Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Google Safari The Internet Chrome Firefox Privacy Security

Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs (bleepingcomputer.com) 105

An anonymous reader writes from a report via Bleeping Computer: The Project Zero team at Google has created a new tool for testing browser DOM engines and has unleashed it on today's top five browsers, finding most bugs in Apple's Safari. Results showed that Safari had by far the worst DOM engine, with 17 new bugs discovered after Fratric's test. Second was Edge with 6, then IE and Firefox with 4, and last was Chrome with only 2 new issues. The tests were carried out with a new fuzzing tool created by Google engineers named Domato, also open-sourced on GitHub. This is the third fuzzing tool Google creates and releases into open-source after OSS-Fuzz and syzkaller. Researchers focused on testing DOM engines for vulnerabilities because they expect them to be the next target for browser exploitation after Flash reaches end-of-life in 2020.
This discussion has been archived. No new comments can be posted.

Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs

Comments Filter:
  • Turn off javascript and related scripting shit.

    • by Anonymous Coward

      Turn off javascript and related scripting shit.

      It's not that simple. Try using Google without JS. There are tons of other sites with the same problem.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        It's not that simple. Try using Google without JS.

        Actually, google search works ok without javascript. Google mail still has a basic lite mode too. The rest of google won't work without javascript.

        There are tons of other sites with the same problem.

        Yes, and they are badly written. Compare to amazon - it works with any browser, with or without javascript, because amazon knows you won't buy if their website won't work in the customer's browser.

        • Comment removed based on user account deletion
        • Also, if they were testing it on the "top five browsers", why was Firefox included in the list? That's barely a blip in the market any more, and will be even less so after November.
      • by Khyber ( 864651 )

        "Try using Google without JS"

        Proof that Google engineers are shit at real coding.

        Hey, Google Engineers, before you do your mass downvote moderation, try explaining why your stuff is so shit in the first place.

  • by Anonymous Coward on Friday September 22, 2017 @07:13PM (#55247995)

    Google finds their own browser is best. News at 11.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Apple's reply was that while Safari was not the first, it was the best-looking one.

    • by Anonymous Coward

      I am shocked!

      Next up google disables other browsers from accessing google.com search results, "for your safety".

    • by K. S. Kyosuke ( 729550 ) on Friday September 22, 2017 @07:32PM (#55248083)
      Maybe the same or similar group of people who wrote the tool also wrote the part of the browser that the tool tests, using similar approaches?
    • by mangastudent ( 718064 ) on Friday September 22, 2017 @07:44PM (#55248133)
      Fuzzers [wikipedia.org] are pretty impartial, and I don't find it hard to believe that the Chromium/Chrome team is the best at security.
      • by swillden ( 191260 ) <shawn-ds@willden.org> on Friday September 22, 2017 @10:09PM (#55248671) Journal

        Fuzzers [wikipedia.org] are pretty impartial, and I don't find it hard to believe that the Chromium/Chrome team is the best at security.

        Also, I know a couple of people on the Project Zero team, and they treat Google absolutely different from anyone else. They attack everything, regardless of origin, with equal gusto and skill and have a strict, no-exceptions-ever 90-day public disclosure policy. I work on Android and Project Zero has even 0day'd us a couple of times, publishing existing vulns in Android that we haven't gotten fixed within the 90 day window.

        It's interesting working with PZ team members directly because even though they're Google employees, they are not subject to the standard employee NDA. More than one time I've had one of them stop me mid-sentence to remind me that they are not allowed to hear non-public information... and that if I tell them anyway they are not obligated to keep it secret.

        Project Zero is employed by Google, but that means nothing to them. And, strangely enough, Google is totally fine with that.

        • they treat Google absolutely no different

          Gah. I reorganized that sentence and in the process lost the most important word.

      • Fuzzers [wikipedia.org] are pretty impartial, and I don't find it hard to believe that the Chromium/Chrome team is the best at security.

        Does the test actually test Browser "Security" (Whatever that means)? I thought it was testing how well the Browser-Under-Test was implementing the Document Object Model (or, at least, Google's interpretation of same)?

    • What would Mandy Rice-Davies say??

    • by fibonacci8 ( 260615 ) on Friday September 22, 2017 @07:26PM (#55248053)
      It's a system where a SUB is required to create a "safe word" 6 to 14 characters long containing at least one capital letter, at least on numeric digit, and at least one punctuation mark.
    • by hord ( 5016115 ) <jhord@carbon.cc> on Friday September 22, 2017 @08:01PM (#55248205)

      DOM = Document Object Model

      The DOM engine is what is responsible for parsing HTML/CSS, converting it into a tree, and then rendering the tree to the client area in the browser. It's essentially the core of the browser and presents a programmatic API along with JavaScript. It may also be used to render UI elements. For example, all of Chrome's plugins use HTML/CSS to create the menus you see in the options and menu screens.

      • Well, a DOM parser is an XML parser. HTML is XML.
        • by hord ( 5016115 )

          Yes and no. HTML has a lot of non-XMLisms that require special handling in the engine. I think the common strategy is to use a set of recommendations for transforming HTML errors into valid trees which are equivalent to well-formed XML. In memory there is no difference between the two because they are both trees. Technically JSON, YAML, S-expressions, and various other hierarchical serialization formats are also equivalent. In fact, I'm curious why Google hasn't replaced HTML with JSON at this point.

    • Now you see what the web monkeys feel like when Slashdot posts articles about security or networking.

  • Not suprising (Score:3, Informative)

    by Billly Gates ( 198444 ) on Friday September 22, 2017 @07:20PM (#55248033) Journal

    Safari is Apple's IE 6 of this decade. It hasn't been updated in a long time and they can no longer piggy back both Google and Konqueror for new code since Chrome forked -webkit with -blink.

    I worked for a famous software supporting their cloud software. Safari was the one browser which always had trouble with even drag and dropping files. Something rudimentary in the HTML 5 standard. Even IE 9 from 2011 can easily support this.

    Sometimes Safari would work. Sometimes it would not and the Apple users always get mad at us for some reason never blaming their shitty browser.

    • by Anonymous Coward

      Apple users always get mad at us for some reason never blaming their shitty browser.

      ... They are Apple users for a reason

    • Re: (Score:1, Insightful)

      by Ironman126 ( 2659767 )
      Apple has relied on its brand status for years. They've consistently put out decent, albeit iterative, products, but they've failed to keep pace with the competition in areas that actually matter, like having a usable web browser. At what point does the weight or volume of a laptop or the maximum resolution of a phone's camera take a back seat to actual product improvements? I my college posts warnings on the course webpages: "Does not work correctly on Safari, use Firefox or Chrome." The security failings
    • by Anonymous Coward

      How are any of your posts moderated over zero? Safari was last updated a couple days ago. There was even a Slashdot post last week that discussed how some advertising firms were upset because the latest Safari blocks cookies that track users across multiple sites.

      • How are any of your posts moderated over zero? Safari was last updated a couple days ago. There was even a Slashdot post last week that discussed how some advertising firms were upset because the latest Safari blocks cookies that track users across multiple sites.

        Yep which is why even Microsoft scores higher than safari [html5test.com] and until recently scored on par with IE!

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          Safari in High Siera score 457. Safari loses 11 points as it doesn't support Ogg, WebM. 11 points lost because they don't support something that isn't useful (unless you have a 4k screen and want to watch new 4k youtube vids). WebP and JPEG-XR add in another 2 useless points missing.

          This is the problem with html5test. It includes so many features which are of no interest to the majority of people. WebVR? How the fuck is this relevant to how good a browser is?

          html5test is setup to make Chrome look be

  • by 93 Escort Wagon ( 326346 ) on Friday September 22, 2017 @11:34PM (#55248901)

    I can't believe so many of you are such zealots when it comes to your web browser of choice.

  • Google testers could find no security bugs whatsoever in Chrome. "It's a fucking rock," said one tester.

  • It looks like all of the Safari bugs were fixed earlier this year...

  • by Anonymous Coward

    So, it is interesting that they do not mention versions that they used of any of these browsers, unless I missed that detail. They only mention 'currently released'

    But much more odd "Instead of fuzzing Safari directly, which would require Apple hardware, we instead used WebKitGTK+ which we could run on internal (Linux-based) infrastructure". Google does not have a Mac, anywhere?

    So they did not run this as a user would, or in fact a proper OS X Safari release build at all. Ok, seems legit...

    This from the com

  • ...and Chrysler has the second most. Ford had none.

    Film at eleven.

No spitting on the Bus! Thank you, The Mgt.

Working...