• The Big Four Browsers

The Buzz

Security Metrics

Recommendations

Security Tips

• Patches and Updates Roundup

The Big Four Browsers

[Editor's Note: This month we look at the buzz and some measurable security merits of the Big Four browsers: Internet Explorer, Firefox, Chrome, and Safari. Browser Wars are a competition for market share. (1) The fighting is about speed, add-ons, graphics, and the user interface. Every now and then a pronouncement about security gets tacked on to the discussion, as an  afterthought: "It's better, and safer, too." Despite its second billing, your browser is the most likely pathway through which malware will attempt to enter your computer. It's important to use the latest version, keep it patched, and be judicious about the websites you visit.]

Internet Explorer

IE has the distinction of being the most patched browser in history. It's a dubious one perhaps, but any software application that's been around for 15 years and is still in daily use on 60% of all computers worldwide can't be all bad. (1)  IE has many reputations ranging from the stolid "enterprise browser," to a stodgy hodgepodge of stale graphics and ho-hum functionality, to a typical Microsoft product
riddled with security holes and bugs. Is IE's security "inherently flawed?" That's debatable. Certainly arguments about the security of IE's ActiveX vs. the-rest-of-the-world's Java have simmered-and
occasionally flared up-for the last 13 years. But there's no debate that, thanks to IE's huge market share and unequaled longevity, IE users are the biggest target for malware and the Bad Guys.

Firefox

Mozilla products hold a special place in the hearts and minds of users who got to know email using Eudora and the Web using Mosaic or Netscape. For some, Firefox, Netscape's successor, is the  non-profit, open-source, cross-platform, righteous opponent of Microsoft's corporate, monopolistic, propriety, Windows-only Internet Explorer. When Microsoft abandoned Internet Explorer for Macintosh in 2003, Mac users were disenfranchised in one fell swoop; Firefox 1.1 and Safari came to their rescue. More urban legends surround Firefox than any other browser; there's a whole website dedicated to debunking Firefox "myths" (2). Firefox's market share grew rapidly in 2009-10 as it became the "other browser" of choice among Windows users (3).

Chrome

Chrome entered the browser competition in late 2008, ushered in by Google's trademark air of confidence and uniqueness, like a third party presidential candidate touching down in a traditionally Blue-Red state. Originally a Windows-only product, Google adopted an open-source strategy that made it possible (and legal) to incorporate components of Firefox and Safari into a stable Mac version which was released in May 2010. Chrome's market share, flat for the preceding eight months, began an upward trend at the same time that the Mac version was released (3). If Firefox is the "other browser," Chrome is the "other other browser," set apart by its spare, uncluttered user interface, and the promise of a different kind of user experience. Chrome's superior security has been touted, but owing to its newness and relatively small market share, Chrome has not participated in the trench warfare of the Web yet on the same scale as the veteran IE and Firefox.

Safari

Safari is the only browser that began as a Mac-only product (in 2003). Today Safari is included in every version of OS X. The Windows version was not released until mid-June 2007 and has never been included in any version of Windows. Safari for Windows' market share remains at less than 1%, making it the least popular of the browsers mentioned here. This may explain why Apple's security support for Safari for Windows has been so dismal. Safari 5.0 for Mac, on the other hand, is the most familiar and popular browser among Mac users. As with Internet Explorer and Windows, Firefox is the "other browser" among OS X users. Apple security support for Safari has improved since the release of Mac version 5.

Security Metrics

According to Symantec's April 2010 Internet Security Report (4), in 2009 IE garnered 45 reported security flaws, on par with the 41 flaws reported for Chrome, considerably out in front of Safari and its 94 flaws, and way ahead of Firefox's 169 flaws. Contrasting stats are available from US-CERT's National Vulnerability Database (5) which for a recent three-month period tallies 17 reported vulnerabilities for IE, followed by Firefox with 20, Chrome with 40, and Safari with 51. The appearance or emergence of browser flaws and vulnerabilities is inevitable. From a practical standpoint, what matters as much, if not more, is how quickly they get patched; that is, how long what the Symantec Report calls a "window of vulnerability" remains open. For 2009, that was on average less than 1 day for IE and Firefox, 2 days for Chrome, and 13 days for Safari.

Recommendations

Kudos to Microsoft and Mozilla for responding quickly to vulnerabilities as they are discovered in Internet Explorer and Firefox, and for developing fast and effective ways to deliver patches to your  computer automatically. Their makers have demonstrated consistent concern for your security and have a proven record of standing behind their products.

Browser Security Tips

• The security of any browser can be undermined if you tinker with or turn off its security features, or browse the Web indiscriminately.
• Keep your browser version up-to-date. New versions are free for the downloading. (6)
• Security patches and updates are no substitute for installing and maintaining good-quality anti-virus or a multi-component security suite on your computer.
• Keep your software firewall turned on.
• If you are not sure about your firewall, or think your browser is acting funny, take a cautious approach and have it checked out promptly by IT at the office or by your computer consultant.

Notes

(1) Netmarket Share
(2) Comcast
(3) Netmarket Share
(4) Symantec
(5) National Vulnerability Database
(6) IE, Firefox, Chrome, Safari

Operating Systems & Applications

Security Suites