Web browsers have become a universal application on today’s PCs and mobile devices. As new uses for the Internet have emerged, web browsers have also become more complicated, because they must handle the complex protocols behind modern content such as videos, images, and interactive web programs.
More complex applications bring additional opportunity for security vulnerabilities. This makes web browsers a magnet for tech-savvy criminals who exploit these vulnerabilities and ultimately compromise your PC or mobile device. In this article, we will explore three major web browsers to help you gain a better understanding of the safety and security levels of each application.
First, it is important to mention that the most recent browser architectures are both multi-process and multi-threaded. Without getting into technical jargon, this architecture determines how well the browser can support security barriers and trust zones, and it provides a basis for comparing browsers on safety and security.
Google Chrome
Google Chrome was first released in 2008 and utilizes the WebKit layout engine and the V8 JavaScript engine. Google Chrome’s functionality is delivered via the Chromium interface, with some of the components delivered via open-source licensing.
- Sandbox: Google Chrome is multi-process and uses a low integrity token, which increases the capabilities of the sandbox. Sandboxing is the technology that traps any malicious software or files collected during the browsing session. A sandbox runs in an isolated space in the browser, which prevents malicious files from entering your PC. When you close your browser, the sandbox deletes the files that were trapped in it.
- Security Updates: Google does not provide a rigid schedule for releasing updates and security patches. However, its updates tend to be released more frequently than those for Firefox and Internet Explorer and do not include non-security updates or Flash.
- Patch Distribution: The time between a browser vendor becoming aware of a vulnerability and reaching a solution is an indication of its commitment to browser security. Google Chrome takes an average of 50 days to produce a security patch once the browser vulnerability is discovered. This typically applies to high-impact vulnerabilities rather than ones that are less severe.
- Add-Ons: Add-ons are software written by a third party. The software adds different functionality to a browser, such as video streaming, cookie blocking, viewing particular files, and more. Add-ons add extra code to the browser, which presents more security risk, as do plugins, which can be silently activated without user intervention. This creates an opportunity for unauthorized code disguised as an add-on to be installed. Google Chrome places strict limitations on add-ons, which limits what you can do with the browser but makes it more secure.
Internet Explorer
Internet Explorer offers a user interface framework where tabs operate independently of one another. This allows the browser tab processes to function at low integrity. The low integrity tabs are used for managing independent processes such as downloads and toolbars in addition to browsing and hosting ActiveX controls.
- Sandbox: Internet Explorer uses a multi-process design that runs a permissive sandbox. The sandbox allows for the use of ActiveX controls, software exclusive to Internet Explorer. ActiveX comes preinstalled in Windows operating systems and is a small application that enhances your browsing experience. For many sites accessed in Internet Explorer, ActiveX controls are necessary for accessing and viewing components on a website. If the sandbox permits ActiveX, it may not be able to block other malicious files and activities. This places the sandbox technology in Internet Explorer at a medium security level.
- Security Updates: According to the Microsoft Security Bulletin, the Internet Explorer team operates on a two-month cycle for security updates, dividing them between high-impact vulnerabilities that directly affect the browser and pose a threat to your PC and low-impact advisories related to Internet Explorer. The release of updates is tied to patch distribution rather than to non-security changes to the browser.
- Patch Distribution: Internet Explorer takes an average of just over 200 days to produce a security patch once a browser vulnerability is discovered. It is significantly slower than Google Chrome. This means that the browser’s susceptibility to an attack is much greater until a security patch is finally released.
- Add-Ons: The primary method for add-on functionality in Internet Explorer is the ActiveX controls described above. IE also offers a number of other ways to enhance functionality through browser and content extensions, which add functionality to the menu and the toolbar in IE. In most cases, installation requires user interaction, but plugins can be activated silently without user interaction. The many extensions that enhance functionality present more opportunity for hacker exploits.
Firefox
Firefox uses a single-process medium integrity browser which contains the entire browsing session. Firefox plugins are hosted out of process and run independently of one another and at medium integrity. For this reason, a browser crash causes total failure of the browser itself and all of the plugin processes.
- Sandbox: Since Firefox deploys a single process with medium integrity, the sandbox technology is obliterated due to browsing components operating separately from one another. To tighten up security in this area, it is necessary to install a third-party sandbox application.
- Security Updates: The Firefox team offers no set pattern for releasing security updates. When you use Firefox, you will experience periods where there are multiple updates, but then a period of time will pass before there are additional ones. Overall, security updates are released much less often than those from Google and Microsoft.
- Patch Distribution: In terms of developing a security patch following the discovery of a security vulnerability, the Firefox team falls between Chrome and IE, with a release time of 152 days.
- Add-Ons: Firefox offers multiple methods for extending browser capability and functionality, including themes, extensions, and plugins. Extensions extend existing browser functionality, whereas plugins introduce new browser behavior. Plugins also extend the code that is native to the browser. Plugins are capable of accessing any files on your PC in addition to installing software and establishing network connections. This is typical of malicious software behavior, which makes plugins a security risk. Installation of plugins typically originates from the official Mozilla website and passes through a review process prior to installation, but there is always some risk.
So, in terms of sandboxing, Google Chrome and Internet Explorer are ahead of Mozilla Firefox. When it comes to security updates, all three browsers are almost equal since they all vary. When considering patch release speed, Internet Explorer is the worst, with Firefox and Chrome releasing security patches faster. When you consider add-on functionality, Chrome is the most secure, with Internet Explorer coming in second and Firefox third.
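
The low and medium integrity levels used in the sandbox comparisons above can be checked from a process listing. The following is an added example, not part of the original article: it maps Windows mandatory-label SIDs to integrity levels and reports whether a browser's child processes run below medium integrity. The process records are constructed sample data, and the function names are this example's own.

```python
# Added example. Process records below are constructed sample data.
# Windows mandatory labels are SIDs of the form S-1-16-<rid>; the named
# levels start at these RIDs (a RID in between, e.g. 8448, is treated here
# as the level it has reached, which is this example's simplification).
LEVEL_FLOORS = [(0x4000, "system"), (0x3000, "high"), (0x2000, "medium"),
                (0x1000, "low"), (0x0000, "untrusted")]

def integrity_level(label_sid):
    """Map a mandatory-label SID string to an integrity level name."""
    parts = label_sid.upper().split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"] or not parts[3].isdigit():
        raise ValueError(f"not a mandatory-label SID: {label_sid!r}")
    rid = int(parts[3])
    return next(name for floor, name in LEVEL_FLOORS if rid >= floor)

def audit(processes, images):
    """Report how one browser's processes are confined by integrity level.

    processes: iterable of (pid, parent_pid, image_name, label_sid)
    images:    image names that belong to the browser being audited
    """
    wanted = {name.lower() for name in images}
    own = [p for p in processes if p[2].lower() in wanted]
    own_pids = {p[0] for p in own}
    # Children of another browser process: tabs, renderers, plugin hosts.
    children = [p for p in own if p[1] in own_pids]
    unconfined = sorted(p[0] for p in children
                        if integrity_level(p[3]) not in ("low", "untrusted"))
    return {
        "multi_process": bool(children),
        "unconfined_children": unconfined,
        # Confined only if content runs in child processes below medium.
        "sandboxed": bool(children) and not unconfined,
    }

# Constructed sample: (pid, parent pid, image, mandatory label)
SAMPLE = [
    (100, 1, "chrome.exe", "S-1-16-8192"),    # parent process at medium
    (101, 100, "chrome.exe", "S-1-16-4096"),  # child at low
    (102, 100, "chrome.exe", "S-1-16-4096"),
    (200, 1, "firefox.exe", "S-1-16-8192"),   # single browser process
    (201, 200, "plugin-container.exe", "S-1-16-8192"),  # plugin host, medium
]

if __name__ == "__main__":
    print(audit(SAMPLE, ["chrome.exe"]))
    print(audit(SAMPLE, ["firefox.exe", "plugin-container.exe"]))
```

In the constructed sample, the Chrome-style process tree is reported as sandboxed because every child runs at low integrity, while the Firefox-style tree is not, because its plugin host runs at medium.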