In fact, is there any such animal as a “most secure browser”? This is the question Skybox Security set out to answer. As they ask in their opening statement, “What defines the degree of security of software? How can one evaluate the security of a web browser when lacking clear definition?”
So, the Skybox researchers set up a number of their own metrics to try to answer the all-important question.
Assessing Browsers by Volume of Exposed Vulnerabilities
This metric looked at the total number of vulnerabilities published for each browser during the preceding 18 months (since January 2013):
Based on these results, one would naturally assume that Chrome was the least secure browser and Opera the most secure. However, these statistics do not take into account market penetration and the resulting desirability of each browser as a target. Given that Internet Explorer and Chrome dominate market share while Opera’s is only around 1%, there would be a lot more interest and value in finding vulnerabilities in the two most popular browsers.
Skybox recognized the correlation between market penetration and the number of published vulnerabilities and concluded… “number of published vulnerabilities per browser is probably not the best measurement of a browser’s security.”
More Exposed Vulnerabilities = More Fixed Vulnerabilities
Skybox then turned the numbers from metric #1 around, basing their assessment on the premise that a higher number of exposed vulnerabilities equates to more vulnerabilities fixed, thereby leaving fewer attack vectors for hackers to exploit.
Chrome and Internet Explorer come out pretty much on par for this one. However, the fact that there are still vulnerabilities being discovered in Internet Explorer 6 more than 14 years after its release tends to skew these statistics too. So, again, Skybox concluded… “This is probably not a good metric either.”
Shortest Time Between Discovery and Patches Issued
Lastly, Skybox assessed how quickly browser developers issued security patches following the discovery of vulnerabilities. Chrome is the most responsive to security vulnerabilities and the obvious winner in this area. On average, Chrome releases a new version with security fixes every fifteen days while Internet Explorer and Firefox release security updates about once a month.
This is possibly the most definitive guide to assessing which browser is most secure, because the shorter the time between vulnerability publication and fix availability, the shorter the period of risk exposure.
While Skybox’s assessment of overall browser security didn’t unveil any startling revelations or come up with much in the way of definitive conclusions, it’s still an interesting exercise. Based on the statistics, specifically length of known vulnerability exposure, one would have to lean toward Chrome as being the most secure browser. As Skybox summarized:
“The attack surface grows with every new vulnerability, and is intensified by the number of systems affected by that vulnerability. If exposed vulnerabilities linger unresolved for weeks and months, the likelihood of exploitation is exponentially growing.”
Of course, as always, one of the primary defining factors behind browser security is you, the user.
<images: credit Skybox Security> <source: Skybox Security>