Over the past few years, Pwn2Own browser hacking competitions have shown that Chrome has remained the least exploited and therefore most secure of all the major browsers. German security firm X41 D-Sec confirmed this once again by testing various attacks against Chrome, Edge, and Internet Explorer.
One thing to note, though, is that Google paid for the time the researchers spent on the testing. However, the researchers said in their published paper that because they knew this could make their research look biased, they chose their research criteria carefully to make the testing methodology as fair as possible for all the browsers involved.
As browsers have become more complex by adding more and more features and support for new HTML specifications, the attack surface has grown to match. However, the good news is that browser makers have also increased their focus on security over the past few years.
Both Chrome and Edge have particularly focused on sandboxing various components of the browser and adopting modern exploit mitigation techniques to become more resilient against attacks.
However, these features are not all equal to each other, and X41 found that Chrome enforces its security restrictions better than Edge. Chrome also has a higher level of compartmentalization. As Qubes OS has shown us, that tends to be the most effective way to stop attacks.
Edge’s biggest weakness seems to be Microsoft’s continuing reliance on Internet Explorer as a legacy browser. Edge keeps a list of websites for which, when one of them is accessed, the user is encouraged to switch to Internet Explorer, thus bypassing any modern protections the Edge browser might have compared to Internet Explorer.
One way for malicious actors to bypass Edge’s protections and then take over the system is to infect one of those websites with their malware and then deliver their payloads through Internet Explorer. X41 proved this by purchasing one of the expired domains that continues to appear in Edge’s legacy website list, and then downgrading the target’s browser from Edge to Internet Explorer.
X41 also found that although the AppContainer sandboxing technology used by Edge could provide good isolation, Microsoft has given these AppContainers partial access to resources such as the network, file system, and Windows registry. In contrast, Chrome uses a different set of techniques to completely isolate untrusted content from accessing those same resources.
According to the researchers, Microsoft employs the most operating system and compile-time security features to sandbox content processes against exploitation, but they still feel that Microsoft has given content processes too many capabilities, as well.
The X41 researchers also noted that more important than the number of sandboxing features is how those features are used to isolate websites and other types of content such as settings and extensions. Chrome’s isolation is more complete than Edge’s own isolation, but the researchers still found a loophole in one of Chrome’s experimental sandboxing features.
The researchers also warned that Chrome’s adoption of novel HTML features such as Service Workers, WebUSB, and Web Bluetooth could expose Chrome to new types of attacks, too. One Chrome security engineer warned about the same dangers not too long ago.
Protection Against Phishing
The X41 security researchers believe that phishing is an important attack vector, so they tested all three browsers against this type of attack. They discovered that Edge and Internet Explorer are the most vulnerable of the three against phishing, due mainly to their support for legacy functionality. However, they also found that an attacker could almost completely take over the Chrome browser via a malicious extension. The X41 D-Sec group was able to bypass Chrome Web Store’s security checks to do just that.
The researchers also discovered that Google’s Safe Browsing service is more accurate than Microsoft’s SmartScreen, but they noted that it's unlikely either of them would help against targeted spearphishing attacks.
The security firm’s results also showed that Google’s engineers are faster to fix reported bugs, and they also deliver unscheduled patches to Chrome to fix dangerous bugs faster, while Microsoft will usually wait for the monthly patch bundle to deploy its browser patches.
In summary, X41’s research showed that although Edge also seems to keep up with modern security features, its security is significantly compromised because of its fallback to the legacy Internet Explorer browser. In comparison to Edge, Chrome also employs stricter security defaults and has a higher level of compartmentalization, thus allowing it to withstand more attacks.