Do browsers riding on IE base improve security?

Discussion in 'other security issues & news' started by dionisiog, May 10, 2010.

Thread Status:
Not open for further replies.
  1. dionisiog

    dionisiog Registered Member

    Joined:
    Oct 30, 2003
    Posts:
    57
    Ok. By now I am a fairly avid Mozilla Firefox user. I rarely open Internet Explorer (to visit WIndows Update perhaps) and my only big beef against Mozilla is it's slow startup which seems to swallow all available resources. Oh well.

    I have always wondered if using any of those browsers which ride on the Internet Explorer architecture might actually improve the security of the basic browser.

    Does anyone know anything in regards to this question? If this might be true, say, how far might one go back with Internet Explorer (IE5, IE6, IE7 and still experience some security improvement using a browser clone add on?

    It's just a matter of curisoity. I think by now I'm pretty stuck on Mozilla.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Alas, no security advantage from using it within Mozilla. Quite the contrary as it opens any vulnerabilities in the other browser. IE8 in default setting is more secure browser over lesser IE versions and can be made as secure as any other browser
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By default IE7 and IE8 are far more secure than Firefox.

    For example, if you have Windows Vista or 7 and run with UAC on, then the browser will start with Protected Mode, which will force IE to run in a sort of sandboxing, which will restrict the interaction with the system, if memory serves me.

    It will also check sites with SmartScreen, and if I'm not wrong Windows Defender will also interact with IE.

    Firefox only got popular for two main reasons, IMHO:

    - Versions before IE7/IE8 weren't secure and people started moving to Firefox, which also made IE become more secure, for part of the attacks targeted at IE users went for the Firefox users. Funny how things work.

    - Extentions. I know a lot of people that say they use Firefox for the useful extensions.

    You could use IE with Spyware Blaster and Spybot - Search and Destroy to immunize it (Don't use TeaTimer) along side AVG LinkScanner.
     
  4. guest

    guest Guest

    Generally speaking, the more features you add to a software, the bigger gets the total attack surface.

    That said, these browsers you are talking about (at least the 2 most famous) don't rely on the complete "Internet Explorer" browser, making the first sentence somewhat inappropriate for their case.

    After all, these browsers aren't IE addons (like IE7Pro). They only use IE's layout engine, called Trident, adding completely new features and GUI from their own code.

    So, some security features from IE might not be present in these browsers, specially the new ones from version 8 (SmartScreen filter, Protected Mode and others).

    However...

    > Maxthon developers claim that Maxthon has a feature called "Maxthon Security Updates" that reduces the risk of certain unpatched Internet Explorer vulnerabilities while browsing. Source: http://www.maxthon.com/overview.htm

    > Avant Browser developers claim that Avant Browser is just as secure as IE. Source: http://www.avantbrowser.com/support.html#security

    > According to Secunia:
    Maxthon v2: http://secunia.com/advisories/product/14876/
    Avant Browser v11: http://secunia.com/advisories/product/14872/
    IE v8: http://secunia.com/advisories/product/21625/

    You may need to research more about these browsers, get details about what they are in fact using on their latest versions, what are all the security features they support right now (from IE and from their own code), before drawing conclusions.

    BTW: I'm a Firefox user.
     
    Last edited by a moderator: May 10, 2010
  5. ratwing

    ratwing Guest


    Thanks m00nbl00d.

    You mention IE with Vista or 7.
    Do you feel the security advantage of IE over Firefox extends to those of us still with some avatar of Windows XP?

    respect,Rat
     
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    What are those browsers? o_O :-*
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I truly can't tell you if, alone, in a limited user account in XP, IE7/IE8 provides great security, because I've never used Windows XP.

    But, I can tell you that using Windows XP with a LUA (limited user account), will by itself decrease the attack surface. IE7/IE8 makes use of SmartScreen, independently of being XP, Vista or 7, for example. It also applies DEP.

    If you tigten up IE settings a bit further and make use of the security applications I mentioned to immunize it and verify the sites real-time for active malicious content, then the attack surface will reduce further.

    To be honest, it depends a bit on the user himself/herself. The use of common sense is the start point to a more secure system.
     
  8. dionisiog

    dionisiog Registered Member

    Joined:
    Oct 30, 2003
    Posts:
    57
    :p This clearly shows me how much browsers have changed.

    I was so suprised by these responses that I took a quick trip to major geeks looking for a lot of independent browsers which used to be available on that website. I was familiar with many that had required various versions of Internet Explorer and in this regards I referred to IE as the 'base' browser engine utilized inside of these varying designs for browsers. Suddenly... many of them seem to have disappeared.
    Even more surprising was increasing precense of Mozilla-related browsers and related optional add-ons.
    Lastly, it is very surprising to me that at this moment so many readers here actually consider an IE browser more secure than a Mozilla browser.

    UAC (I have WIndows 7 and never touched Vista, I despised it) I am thinking it is aproximately the same in Windows 7? In my Win7 I ended up turning it off as Windows uses it to turn software unaffiliated with Microsoft into nag-ware. The actions of UAC were different and much more reasonable in the beta version of Win 7. But this is off the track of the browser subject at hand.
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    .
    When you turn off UAC in Vista/7 you lose protected mode in IE7/8.
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    .
    IE7/8 protected mode is not supported in Windows XP, so the short answer to your question is NO. Of course there are other ways to make XP more secure though. If you don't want to use a LUA then using something like DropMyRights with internet facing apps is a good way to go.

    By the way, when I used the immunize feature of Spybot S&D with IE8 the browser slowed down badly. Apparently IE8 does not like having thousands of entries in the Restricted Sites Zone. It's more problematic on some systems then others, but in every case where I've emptied the restricted sites zone performance has noticeably improved. FYI, there's a little file called Deldomains.inf that makes it easy to clear the security zones.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    When did that behavior occured with immunizations slowing down IE? Was it at the time of its release? Because it was a known issue. One that has been solved long ago.

    Does it happen when you open it, or when you search the web?
     
  12. ratwing

    ratwing Guest

    Thanks, m00nbl00d,and Victek123.

    grateful,

    rat
     
  13. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    No it doesn't extend to XP for two reasons:

    1) XP does not have the Vista/7 mandatory integrity control mechanism (AKA "Protected Mode"). This is essentially a sandbox.

    2) XP does not have ASLR which further protects applications from certain memory corruption and buffer overflow vulns. Windows 7 automatically turns DEP/ASLR on for IE.

    It should be said that Firefox can be made to run with DEP/ASLR as well as in Protected Mode (the latter requires some registry tweaks). The Mozilla team is working on making Firefox use Protected Mode by default. When that happens, I think FF gains the security advantage again.
     
  14. ratwing

    ratwing Guest

    Thank you chronomatic!!
    rat
     
Loading...
Thread Status:
Not open for further replies.