Several media organizations have recently reported that Chrome has bypassed Internet Explorer in worldwide browser market share.
Here at Sophos, we don’t keep track of that sort of thing, but we have seen a major change in browser marketing over the last 24 months. The browser makers are selling security.
Microsoft has been promoting Internet Explorer 10’s security chops, which will ship later this year with Windows 8 and will reportedly be made available to Windows 7 users as well.
The new version of IE will be a full 64 bit application on 64 bit Windows, increasing the difficulty of bypassing exploit mitigation techniques like ASLR. IE 10 also introduces a new setting called Enhanced Protected Mode (EPM). EPM adds several new sandbox-like technologies and introduces the concept of plug-in-free browsing.
Mozilla is preparing to launch Firefox 14 any day now with its own set of security-enhancing features. Firefox will now default to using HTTPS for search queries submitted to Google. This is a great improvement for privacy and it appears that the Firefox developers are exploring similar features for other search engines.
My favorite new Firefox feature is the “Click to Play” plugin preference. If you enable this feature (plugins.click_to_play under about:config), websites containing content such as Flash or Quicktime will be blocked by default, to prevent drive-by exploitation. If you wish to see the video, you simply click on the box to enable the plugin.
Chrome 20 was released last month, and attempts to get a grip on malicious extensions being distributed on Facebook and other sites. The latest version of Chrome will no longer allow extensions to be loaded from any web page other than the Chrome Web Store.
Additionally, Google has begun screening applications submitted to the official Web Store. It is a bit shocking that Google wasn’t doing any screening before – but better late than never.
The Google Chrome team are now bragging about Chrome 21 including a fully-sandboxed version of Adobe Flash for all versions of Windows.
(Adobe released a sandboxed version of Flash for Firefox in June. The differences between the Firefox and Chrome sandboxes is unclear.)
With the browser developers trying to gain market share and using security as a competitive advantage, we all win.
Security doesn’t need to be annoying or difficult and when implemented elegantly is an advantage. Hopefully the developers of Java are listening and will try to catch up with Adobe, Microsoft, Mozilla and Google.