Over the past few days, the polemic over which browser is the “most secure” has reignited, largely due to the recent zero-day vulnerability in Microsoft’s Internet Explorer. The extent of the vulnerability has led to an overwhelming chorus of well-meaning advice to switch to an alternative browser. This has been repeated by security experts, CEOs and even the German government (again), but just how realistic, and more importantly how helpful, is it?
Security is not based on knee-jerk reactions to individual events; security is dependent on building a strategy that lowers exposure and risk over a period of time. It should also avoid change for change’s sake as the unfamiliarity that adoption of any new technology engenders brings with it its own set of very human vulnerabilities.
The two most popular alternatives to Internet Explorer (and the ones getting most of the current recommendations) are Google’s Chrome and Mozilla Firefox; neither of these is immune to vulnerabilities or zero-days. In fact, if you consider the available evidence regarding the rate of occurrence of vulnerabilities, you could certainly justify your continued use of Internet Explorer.
According to this blog post, in 2011 Google’s Chrome had an all-time high of 275 new vulnerabilities reported, the current peak of an upward trend since its day of release. Mozilla Firefox, while currently trending down from its 2009 high, still had 97 reported vulnerabilities. Microsoft’s Internet Explorer has been trending gradually down for the past five years, and 2011 saw only 45 new vulnerabilities, fewer than any other browser except Apple’s Safari, which also had 45. Of course, raw numbers of vulnerabilities are almost meaningless unless we consider their respective severity, but there again, of the “big three” the statistics favour Internet Explorer. Taking zero-day vulnerabilities into consideration too does little to change the balance: Google Chrome 6, Microsoft Internet Explorer 6 and Mozilla Firefox 4. Of course, different sources offer completely different statistics, and simple vulnerability counts are no measure of the relative (in)security of browsers, particularly in isolation. However, it cannot be ignored that vulnerabilities exist in every browser.
The simple truth is that we pay undue attention to zero-day vulnerabilities such as this one; the very name strikes fear even into the hearts of people who aren’t really sure what the phrase means. Enterprises, and individuals too, have a hard time keeping their browsers up to date with just the patchable vulnerabilities, which far outnumber the occasional zero-days that we see. In any case, attacks are increasingly aimed not at browsers but at application plug-ins like QuickTime, Flash or Acrobat that can be used in multiple different browsers on multiple operating systems. Either that, or they are simply attacks aimed at the individual using the browser (phishing, pretexting or other social engineering attacks).
Face facts: your browser will not keep you safe, whoever made it. You need to take steps to keep yourself safe, whichever browser you choose.
Every browser has its flaws, vulnerabilities and patches (or lack of them). It’s different strokes for different folks, and various security tools or techniques require varying degrees of familiarity with the browser, with technology or with threats in general in order to protect you effectively without ruining your Internet experience beyond redemption.
In most cases the best advice is to stick with the browser with which you are most familiar, but to take steps to secure it, including applying security patches as soon as they become available (MS12-063, which fixes this particular zero-day, is available here). If you suddenly switch to using a browser with which you are unfamiliar, your lack of familiarity may leave you less secure than you were before.
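Since "apply the patch as soon as it is available" is only useful if you can verify that it actually landed, here is an added example (not from the original post) of a small PowerShell audit that reports which required updates are missing from a Windows host, using the built-in Get-HotFix cmdlet. The function name, the parameter names and the KB number used in the usage section are assumptions of this example; the post does not give the KB ID for MS12-063, so the value below is an obvious placeholder to be replaced with the one listed in the relevant Microsoft bulletin for your Windows and Internet Explorer version.

```powershell
# Added example, not code from the original post.
# Audits a Windows host for the presence of specific security updates by KB ID.
# Get-HotFix is a standard cmdlet; its HotFixID property has the form 'KBnnnnnnn'.

function Get-MissingHotFix {
    [CmdletBinding()]
    param(
        # KB identifiers that must be present, e.g. 'KB1234567' (hypothetical)
        [Parameter(Mandatory)]
        [string[]] $RequiredKB,

        # Host to query; defaults to the local machine
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Read the installed-updates list once and keep only the KB identifiers
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID

    # Emit one record per required update that is not installed
    foreach ($kb in $RequiredKB) {
        if ($installed -notcontains $kb) {
            [pscustomobject]@{
                ComputerName = $ComputerName
                HotFixID     = $kb
                Status       = 'Missing'
            }
        }
    }
}

# Usage: 'KB0000000' is a placeholder, not a real update number.
# Replace it with the KB ID that the bulletin (e.g. MS12-063) lists for this system.
$required = @('KB0000000')
$missing  = Get-MissingHotFix -RequiredKB $required

if ($missing) {
    $missing | Format-Table -AutoSize
    Write-Warning "$(@($missing).Count) required update(s) missing; install them before relying on this browser."
} else {
    Write-Output 'All required updates are present.'
}
```

One caveat a practitioner should keep in mind: Get-HotFix reads the Win32_QuickFixEngineering list, which only covers updates installed through Windows' own servicing stack. Updates for third-party plug-ins such as Flash or Acrobat, which the post notes are increasingly the real target, do not appear there and need their own checks.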
Ultimately, security software is as necessary for a PC as a seatbelt is for a car, and it should be doing a much better job of protecting you from these kinds of vulnerabilities and exploits, whether or not a patch is available. If you want to get an idea of how that is working out, then this report might be a good starting point.