Feeds

Microsoft flags Firefox and Chrome for security failings

Guess what it says about IE 9

SANS - Survey on application security programs

Microsoft has unveiled a website aimed at raising awareness of browser security by comparing the ability of Internet Explorer, Mozilla Firefox, and Google Chrome to withstand attacks from malware, phishing, and other types of threats.

Your Browser Matters gives the latest versions of Firefox and Chrome a paltry 2 and 2.5 points respectively out of a possible score of 4. Visit the site using the IE 9, however, and the browser gets a perfect score. IE 7 gets only 1 point, and IE 6 receives no points at all. The site refused to rate Apple's Safari browser in tests run by The Register.

The page is designed to educate users about the importance of choosing an up-to-date browser that offers industry-standard features. The ability to automatically warn users when they're about to download a malicious file, to contain web content in a security sandbox that has no access to sensitive parts of the computer's operating system, and to automatically install updates are just three of the criteria.

Microsoft's Your Browser Matters gives Firefox 7 running on a Mac 2 out of a possible 4 points

screenshot of internet explorer score

The site gives Internet Explorer 9 a perfect score of 4

The site dings Firefox for a variety of omissions, including its inability to restrict an extension or a plug-in on a per-site basis, its failure to use Windows Protected Mode or a similar mechanism such to prevent the browser from modifying parts of the system it doesn’t have access to, and its lack of a built-in feature to filter out malicious XSS, or cross-site scripting, code. Among other things, Chrome lost points for not using Windows features that protect against structured exception-handling overwrite attacks.

Reg readers still stuck in the rut of critiquing Microsoft security based on products released a decade ago are likely to be unimpressed. The reality is that over the past few years, Redmond has endowed Windows and IE with measures such as ASLR, or address space layout randomization, and DEP, or data execution prevention, that significantly reduce the damage attackers can do when they exploit buffer overflows and other bugs that are inevitable in any large base of code. Apple didn't pull ahead of Microsoft on this score until earlier this year with the release of its Mac OS X Lion.

It didn't take long for Mozilla developers to take issue with the critique.

"Microsoft's site is more notable for the things it fails to include: security technologies like HSTS, privacy tools like Do Not Track, and vendor response time when vulnerabilities are discovered," Johnathan Nightingale, Mozilla's director of Firefox engineering, said in a statement. He said: "Mozilla is fiercely proud of our long track record of leadership on security.

Partners throwing their endorsement behind the new Microsoft page include the Anti-Phishing Working Group, the Online Trust Alliance, and the Identity Theft Counsel. ®

This article was updated to add comment from Mozilla.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.