Chrome versus IE and Edge: which is more secure for enterprise?

Google has released two white papers from independent security engineering firms it commissioned to compare Chrome’s security features with security features in Internet Explorer 11 and Windows 10 Edge. 

Chrome might be the world’s most popular browser by far, but in the enterprise Chrome and Microsoft Edge are overshadowed by Internet Explorer 11, thanks in part to IE’s built-in support for legacy line-of-business applications. 

Presumably to boost Chrome adoption at the expense of IE 11 and stem Edge’s potential adoption, Google has released two dense and lengthy reports detailing core security features relevant to enterprises and how Chrome measures up against IE 11 and Edge.

The papers, from German firms X41 D-Sec and Cure 53, run 196 pages and 329 pages, respectively, and compare everything from Google’s Safe Browsing and Microsoft’s equivalent, SmartScreen, to each browser’s encryption support, how frequently each is patched, support for web standards, sandboxing implementation, and how much exploits for each browser are worth to zero-day exploit brokers. 

They're not light reading, and they come at an important juncture for Microsoft’s browsers in the enterprise. Microsoft has stopped adding new features to IE 11 but is still patching it. IE 11 is also the only version of IE supported from Windows 7 through to Windows 10, with the former remaining the most used version of Windows in the enterprise. 

Microsoft has also built a number of new exploit mitigation features into Edge to match Chrome, but Edge's take-up is tied to Windows 10 adoption, making it less of an obstacle to Chrome’s growth with consumers and the enterprise. 

To support legacy business applications, Microsoft offers a mechanism for Edge to fall back to IE 11 in accordance with a whitelist that admins can create. Chrome similarly offers a fallback option, and one of the two reports concludes that Chrome handles it better.  

Google, meanwhile, has launched new programs to boost Chrome’s presence in businesses, such as the Chrome enterprise bundle of management tools, Citrix XenApp support to help Chrome work with legacy business applications, and Chrome Enterprise, a version of Chrome OS that supports Microsoft Active Directory and enables Chromebooks to run virtual Windows. Just as Microsoft’s locked-down Windows 10 S only permits Edge, Chrome OS only permits the Chrome browser to run on it.  

Google claimed in May, when it announced the Chrome enterprise bundle, that enterprise adoption of the Chrome browser had doubled in the past year and it naturally wants this trend to continue. X41 says its first paper on the subject was created in April 2017 while Cure 53 describes its paper as a “write-up project in 2017”.  

Google says it released the two papers because “well-researched, independently verifiable data on enterprise browser security is in short supply” and it didn't want IT admins relying on “guesswork and experimentation” to determine which browser is best suited to their organization.         

“To be most useful for enterprises and the public, Cure53 and X41 performed their research and testing using only publicly available information, and clearly documented their comparison methodologies. This enables anyone to recreate their tests, validate their methodologies, and verify their conclusions,” explained Chrome security’s Chris Palmer and Chrome enterprise’s Andrew Fife on Google’s blog. 

The pair highlighted a few key areas where both firms concurred on findings favorable to Chrome’s security. Safe Browsing on Chrome, for example, performed more accurately than SmartScreen for IE and Edge in some test results. 

Chrome’s sandboxing is a second high point. “Cure53 and X41 both found that Chrome renderers have significantly less access to the operating system than Edge or IE, including revoking access to win32k system calls in Chrome renderers and plug-in processes. Cure53 and X41 also found that Chrome has more types of sandboxed processes, for finer-grained privilege separation. Edge uses out-of-process JavaScript compilation, enabling Edge content processes to drop the privilege to create executable memory.”

Admins can also exert more control over the fallback to IE 11 in Chrome than Edge, according to the two Googlers. 

While IE 11 supports ActiveX plug-ins, which have historically been targeted by malware, neither Chrome nor Edge supports them. According to X41, the way Chrome allows enterprises to fall back to IE when needed is “secure”, while Microsoft allows Edge’s admin-defined whitelist — known as the Enterprise Mode Site List — to be stored in locations that X41 deems not secure enough for such sensitive information. 

“Network shares might be compromised by an attacker looking to move from one machine onto another inside a compromised network by adding sites to the list and enticing users to open links to websites on this list that the attacker controls,” the company wrote.
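The risk X41 describes is a matter of where the site list lives, not what it contains: a list fetched from a writable network share can be edited by anyone who gains write access to that share. The following PowerShell script is an added defender's check, not part of either report or of Microsoft's tooling. It reads the Enterprise Mode Site List location from the Group Policy registry values for IE 11 and the Windows 10 (EdgeHTML) Edge, which are assumed here to be the documented policy locations and should be verified against your own GPO, and classifies the location by how easily it could be tampered with. A few constructed sample locations are included so the classifier can be exercised on a machine with no policy set.

```powershell
# Added example: audit where the Enterprise Mode Site List is loaded from.
# The registry paths below are assumed to be the Group Policy locations for
# IE 11 and legacy Edge; confirm them in your environment before relying on them.
$SiteListPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode',
    'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode'
)

function Get-SiteListRisk {
    # Classify a site-list location string by who could alter the list it points to.
    param([Parameter(Mandatory)][string]$Location)

    switch -Regex ($Location) {
        '^https://'     { return 'LOW: fetched over HTTPS from a server you control' }
        '^http://'      { return 'HIGH: plain HTTP, list can be altered in transit' }
        '^\\\\[^\\]+\\' { return 'HIGH: UNC network share, editable by anyone with write access to the share' }
        '^[A-Za-z]:\\'  { return 'MEDIUM: local path, protected only by local file ACLs' }
        default         { return 'UNKNOWN: review manually' }
    }
}

function Get-EnterpriseModeSiteListReport {
    # One row per browser policy key: where the list is configured and the assessed risk.
    foreach ($key in $SiteListPolicyKeys) {
        $siteList = (Get-ItemProperty -Path $key -Name SiteList -ErrorAction SilentlyContinue).SiteList
        if (-not $siteList) {
            [pscustomobject]@{ PolicyKey = $key; SiteList = $null; Risk = 'not configured' }
            continue
        }
        [pscustomobject]@{ PolicyKey = $key; SiteList = $siteList; Risk = (Get-SiteListRisk $siteList) }
    }
}

# Constructed sample locations (not real hosts) to show how each kind is rated.
$samples = @(
    'https://intranet.example.test/sitelist.xml',
    '\\fileserver\netlogon\sitelist.xml',
    'C:\ProgramData\EnterpriseMode\sitelist.xml'
)
foreach ($s in $samples) { '{0} -> {1}' -f $s, (Get-SiteListRisk $s) }

# Live check of this machine's configured policy values.
Get-EnterpriseModeSiteListReport | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a managed workstation; a `HIGH` result for a UNC path is the case X41 warns about, and the usual remediation is to host the list on an HTTPS endpoint that only the browser management team can write to, or at minimum to make the share read-only for everyone but that team.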

Both reports take a superficial look at the value of exploits for each browser too. X41’s report highlights that Zerodium, a firm that will pay over $1m for a zero-day affecting iOS, offers up to $150,000 for a Chrome exploit, compared to an $80,000 cap on Edge exploits. It also cites the Pwn2Own hacking contest, which this year offered $80,000 for exploits against Chrome and Edge, but nothing for IE. 

Cure 53 takes a deep dive into the impact of restrictions on Win32k system calls, and found that Chrome performed marginally better than Edge, and much better than IE.   

Notably, if you use Google to search “pwn2own edge”, one of the top results returned is a Slashdot article referencing a story that says Edge was the “least secure browser” at the Pwn2Own 2017 hacking contest, thanks to a bug in Edge’s Chakra JavaScript engine.
