Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE 9 Beats Other Browsers at Blocking Malicious Content

Posted by Unknown on from the slid-into-the-wrong-universe dept.

Orome1 writes with an article in Net Security. From the article: "Microsoft's Internet Explorer 9 has proved once again to be the best choice when it comes to catching attacks aimed at making the user download Web-based malware. This claim was made by NSS Labs in the recently released results (PDF) of a test conducted globally from May 27 through June 10 of the current year, which saw five of the most popular Web browsers pitted against each other. Windows Internet Explorer 9, Google Chrome 12, Mozilla Firefox 4, Apple Safari 5, and Opera 11 were tested with 1,188 malicious URLs — links that lead to a download that delivers a malicious payload or to a website hosting malware links."

4 of 235 comments (clear)

  1. Who paid? by benjymouse · · Score: 4, Interesting

    This report was produced as part of NSS Labs’ independent testing information services.
    Leading vendors were invited to participate fully at no cost, and NSS Labs received no
    vendor funding to produce this report.

    Firefox still does not have a sandbox in place. That right there is a severe problem. Especially as Firefox is *the* browser with most vulnerabilities. The only thing Mozilla has going for Firefox security is that they are really fast to patch once a vulnerability has become known.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    1. Re:Who paid? by Jeremiah+Cornelius · · Score: 5, Interesting

      You have a valid point about the sandbox - but the study doesn't really do security a justice, when comparing the browsers.

      Malware is seldom a browser injection issue, but is instead vectored through plug-ins (I'm looking at YOU, Adobe!) which are privileged at a higher-level than the "sandboxed" container application.

      Flash has been a real horrorshow. It was never designed - rather acquiring tacked-on and retro-fitted capability for dynamic content updating, video playback and scripting with user interactivity, etc.

      I could deliver extended anecdotes about the 0-day flash and pdf exploits that I've witnessed, unfolding right in front of me... Suffice it to say, fully patched systems with browser sandboxes are not immune. :-)

      The combination of security and privacy extensions that are developed for Firefox are, still, unmatched. Ghostery, AdBlock+ and BetterPrivacy will together prevent the opportunity to ever render many of the malicious, content delivered exploits. They also serve to screen and scrub the most pernicious of web-threats: covert bugging and monitoring of the browser by a third party.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Who paid? by benjymouse · · Score: 4, Interesting

      You have a valid point about the sandbox - but the study doesn't really do security a justice, when comparing the browsers.

      Malware is seldom a browser injection issue, but is instead vectored through plug-ins (I'm looking at YOU, Adobe!) which are privileged at a higher-level than the "sandboxed" container application.

      No. These days some 85% of infections derive from social engineering. Malware comes in through the user. Vulnerability exploits seems to be a lot less effective these days. Social engineering is precisely what the tested security (reputation) mechanisms are aimed at.

      Having said that, yes, Flash is really, really bad. So is Java. And both are rather prolific, regrettably.

      I could deliver extended anecdotes about the 0-day flash and pdf exploits that I've witnessed, unfolding right in front of me... Suffice it to say, fully patched systems with browser sandboxes are not immune. :-)

      That piques my interest. When was this? AFAIK there has not been a *single* in-the-wild sandbox breach of neither Chrome nor IE (yes, pwn2own demonstrated a combination of 3 techniques which escaped the IE sandbox - but this has not been reported in the wild). Up until some (fast) versions ago, Chrome did not sandbox Flash. IE did that since IE7.

      The combination of security and privacy extensions that are developed for Firefox are, still, unmatched. Ghostery, AdBlock+ and BetterPrivacy will together prevent the opportunity to ever render many of the malicious, content delivered exploits. They also serve to screen and scrub the most pernicious of web-threats: covert bugging and monitoring of the browser by a third party.

      Whether they are unmatched is a matter of opinion. Firefox requires addons and will block more broadly (which is desirable to some). To me, the fact that FF code quality seems to lack (they have had most vulns reported for the last 5 years going) combined with their nonsensical refusal to implement a sandbox makes it a no-go for me. (I'm, using Chrome, btw).

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  2. Re:NSS Labs: The best studies money can buy by cobrausn · · Score: 3, Interesting

    What is wrong with testing the bare browser configuration? Aren't we trying to protect those who are most likely to download malware by accident, i.e., those who are also unlikely to install AdBlockPlus and NoScript?

    --
    How does it feel to be a liar with pants constantly on fire?