I was wondering which browser is the most secure today, Firefox, Internet Explorer, Chrome, or Safari on a Windows machine with the user running as a Power User/Administrator account.
This is not a question about which browser is the best because its the most usable, but more of a question if asked for security, which browser is the most secure given an everyday user's experience (JavaScript, Flash, Ads, etc).
Also, would the choice for most secure change if the user was running as a restricted user?
To clarify, I'm looking for an answer that's based in research on potential and common exploits and how long it takes for critical problems to be patched.
Edit: My approach for this question is basically, what would you recommend to your boss, co-worker, or relative, who probably an average user.
Answer
I think it really depends on who you ask. I've never seen an end-all-be-all answer to this question, and I doubt I ever will. Each company takes their own approach to securing the browser, and even though the end result is almost always the same, their methods can be entirely different.
To answer your question about limited user? Absolutely, yes. Running as a limited user is the absolute best thing you can do to protect yourself (in my opinion, anyways). I am a well-learned computer user running Windows 7, and there has been a time or two where the UAC prompt pops up unexpectedly and I stop to see what it is that is asking for access1.
Having my users at work run as a limited user prevented AntiVirus 20102 from being installed (it still caused some issues I had to fix, but it didn't manage to install itself - that's the important part).
According to this article at Ars Technica, it's Google Chrome, when judged by hackers/exploiters:
A recent contest at CanSecWest, an event that brings together some of the most skilled experts in the security community, has demonstrated that the three most popular browser are susceptible to security bugs despite the vigilance and engineering prowess of their creators. Firefox, Safari, and Internet Explorer were all exploited during the Pwn2Own competition that took place at the conference. Google's Chrome browser, however, was the only one left standing—a victory that security researchers attribute to its innovative sandbox feature.
But then again, this article, also at Ars Technica, shows that Internet Explorer 8 is the most secure (it even has charts!):
During July 2009, a company called NSS Labs performed two separate browser security tests, which Amy Barzdukas, General Manager of Internet Explorer, told Ars that Microsoft had sponsored. Right off the bat, your suspicions have probably been raised, and rightly so. Internet Explorer 8 performed very well in all the tests and, while Microsoft insists that it had no impact on the results, we must still be cautious when examining the reports.
Before we go to the results, it's worth noting that NSS Labs chose to test what it thinks are the most important types of security threats:
The most common and impactful 'security threats' facing users today are socially engineered malware and phishing attacks. As such, they have been the primary focus of our initial research. While drive-by downloads and click-jacking are also effective attacks and have achieved notable publicity, they represent a smaller percentage of today's threats. According to Microsoft, the malware report is more important than the phishing report, so we've put it first. "We block 20 times more malware per day than phishing sites in IE8," Barzdukas told Ars. IE8 block malware for approximately 1 out of 40 users every week, and approximately 1 of every 200 downloads is blocked as malicious.
1 I'm looking at you, Java Updater!
2 Check out Microsoft's Malware Protection Portal page on AntiVirus 2010 - it's impressive!
No comments:
Post a Comment