Google tested the web browsers for security: Safari has the most vulnerabilities in the DOM engine.

The Google Expert Team on Zero Day Vulnerabilities («Zero Project») analyzed the most popular browsers for vulnerabilities in DOM engines. The worst result Safari showed —17 vulnerabilities. The safest was the native Chrome — only two bugs.

The team used the utility Domato for testing, which Fratrich developed specifically for testing DOM engines. This is a fuzzing tool for security testing, which transmits to the application in question a random data set. Also, it analyzes the anomalies of the output data.

The team chose five browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Edge and Safari from Apple. The team conducted using Domato about 100 million tests. The results showed that the first three are the safest.

The results showed that Safari has the worst DOM engine with 17 security errors. On the second place from the end is the Edge with six problems.

Browsers results

Google reported the bugs found to the developers of each browser. Also, it provided them with copies of Domato so that everyone can independently perform more extensive tests of their products. The source code for Domato was also published on GitHub so that anyone can use it or adapt it to work with other applications, not just with DOM engines of web browsers.

Fratrich emphasized that this experiment focuses on the security of only one component (DOM engine). So you can not perceive its results as an indicator of the security of browsers in general. Although historically, vulnerabilities in the DOM have been the source of many security problems. «This experiment does not take into account other aspects such as the existence and security of the sandbox. Errors in other components such as script engines, etc. I also can not ignore the possibility that in DOM my fuzzer better finds certain types of problems, which can affect the overall statistics», — wrote the developer.

DOM (Document Object Model) engines are browser components that read HTML and organize it in the Document Object Model, which is then rendered and displayed in a browser window as an image that users see on their screens. According to Fratrich, developers rarely release updates that do not contain fixes for critical problems in DOM engines. So the problem is quite significant. In particular, given the fact that after the final abandonment of Flash technology in 2020, which bears the palm of priority for exploited vulnerabilities, DOM engines will become one of the main targets of attacks by intruders.