For Mozilla, sandboxing isn’t everything. A clarification made following the release of the Accuvant Labs study.
Accuvant Labs published the results of a security study which concluded that Firefox lagged behind Google Chrome and Internet Explorer in anti-exploitation features. The study was financed by Google, and its results declared Google’s browser the best (see our news).
Mozilla’s reaction was of course expected, and it came from Johnathan Nightingale, in charge of Firefox at Mozilla. He does not enter into the controversy: his response does not attack the angle the study adopted, although he is under no illusions about Google’s financing.
Johnathan Nightingale declares "Firefox includes a broad array of technologies to eliminate or reduce security threats, from platform-level features like address space randomization to internal systems like our layout frame poisoning system. […] Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet. We invest in security throughout the development process with internal and external code reviews, constant testing and analysis of running code, and rapid response to security issues when they emerge".
He also states that he is proud of Mozilla’s reputation for security, a field that has been made central to the development of Firefox.
Since the Accuvant Labs study placed heavy emphasis on sandboxing as the means of containing the exploitation of vulnerabilities (a sandbox does not remove the bugs, but limits what an attacker can do after exploiting one), Firefox, which has no such sandbox, started with a serious handicap in the final results.
Accuvant Labs considers that neither the number of vulnerabilities disclosed nor the time required to fix them is a good indicator, since the Internet Explorer and Firefox code bases heavily integrate code from other products. The study did note that Google Chrome is the fastest to release corrective patches, while Firefox is slightly slower; Internet Explorer is the slowest in this regard.
There is one point (among others) on which the study ranks Google Chrome, Firefox and Internet Explorer equally: all three block malicious URLs in an entirely satisfactory way (blacklisting services).