Google’s Project Zero
According to a new report from Google’s Project Zero, Apple’s Safari has more security vulnerabilities than Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer combined.
Using Domato, an automated testing tool (a DOM fuzzer), Project Zero’s Ivan Fratric analyzed the most popular desktop browsers and discovered two security vulnerabilities in Chrome, four each in Firefox and Internet Explorer, six in Edge and 17 in Safari.
The bugs were discovered by subjecting the browsers to about 100,000,000 iterations of Domato. Fratric notes that this requires fuzzing at scale, but it is still well within the budget of a determined attacker: the cost would be around $1,000 on Google Compute Engine, provided the necessary resources are kept in check.
However, the test setup for the five browsers was not identical. Fratric does not say whether this influenced the results, but he mentions that Safari was not tested on Apple hardware, although the bugs were verified against a nightly build of ASAN WebKit on a Mac. All the browsers are available on Windows, which would have provided an equal testing ground; instead, a combination of operating systems and tools was chosen, including Linux, Windows Server 2012 R2, WebKitGTK+ and ClusterFuzz.
Fratric says Apple Safari is a clear outlier in the experiment, with a significantly higher number of bugs found. This is especially worrying given attackers’ interest in the platform, as evidenced by exploit prices and recent targeted attacks. It is also interesting to compare Safari’s results to Chrome’s, as until a couple of years ago they used the same DOM engine. It appears that after the Blink/WebKit split either the number of bugs in Blink got significantly reduced or a significant number of bugs got introduced in the new WebKit code.
This test focuses on a single component of the browsers, namely their DOM engine, and so does not reflect how secure they are overall. According to Fratric, however, DOM engines are one of the largest sources of web browser bugs.
More information: [Project Zero]