A new study by security vendor Accuvant Labs concludes that Google Chrome is more secure than rivals Firefox and Internet Explorer, largely because of Chrome's sandboxing and plug-in security.

The research was funded by Google, which might make any reasonable person suspicious of its conclusions. Accuvant insists that Google gave it "a clear directive to provide readers with an objective understanding of relative browser security" and that the conclusions in the paper "are those of Accuvant Labs, based on our independent data collection." Accuvant also made the supporting data available as a separate download so that it can be scrutinized by other researchers.

Accuvant focused only on Chrome, IE and Firefox, leaving out Safari and others for the sake of time. It also tested the browsers only on Windows 7, 32-bit edition. Despite concluding research in July, the paper was just released today. As a result, the report excludes newer versions of Chrome and Firefox, which have more rapid release cycles than Internet Explorer.

But the 102-page report otherwise seems fairly thorough, and Accuvant says it will update the report as the security of each browser evolves, and claims that it already provides a better look at browser security than metrics such as vulnerability report counts and URL blacklists. "We believe an analysis of anti-exploitation techniques is the most effective way to compare security between browser vendors," the report states. "This requires a greater depth of technical expertise than statistical analysis of CVEs, but it provides a more accurate window into the vulnerabilities of each browser."

A chart summarizing Accuvant's conclusions shows the vendor believes Google's sandboxing and plug-in security exceeds that of Internet Explorer, and that Google at least matches Firefox and IE in other types of security. In this chart, DEP refers to data execution prevention, GS is a compiler switch used to prevent buffer overflows, ASLR stands for Address Space Layout Randomization, and JIT stands for "just in time" compilation, which is used to improve runtime performance.

"The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected," Accuvant states. "Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack."

Microsoft might point to a report from NSS Labs, which has found that Internet Explorer far exceeds its rivals in blocking malware. However, some of NSS Labs' research has been funded by Microsoft.

The Accuvant report says Chrome's sandboxing "uses a medium integrity broker process that manages the UI, creates low integrity processes and further restricts capabilities by using a limited token for a more comprehensive sandbox than the standard Windows low integrity mechanism... The extensive use of sandboxing limits both the available attack surface and potential severity of exploitation."

Internet Explorer, by contrast, has processes that allow compromised tabs some ability to infect other tabs, Accuvant says. "In the event of a crash, the tab [in Internet Explorer] is automatically reloaded the first time, allowing malicious content multiple attempts to succeed, or have an unsuccessful exploit attempt go unnoticed," Accuvant claims. "A tab compromised by an exploit would have read access to the file system and any low integrity process, including other browser tabs. The compromised process would need a method of privilege escalation from low integrity to persist beyond the browser session."

With Firefox, Accuvant states, simply, that it has no sandboxing and "A compromised browser or plug-in process would not require privilege escalation to persist beyond the browser process."

Google has long touted the robustness of its sandboxing, although security researchers claimed to have subverted Chrome's sandbox earlier this year. Microsoft touts its own security and privacy features, as does Mozilla. The Register notes some anecdotal evidence supports the claim that Chrome is most secure, including the fact that "Chrome has emerged unscathed during the annual Pwn2Own hacker contest for three years in a row, something no other browser entered has done." Ultimately, the question of which browser is safest is still up for debate. What do you think?