Feeds

Microsoft flags Firefox and Chrome for security failings

Guess what it says about IE 9

Combat fraud and increase customer satisfaction

Microsoft has unveiled a website aimed at raising awareness of browser security by comparing the ability of Internet Explorer, Mozilla Firefox, and Google Chrome to withstand attacks from malware, phishing, and other types of threats.

Your Browser Matters gives the latest versions of Firefox and Chrome a paltry 2 and 2.5 points respectively out of a possible score of 4. Visit the site using the IE 9, however, and the browser gets a perfect score. IE 7 gets only 1 point, and IE 6 receives no points at all. The site refused to rate Apple's Safari browser in tests run by The Register.

The page is designed to educate users about the importance of choosing an up-to-date browser that offers industry-standard features. The ability to automatically warn users when they're about to download a malicious file, to contain web content in a security sandbox that has no access to sensitive parts of the computer's operating system, and to automatically install updates are just three of the criteria.

Microsoft's Your Browser Matters gives Firefox 7 running on a Mac 2 out of a possible 4 points

screenshot of internet explorer score

The site gives Internet Explorer 9 a perfect score of 4

The site dings Firefox for a variety of omissions, including its inability to restrict an extension or a plug-in on a per-site basis, its failure to use Windows Protected Mode or a similar mechanism such to prevent the browser from modifying parts of the system it doesn’t have access to, and its lack of a built-in feature to filter out malicious XSS, or cross-site scripting, code. Among other things, Chrome lost points for not using Windows features that protect against structured exception-handling overwrite attacks.

Reg readers still stuck in the rut of critiquing Microsoft security based on products released a decade ago are likely to be unimpressed. The reality is that over the past few years, Redmond has endowed Windows and IE with measures such as ASLR, or address space layout randomization, and DEP, or data execution prevention, that significantly reduce the damage attackers can do when they exploit buffer overflows and other bugs that are inevitable in any large base of code. Apple didn't pull ahead of Microsoft on this score until earlier this year with the release of its Mac OS X Lion.

It didn't take long for Mozilla developers to take issue with the critique.

"Microsoft's site is more notable for the things it fails to include: security technologies like HSTS, privacy tools like Do Not Track, and vendor response time when vulnerabilities are discovered," Johnathan Nightingale, Mozilla's director of Firefox engineering, said in a statement. He said: "Mozilla is fiercely proud of our long track record of leadership on security.

Partners throwing their endorsement behind the new Microsoft page include the Anti-Phishing Working Group, the Online Trust Alliance, and the Identity Theft Counsel. ®

This article was updated to add comment from Mozilla.

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.