Two new white papers examine enterprise web browser security

Online security has never been more critical to businesses, and the tools used to access the web are a major factor to evaluate. Choosing an enterprise-grade web browser that offers the right security features keeps businesses’ data protected while enabling employees to take advantage of the open web. But knowing which browser to choose often requires a deep  understanding of security design and implementation tradeoffs that enterprise IT decision makers don’t have the time or resources to fully identify and investigate. Furthermore, well-researched, independently-verifiable data on enterprise browser security is in short supply. And in its absence, many IT administrators resort to guesswork and experimentation in their decision-making.

This complex landscape of enterprise browser security is the topic of two white papers recently published from security engineering firms X41 D-Sec GmbH and Cure53. Both firms have extensive industry experience and expertise in information security, application security, web application security and vulnerability discovery. These two papers leverage that expertise to examine the relative security strengths of the three most popular enterprise browsers: Google Chrome, Microsoft Edge, and Microsoft Internet Explorer (IE).

• X41’s Browser Security White Paper

• Cure53’s Browser Security White Paper (mirror link)

We sponsored this research, which was conducted independently by the research firms, to help enterprise IT administrators evaluate which browser best fits their security and functionality needs. To be most useful for enterprises and the public, Cure53 and X41 performed their research and testing using only publicly available information, and clearly documented their comparison methodologies. This enables anyone to recreate their tests, validate their methodologies, and verify their conclusions.

Although Cure53 and X41 produced these white papers in isolation from each other, both came to similar conclusions when it came to enterprise browser security. Here are their findings in a few key areas:

Phishing and malware protection is critical to staying safe on the web.

The prevalence of phishing to steal credentials and deliver malicious payloads makes protection more critical than ever. X41 found that Safe Browsing on Chrome and SmartScreen on Edge and IE offered similar protection, with Safe Browsing performing more accurately than SmartScreen in some test results.

Isolating application components through sandboxing reduces risk.

Sandboxing isolated application components from one another, and from the rest of the system, limits the potential impact of vulnerabilities. Cure53 and X41 both found that Chrome renderers have significantly less access to the operating system than Edge or IE, including revoking access to win32k system calls in Chrome renderers and plug-in processes. Cure53 and X41 also found that Chrome has more types of sandboxed processes, for finer-grained privilege separation. Edge uses out-of-process JavaScript compilation, enabling Edge content processes to drop the privilege to create executable memory.

Modern browsers that eliminate legacy functionality are more secure.

Browser Helper Objects (BHOs) and plug-ins like ActiveX have been a go-to choice for client-side attacks. Cure53 and X41 found that Chrome and Edge do not support these vulnerable technologies. IE supports both, making it more susceptible to attack than either Edge or Chrome. Additionally, Cure53 and X41 found that IE is still vulnerable to attacks via signed Java Applets, and more susceptible to malicious Flash content. While Chrome and Edge can both be configured to fall back to IE to support legacy compatibility, administrators can exert more control over Chrome’s fallback mechanism.

Web security is one of Google’s primary concerns, and has been a guiding principle for Chrome since day one. We’re pleased that these papers independently confirm significant improvements in the enterprise browser security landscape overall. We think strong security safeguards, regardless of which browser you choose, make the web better, and safer, for everyone. We hope these white papers can help you find the right solution for your business.

Take a read through the white papers linked above to learn more about their findings. If you’d like to take a deeper look at the security controls available in Chrome or download the Chrome enterprise bundle, visit the Chrome enterprise website.