Firefox is least secure browser according to Google-funded study

Forbes reports that researchers at the security firm Accuvant released a new study on Friday assessing the security features of Microsoft Internet Explorer, Mozilla Firefox and Google Chrome, the three most popular web browsers. Accuvant's findings show that Google Chrome leads on the study's security criteria, with Internet Explorer close behind and Firefox in last place.

There is one major reason for pause at these results, however: the independent study was commissioned and funded by Google. "Although both Google Chrome and IE are competitive, Chrome is a little better," said Ryan Smith, an Accuvant researcher. "We've tried to point out areas where Firefox can improve its code base."


Credit: Forbes

Rather than counting the known vulnerabilities in the three browsers, Accuvant's study assumes that hackers will find exploits and instead rated the three browsers on how well they would deal with an attack that had already gained access to the machine. The browsers differed most in three areas: sandboxing, JIT hardening, and plug-in security. Chrome tied or beat the other two browsers in these areas, while Firefox's features were labeled "unimplemented or ineffective."

Sandboxing limits the commands available to a website exploit, and Chrome was found to have the strictest sandboxing of the three. Just-in-time (JIT) hardening is a feature that prevents JavaScript on websites from compiling code to run on the user's machine. Plug-in security limits the access of exploits that don't require user interaction on a site, as well as exploits that trick users into downloading add-on programs with malicious behavior.

Jonathan Nightingale, Mozilla's director of Firefox engineering, responded to the Forbes article with this statement:

Firefox includes a broad array of technologies to eliminate or reduce security threats, from platform level features like address space randomization to internal systems like our layout frame poisoning system. Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet.

We invest in security throughout the development process with internal and external code reviews, constant testing and analysis of running code, and rapid response to security issues when they emerge. We’re proud of our reputation on security, and it remains a central priority for Firefox.

The full 140-page study can be viewed at Scribd.

50 Comments


Only if you trust Google and what they do with the information extracted from your web usage. Adblocker doesn't work well and noscript is not available. Hmmm wonder why?

Whether this was a Google-funded study or not, it doesn't take much to realize the following:
Chrome & IE = sandboxed
Firefox = not sandboxed

Therefore, Firefox is in theory the least secure of the three. It's really that simple.

According to Secunia's Q3 reports, Firefox 4.0 has had 18 vulnerabilities this year compared to Chrome with 6. Now throw in the fact that Chrome's sandbox has yet to be broken. That is, if you don't count the old Vupen report that Chrome devs claim was actually a Flash vulnerability, plus there have been no reports of exploits in the wild.

I dunno... Almost all of the threats Norton catches attempting to get on my machine are through Chrome... This study seems "funny"...

Flaw number 1: they compared only those three browsers.
Flaw number 2: by what benchmark did they base 'industry standards' on for the first two to give Chrome an edge over IE?

Denis W said,
Flaw number 1: they compared only those three browsers.
Flaw number 2: by what benchmark did they base 'industry standards' on for the first two to give Chrome an edge over IE?

Google is an industry.
Google has standards.
Thus, Google Chrome respects industry standards.

/s

Good job! That Google-funded researcher finds the three useless features that are better than Firefox.
But, it fails to find hundreds of features that are lagging behind Firefox.
To me, I find that Chrome is good at crashing when viewing YouTube!

ray_bk said,
Good job! That Google-funded researcher finds the three useless features that are better than Firefox.
But, it fails to find hundreds of features that are lagging behind Firefox.
To me, I find that Chrome is good at crashing when viewing YouTube!

Yeah, Chrome crashes all the time for me...

ray_bk said,
Good job! That Google-funded researcher finds the three useless features that are better than Firefox.
But, it fails to find hundreds of features that are lagging behind Firefox.
To me, I find that Chrome is good at crashing when viewing YouTube!

You did it wrong, it never crashes and I am using Chrome dev.

This Google-funded research has some really surprising findings! Google's products have better security. /s

O RLY? Firefox is not secure, that's been known for ages...
The nonsense in this study is not Firefox's result but the "industry standard" thing - IE only works on Windows, it's completely logical that they use Windows' built-in sandboxing mechanisms instead of reinventing the wheel.

I'm sorry, but given the chart in the original article, Internet Explorer should be the clear winner here.

What is IE's SmartScreen if it isn't URL black listing?

DonC said,
I'm sorry, but given the chart in the original article, Internet Explorer should be the clear winner here.

What is IE's SmartScreen if it isn't URL black listing?

Maybe it's not "industry standard"

Morden said,

Maybe it's not "industry standard"

True, but surely it should have an "Implemented" under the IE heading then?

What about Compartment security, it is more like a sandboxing. What about separating Plugins in Plugin-container, is it security in itself?

Who didn't know this already? Exactly why I've never used it for more than a minute and that was only to see what all the fascination was with it. Never been anything fascinating about it, to me.

Google's Chrome is in a dead nuts tie with Firefox for least appealing browsers to me also.

I do use variants of both those browsers sometimes though. Palemoon, Waterfox, and SRWare Iron. Not all the same phoning home and stuff with these browsers as much.

cork1958 said,
Who didn't know this already? Exactly why I've never used it for more than a minute and that was only to see what all the fascination was with it. Never been anything fascinating about it, to me.

Google's Chrome is in a dead nuts tie with Firefox for least appealing browsers to me also.

I do use variants of both those browsers sometimes though. Palemoon, Waterfox, and SRWare Iron. Not all the same phoning home and stuff with these browsers as much.

So you use web browsers that the majority of internet users never heard of?

cork1958 said,
Who didn't know this already? Exactly why I've never used it for more than a minute and that was only to see what all the fascination was with it. Never been anything fascinating about it, to me.

Google's Chrome is in a dead nuts tie with Firefox for least appealing browsers to me also.

I do use variants of both those browsers sometimes though. Palemoon, Waterfox, and SRWare Iron. Not all the same phoning home and stuff with these browsers as much.

Internet Browser Hipster?

Kyle said,

Internet Browser Hipster?

Apparently so, his hating on Chrome and particularly Firefox has gotten old. Enough is enough already, I think we all got the damn point.

I still feel safer running Firefox, with the extensions NoScript, Ghostery and AdBlock+, than the other browsers. While Chrome may support AdBlock, it does not yet have NoScript, and the clones of that same extension, such as scriptno, have been proven unreliable.

Tartan said,
I still feel safer running Firefox, with the extensions NoScript, Ghostery and AdBlock+, than the other browsers. While Chrome may support AdBlock, it does not yet have NoScript, and the clones of that same extension, such as scriptno, have been proven unreliable.

Try to block all network traffic with a firewall... you'll be safer.

Tartan said,
I still feel safer running Firefox, with the extensions NoScript, Ghostery and AdBlock+, than the other browsers. While Chrome may support AdBlock, it does not yet have NoScript, and the clones of that same extension, such as scriptno, have been proven unreliable.

In Internet Explorer, an ad-blocking list is available in Tracking Protection and you can change script settings in the Internet options without needing any add-ons.

So is this one of those investigations that checks how many of Google's security features are present in other browsers?

Various methods designed to stop the compiled JS code from doing bad things (like reading random memory, etc.)

Mozilla's hardening patches look to be ready to land soon, they've been working on it for a few months.

yowan said,
According to Wikipedia, Firefox uses a sandbox security model too.

According to the rest of the world (including Mozilla), it doesn't.

Zeet said,
Last time I checked, Safari was the least secure browser.

I guess Google didn't implement them in the list because they didn't want to hurt Apple even more (after this iBan in Germany..).

Intrinsica said,
Err, good for you? What does Safari have to do with this? Granted, it's a browser, but it isn't included in this study...

The study is targeted at certain features to make Google look better. Every company does it, for example we compare some of our software to competitors, but then we single out custom one-off features we have, and then claim the competitors don't. Firefox is a great browser.

Coi said,

I guess Google didn't implement them in the list because they didn't want to hurt Apple even more (after this iBan in Germany..).

You mean the potential ban that won't actually happen?

It's more likely that it was due to market share. Safari's market share among the desktop browsers is pretty small; IE and Firefox are the main competitors to Chrome, that's why Google would aim at the two?

stevember said,

Makes it slightly biased maybe, but not wrong.

It's not just wrong, it's laughable... industry standard sandboxing, wow. FUD much, Google?

Morden said,

It's not just wrong, it's laughable... industry standard sandboxing, wow. FUD much, Google?

You're right, it is laughable and completely biased towards Chrome.

If sandboxing was industry standard then why does IE just have "Implemented" underneath it, when, if I remember correctly, it had sandboxing before Google Chrome?

neo158 said,

If sandboxing was industry standard then why does IE just have "Implemented" underneath it, when, if I remember correctly, it had sandboxing before Google Chrome?

For IE, it depends on what OS it's running on.

farmeunit said,

For IE, it depends on what OS it's running on.

+ You have to have UAC enabled.... and we all know how "experts" like to recommend people to turn UAC off....

I don't get why 'URL Blacklisting' is 'Unimplemented or ineffective' even for Internet Explorer. They should have pointed out that IE9 blocks more than 90% of malicious URLs and Chrome just around 5%.

Coi said,
I don't get why 'URL Blacklisting' is 'Unimplemented or ineffective' even for Internet Explorer. They should have pointed out that IE9 blocks more than 90% of malicious URLs and Chrome just around 5%.

And Firefox has this feature too if I'm not mistaken...

Funded by Google - say no more!

lol - what did they do, spend weeks looking for any 3 areas where they thought Chrome was better than Firefox, and declare the result based on the only 3 problem areas they could come up with?

Hey Chrome - when are you going to be USABLE, you know - by allowing add-ons to block Google ads (etc.)??

dvb2000 said,
Funded by Google - say no more!

lol - what did they do, spend weeks looking for any 3 areas where they thought Chrome was better than Firefox, and declare the result based on the only 3 problem areas they could come up with?

Hey Chrome - when are you going to be USABLE, you know - by allowing add-ons to block Google ads (etc.)??

They do allow you to block Google Ads...

dvb2000 said,
Funded by Google - say no more!

lol - what did they do, spend weeks looking for any 3 areas where they thought Chrome was better than Firefox, and declare the result based on the only 3 problem areas they could come up with?

Hey Chrome - when are you going to be USABLE, you know - by allowing add-ons to block Google ads (etc.)??

This proves that you have no clue and you are a troll... First, Chrome has an add-on to block all ads... it came out at least a year ago... Second, even if it's funded by Google, Chrome has the best security... it's a no-brainer... oh wait!!