MOUNTAIN VIEW, Calif. — A new study suggests that Chrome’s sandboxing and plug-in security features make it more secure than rival browsers Firefox and Internet Explorer.
The study was conducted by security vendor Accuvant Labs and funded by Google. However, the firm said that it reached its conclusions in the study “based on our independent data collections” and that Google gave the researchers “a clear directive to provide readers an objective understanding of relative browser security.”
Accuvant concluded its research in July and looked only at Chrome, IE and Firefox. The firm tested the browsers only on Windows 7, so the report excludes newer versions of Chrome and Firefox, ArsTechnica.com reported.
"We believe an analysis of anti-exploitation techniques is the most effective way to compare security between browser vendors," the report states. "This requires a greater depth of technical expertise than statistical analysis of CVEs, but it provides a more accurate window into the vulnerabilities of each browser."
The conclusions show that Google's sandboxing and plug-in security exceed those of Internet Explorer, and that Google at least matches Firefox and IE in other types of security.
"The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected," Accuvant reported.
"Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening."
The paper said that while both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner.
"Therefore, we believe Google Chrome is the browser that is most secured against attack," the report said.
The Accuvant report also said Chrome's sandboxing "uses a medium integrity broker process that manages the UI, creates low integrity processes and further restricts capabilities by using a limited token for a more comprehensive sandbox than the standard Windows low integrity mechanism. The extensive use of sandboxing limits both the available attack surface and potential severity of exploitation."
Accuvant said that Firefox has no sandboxing and that "a compromised browser or plug-in process would not require privilege escalation to persist beyond the browser process."