Iron vs Firefox vs IE: Security

Discussion in 'other security issues & news' started by wearetheborg, Aug 15, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    How do the three browsers compare in terms of security?
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Do you have any idea what you've started? Lol. I know this topic won't end up staying this simple, but really a browser is as secure as you make it. IE has shortcomings that can be made up by tweaking the Internet/Restricted Zones, Iron has its sandbox, Firefox has numerous extensions to cover various security issues. The big browser issues are allowing PDF files and such to automatically open and run inside the browser, which is easily taken care of by disabling such functions.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    the one you run in sandboxie :D
     
  5. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I'm going to have to agree with culla on this one, though I'll elaborate a bit.

    I don't think any browser is more or less secure than any other, but that it's all dependent upon how you configure that browser. I'd argue that any of the big name browsers will be very vulnerable to attack if you leave javascript, java, or flash always on by default. Taking steps to secure the browser by limiting / whitelisting those features can bring a very high degree of protection to any browser.

    And running the browser in a sandbox / VM is even better!
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    IE9! (maybe)
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't give this topic much of my time usually, because most often it comes down to each systems settings.

    But, if you were to look at mechanisms that exist outside of user settings, IE might be considered because of how it is 'protected' now with different schemes. Chrome might also be considered because of how it works.

    I should imagine that any testable exploit could be evaded by someone using any browser, so in some respects, they all could be considered.

    Sul.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Chrome by far. I don't want to sound cocky but since I understand how Chrome is designed it is way safer than any other browser except Lynx

    Chrome's excellence in a nut shell
    First it compiles JavaScript into machine code and generates hidden classes for fast access and security. Other webbrowsers use libraries in which malware can try to access classes used by other processes in the library by illegal addressing. In Chrome Javascript running in a tab can only see and access object classes assigned. Illegal addressing result in a forced die of rendering process.

    Secondly it sandboxes the tabs in total isolation by Using the CreateRestrictedtoken API and AdjustTokenPrivileges to lock down the token the rendering process is running with. Next it creates a Job object to place more limitations on that rendering process (e.g. no access to user handles in outside its own job, prevent desktop switching, prevent shutdown, die on unhandled exception, etc.). Then it runs the rendering process on a separate desktop to prevent for instance window message abuse. ==> total isolation

    Comparison
    Chrome (I prefer Iron)
    First instance runs medium right, all tabs run with low rights, due to the above measures they have accomplished that one low right process can infect another low rights process. Javascript can not access data/objects because Chrome does not use libraries but hidden objects.

    IE8
    IE runs Medium rights with most of the rendering running in low rights. IE8 with UAC protecs higher rights objects from lower rights. Low rights objects can still infect each other (side by side intrusion). Uses libraries, so more prone to manipulation of memory exceptions. On the other IE8 can be locked down completely with group policy (threats and countermeasures guideline of Microsoft).

    Firefox runs with medium rights
    There are ways to run FF with low rights. SInce 3.6 a lot of security enhancements are made to FF. Due to its open character there are extentions available which reduce javascript based attacks.

    On the other side
    When you run any browser with DefenseWall or Sandboxie the security of the browser itself becomes a non-issue
     
    Last edited: Aug 15, 2010
  9. Dundertaker

    Dundertaker Registered Member

    Joined:
    Oct 17, 2009
    Posts:
    385
    Location:
    Land of the Mer Lion
    What about Firefox/IE in GesWall freeware default set-up? Kinda sandboxed also right?

    Well, Iron can't function well in GesWall(last tme I tried it...)but Chrome does function good in GesWall.
     
  10. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
    I use Opera for me is the safest browser, combining it with Prevx SafeOnline spends a lot of security. It's a pity he did not have the WOT extension, but the Prevx help end this deficiency.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, same idea
     
  12. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Could you elaborate on that? Can a similar thing not be done to FF?
     
  13. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    UGH ! Not yet another browser fracas ?

    These threads make very interesting reading, but they all end up with no result. Except perhaps a free-for-all, no holds barred bun fight.

    Don`t get me wrong, I mean what I said. Posts from experienced users are far better than any other references. Unfortunately, Browser`s are akin to religion with many people and a word in the wrong place, means the feathers fly thick and fast.

    Oh before I go, the thread is a waste of time anyway - Firefox beats the lot by light years ! :D

    John B
     
  14. Rompin Raider

    Rompin Raider Registered Member

    Joined:
    May 6, 2010
    Posts:
    1,228
    Location:
    North Texas
    I'll drink to that!
     
  15. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Windows 7?
    An admin user account with UAC enabled?

    Set the third-party browsers integrity level to LOW with icacls.exe and you've just helped to level the default IE8 playing field. ;)
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, but none of them match Chrome's approach of total isolation.
     
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    But doesn't it just sandbox its processes? From the things I keep reading, it's not that much more different than what Firefox does now with plugins. I'm not seeing where it has, say, a "Sandboxie-like" ability. If what I'm reading is correct (and it may very well be false), then it's mostly crash protection, and isn't doing a lot more than eating up resources with separate processes.
     
  18. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Process separation and sandboxing are two different things. Firefox does the former, without the latter.
     
  19. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Okay, so Chrome actually "sandboxes" then, meaning keeping malware isolated?
     
  20. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Totally unrelated to my post.
     
  21. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Yes, on Windows Vista/7 it uses pretty much the same technique as IE in protected mode (Integrity Levels). If you look at Chrome in "process explorer" you will see that Chrome runs at a low integrity level by default while Firefox does not.

    On versions prior to Vista, the sandbox still works but in a slightly different way. The nice thing about it is that it doesn't need the kernel or system calls to function -- the sandbox works totally in userspace and completely stops potential browser flaws from allowing the installation of malware. It even prohibits such vulns from reading or writing to the disk at all.

    From the Sandbox FAQ:

     
Loading...
Thread Status:
Not open for further replies.