Google’s Project Zero Team has created a new tool for testing web browsers in order to gauge how secure they are.
The team recently conducted an extensive test on the top five web browsers in use today:
• Chrome
• Firefox
• Safari
• Edge
• Internet Explorer
The results weren’t pretty.
The new tool, called “Domato” specifically looks for security flaws in the DOM engine, which is used by all of the major browsers, making it the most logical attack vector for hackers once Flash reaches its end of life in 2020. The goal of the team is to start identifying weaknesses in each browser’s DOM engine now, so that companies can begin addressing those issues before they get used against the public at large.
Their tests revealed that Chrome had two critical DOM Engine security flaws, Firefox and IE both had 4, Edge had six, and Safari took the dubious top honor with seventeen.
The tool was created by Ivan Fratric, who contacted all the companies responsible for the browsers and shared his results with them. He also made Domato’s source code available on GitHub to encourage researchers from those companies to test and experiment for themselves.
So far, none of the companies responsible for maintaining those different browsers have formally responded, but you can bet plans are already being drawn up to begin addressing the security flaws found before new lines of attack can be drawn up using them.
Perhaps the biggest surprise coming out of the recent test was how poorly Apple’s Safari browser fared. Apple has long been known for having a relatively more secure operating environment, which is a point of pride among the company’s loyal user base, but as this latest test shows, that’s no longer something the company can take for granted.
In any case, this is a sign of things to come. Once Flash goes away forever, you can bet hackers will begin gleefully exploiting any weaknesses in a web browser’s DOM engine code that haven’t been shored up.