If you ask Jeremiah Grossman, no Internet browser application is
truly safe.
Grossman, CTO of Whitehat Security, described a series of browser
design flaws in a presentation here last week. Internet Explorer 6
and 7, Safari, Firefox, and Google Chrome all showed some
exploitable weaknesses, he said.
"These are not just application vulnerabilities that can be patched
on the next rev," Grossman said. "These are basic design
flaws."
In several cases, Grossman demonstrated how attackers can use the
"auto-fill" and "auto-complete" features in several browsers to
trick the browser into giving up personal information and password
data from the user.
In other cases, he showed how cross-site scripting flaws can be
used to gain access to the password manager features in Chrome and
Firefox. A final demo described a method for swiftly evicting
cookies from Firefox, making it easier to attack.
After so much browser research, does Grossman recommend one over
the others? "IE 8 is technically secure, but it's targeted because
it's so widespread," he said. "Firefox is not bad, but I outlined
some design flaws in my talk. Chrome is also pretty good, but it
comes with what amounts to Google spyware, and there's no
sandbox."
Depending on what they're doing, some users may benefit from using
more than one browser, taking advantage of the relative security
capabilities of each, Grossman said. "One of my key points was just
to get people away from using IE 6 and 7," he said. "There are
still a lot of users of those out there."
Some users may want to think twice before using password manager
features, too, Grossman says. "It's a pain to write them all down,
but if your password manager is compromised, that can be a big
problem," he said