JayK
November 22nd, 2003, 10:45 AM
by IGAU
-----------------------------------------------------------
--Browser Security Comparison------------------------------
-----------------------------------------------------------
This is a simple document, showing the results I obtained
from testing some browsers on a Win98 system for known
vulnerabilities. In Win2000 or WinXP, there may be more
potential security risks in addition to the ones I have
tested.
Browsers tested:
Microsoft Internet Explorer 5.5 (Win32)
Microsoft Internet Explorer 6 (Win32)
Mozilla Firebird 0.6.1 (Win32)
--Browsers:------------------------------------------------
                            IE5.5       IE6     FB0.6.1
--Good Things:---------------------------------------------
Reveals Browser Agent:      YES         YES     YES
Reveals OS:                 YES         YES     YES
Reveals Time/Date:          YES         YES     YES
Secure Browsing:            YES         YES     YES
Strong Encryption:          YES         YES     YES
Supports Certificates:      YES         YES     YES
--Bad Things:----------------------------------------------
Allows Popups:              YES         YES     ASKS
Accepts Initial Cookies:    YES         YES     ASKS
Accepts More Cookies:       YES         YES     ASKS
Modifies Cookies:           YES         YES     ASKS
Can expose clipboard:       NO          YES     NO
Reveals History:            YES         YES     NO
Exposes Cookies:            NO          NO      NO
Program Execution:          NO          NO      NO
File Execution:             VULNERABLE  NO      NO
Spoofing Hack:              NO          NO      NO
Security Zone Spoofing:     NO          NO      N/A
Hard Drive Access:          VULNERABLE  NO      NO
Scanit Potential Threats:   10/30       0/30    0/30
--Notes:---------------------------------------------------
1) All browsers were patched to the max possible (IE5/6 via
WindowsUpdate; at the time of writing Mozilla Firebird does
not get patched, it is replaced with later versions).
2) No further patches are available for IE5, with 10
security holes remaining, 6 of which were classed as
"high risk", 3 "medium risk" and 1 "low risk".
3) Security Zones only apply to IE-based browsers.
4) Scanit tests showed 1 medium-risk vulnerability for
Mozilla Firebird 0.6.1, however this is an incorrect
reading due to it being an Internet Explorer bug. I have
verified this by testing the bug at another source using
Mozilla Firebird, and the browser was not vulnerable.
5) If you wish to verify these tests or repeat them for
yourself (you may have unpatched versions or other
browsers outside the scope of my testing abilities) you
can use the following URLs:
Qualys Browser Checkup: http://browsercheck.qualys.com/
Browser Security Test: http://bcheck.scanit.be/bcheck/
Verisign: http://verisign.netscape.com/advisor/check.html
6) For the Scanit Browser Security Test, I performed all
30 tests on all browsers. However, performing only the
IE5 tests showed that at least half of its known
vulnerabilities had not been addressed by Microsoft,
leaving it grossly insecure.
--Conclusion:----------------------------------------------
From a security point of view, you are better off using
Mozilla Firebird than IE5 or IE6. Mozilla Firebird contains
all the useful features of IE5/6, with added security,
improvements over IE's user interface and the ability to
customise the browser to your needs (specialist or basic).
Mozilla Firebird will also work on virtually every major
OS, and its core components can be used to develop
applications.
Lastly, Microsoft Internet Explorer will cease to be
supported as a standalone browser in the near future.
Microsoft have made it quite clear that their next version
of Internet Explorer will be a part of Windows Longhorn
and will not run on any other system. This means that
companies like AOL will be forced to develop their own
backend browser, or incorporate Mozilla's Gecko technology,
unless they intend to remain with their current IE backend
indefinitely.
Windows Longhorn, and thus the next release of Internet
Explorer, will not be released until 2007. That's three
years before a full update, at the very minimum. While
security holes may be plugged occasionally, we are still
three years from the next release of Internet Explorer,
and that means no real development while alternatives push
onwards.
Netscape is a declining browser, and many users are
leaving it for Mozilla or Mozilla Firebird, which are
further developed versions. Both IE and Netscape are going
to fade into obscurity within the next few years, where
neither is properly supported (or supported at all).
With MSIE on the Mac being dropped now, and Win32 MSIE
support being limited and eventually phased out, the only
real way to be sure that you're using an up to date and
secure browser is to make the move to Mozilla Firebird,
the Mozilla Suite, Opera or another major "alternative"
browser.
--Resource Links:------------------------------------------
Links to useful pages, or pages that prove without a
doubt that forcing users to use Internet Explorer is
forcing them to expose themselves to security risks.
Mozilla Foundation:
http://www.mozilla.org/
Mozilla Firebird:
http://www.mozilla.org/products/firebird/
Mozilla Firebird Help:
http://texturizer.net/firebird/
Why You Should Use Mozilla:
http://www.xulplanet.com/ndeakin/arts/reasons.html
Internet Explorer Considered Harmful:
http://ashitaka-san.home.comcast.net/yayrant/ieharmful.html
Internet Explorer Vulnerabilities:
http://afongen.com/blog/archives/000528.php
Clipboard Exploit:
http://www.arstdesign.com/articles/clipboardexploit.html
Qualys Browser Checkup:
http://browsercheck.qualys.com/
Browser Security Test:
http://bcheck.scanit.be/bcheck/
Verisign Security Test:
http://verisign.netscape.com/advisor/check.html