Researchers have analyzed Google Chrome, Microsoft Edge, and Internet Explorer, and found Chrome to be the most resilient against attacks.
“Modern web browsers such as Chrome or Edge improved security in recent years. Exploitation of vulnerabilities is certainly more complex today and requires a higher skill than in the past. However, the attack surface of modern web browsers is increasing due to new technologies and the increasing complexity of web browsers themselves,” noted Markus Vervier, Managing Director of German IT security outfit X41 D-Sec (and one of the researchers involved in the analysis).
The researchers’ aim was to determine which browser provides the highest level of security in common enterprise usage scenarios.
Since all non-trivial software has bugs and security vulnerabilities, X41 believes the security barriers that prevent hackers from taking advantage of these vulnerabilities are most important. The researchers assessed these barriers, and concluded that:
- Chrome is the most resilient against attacks due to a tight lockdown of components, separation of duties, and greater identifiable vendor efforts for automated vulnerability discovery.
- The security level of Internet Explorer is decreased due to a weakened sandbox (Protected Mode).
- Microsoft Edge is more hardened against exploitation than Internet Explorer due to the stronger sandboxing and the absence of dangerous legacy technologies.
- Chrome supports more modern web technologies, such as WebAssembly and HTML5 features, that might increase attack surface.
- Reaching dangerous legacy functionality from Microsoft Edge is easier than in Chrome. For example, a fallback to Internet Explorer is suggested by the Edge UI on certain websites by default.
The researchers analyzed the browsers’ enterprise features, sandboxes, implementations of process isolation, hardening features and exploit mitigation techniques, how they protect against client-side attack vectors and attacks using hardware defects, the security aspects related to usability, cryptography support, and more. They released the results of their analysis in an extensive whitepaper.
Researchers and funding
“The senior security experts of X41 have the necessary experience and track record to analyze complex applications such as modern web browsers,” the company noted.
The team consisted of:
- X41 D-Sec CEO and offensive IT security expert Markus Vervier
- Security consultant Michele Orrù (who, among other things, is also the lead core developer of the Browser Exploitation Framework Project, aka BeEF)
- Penetration testing and source code auditing expert Eric Sesterhenn, and
- Berend-Jan Wever, a security researcher at X41 D-Sec and former member of the Google Chrome Security Team, as well as of the Microsoft Secure Windows Initiative Attack Team.
Finally, the company made sure to note that while Google sponsored the “time resources” required for X41 to conduct this research, the agreement was that Google would not interfere with X41’s testing methodology or control the content of the paper.
“We are aware that we could unconsciously be biased to produce results favorable to our sponsor, and have attempted to eliminate this by being as transparent as possible about our decision-making processes and testing methodologies,” they added.
But even if you end up not agreeing with the researchers’ conclusions, the paper provides a great technical overview of the three browsers. It’s too bad that other popular browsers (Firefox, Safari, Opera) weren’t included in the assessment.