Google 'rigs' browser security test to make Firefox fail
- 15 December, 2011 08:37
A testing lab has slammed a recent Google-sponsored test which found that Firefox was the least secure of the top three browsers and has warned it was likely rigged in an attempt to kill off its rival.
"Do not draw conclusions on overall browser security (or lack thereof) based upon this one report," NSS Labs warned its clients Wednesday.
Accuvant Labs, the company behind the test, put Chrome and Internet Explorer ahead of Firefox because Mozilla's browser lacked or had poorly implemented sandboxing, plug-in security, hardening and URL blacklisting.
"While some good work was performed on anti-exploitation features, the methodology and test execution was considerably flawed," wrote Phatek.
Accuvant's report excluded "important security technologies" within Firefox, which suggested "a larger strategic move by Google to eliminate the competition".
The key evidence NSS Labs cites for its claim that Google rigged the test is the performance of Google's SafeBrowsing product in the rival browsers that use it -- Firefox 7 and Safari 5.
While NSS figures showed malware protection in Chrome 15's SafeBrowsing improved from 8 per cent to 40 per cent between November 22 and December 2, Safari and Firefox remained relatively stagnant.
This was due to a “new reputation-based” protection in Chrome that was not offered as part of its SafeBrowsing API to third-party browsers, according to NSS.
The security analyst firm notes Chrome’s improvements appeared around the same time Mozilla's financially vital Firefox-search contract with Google expired. That contract accounts for over 85 per cent of Mozilla’s revenues.
"It appears Google has purposefully withheld important malware protection from its SafeBrowsing feed coinciding with its break from Firefox and release of the Google-funded report by Accuvant. This episode could indicate a more aggressive direction for Google," said NSS Labs.
Some elements of the report were, however, valuable and, according to NSS, the well-known Accuvant researchers behind it did an "excellent job" covering browser security technologies such as sandboxing and hardening techniques.
Amongst those researchers was Black Hat regular Charlie Miller, who was recently exiled from Apple's iOS developer program for exploiting a hole in its application code signing process and who earlier this year discovered a firmware weakness in Apple laptops that could allow an attacker to overheat their batteries.