Browser Security

Browser security is a big issue these days, with browsers being the main vulnerability exploited by today’s hackers. Because browsers are cross-platform and often not security-hardened, they can be the soft underbelly in an otherwise secure system.

So, how secure is your browser?

The Zero Day Initiative by puts up money for hackers, gives them a number of browsers and platforms and lets them do what comes naturally (to hackers). The results at the latest ZDI competition tell a tale.

First up is a shock for the Mac converts. Many Mac users (I would say most) believe that their OS needs no security because they don’t get (many) viruses. Fact is, Safari was very quickly exploited, with the successful hacker running command lines and able to see all target files. My advice to Mac users: get some protection.

IE8 did not fare any better in the hacker stakes. The successful hacker was able to exploit IE8 and take over the PC. Hopefully Microsoft have hardened up with IE9.

As mentioned in my previous article, Firefox users can often be as zealously and blissfully uninformed as their Mac brethren. Unfortunately their simple faith in their product has not been supported by this competition. Firefox was hacked.

Chrome was secure against attacks.

Taking a different look at browser security, NSS Labs tested browsers to see which would detect and alert against known malware. The results are revealing and a little unexpected.

IE8 and IE9 perform the best and Chrome and Opera the worst. Here are their results:

Windows Internet Explorer 9 (beta) caught an exceptional 99% of the live threats, leading the non-IE pack by 80%. IE9’s protection includes SmartScreen URL filtering, which is included in IE8, as well as SmartScreen application reputation, which is new to IE9.

Windows Internet Explorer 8 caught 90% of the live threats, an exceptional score which was a 5% improvement from the Q1 2010 test and built upon prior improvements from the Q3 2009 and Q1 2009 tests. IE8 showed a 71% lead over the next best browser.

Mozilla Firefox 3.6 caught 19% of the live threats, far fewer than Internet Explorer 8 or Internet Explorer 9. This is a 10% decrease in protection from the Q1 2010 test.

Apple Safari 5 caught 11% of the live threats. Overall protection declined 18% from Q1 2010.

Google Chrome 6 caught 3% of the live threats, down 14% from the Q1 2010 test.

Opera 10 caught 0% of the live threats, providing virtually no protection against socially-engineered malware.

So, browser security is emerging as our primary security concern, but all we have are contradictory results. With pretty much every browser following the Chrome model (minimalist toolbars, fast loading speeds), we can only hope that the next thing they all start turning their minds to is security. In the meantime, whether you’re a Mac or PC person, get some security.

As a side note, the iPhone was also hacked at the ZDI hackers day. With the iPad effectively built on an iPhone OS, it would be prudent to be careful when banking or doing business with your iPad. Note that the Android and Blackberry OS were not hacked.

