A Quantitative Approach

Accuvant LABS built criteria and comparatively analyzed the security of Google Chrome, Microsoft Internet Explorer, and Mozilla FireFox. While similar comparisons have been performed in the past, previous studies compared browser security by considering metrics such as vulnerability report counts and URL blacklists. This paper takes a fundamentally different approach, examining which security metrics are most effective in protecting end users and evaluating those criteria using publicly available data and independently verifiable techniques. Most attempts to compare the security of different vendors within a software class rely on statistical analysis of vulnerability data. The section entitled Historical Vulnerability Statistics and its subsections examine publicly available vulnerability data and discuss why such an approach is limited in its usefulness for comparatively assessing security. In contrast, we believe an analysis of anti-exploitation techniques is the most effective way to compare security between browser vendors. This requires a greater depth of technical expertise than statistical analysis of CVEs, but it provides a more accurate window into the vulnerabilities of each browser. Accuvant LABS' analysis is based on the premise that all software of sufficient complexity and an evolving code base will always have vulnerabilities. Anti-exploitation technology can reduce or eliminate the severity of a single vulnerability or an entire class of exploits. Thus, the software with the best anti-exploitation technologies is likely to be the most resistant to attack and is the most crucial consideration in browser security. An important difference between this paper and previous studies is that we've made our data and the tools used to derive the data available for scrutiny. Previous attempts have been made to compare Historical Vulnerability Statistics and URL Blacklist Services; however, those studies' conclusions have differed wildly from this paper's results, and the difference in outcomes arises largely from the choice of data sources. We believe our own data is correctly representative of the population and have made it, along with our tools and methodologies, available to test this belief. Finally, we invite others to examine the tools for issues, or to extend and improve on them to encompass more criteria. We hope this paper presents readers with a definitive statement as to which browser is currently the most secure against common attacks, and provides criterion that vendors may use to measure and improve the security posture of their browsers. Finally, it is our hope that this is helpful to others who work to evaluate …