a sandbox)."

The idea behind sandboxing is to make it harder for attackers to get their malicious software onto machines. Even if an attacker was able to exploit a browser vulnerability and execute malware, he would still have to exploit another vulnerability in the sandbox technology to break into the operating system and, thus, get to the user's data.

"Sandboxing raises the bar significantly enough that attackers will have to turn to other [types of attacks], like rogue anti-virus software," Dai Zovi said today in a telephone interview.

The pervasiveness of Web-based attacks calls for browser sandboxing, Dai Zovi argued. "It's crucially important because, in my opinion, the browser will become the OS," he said. "Google is the first to realize that the browser is the operating system, and Chrome is a huge leap forward with its ground-up rewrite."

Chrome has included sandboxing since its September 2008 debut. And while Dai Zovi considers it easily the leader in security because of that, other browser have, or will, make their own stabs at reducing users' risks.

For example, Microsoft's Internet Explorer 7 (IE7) and IE8 on Vista and Windows 7 include a feature dubbed "Protected Mode," which reduces the privileges of the application so that it's difficult for attackers to write, alter or destroy data on the machine, or to install malware. But it's not a true sandbox as far as Dai Zovi is concerned.

Currently, Mozilla's Firefox, Apple's Safari and Opera Software's Opera lack any sandboxing or privilege reduction features. "Apple, for example, has implemented some sandboxing in Snow Leopard, but [although] security researchers were hoping to see some of that technology used in Safari, that hasn't happened," Dai Zovi said.

Mozilla is working on Chrome-like sandboxing for Firefox -- the project's dubbed "Electrolysis" -- but the feature probably won't make it into the browser until Firefox 4.0, which is now slated to ship in late 2010 or early 2011.

Dai Zovi sees browser sandboxing as an answer to the flood of exploits that have overwhelmed users in the past year. "This isn't perfect, but it's the direction we should be heading in," he said. "The idea of fixing every vulnerability is clearly not working. We can't always win the race to patch."

But sandboxing, or at the least, reducing the browser's ability to affect the rest of the OS, may be the way to block most attacks. "It adds more defense-in-depth and impedes attackers," Dai Zovi said.

Read More

Mozilla ships Firefox 3.6 release candidate, nears final

Barring problems, RC1 will turn into final as early as Jan. 18
Mozilla on Friday shipped a release candidate build of Firefox 3.6 that, barring problems, will become the final, finished version of the upgrade.
irefox 3.6 Release Candidate 1 (RC1), which followed a run of betas that started in early November, features nearly 100 bug fixes from the fifth beta that Mozilla issued Dec. 17. The fixes resolved numerous crash bugs, including one that brought down the browser when it was steered to Yahoo's front page.

Another fix removed a small amount of code owned by Microsoft from Firefox. The code was pointed out by a Mozilla contributor, and after digging, another developer found the original Microsoft license agreement. "Amusingly enough, it's actually really permissive. Really the only part that's problematic is the agreement to 'include the copyright notice ... on your product label and as a part of the sign-on message for your software product,'" wrote Kyle Huey on Bugzilla, Mozilla's bug- and change-tracking database. Even so, others working the bug said the code needed to be replaced with Mozilla's own.

RC1 may be the last preview before Mozilla declares the edition done. "Should everything run smoothly during testing this is what will be released to our users as the official version after a beta period," noted a page on the Mozilla wiki dedicated to Firefox 3.6 RC1 testing.

If past practice is any clue, the final of Firefox 3.6 could be ready for downloading as early as Jan. 18. Last summer, Mozilla delivered the release candidate of Firefox 3.5 on June 20, then launched the browser 10 days later. In 2008, the window between the last release candidate of Firefox 3.0 and the final was 13 days.

RC1 was once slated for release in October 2009, with a final Firefox 3.6 scheduled for the following month. But Mozilla delayed Firefox 3.6 as it struggled to make deadlines, then decided Dec. 17 to issue a fifth beta rather than push for a release candidate. Even so, Mozilla maintained that it would get RC1 out by the end of 2009.

Mozilla has had trouble making its development schedules. In 2008, the company originally shot for a late-2008 release of Firefox 3.5, but eventually postponed the ship date to mid-2009 in order to add features and quash troublesome bugs in the then-new TraceMonkey JavaScript engine.

Among the new features in Firefox 3.6 are built-in support for the scaled-down browser skins dubbed "Personas;" warnings of out-of-date plug-ins; support for new CSS, DOM and HTML 5 technologies; support for full-screen video embedded with the video HTML tag; and support for the Web Open Font Format (WOFF).

TraceMonkey has also been refreshed to boost JavaScript performance, something Mike Shaver, Mozilla's chief engineer, bragged about last week on Twitter. "I am excited about upcoming JS [JavaScript] engine work, and I don't care who knows it," Shaver tweeted.

As is usual for a Firefox preview, not all of the available browser's add-ons are compatible with the release candidate. According to Mozilla, about 75% can be used with Firefox 3.6.

Firefox controls about 25% of the global browser market, according to the most recent data from U.S.-based metrics company Net Applications. But while Firefox's usage share remained flat last month, Google's Chrome surged into third place, pushing Apple's Safari into the No. 4 slot for the first time.

Firefox 3.6 RC1 can be downloaded from Mozilla's Web site for Windows, Mac and Linux. Users running a beta of Firefox 3.6 should see upgrade notices shortly if they haven't already.

Read More

Test Center guide to browser security

Chrome, Firefox, Internet Explorer, Opera, and Safari have different security advantages and shortcomings. More important than the browser you choose, however, is how you maintain and use it.
The recent out-of-band emergency patch for Internet Explorer has many pundits recommending any browser but IE as the best security defense. Although there is some safety in using less frequently attacked software, a better question is which is the safest choice among the most popular browsers? What are the most important security features to look for in a browser, and what are the weaknesses to beware?

This review focuses on security features of the following Windows-based Internet browsers: Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Opera Software's Opera, and Apple's Safari. All but Chrome are included because they rank among the most popular browsers, with long track records and millions of users. Google Chrome is included because it boasts a unique security model and the wide expectation to significantly eat into the other browsers' market share. The latest publicly available versions (including beta versions) have been used in the review. Each browser has been tested on Windows XP Pro SP3 and Windows Vista Enterprise.

The purpose of this review was to test each browser's security fitness. As such, these reviews generally do not cover any new features not related to security. Also, since this review was focused on testing the security of each particular browser, all browsers were tested with the default vendor-installed add-ons only. For example, although NoScript is a popular Firefox browser add-on often installed to enhance security, it isn't installed by default and isn't created by the vendor, so it wasn't included in the review.

Full disclosure: The author of this article is employed full-time by Microsoft as a security architect. He has no involvement in the development or marketing of Internet Explorer. He uses multiple browsers across several OS platforms on a daily basis and has several favorites, including browsers not included in this review.

Making a secure browser
If you're looking for the perfectly secure browser, stop looking. Each new browser entry typically promises a more secure browsing experience, only to prove that making a truly secure Web browser is difficult. Each of the most popular browsers has dozens of patched vulnerabilities. Even the newest, Google's Chrome, released in beta form in September 2008, has nearly a dozen exploits already. Perhaps the strongest testament to how hard it is to make a secure Internet browser is the fact that even the text-only Lynx browser, which is as simple as a browser can be (it can't even display pictures or video without external programs), has had five vulnerabilities. If attackers can cause buffer overflows in a text-based browser, any browser more complex will have its issues.

In general, administrators must consider every Internet-connected Web browser as high risk. In very high-security environments, Web browsers aren't allowed to run or aren't allowed to render content from the Internet. But assuming your enterprise needs to browse the Internet and seeks a Web browser with an acceptable level of security, keep reading. A secure browser must include the following traits as a minimum:

* It was coded using Security Development Lifecycle (SDL) techniques.
* It has undergone code review and fuzzing.
* It logically separates network and local security domains.
* It prevents easy malicious remote control.
* It prevents malicious redirection.
* It has secure defaults.
* It allows the user to confirm any file download or execution.
* It prevents URL obscurity.
* It contains anti-buffer overflow features.
* It supports common secure protocols (SSL,TLS, etc.) and ciphers (3DES, AES, RSA, etc.).
* It patches and updates itself automatically (with the user's consent).
* It has a pop-up blocker.
* It utilizes an anti-phishing filter.
* It prevents Web site cookie misuse.
* It prevents easy URL spoofing.
* It provides security zones/domains to segregate trust and functionality.
* It protects the user's Web site logon credentials during storage and use.
* It allows browser add-ons to be easily enabled and disabled.
* It prevents mischievous window use.
* It provides privacy controls.
* It has been battle tested by hackers over a sufficient period of time.

Another good place to start learning the detailed basics of Web browser security is Part 2 of the Browser Security Handbook, maintained by Michal Zalewski. The Browser Security Handbook gives a great introduction to many of the behind-the-scenes security policies that underlie most of today's browsers and indicates which features are supported in various browsers.

How to measure the security of a browser
Vulnerability counts and the frequency of announced exploits account for much of the overall risk to a Web browser, but they are far from the only relevant factors to consider. In this security review, the following criteria were used during evaluation:

Security model. Each browser is coded on the underlying strength of the browser vendor's chosen security model. This model is what keeps the untrusted network side separated from the more trusted security zones. If malware is able to exploit the browser, how easily can it compromise the whole system? What defenses did the vendor include in the browser's underlying design to prevent malicious use? How is malicious redirection (such as cross-domain cross-site scripting and frame theft) prevented? Is memory secured and cleared against malicious reuse? Does the browser give end-users multiple security domains or zones with varying levels of functionality in which to place different Web sites according to their level of associated trust? What end-user protections have been built into the browser? Does the browser attempt to update itself? All of these questions, and more, go into determining the fitness of a browser's security model.

When the browser runs on Windows does it take advantage of Data Execution Prevention (DEP)? If it runs on Windows Vista, does it use file and registry virtualization, Mandatory Integrity Controls (see sidebar), or Address Space Layout Randomization? These topics require too much space to discuss appropriately in this review, but all four mechanisms can make it harder for malware to gain system control.

Feature set and complexity. More features and increased complexity are the antithesis of computer security. Additional features mean more code available to exploit with more unexpected interactions. Conversely, a browser with a minimal feature set may not be able to render popular Web sites, which forces the user to use another browser or to install potentially insecure add-ons. Popular add-ons are often exploited by malware writers.

User-definable security zones (also known as security domains) are also an important feature. Ultimately, less functionality translates into better security. Security zones provide a way to classify various Web sites as more trustworthy and, hence, suited for greater functionality. You should be able to trust your company's Web sites significantly more than a Web site offering pirated software or a small Web page served up by someone you don't know. Security zones allow you to set various security settings and functionalities based upon the Web site's location, domain, or IP address.

Security domains are used in every computer security product (firewalls, IPSes, and so on) to establish security boundaries and areas of default trust. Having a security zone in a browser extends that model. Browsers without security zones encourage you to treat all Web sites with the same level of trust -- as well as to reconfigure the browser or use another browser for less trustworthy Web sites before each visit.

Vulnerability announcements and attacks. How many vulnerabilities have been found and publicly announced against the browser product? Are the vulnerability counts going up or down as the vendor patches its browser? How severe have the vulnerabilities been? Do they allow full system compromise or denial of service? How many vulnerabilities are currently unpatched? What is the history of zero-day attacks against the vendor? How often is the vendor's browser targeted versus a competitor's product?

Browser security tests. How did the browser fare against popularly available browser security test suites? In this review, all of the products passed the most well-known browser security tests located on the Internet, so each item was further exposed to dozens of real-life malicious Web sites. Often the outcome was not pretty. I experienced frequent browser lockups, objectionable content, and sometimes complete system reboots.

Enterprise manageability features. InfoWorld caters to administrators and technicians who need to accomplish tasks across an entire enterprise. It is generally easy to secure a favorite individual browser for personal use, but doing so for an entire business requires special tools. If the browser were selected for enterprise use, how easy is it to install, set, and manage secure configurations for every user?

These are the general categories that were considered when reviewing each Internet browser.

How I tested
I downloaded the latest publicly available version of each browser (including beta products) and installed it on fully patched 32-bit versions of Windows Vista Enterprise SP1 and Windows XP Pro SP3. I reviewed all security settings and options and checked the vendor documentation for clarification. I then subjected each browser to numerous tests, including dozens of pre-defined tests made in the lab, Internet-based test suites, and exposing the browsers to known-malicious Web sites.

The Internet-based test suites included several browser security test sites, such as scanit and Jason's Toolbox; several JavaScript, Java, and pop-up blocker testing sites; several cross-site scripting (XSS) testing Web sites; and several browser privacy test sites. I tested the security of the browsers' password handling using the Password Manager Evaluator Web site and the security of cookie handling using the Gibson Research Corporation's Cookie Forensics Web site. I tested Extended Validation certificates using links provided on the IIS7 site.

I surfed to dozens of Web sites known to contain live malware from several public and private malware site lists, including ShadowServer. I also visited dozens of known phishing Web sites, courtesy of PhishTank and similar referral sites. I used Process Explorer to monitor local processes and resources during install and ongoing operations. And I sniffed the browsers' network traffic using Microsoft Network Monitor or Wireshark and examined the results for information leaks.

Finally, I also relied on public vulnerability testing for these evaluations, including Metasploit and milw0rm.com. Vulnerability statistics were taken from Secunia.com or CVE.

Additionally, each browser was used over a series of several weeks (or longer) to test general use, patching intervals, and other involved functionality.

The most secure browser
Which of the browsers tested can claim to be the most secure? Here's the big shocker: None of the fully patched browsers allowed silent infections or exploitation beyond simple DoS attacks. All of the browsers stopped the latest malicious attacks available on the Internet. Occasional zero-day attacks could silently infect a particular browser during a particular period of time, but all of the browsers have this same risk, and all of the browser vendors in this review are fairly consistent in patching significant problems in a timely manner.

Hence, the overall conclusion of this review is that any fully patched browser can be used relatively safely. You can change browsers, but your risk is the same with all of them -- nearly zero -- if your browser, OS, and all add-ons and plug-ins are fully patched.

However, if I pretended to be an end-user tricked into running a malicious executable (such as a fake anti-virus program), each browser allowed the system to be infected and compromised. End-users running on Windows Vista without elevated credentials would have prevented most malware infections from occurring, but even those users were readily exploited if they purposefully elevated themselves to install the rogue program.

Browser security tips
Instead of accusing one browser of being weaker than another, real-world testing has revealed that users should pick a browser that has the security features and functionality they desire, and implement the following suggestions.

* Don't log on as admin or root when running an Internet browser (or use UAC on Windows Vista, SU on Linux, etc.).
* Make sure the browser, OS, and all add-ons and plug-ins are fully patched.
* Don't be tricked into running malicious code.
* If unexpectedly prompted to install third-party software while browsing a site, open another tab and download the requested software directly from the software vendor's Web site.
* Be careful about which add-ons and plug-ins you use. Many aren't secure, many are very insecure, and some are actually malware in disguise.

Browser findings
As expected, each Web browser had its fair share of security advantages and disadvantages. All of the browsers reviewed here, save Google Chrome, have had years to mature in response to previous malicious attacks. All of the browsers had SSL/TLS (Secure Sockets Layer/Transport Layer Security) support, anti-phishing filters, pop-up ad blocking, cross-site script (XSS) filtering, automated updates, private session browsing, and cookie handling. The following review summaries highlight their differences. Click the links to the full reviews for more detail. See also the table, "Web browser security features," comparing security features among all of the browsers.

Google Chrome 1.0
Google's first browser is a security paradox. It begins with the best browser security model, but then layers questionable decisions over a dearth of security features. It utilizes Windows Vista's new security features even better than the browser that came with Vista. JavaScript runs inside of a virtual machine environment, where it is further restricted.

Unfortunately, Chrome has almost no significant security granularity, and no separate security zones in which to place Web sites with different trust expectations. More disappointing, you cannot disable JavaScript at all. This is a huge security oversight, even if Google believes the browser can trap malicious JavaScript within the sandbox. Perhaps most troubling, Chrome has been plagued by relatively simple buffer overflow problems.

Chrome has the potential to be one of the most secure Internet browsers, but its initial showing only leaves significant questions. Read the complete review.

Mozilla Firefox 3.12
Mozilla's Firefox deserves the growing market share it has today. It is a battle-tested veteran with best-in-class cipher support, excellent add-on management, and growing enterprise features. Firefox has a fair amount of security granularity and is the only browser besides Internet Explorer to provide multiple security zones, although they are not easy to configure.

JavaScript can be disabled on a global basis, but it takes a separate add-on (called NoScript) to enable or disable it on a per-site basis. Using the About:security option in the URL bar allows the user to configure dozens of features and security settings, but the only enterprise deployment and management tools are offered by third parties. Firefox makes a good browser choice for anyone, especially for users who want to avoid the risk of native ActiveX support.
Microsoft Internet Explorer 8 beta 2
Internet Explorer is the most frequently attacked browser in the world. Its popularity, complexity, and support of ActiveX controls gives it an elevated risk as compared to the rest of the competition. Still, it also has best-in-class enterprise support, superior security granularity, and multiple security zones in which to deploy Web sites with different trust requirements. It's the only browser with built-in parental controls and a granular add-on manager.

It is also the only browser with serious enterprise management features, providing more than 1,200 customizable settings across multiple security zones. For example, the U.S. government requires what is called FDCC (Federal Desktop Core Configuration) on all of its software, and FIPS (Federal Information Processing Standards) ciphers only. Tens of millions of PCs fall under these requirements. Only IE allows these policies to be enforced across all desktops. It is difficult to achieve with any of the other browsers.

IE 8 is bringing many new features to the table, including per-user and per-site control of ActiveX programs and other add-ons. Its improved base security model is second only to Google's Chrome, and nearly every security feature it has is mature and built for enterprise use. Read the complete review.

Opera 9.63
Opera is a solid browser that deserves more market share in the PC world. It has impressive security granularity, good anti-DoS handling, strict Extended Validation certificate handling, and many unique features. Its lack of market share means it hasn't been as tested as Internet Explorer and Firefox, but it has been involved in fighting many found vulnerabilities.

On the downside, Opera doesn't support DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), or ECC (Elliptical Curve Cryptography) ciphers. These deficiencies need to be corrected before its use can be more highly recommended. Even now, I invite readers to check out Opera. I think many people will be pleasantly surprised. Read the complete review.

Apple Safari 3.2.1
Apple's Safari browser has many good features, but lacks security granularity and zones. It has good pop-up blocking, good local password protection, and a surprisingly accurate anti-phishing filter. Unfortunately, DEP is disabled, something that needs to be corrected. Safari has the weakest cipher support, failing to offer AES ciphers, 256-bit keys, or ECC ciphers.

Safari always automatically prompts the user before downloading files, and it prevents some high-risk files from being executed before downloading. Safari has good default cookie control. It is one of only two browsers in this review (the other is Chrome) to prevent all writes by third-party cookies by default, which is a nice privacy bonus. Although local password protection is strong, Safari had the weakest remote password handling of the bunch. Safari is a great-looking browser but a mixed bag with respect to security

Read More

Test Center: How secure is Google Chrome?

Google's shiny new open source Web browser is a frustrating blend of excellent security model, questionable decisions, and a dearth of critical security controls.
Google Chrome was built from the ground up to be a more secure Web browser, and Google and its Chromium developers should be applauded for the attention they have brought to browser security. Google deserves much credit for the wealth of security information posted on the Internet and on the Google Chrome blog, and for making Chrome's source code available for anyone to examine.

he security model Chrome follows is excellent. Chrome separates the main browser program, called the browser kernel, from the rendering processes, which are based upon the open source WebKit engine, also used by Apple's Safari. The browser kernel starts with all privileges removed, the null SID (a security identifier in Windows Vista that denotes the user as untrusted), and multiple "restrict" and "deny" SIDs enabled. On Windows Vista, Chrome runs as a medium-integrity process.

Every Web site is given its own separate rendering process, memory space, global data structures, access token, tab, URL bar, desktop, and so forth. Currently, Chrome will open as many as 20 separate processes, one for each Web site, and start sharing processes between Web sites after that. Rendering processes are highly restricted as to what they can and can't do. On Windows Vista, Chrome's rendering processes run with low integrity, much like Internet Explorer in Protected Mode. But Chrome actually uses Vista's mandatory integrity controls more securely than Microsoft does. For one, Chrome attempts to prevent low-integrity browser processes from reading high-integrity resources, which is not normally prevented. (By default, Vista prevents lower to higher modifications, but not reads.)

Both the browser kernel and rendering processes run with DEP (Data Execution Prevention) and ASLR (Address Space Layout Representation) enabled, and with virtualization disabled. Any supplementary browser add-ons are run in a separate, medium-integrity (or higher-integrity) process. This screen image shows the various browser processes and their security settings, as enumerated by Process Explorer on Windows Vista. Chrome even has its own Task Manager and internal page to show memory and CPU statistics. With respect to the base security model, Chrome is leading the pack. It's beautiful.

Interesting innovations
A slightly questionable choice is Google's decision to allow Chrome to be installed without requiring Administrator-level access. This can make Chrome installs difficult to manage in an enterprise environment, but Microsoft is encouraging this sort of behavior in all vendors (to prevent Windows system modifications). Chrome is just one of the first major apps to follow Microsoft's advice.

Chrome also installs the Googleupdate.exe application, scheduled to run automatically in Windows Vista Task Scheduler, which frequently dials home (although only when the user is logged on and the computer is idle) and checks for browser (and other Google application) updates, and silently installs them. This is a great way to keep the browser up to date (patches are currently applied more frequently than once a week), but it riles many security administrators because there is no notification of the outward-bound search, no notification of pending patches, and no approval requested for patches to be applied; plus, this behavior cannot be easily changed.

Another interesting concept is Chrome's virtual JavaScript machine, called V8. Google's Chromium team built its own virtual environment for all JavaScript execution. V8 even converts JavaScript code into native machine language (to speed up Web-page loading) and has its own memory garbage-collection processes, source-code inspector, and debugger. V8 significantly limits what can be accomplished by JavaScript against the user's system, including preventing the normal JavaScript pop-ups. In testing, Chrome did pretty well against pop-up ads but suffered from UI problems and slowness on some of the JavaScript modal tests.

Chrome has many standard security features, including a browser-session privacy mode (called Incognito); anti-phishing capability (called Google Chrome's Safe Browsing); one-button setting resets; forced file saves before launching; moniker handling (which helps thwart attempts to fool the browser into launching helper applications that can be exploited); and MIME content-type sniffing (which helps thwart attempts to fool the browser into downloading malicious content). Chrome actually has many more security features that I could go on about; so far, so good.

Questionable controls
But then reality hits hard. One of the most glaring lapses is the inability to disable JavaScript. Because JavaScript is involved with most malicious Web attacks, all of Google's competitors allow its use to be disabled globally, or per site or per zone (albeit Firefox requires a third-party add-on, NoScript, to be site-specific). The world has yet to create a virtual machine that was not able to be breached, so despite all the cleverness that went into V8, I cannot understand how Google committed such an oversight, even if the company is trying to promote JavaScript-enriched applications and sites. If a large JavaScript exploit happens against Chrome -- or rather, when it happens -- the only recommendation Google will be able to offer, it seems, is to stop using it.

Most user-selectable security settings are under an option tab called Under the Hood. It's when you first go here that you realize how little Chrome offers in the way of fine-grained security settings. The options are very sparse and often lack a secure default. For example, all cookie types (both first- and third-party) are allowed by default. This isn't surprising for a company that makes its living from ads. But even the third-party-cookie restricted mode allows the reading of any third-party cookie, which is almost as bad as allowing modifications. In another example of a poor default, HTTP data is allowed to commingle with HTTPS data in the same view, without warning to the user.

Another critical security feature that's missing is the ability to place different Web sites into separate security zones or domains. Most browsers provide at least two zones (Internet Explorer has five) or the binary ability to whitelist or blacklist sites. Chrome is also glaringly absent of enterprise management features. SSL/TLS (Secure Sockets Layer/Transport Layer Security) server revocation checking is enabled by default, but Chrome does not support the more efficient OCSP (Online Certificate Status Protocol) revocation-checking protocol, though all of its competitors do.

Google has also washed its hands of responsibility for the security of add-ons. Reviewers are very mixed on this approach. While it is true that browser vendors should not be ultimately held responsible for others' add-ons and applications, Chrome offers no add-on management. You cannot easily determine which add-ons will render particular content, nor easily disable them.

Many users are perturbed by the treatment of their own saved passwords. Chrome allows the current user to reveal the saved log-on names and passwords in plaintext with a few clicks of the mouse. This is convenient for the user -- and for anyone else who wants to learn all of the user's passwords and finds the computer left unattended for a few seconds. Internet Explorer doesn't allow this at all, and Firefox and Opera at least have the ability to assign another password to protect the saved passwords. On the Password Manager Evaluator testing Web site, Chrome scored the worst among all of the browsers I've tested (including Firefox, Internet Explorer, Opera, and Safari), passing only 4 of 21 tests.

Bugaboos
Chrome has a very limited feature set and relatively moderate complexity. This might help it avoid some security issues in the long run, but so far it hasn't. Chrome has had 10 exploits in the five months it has been released (you can search on keyword Chrome at milw0rm.com to see the individual exploits). They have been patched. Most were simple denial-of-service exploits, but at least one allowed complete system compromise and another allowed malicious redirection.

On a good note, Chrome passed all of the browser security tests I threw at it and prevented the automatic installation of any malware. These tests included dozens of predefined tests made in the lab, several browser-security tests on the Web (including scanit and Jason's Toolbox). I sniffed traffic looking for information leaks, tested the browser's handling of XSS (cross-site scripting), tested privacy features, confirmed digital certificate handling, and surfed to more than one hundred malicious Web sites. With less than 2 percent market share, Chrome isn't yet the popular target of hackers. That gives its users additional insulation compared with its competitors.

One key feature simply doesn't work as promised. Google repeatedly makes the claim that Chrome's rendering-process isolation prevents one browser session from bringing down another or affecting the whole browser. Yet, vulnerability after vulnerability has proven that Chrome's process separation isn't nearly as perfect as it sounds on paper. Malicious Web pages of all kinds have caused DoS problems, lockups, and complete system failure. I and every other Chrome user I know have experienced complete browser lockups while browsing ordinary, legitimate Web pages.

Far more indicative of systematic problems is that the initial vulnerabilities found in Chrome were very simple, well-known exploits. Initially, Google shipped its beta with a known vulnerable version of the WebKit engine, for which a patch had been issued months before. I realize it was only beta code, but how embarrassing. The buffer overflow attacks that were soon discovered were often simple string overflows, a vulnerability that any normal security code review or fuzzing tool should have found. Most of the other vulnerabilities were flaws that had been widely reported in other browsers and should not have been present in Google's first try. Google should have known better.

This is the security paradox of Chrome. It begins with a beautiful idea and an excellent security model but then compromises the vision with questionable decisions, a dearth of granular security controls, and the obvious failure to perform a serious code review. This may be Google's first version of its first browser, but it has more experience with browsers and malicious content than any of its competitors. Why introduce yet another new Web browser and not blow away the competition?

Chrome's excellent security model and newness give it a chance to quickly improve in areas where other vendors must tread more slowly because of backward-compatibility issues. The real challenge is that the bigger flaws are human- and process-oriented, and cannot be solved with fast patching. They are systematic and will require a serious paradigm shift within Google to achieve.

Read More