Only the most recent versions of Microsoft Internet Explorer (9), Google Chrome (12 and 13) and Mozilla Firefox (5) were analyzed. Other browsers, like Opera or Safari, were not included in the research.

The results and areas that have been analyzed in the study are displayed in the table below.

All three browsers have implemented industry standard data execution prevention, address space layout randomization and stack cookies anti-exploitation technologies. The researchers found Firefox’s sandboxing, plug-in security and JIT hardening to be either unimplemented or ineffective. They also concluded that Chrome had the edge over Internet Explorer as the browser’s implementation of sandboxing and plug-in security was industry standard, while Internet Explorer’s was not.

Here is the conclusion of the research paper.

The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies,Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack

Neither the fact that the research was sponsored by Google, nor the missing definition of industry standard disqualifies the research paper immediately. It is however something that needs to be addressed and looked at.

It needs to be noted that core browser security plays just a part in a user’s threat protection. Other factors include the operating system, up-do-date plugins and browser versions, browser extensions or security software.

What’s your take on the research paper?

The proof of concept works in Firefox, but the security researchers state that other browsers are also affected by it. They explicitly mention Microsoft’s Internet Explorer and note that the Google Chrome may be vulnerable as well. They do however mention that an attack may not be as easy to implement for that browser due to the fact that Chrome does not “send keydown/keyup events to JS when the autocomplete drop down menu is focused”.

Here is how the issue can be exploited:

It is possible to get key down / up events via JavaScript when a drop down autocomplete menu is shown. This means that it is possible to lure a user to play a game and steal arbitrary values from browsers autocomplete feature.

The proof of concept page demonstrates how third party websites can steal autocomplete information from Firefox. The page can check if autocomplete information are available for sites such as Twitter, Facebook, Gmail, Microsoft or Yahoo logins as well as three different types of inputs.

According to the security researcher, browser vendors should implement a feature into their browsers that ties the autocomplete input to a particular website. The only way to protect the data from being stolen is to disable the browser’s autocomplete feature for forms and searches.

Firefox users can do that in the preferences under the Privacy tab.

Internet Explorer users can disable autocomplete under Internet Options > Content > AutoComplete > Settings.

Are you using your browser’s autocomplete feature for forms? Let me know what you think of the vulnerability in the comments. (Thanks Venkat)

The best Firefox security add-ons is a guide for Firefox users who want to improve their web browser’s security and protection from attacks on today’s Internet. That does not necessarily mean that you need to install all of the add-ons to protect your browser from malicious attacks, as some may only be useful if you visit specific websites or types of sites regularly.

The list concentrates on security related add-ons, not privacy related. Only extensions that are compatible with at least Firefox 4 have been included in the list.

My Extensions

Those are extensions that I use on my private PC. I thought it would be a great way to start with a selection of add-ons that I personally use all the time, and list the remaining extensions in the second part of the article.

NoScript – Most malware and attacks are script based on the Internet. If a script cannot run, it cannot attack your computer. NoScript does exactly that. It blocks all scripts from running on all pages and websites on the Internet. You can whitelist scripts for a session or permanently if you trust a website.

A must-have extension and one of the main reasons that I’m still using the Firefox web browser and not another browser.

Alternative: YesScript, which allows all scripts and gives you the option to disable select ones.

LastPass Password Manager – LastPass is a password manager which makes the add-on security related. It stores the passwords online which means that you can access them from any PC that LastPass is installed on provided that you have an Internet connection on that PC. It features a secure password generator, form filler and note taking along with the usual options like automatically logging you in on websites or an on screen keyboard.

The company recently created a tool called LastPass Security Challenge which goes through your stored passwords to rate them individually and overall.

Firefox Security Add-Ons

BrowserProtect – Protects your web browser’s settings and preferences from being tampered with. Some programs that you install on your computer change Firefox settings either automatically or if you do not pay attention to the installation dialog. Browser Protect for Firefox shields the browser by monitoring the browser configuration. It is for instance effective against homepage hijacking or search engine provider changes.

HTTPS Finder – It is always safer to use https when available, as it protects the information from network snooping and other possible attack forms. HTTPS Finder informs you if a website supports HTTPS, with an option to automatically switch to the HTTPS protocol. A similar feature is provided by NoScript.

Master Password+ – Passwords stored in Firefox’s default password manager are not secured at all by default. Anyone with access to the computer can access both usernames and passwords for all sites. The Master Password is a way to protect the password list in Firefox. Master Password+ improves that feature, for instance by prompting for the master password on browser startup or locking up the browser window if the master password is not supplied.

Whois Lookup – It sometimes pays to know who owns and administrates a website. This is done with a Whois Lookup, which you can do manually on many whois related sites on the Internet, or semi-automatically with the Firefox extension Whois Lookup.

Host Permissions – Allows you to disable permissions for individual hosts. Permissions include images, redirects, plug-ins, JavaScript and frames).

Alternative: Bookmark Permissions, does the same, only for bookmarks.

FEBE – Firefox Environment Backup Extension allows you to backup Firefox data, including extensions, themes, preferences, passwords and cookies regularly. I personally prefer MozBackup for this, but this extension is a solid alternative.

Perspectives – Aids Firefox users securely identify Internet servers by verifying certificates using a collection of Network Notaries.

NoRedirect – Gives you back the control over HTTP redirects. Many ISPs these days redirect you to their own search page if you mistype a web address in a browser. NoRedirect in addition offers previews for shortened urls and stops the redirection of smart error pages and more.

Dr. Web Anti-Virus Link Checker – Send files that you want to download with an online virus scanner before you do so. This can be done without downloading the file first to your computer.

Alternative: VTZilla (Caution: Not hosted on Mozilla.org) that sends files to Virus Total where they are checked against 40 different antivirus engines.

Web of Trust – Displays rating symbols for websites that you visit. Ratings include trustworthiness, vendor reliability, privacy and child safety.

Alternative: LinkExtend – Uses eight safety services instead of just one to rate links before you visit the web sites.

Search Engine Security – Changes the referrer when visiting web pages from search engines to protect against some forms of malicious redirects.

Closing Words

Firefox users can improve the security of the web browser significantly with add-ons. Many add additional layers of protection to the browser, which can keep you safe, or at least safer, on the Internet.

Did I miss a security add-on that you use all the time? Let me know about it in the comments.

Some browser developers try to tackle the problem. Mozilla for instance checks the installed plugin versions on updates of the web browser, Google implemented native plugins of Flash and a PDF reader, to gain control of the updating process.

Security software, like the Secunia Software Inspector can also detect outdated plugins, but only a minority of users are making use of those programs to test their system’s security.

Browser Check offers to be an alternative to Mozilla’s Plugin Check. The online service is currently compatible with 32-bit versions of Microsoft Internet Explorer, Mozilla Firefox 3, and Google Chrome 4 and 5 running on the Windows OS. This limits the reach of the security check, users with unsupported browsers or operating systems can still use the Plugin Check over at Mozilla.

We have tested Browser Check on the latest Firefox 3.6.7 (we actually tried Google Chrome 6 first, but the program refused that browser). The check needed to install an add-on first, and displayed the test results on the next restart. The result’s page looks very similar to Plugin Check as well.

browser check

Browser Check tests

• Windows OS support expiration
• Browser version (IE 6.0+, Firefox 3.0+, Chrome 4.0+)
• Adobe Flash Player
• Adobe Reader 5.x and above
• Adobe Shockwave Player
• Apple Quicktime
• BEA JRockit
• Microsoft Silverlight
• Microsoft Windows Media Player
• Real Player
• Sun Java
• Windows Presentation Foundation (WPF) plug-in for Mozilla browsers

The results are color coded, green indicating an up to date plugin, orange means that an update is available while red indicates an insecure plugin version or an obsolete one.

A Fix it button is displayed next to orange or red results that points to the developer’s website to download the latest version of the software.

The add-on can be installed after the browser has been checked, there is no need to keep it. Is your browser up to date? Check it out over at Browser Check.

The profile creation takes some time but the individual tests complete very fast so that it becomes difficulty to read the test descriptions on the pages that are automatically loaded.

The profile of the web browser is then displayed next to the top browsers that have been used to complete the test before. Browserscope displays the name of the web browser and its version, the number of tests performed with that web browser on the site and the results for the individual modules that have been tested.

Green modules indicate passed tests while red ones failed tests. The overall score is displayed next to the name of the browser. Google Chrome 5 is for instance leading the security test with 12 out of 13 tests passed. Firefox 3.6 passed nine, Internet Explorer 8 eight and Opera 10.50 seven.

Google Chrome is also leading the rich text category, Opera the selectors category, Firefox the network tests and Google Chrome and Opera the Acid 3 test with a perfect score.

Visit Browserscope to test your web browser and see how it fares against the other browsers.

The Browser Security Handbook is divided into three parts and a download that contains dozens of examples. The three parts are “Basic concepts behind web browsers”, “Standard browser security features” and “Experimental and legacy security mechanisms”.

“The document currently covers several hundred security-relevant characteristics of Microsoft Internet Explorer (versions 6 and 7), Mozilla Firefox (versions 2 and 3), Apple Safari, Opera, Google Chrome, and Android embedded browser. ”

The Opera 9.52 changelog contains information about the security vulnerabilities. Each one of the listed alone would be serious enough to be fixed immediately, all of them make the matter even more pressing. At least one vulnerability is only affecting computers running Windows but most affect all versions of Opera.

The update is deemed a security and stability update. Next to the important security fixes many changes to various aspects of Opera have been made. The changelog lists more than 30 fixes for various problems that could arise while using Opera.

The latest download is available directly on the Opera website.

Most users on the other hand prefer simplicity and no user interaction and that’s where YesScript comes into play. Its approach is the complete opposite of NoScript. YesScript allows all scripts on all websites unless they are blacklisted by the user.

The advantage of this method is that less user interaction is required. It does however undermine the security aspect because scripts will be executed normally as long as the website is not in the blacklist.

It comes down to an evaluation of the advantages and disadvantages of both methods. NoScript provides enhanced security while YesScript less work and vice versa. Installing YesScript from a security standpoint does not make that much sense but it is quite capable of removing scripts from websites that make extensive use of them.

That’s where browser security test comes into play. The test may crash the browser that you are using and I suggest to close and save all important tabs before you continue. The user has the choice of running tests that are browser specific, e.g. only Firefox tests if Firefox is being used, to run all tests or select tests from a list of available tests.

The check is performing a maximum of 14 tests which are listed on a separate page linking to detailed information about each vulnerability. The actual tests are performed in a new window and results are shown at the end of all tests.

If your browser should crash during the test you can use the restore session function of most modern browsers to continue the test. It is alternatively possible to visit the website of the Browser Security Test again to continue with the test.

Update: Browser Security Test has been discontinued, the service is no longer available. Viable alternatives are Browserscope, which runs a series of security tests and shows how your browser compares to others or the Firefox Plug-in Checker which works in all browsers and checks for outdated browser plugins.