Chrome Continues To Be The Most Secure Browser, Confirms New Research

Over the past few years, Pwn2Own browser hacking competitions have shown that Chrome has remained the least exploited and therefore most secure of all the major browsers. German security firm X41 D-Sec confirmed this once again by testing various attacks against Chrome, Edge, and Internet Explorer.

One thing to note, though, is that Google paid for the time the researchers spent on the testing. However, the researchers said in their published paper that because they knew this would look like their research is biased, they chose their research criteria carefully to make the testing methodology as fair as possible for all the browsers involved.

Sandboxing Techniques

As browsers have become more complex by adding more and more features and support for new HTML specifications, the surface attack has grown to match that. However, the good news is that browser makers have also increased their focus on security over the past few years.

Both Chrome and Edge have particularly focused on sandboxing various components of the browser and adopting modern exploit mitigation techniques to become more resilient against attacks.

However, these features are not all equal to each other, and X41 found that Chrome enforces its security restrictions better than Edge. Chrome also has a higher level of compartmentalization. As the Qubes OS has shown us, that tends to be the most effective way to stop attacks.

Edge’s biggest weakness seems to be Microsoft’s continuing reliance on Internet Explorer as a legacy browser. Edge keeps a list of websites, that when accessed, the user is encouraged to switch to Internet Explorer, thus bypassing any modern protections the Edge browser might have compared to Internet Explorer.

One way for malicious actors to bypass Edge’s protections and then take over the system is to infect one of those websites with their malware and then deliver their payloads through Internet Explorer. X41 proved this by purchasing one of the expired domains that continues to appear in Edge’s legacy website list, and then downgrading the target’s browser from Edge to Internet Explorer.

X41 also found that although the AppContainer sandboxing technology used by Edge could provide good isolation, Microsoft has given these AppContainers partial access to resources such as the network, file system, and Windows registry. In contrast, Chrome uses a different set of techniques to completely isolate untrusted content from accessing those same resources.

According to the researchers, Microsoft employs the most operating system and compile-time security features to sandbox content processes against exploitation, but they still feel that Microsoft has given content processes too many capabilities, as well.

The X41 researchers also noted that more important than the number of sandboxing features is how those features are used to isolate websites and other types of content such as settings and extensions. Chrome’s isolation is more complete than Edge’s own isolation, but the researchers still found a loophole in one of Chrome’s experimental sandboxing features.

The researchers also warned that Chrome’s adoption of novel HTML features such as Service Workers, WebUSB, and Web Bluetooth could expose Chrome to new types of attacks, too. One Chrome security engineer warned about the same dangers not too long ago.

Protection Against Phishing

The X41 security researchers believe that phishing is an important attack vector, so they tested all three browsers against this type of attack. They discovered that Edge and Internet Explorer are the most vulnerable of the three against phishing, due mainly to their support for legacy functionality. However, they also found that an attacker could almost completely take over the Chrome browser via a malicious extension. The X41 D-Sec group was able to bypass Chrome Web Store’s security checks to do just that.

The researchers also discovered that Google’s Safe Browsing service is more accurate than Microsoft’s SmartScreen, but they noted that it's unlikely either of them would help against targeted spearphishing attacks.

The security firm’s results also showed that Google’s engineers are faster to fix reported bugs, and they also deliver unscheduled patches to Chrome to fix dangerous bugs faster, while Microsoft will usually wait for the monthly patch bundle to deploy its browser patches.

In summary, X41’s research showed that although Edge also seems to keep up with modern security features, its security is significantly compromised because of its fallback to the legacy Internet Explorer browser. In comparison to Edge, Chrome also employs stricter security defaults and has a higher level of compartmentalization, thus allowing it to evade more attacks.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Myrmidonas
    Chrome Continues To Be The Most Secure Browser, but its weakness is its extensions. We recently learned that cryptocurency mining is executed through an extension and other similar vulnerabilities have seen the light. Who knows what else is going to happen.
    Reply
  • jacksmith21006
    Edge was hacked at will at Pawned 2017. Penentrate over and over again and should be avoided. Chrome unhackable in the time allotted.
    Reply
  • shrapnel_indie
    In a Google backed event, Google Chrome still proves to be the most secure because it is the least exploited. Correlation <> Causation. ESPECIALLY when the "best" is a product of the one paying the bills.

    I'm not saying that Chrome isn't the most secure, but such info as who's paying for the testing or whatever, can signal massaging of data, or less than full effort to fail or pass a product. (Sometimes with intentional passes or fails, regardless of data.)
    Reply
  • dextermat
    I repair computers for a living and maybe in a controlled environment chrome is more secure, but it is the worse at pick up random junk and pup. Every time a computer is slow, 80% of the time it is chrome related (fake chrome browser, PUP addons, secret add on search and toolbar, infected registry keys.) The fact that flash is embedded in the browser and that it is compromised every few days is a malware magnet.
    Reply