
Google Chrome protects against online threats better than other popular browsers. That is the conclusion of a study that scored the ability of Chrome, Internet Explorer and Mozilla Firefox to mitigate exploits, recognize malicious links, etc.

The 102-page report, prepared by researchers at the company Accuvant, starts from the assumption that no complex software can avoid buffer overflows and other security flaws. Instead of relying on assessment methods such as the number of defects corrected and the time it took to release updates, the report examined the practical protections that are available by default in each browser.

And they came to this conclusion: Chrome is the most secure browser. Immediately behind it is Microsoft IE. Firefox took third place, mainly because it lacks a sandbox, which is meant to shield the vital parts of Windows from the functions that handle JavaScript, images and other web content.

“We found that in terms of sandboxing, Chrome coped better than anyone else,” said Chris Valasek, a senior fellow at Accuvant. “It limits actions more than other browsers. Microsoft IE came second, because its sandbox allows more than Chrome’s. Mozilla ranked last, as a sandbox is not yet implemented in the browser.”

The report was produced on behalf of Google, but the authors insist that they were completely independent in their methods and findings. The researchers have posted more than 20 MB of data, tools and methodologies so that their colleagues can test them or build their own research on them. The Accuvant study covered only the security offered by Chrome, Microsoft IE and Mozilla, which, according to the report, are used by more than 93%. All the browsers were tested on Windows 7.

The researchers’ findings are supported by other evidence and are not unfounded. For three consecutive years Chrome has emerged unscathed from the annual Pwn2Own hacker competition, something no other browser has managed. In addition, reports of the browser being hit by in-the-wild attacks are extremely rare.

Not all sandboxes are the same

Much like an ordinary sandbox, which keeps sand from mixing with the grass on a playground, a security sandbox confines application code inside a perimeter that is fenced off from the sensitive functions of the operating system. By limiting the ability of applications to read and write data to disk, the sandbox can reduce the damage that attackers can cause when they successfully exploit vulnerabilities in the underlying code.

The so-called tokens in Chrome’s sandbox, for example, do not allow the browser’s processes to access files outside a very limited set of directories. They also forbid the creation of connections, known as network sockets, for communicating with servers on the Internet. The sandbox in Microsoft IE, by contrast, according to the researchers, allows browser resources to read almost all of the hard drive and imposes minimal restrictions on the creation of network sockets.

As a result, attackers who exploit vulnerabilities in Microsoft’s browser will find it much easier to get access to contacts, documents and other data on the hard drive of the affected computer and upload them to a command-and-control server.

“Google’s token imposes more restrictions,” said Accuvant chief researcher Ryan Smith, who compared the tokens to a driver’s license, which indicates which cars its holder may drive, whether he needs glasses, etc. “It can be compared to a learner’s license, while the Internet Explorer token is an ordinary license with all the categories.”

The researchers analyzed each browser’s ability to read files, write files and perform another 13 actions. As shown in the chart below, Chrome failed to block only two of them. One of the two, known as “System Settings”, it blocked partially. Meanwhile, Explorer was able to completely block only two actions, and partially blocked seven. Seven other actions, including the ability to read files, access the network and create processes, remained without any restrictions.

In last place was Firefox, which managed to completely restrict only six actions and left the remaining nine without any restrictions.

The sin of inaction

The report refers to the sandbox as a “best practice standard in many popular applications.” Chrome implements a sandbox in the versions that run under Windows, Mac OS X and Linux. Microsoft has had a sandbox in service for more than five years, since people started to use IE7 on Windows Vista or later versions. Even Apple, which has a tiny share of the browser market, has included sandbox protection in Safari for Lion, the latest version of OS X.

In this light, it is very difficult to justify Firefox, which continues to go without a sandbox.

In a statement issued before the publication of the Accuvant report, the technical director of Firefox, Jonathan Nightingale, said:

“Firefox includes a set of technologies that can eliminate or reduce threats, from platform-level functions such as address space randomization to internal systems such as our layout frame poisoning system. A sandbox is a useful addition to the tools that we investigate. But no technology is a panacea. We invest in safety through the development process with internal and external code validation, constant review and analysis of the current code, and an immediate response to security issues as they arise. We are proud of our reputation in the field of security, and it remains our central priority.”

Containing add-ons

The researchers also gave Chrome high marks for imposing strict limits on add-ons, which extend the set of actions that a user can perform in the web browser. As a result, hackers who exploit a bug in an extension, or who trick a victim into downloading a malicious add-on, will cause far less damage. Firefox and Explorer give extensions much greater freedom. Explorer add-ons, for example, are able to create processes and access the Windows clipboard, which may allow malicious data to move from one application to another.

Another area in which Chrome surpassed its competitors is JIT hardening. JIT is code that is compiled on the fly and executed in the browser. Hackers have long used the JIT to turn JavaScript into malicious machine code that is able to bypass protections such as ASLR.

JIT hardening in Chrome and, to a lesser extent, Microsoft IE thwarts such attacks by making the way JavaScript is compiled unpredictable and difficult to control. Developers from Mozilla have yet to implement this feature.

Apart from assessing the security of the three major browsers, the report also states that methods of measuring the ability of software to withstand attacks are inexact and should not be relied upon. One such method is counting the number of fixed vulnerabilities. It is based on the assumption that a larger number of bugs means lower-quality code. Other factors include how quickly the bugs are corrected and how serious they are.

In the end, a browser either yields to exploits or it does not. And that’s all that matters to the authors of the report.

“We do not believe that these methods of assessment are worth using, because they are very difficult to correlate, especially between browsers and manufacturers,” said Valasek, who, in addition to Smith, was assisted by other colleagues from Accuvant: Joshua Drake, Paul Mehta, Charlie Miller and Shawn Moyer. “So we decided: let’s focus on technologies that mitigate exploits and check how well they are actually able to resist attackers who have discovered a vulnerability.”