Iron vs Firefox vs IE: Security

How do the three browsers compare in terms of security?

 

Do you have any idea what you've started? Lol. I know this topic won't end up staying this simple, but really a browser is as secure as you make it. IE has shortcomings that can be made up by tweaking the Internet/Restricted Zones, Iron has its sandbox, Firefox has numerous extensions to cover various security issues. The big browser issues are allowing PDF files and such to automatically open and run inside the browser, which is easily taken care of by disabling such functions.

 

Related threads:
Most secure browser
Best Browsers for Security, Privacy, & Malware Prevention : Comparisons

 

the one you run in sandboxie

 

I'm going to have to agree with culla on this one, though I'll elaborate a bit.

I don't think any browser is more or less secure than any other, but that it's all dependent upon how you configure that browser. I'd argue that any of the big name browsers will be very vulnerable to attack if you leave javascript, java, or flash always on by default. Taking steps to secure the browser by limiting / whitelisting those features can bring a very high degree of protection to any browser.

And running the browser in a sandbox / VM is even better!

 

IE9! (maybe)

 

I don't give this topic much of my time usually, because most often it comes down to each systems settings.

But, if you were to look at mechanisms that exist outside of user settings, IE might be considered because of how it is 'protected' now with different schemes. Chrome might also be considered because of how it works.

I should imagine that any testable exploit could be evaded by someone using any browser, so in some respects, they all could be considered.

Sul.

 

Chrome by far. I don't want to sound cocky but since I understand how Chrome is designed it is way safer than any other browser except Lynx

Chrome's excellence in a nut shell
First it compiles JavaScript into machine code and generates hidden classes for fast access and security. Other webbrowsers use libraries in which malware can try to access classes used by other processes in the library by illegal addressing. In Chrome Javascript running in a tab can only see and access object classes assigned. Illegal addressing result in a forced die of rendering process.

Secondly it sandboxes the tabs in total isolation by Using the CreateRestrictedtoken API and AdjustTokenPrivileges to lock down the token the rendering process is running with. Next it creates a Job object to place more limitations on that rendering process (e.g. no access to user handles in outside its own job, prevent desktop switching, prevent shutdown, die on unhandled exception, etc.). Then it runs the rendering process on a separate desktop to prevent for instance window message abuse. ==> total isolation

Comparison
Chrome (I prefer Iron)
First instance runs medium right, all tabs run with low rights, due to the above measures they have accomplished that one low right process can infect another low rights process. Javascript can not access data/objects because Chrome does not use libraries but hidden objects.

IE8
IE runs Medium rights with most of the rendering running in low rights. IE8 with UAC protecs higher rights objects from lower rights. Low rights objects can still infect each other (side by side intrusion). Uses libraries, so more prone to manipulation of memory exceptions. On the other IE8 can be locked down completely with group policy (threats and countermeasures guideline of Microsoft).

Firefox runs with medium rights
There are ways to run FF with low rights. SInce 3.6 a lot of security enhancements are made to FF. Due to its open character there are extentions available which reduce javascript based attacks.

On the other side
When you run any browser with DefenseWall or Sandboxie the security of the browser itself becomes a non-issue

 

What about Firefox/IE in GesWall freeware default set-up? Kinda sandboxed also right?

Well, Iron can't function well in GesWall(last tme I tried it...)but Chrome does function good in GesWall.

 

I use Opera for me is the safest browser, combining it with Prevx SafeOnline spends a lot of security. It's a pity he did not have the WOT extension, but the Prevx help end this deficiency.

 

Yep, same idea

 

Could you elaborate on that? Can a similar thing not be done to FF?

 

UGH ! Not yet another browser fracas ?

These threads make very interesting reading, but they all end up with no result. Except perhaps a free-for-all, no holds barred bun fight.

Don`t get me wrong, I mean what I said. Posts from experienced users are far better than any other references. Unfortunately, Browser`s are akin to religion with many people and a word in the wrong place, means the feathers fly thick and fast.

Oh before I go, the thread is a waste of time anyway - Firefox beats the lot by light years !

John B

 

I'll drink to that!

 

Windows 7?
An admin user account with UAC enabled?

Set the third-party browsers integrity level to LOW with icacls.exe and you've just helped to level the default IE8 playing field.

 

Yep, but none of them match Chrome's approach of total isolation.

 

But doesn't it just sandbox its processes? From the things I keep reading, it's not that much more different than what Firefox does now with plugins. I'm not seeing where it has, say, a "Sandboxie-like" ability. If what I'm reading is correct (and it may very well be false), then it's mostly crash protection, and isn't doing a lot more than eating up resources with separate processes.

 

Process separation and sandboxing are two different things. Firefox does the former, without the latter.

 

Okay, so Chrome actually "sandboxes" then, meaning keeping malware isolated?

 

Totally unrelated to my post.

 

Yes, on Windows Vista/7 it uses pretty much the same technique as IE in protected mode (Integrity Levels). If you look at Chrome in "process explorer" you will see that Chrome runs at a low integrity level by default while Firefox does not.

On versions prior to Vista, the sandbox still works but in a slightly different way. The nice thing about it is that it doesn't need the kernel or system calls to function -- the sandbox works totally in userspace and completely stops potential browser flaws from allowing the installation of malware. It even prohibits such vulns from reading or writing to the disk at all.

From the Sandbox FAQ: