X41 D-Sec GmbH releases Browser Security White Paper, assessing Google Chrome, Microsoft Edge, and Internet Explorer

X41 D-Sec GmbH (“X41”) - a research driven IT-Security company - released an in-depth analysis of the three leading enterprise web browsers Google Chrome, Microsoft Edge, and Internet Explorer. The senior security experts of X41 have the necessary experience and track record to analyze complex applications such as modern web browsers.

X41 analyzed the design, attack surface, and resilience of the browsers against possible attacks. In conclusion Google Chrome was found to be the most resilient against attacks due to a tighter lock down of components and more secure design decisions.

The full paper can be downloaded at:

https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf

(SHA256 fb1f3110ee6cef2d0e54b19bd6883b616e3af37ee903470357913b81e7d5ea92)

Markus Vervier, Managing Director of X41 comments:

Modern web browsers such as Chrome or Edge improved security in recent years. Exploitation of vulnerabilities is certainly more complex today and requires a higher skill than in the past. However, the attack surface of modern web browsers is increasing due to new technologies and the increasing complexity of web browsers themselves.
Browsers are among the most hardened applications. Most other software products do not perform security tests and deploy this many mitigations to make abuse harder

comments Eric Sesterhenn of X41, who helps companies to secure their applications and infrastructure.

Since all non-trivial software have bugs and security vulnerabilities, X41 believes security barriers that prevent hackers of taking advantage of these vulnerabilities are most important. X41 assessed these barriers with the following results:

  • Chrome is the most resilient against attacks due to a tight lockdown of components, separation of duties, and greater identifiable vendor efforts for automated vulnerability discovery.
  • The security level of Internet Explorer is decreased due to a weakened sandbox (Protected Mode).
  • Microsoft Edge is more hardened against exploitation than Internet Explorer due to the stronger sandboxing and the absence of dangerous legacy technologies.
  • Chrome supports more modern web technologies that might increase attack surface such as WebAssembly and HTML5 features.
  • Reaching dangerous legacy functionality from Microsoft Edge is easier than in Chrome. For example a fallback to Internet Explorer is suggested by the Edge UI on certain websites by default.

X41 conducted its analysis and conclusions against a background of contractual independence, having no conflict of interests. However, the time resources required for X41 to conduct this comprehensive research were sponsored by Google.

The white paper research was conducted by the following team:

  • Markus Vervier
  • Michele Orrù (AntiSnatch0r)
  • Berend-Jan Wever (Skylined)
  • Eric Sesterhenn

About X41 D-Sec GmbH

X41 D-Sec GmbH is a renowned expert provider for dedicated high quality security research, application security services, penetration tests, and full red teaming. Having extensive industry experience and expertise in the field of IT security, a highly effective security team of world class security experts enables X41 to perform premium security services.

Fields of expertise in the area of application security are code reviews, binary reverse engineering and vulnerability discovery. Custom research and high quality IT security services are core competencies of X41.

Author: Markus Vervier
Date: September 18, 2017