Accuvant, a security services and software firm based in Denver, has published an exhaustive study funded by Google that compares the security features in the three most popular browsers.
Other than previous studies by the firm, which often focused on quantitative comparisons such as the number of vulnerabilities affecting a browser, Accuvant took a different approach and investigated the "anti-exploitation" features included in a browser. The result? Chrome is the most secure browser, followed by IE and then Firefox. Also noteworthy is the conclusion that frequently praised URL blacklisting isn't working effectively.
According to the study, which stretches itself over more than 100 pages, with 25 pages of explanation why traditional methods of security evaluations of browser may not be useful, Chrome wins because of its most comprehensive support of address space layout randomization (ASLR), data execution prevention (DEP), stack cookies, sandboxing, and JIT hardening. Chrome largely wins the comparison because of its sandboxing features, which are only partially in IE and Firefox. IE has the best implementation of JIT hardening, followed closely by Chrome. Firefox lacked all tested JIT hardening features.
While Accuvant did not compare the browsers' security based on the number of vulnerabilities, the researchers said that, during the timeframe of the study, Mozilla patched 449 vulnerabilities, Google 321 and Microsoft 168. Microsoft requires, on average, 214 days to patch a vulnerability, Mozilla 158 and Google 53. Accuvant stated that it would be speculation to draw any security conclusions from those numbers.
However, the company spent quite some time on evaluating URL blacklisting services, which is called Smartscreen Filter in IE, Safe Browsing List in Chrome. Between July 23, 2011 through July 30, 2011, Accuvant tested the browsers against an average of 5960 URLs containing malware per day and concluded, "no URL blacklisting service is fully comprehensive, and that any antipattern-based defensive measure is, by definition, imperfect." As a result, the firm advices that "blacklisting services should be considered a part of the overall browser defense model, rather than the only perimeter an attacker must traverse."
This result contradicts a previous survey by NSS Labs, which found that IE's Smartscreen Filter helps to capture nearly all socially engineered malware attacks. Accuvant found that "neither Google’s Safe Browsing service nor Microsoft’s URS appears to provide a fully comprehensive snapshot of all malware in the wild at any given point in time."