
Can any browser be considered 'safe'?

A recent NSS Labs report on browser security rates Internet Explorer versions 8 and 9 head-and-shoulders above Google Chrome, Firefox, Safari, and Opera for blocking socially engineered malware, but these results may be misleading.

Dennis O'Reilly, former CNET contributor

Judging from the headlines appearing this week on tech Web sites, you'd guess anyone using a browser other than Internet Explorer was a fool.

After all, IE version 9 scored a whopping 99.2 percent in NSS Labs' worldwide test (PDF) of the ability of top browsers to detect socially engineered malware. IE 8 wasn't far behind at 96 percent; NSS Labs attributes the difference to the Application Reputation component added to SmartScreen in IE 9.

By comparison, the four other browsers tested were veritable social-malware sieves: Google Chrome 12 had a 13.2-percent detection rate, Firefox 4 and Safari 5 detected 7.6 percent, and Opera 6.1 percent. The report's chart illustrating the test results is even more striking.

[Chart: NSS Labs' socially engineered malware-detection test results show IE 8 and 9 to be the runaway winners. Screenshot by Dennis O'Reilly.]

Such dramatic results should be easy to corroborate, but a search for similar results from other sources came up empty. Every other browser comparison I could find rated Firefox, Chrome, and (usually) Opera above IE in terms of security. Keep in mind that the two kinds of comparison measure different things: the NSS test scores how often a browser's reputation filter blocks a malicious download the user has already been tricked into starting, whereas vulnerability counts measure flaws in the browser's own code that a drive-by download can exploit without any click at all. On that second measure, SecurityFocus lists 62 current vulnerabilities in IE 8, some dating back more than two years, and 17 in IE 9 (note that some of the vulnerabilities for each browser are listed as "retired").

By comparison, there are no vulnerabilities reported currently for Chrome 13, Firefox 6, Safari 5, or Opera 11. (A complete list of unpatched browser vulnerabilities is in the Vulnerabilities section of Wikipedia's browser-comparison page.)

Google researchers track the evolution of Web-borne threats
Malware purveyors are attempting to take advantage of users' propensity to click first and think second. A Google Technical Report released last month entitled Trends in Circumventing Web-Malware Detection found that the number of malware sites using social-engineering techniques increased from one in January 2007 to 4,230 in September 2010.

Still, this number represented only 2 percent of all malware-distribution sites. Drive-by downloads remain the primary delivery mechanism for Web-borne malware, according to the researchers, although they note that attacks using social engineering will continue to increase. The researchers recommend a "multi-pronged approach" that also addresses two other growing malware techniques: JavaScript obfuscation and IP cloaking.

For more information on social engineering, see Elinor Mills' Q&A with Chris Hadnagy of security firm Offensive Security in Elinor's InSecurity Complex blog.

A plea for tighter security baked into future browsers
The European Network and Information Security Agency (Enisa) is calling for improvements in the security features of next-generation browsers. In a report released late last month, Enisa identifies 51 "issues and potential threats" in such upcoming Web technologies as HTML 5, cross-origin resource sharing (CORS), Web storage, and geo-location and media APIs.

The W3C's current target date for an HTML 5 Recommendation is 2014, although aspects of the standard will be ready to implement before that date. That's a long time to wait for improved browser security. The good news is that the current versions of all the popular browsers are much safer than their predecessors. The bad news is that they need to be made even safer continually.

Whichever browser you prefer, ensure that you're using the most recent version. Google Chrome updates automatically, IE gets its patches as part of Windows updates, and Safari is kept current via Apple Software Update. To set Firefox to update automatically, click Tools > Options > Advanced > Update (Windows) or the Firefox menu > Preferences > Advanced > Update (Mac) and make sure "Automatically download and install the update" is selected.

[Screenshot: Make sure Firefox is set to update automatically by selecting this option in the browser's Advanced > Update settings. Screenshot by Dennis O'Reilly.]

You can also have Firefox warn you if an update will cause one of your add-ons to stop working. Other options let you set the browser to update your add-ons and "search engines" automatically. For a comparison of three free services that offer to keep all your software up-to-date, see my post from last May, "Free scanners spot outdated, insecure software."
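The checkboxes described above are stored in the profile's prefs.js file, which makes the setting easy to audit across many machines without clicking through the dialog. The script below is an added example, not part of the original article or of Mozilla's own tooling: it parses the `user_pref("name", value);` lines of a constructed prefs.js sample and reports any update preference that has been switched off. The preference names (`app.update.enabled`, `app.update.auto`, `extensions.update.enabled`, `browser.search.update`) are assumed to be the ones backing the Firefox 4-6 dialog, and a preference missing from the file is assumed to take Firefox's built-in default of true.

```python
import re

# Constructed sample prefs.js (assumption: one user_pref("name", value); per
# line, which is the format Firefox writes). Two settings are deliberately off.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("app.update.auto", false);
user_pref("app.update.enabled", true);
user_pref("extensions.update.enabled", true);
user_pref("browser.search.update", false);
user_pref("app.update.lastUpdateTime.background-update-timer", 1314000000);
user_pref("browser.startup.homepage", "about:home");
'''

# Matches: user_pref("pref.name", <value>);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref line in a prefs.js body.

    Booleans become bool, bare integers become int, quoted values become str;
    comments and anything else are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


# Preferences behind the update checkboxes, with the value each should have.
# Assumption: these names apply to the Firefox 4-6 era; a pref absent from
# prefs.js takes the browser default, which for all four is true.
REQUIRED = {
    "app.update.enabled": True,         # check for Firefox updates at all
    "app.update.auto": True,            # "Automatically download and install the update"
    "extensions.update.enabled": True,  # update add-ons automatically
    "browser.search.update": True,      # update search engines automatically
}


def audit_update_prefs(prefs):
    """Return [(pref, expected, actual)] for every setting that weakens updating."""
    findings = []
    for name, expected in REQUIRED.items():
        actual = prefs.get(name, expected)  # missing -> default -> compliant
        if actual != expected:
            findings.append((name, expected, actual))
    return findings


def audit_prefs_js(text):
    """Convenience wrapper: parse a prefs.js body and audit it in one call."""
    return audit_update_prefs(parse_prefs(text))


if __name__ == "__main__":
    for name, expected, actual in audit_prefs_js(SAMPLE_PREFS_JS):
        print(f"{name}: expected {expected}, found {actual}")
```

Point the script at the real file (on Windows it lives under the user's `Mozilla\Firefox\Profiles\<profile>` folder; on Mac under `~/Library/Application Support/Firefox/Profiles/`) and an empty result means every update option is still on. Note that Firefox rewrites prefs.js on exit, so read it while the browser is closed to avoid a half-written file.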