Can any browser be considered 'safe'?

A recent NSS Labs report on browser security rates Internet Explorer versions 8 and 9 head-and-shoulders above Google Chrome, Firefox, Safari, and Opera for blocking socially engineered malware, but these results may be misleading.

Judging from the headlines appearing this week on tech Web sites, you'd guess anyone using a browser other than Internet Explorer was a fool.

After all, IE version 9 scored a whopping 99.2 percent in NSS Labs' worldwide test (PDF) of the ability of top browsers to detect socially engineered malware. IE 8 wasn't far behind at 96 percent--the difference attributed by NSS Labs to the Application Reputation component added to IE 9's SmartScreen technology.

By comparison, the four other browsers tested were veritable social-malware sieves: Google Chrome 12 had a 13.2-percent detection rate, Firefox 4 and Safari 5 detected 7.6 percent, and Opera 6.1 percent. The report's chart illustrating the test results is even more striking.

NSS Labs browser-security test results
NSS Labs' socially engineered malware-detection test results show IE 8 and 9 to be the runaway winners. screenshot by Dennis O'Reilly

Such dramatic results should be easy to corroborate, but a search for similar results from other sources came up empty. Every other browser comparison I could find rated Firefox, Chrome, and (usually) Opera above IE in terms of security. In fact, SecurityFocus lists 62 current vulnerabilities in IE 8, some dating back more than two years. The site reports 17 vulnerabilities in IE 9 (note that some of the vulnerabilities for each browser are listed as "retired").

By comparison, there are no vulnerabilities reported currently for Chrome 13, Firefox 6, Safari 5, or Opera 11. (A complete list of unpatched browser vulnerabilities is in the Vulnerabilities section of Wikipedia's browser-comparison page.)

Google researchers track the evolution of Web-borne threats
Malware purveyors are attempting to take advantage of users' propensity to click first and think second. A Google Technical Report released last month entitled Trends in Circumventing Web-Malware Detection found that the number of malware sites using social-engineering techniques increased from one in January 2007 to 4,230 in September 2010.

Still, this number represented only 2 percent of all malware-distribution sites. Drive-by downloads remain the primary delivery mechanism for Web-borne malware, according to the researchers, although they note that attacks using social engineering will continue to increase. The researchers recommend a "multi-pronged approach" that also addresses two other growing malware techniques: JavaScript obfuscation and IP cloaking.

For more information on social engineering, see Elinor Mills' Q&A with Chris Hadnagy of security firm Offensive Security in Elinor's InSecurity Complex blog.

A plea for tighter security baked into future browsers
The European Network and Information Security Agency (Enisa) is calling for improvements in the security features of next-generation browsers. In a report released late last month, Enisa identifies 51 "issues and potential threats" in such upcoming Web technologies as HTML 5, cross-origin resource sharing (CORS), Web storage, and geo-location and media APIs.

The W3C's current target date for an HTML 5 Recommendation is 2014, although aspects of the standard will be ready to implement before that date. That's a long time to wait for improved browser security. The good news is that the current versions of all the popular browsers are much safer than their predecessors. The bad news is that they need to be made even safer continually.

Whichever browser you prefer, ensure that you're using the most recent version. Google Chrome updates automatically, IE gets its patches as part of Windows updates, and Safari is kept current via Apple Software Update. To set Firefox to update automatically, click Tools > Options > Advanced > Update (Windows) or the Firefox menu > Preferences > Advanced > Update (Mac) and make sure "Automatically download and install the update" is selected.

Mozilla Firefox Advanced > Update settings
Make sure Firefox is set to update automatically by selecting this option in the browser's Advanced settings. screenshot by Dennis O'Reilly

You can also have Firefox warn you if an update will cause one of your add-ons to stop working. Other options let you set the browser to update your add-ons and "search engines" automatically. For a comparison of three free services that offer to keep all your software up-to-date, see my post from last May, " Free scanners spot outdated, insecure software ."

About the author

    Dennis O'Reilly began writing about workplace technology as an editor for Ziff-Davis' Computer Select, back when CDs were new-fangled, and IBM's PC XT was wowing the crowds at Comdex. He spent more than seven years running PC World's award-winning Here's How section, beginning in 2000. O'Reilly has written about everything from web search to PC security to Microsoft Excel customizations. Along with designing, building, and managing several different web sites, Dennis created the Travel Reference Library, a database of travel guidebook reviews that was converted to the web in 1996 and operated through 2000.

     

    Join the discussion

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    HOT ON CNET

    Find Your Tech Type

    Take our tech personality quiz and enter for a chance to win* high-tech specs!