Browser Security Comparison – A Quantitative Approach
Version 0.0, Revision Date: 12/6/2011

Document Profile
  Version: 0.0
  Published: 12/6/2011

Revision History
  Version 0.0, 12/26/2011: Document published.

Contents
  Authors
  Executive Summary
    Methodology Delta
    Results
    Conclusion
  Introduction
    Analysis Targets
    Analysis Environment
    Analysis Goals
  Browser Architecture
    Google Chrome
    Internet Explorer
    Mozilla Firefox
    Summary
    Browser Comparison
  Historical Vulnerability Statistics
    Browser Comparison
    Issues with Counting Vulnerabilities
    Issues Surrounding Timeline Data
    Issues Surrounding Severity
    Issues Unique to Particular Vendors
    Data Gathering Methodology
    Update Frequencies
    Publicly Known Vulnerabilities
    Vulnerabilities by Severity
    Time to Patch
  URL Blacklist Services
    Comparing Blacklists
    “Antivirus-via-HTTP”
    Multi-Browser Defense
    Comparing Blacklist Services
    Comparison Methodology
    Results Analysis
    Conclusions
  Anti-exploitation Technologies
    Address Space Layout Randomization (ASLR)
    Data Execution Prevention (DEP)
    Stack Cookies (/GS)
    SafeSEH/SEHOP
    Sandboxing
    JIT Hardening
  Browser Anti-Exploitation Analysis
    Browser Comparison
    Google Chrome
    Microsoft Internet Explorer
    Mozilla Firefox
  Browser Add-Ons
    Browser Comparison
    Google Chrome
    Internet Explorer
    Firefox
    Add-on summary
  Conclusions
  Bibliography
  Appendix A – Chrome Frame
    Overview
    Decomposition
    Security Implications
    Risk Mitigation Strategies
    Conclusion
    Bibliography

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 140
