A new Google-funded study of browser security by security research firm Accuvant Labs crowned Chrome the champion of security features, and ranked Firefox below Internet Explorer in terms of protection available from web-borne threats. Predictably, Microsoft and Mozilla have different opinions on what makes a browser secure, and why Accuvant's findings are off base. All of this got us thinking about which browser is the most secure, and whether the security features listed in studies like this even matter to the rest of us. More »
Trustware's BufferZone was an early entrant into the desktop sandboxing arena. Sandboxing, of course, is the security-by-isolation system which has since been built into apps like Google Chrome and Adobe Reader X. Recently, Trustware launched a promotion and gave away BufferZone Pro for free -- and now the company is making the discount permanent. From now on, BufferZone Pro will be freeware.
But, wait -- BufferZone still doesn't support x64, and maybe you're thinking that there will be a paid version once a 64-bit Windows version arrives. Not so, Trustware's Efrat Schneider told me in an email: "The product will continue to be free," he replied.
If you're looking for a free way to tighten up security on your Windows system, BufferZone is an excellent app for the job. We'll let you know when the 64-bit version becomes available.
Adobe Flash remains a popular attack vector for malware authors. In addition to a seemingly never-ending supply of security flaws, bad guys know that people who use Flash often ignore the updater's prompts. That leaves users in an even more tenuous position, since they're still vulnerable to attacks Adobe has already patched.
That's one big advantage to Google Chrome's internal Flash plug-in. Since updates are delivered silently in the background to users, the internal plug-in is always up-to-date. This keeps everyone as safe as possible, but Chrome offers one more way to protect its users: sandboxing. By running unfamiliar Web code in its isolated sandbox, Chrome can execute that code in a safe environment -- where it can't harm your operating system.
Back when Google first announced internal Flash, one of their stated goals was "to further protect users by extending Chrome's 'sandbox' to web pages with Flash content." According to revision 66022, Google is making good on their promise. Sandboxed Flash is now supported in the Chromium source code, and should be available to Windows users of Canary and Chrome Dev very soon. A quick look through the source code seems to indicate that Chrome can sandbox not only its own internal Flash plug-in, but also the traditional Adobe version -- as long as it's version 10.1.103.19 or better.
This is great news for Chrome users. It was already an incredibly difficult browser to exploit, and sandboxing Flash will add another layer of armor to its defenses.
WebKit, the rendering engine used by both Chrome and Safari, is currently undergoing major redevelopment in order to support per-tab processes and out-of-process plug-ins by default. In one smooth move, Apple will be able to bring Chrome-like speed and security to its Safari browser.
Don't be fooled by its rather grand-sounding name of "WebKit2," however. This is more of an update than an upgrade. Basically, WebKit is being split into UI Processes and Web Processes. Each tab will become a UI Process, and presumably, so will add-ons and extensions. This change will bring the usual benefits of stability, security, and speed-ups from multi-core processors. WebKit2 will also implement a non-blocking API that is "mostly platform agnostic," resulting in a more flexible browser and better cross-platform extension compatibility.
The new WebKit2 will operate a lot like Chrome does today, only in theory, faster. With the split-process logic injected at a much lower level, it wouldn't be a surprise to see Safari out-perform Chrome. It will be quite interesting to see whether Google moves to support WebKit2, or indeed builds it into their browser.
I can't help wonder why Google implemented the split-process logic in Chrome, rather than being the major exponent of WebKit2, though. A competitive edge doesn't make much sense when it's all open-source anyway.
The WebKit2 patches are due to hit at any moment now, but I don't know when we'll see a version of Safari -- or indeed, Chrome -- running the new layout engine.