Slashdot Mirror


IE 9 Beats Other Browsers at Blocking Malicious Content

Orome1 writes with an article in Net Security. From the article: "Microsoft's Internet Explorer 9 has proved once again to be the best choice when it comes to catching attacks aimed at making the user download Web-based malware. This claim was made by NSS Labs in the recently released results (PDF) of a test conducted globally from May 27 through June 10 of the current year, which saw five of the most popular Web browsers pitted against each other. Windows Internet Explorer 9, Google Chrome 12, Mozilla Firefox 4, Apple Safari 5, and Opera 11 were tested with 1,188 malicious URLs — links that lead to a download that delivers a malicious payload or to a website hosting malware links."

12 of 235 comments

  1. Who paid? by benjymouse · · Score: 4, Interesting

    This report was produced as part of NSS Labs’ independent testing information services.
    Leading vendors were invited to participate fully at no cost, and NSS Labs received no
    vendor funding to produce this report.

    Firefox still does not have a sandbox in place. That right there is a severe problem. Especially as Firefox is *the* browser with the most vulnerabilities. The only thing Mozilla has going for Firefox security is that they are really fast to patch once a vulnerability has become known.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    1. Re:Who paid? by Jeremiah+Cornelius · · Score: 5, Interesting

      You have a valid point about the sandbox - but the study doesn't really do security a justice, when comparing the browsers.

      Malware is seldom a browser injection issue, but is instead vectored through plug-ins (I'm looking at YOU, Adobe!) which are privileged at a higher level than the "sandboxed" container application.

      Flash has been a real horrorshow. It was never designed - rather acquiring tacked-on and retro-fitted capability for dynamic content updating, video playback and scripting with user interactivity, etc.

      I could deliver extended anecdotes about the 0-day flash and pdf exploits that I've witnessed, unfolding right in front of me... Suffice it to say, fully patched systems with browser sandboxes are not immune. :-)

      The combination of security and privacy extensions that are developed for Firefox are, still, unmatched. Ghostery, AdBlock+ and BetterPrivacy will together prevent the opportunity to ever render many of the malicious, content delivered exploits. They also serve to screen and scrub the most pernicious of web-threats: covert bugging and monitoring of the browser by a third party.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Who paid? by benjymouse · · Score: 5, Informative

      Citation please? Actually don't bother, because the statement is impossible to support with any amount of evidence.

      2008: http://www.favbrowser.com/firefox-browser-with-the-most-disclosed-vulnerabilities/

      2009: http://tech.blorge.com/Structure:%20/2009/11/09/firefox-leads-in-browser-vulnerabilities/

      2009: http://www.computerworld.com/s/article/9140582/Firefox_flaws_account_for_44_of_all_browser_bugs

      You can also query Secunia for vulnerabilities. With the new version number scheme and ultra-fast previous versions retirement (where you are left vulnerable if you don't upgrade immediately), you'll have to grok the numbers somewhat. Basically count the *unique* CVEs affecting all FF versions since, say, FF3.5. Do the same for IE8 & 9. You will not like the result.

      Firefox is the only major browser that openly reports vulnerabilities so of course it is going to have the highest publicly countable number.

      BS. All the major vendors are obligated to report vulnerabilities through Mitre. All browser vulnerabilities are assigned unique CVEs.

      And even if you had an accurate count of known vulnerabilities from the other vendors, known vulnerabilities hardly equates to total vulnerabilities, even less so when every vulnerability is counted as equal to every other one.

      If you consider a set of browsers which must be assumed to receive an equal amount of scrutiny (IE, FF, Chrome), if one browser year after year comes out with the most vulnerabilities, surely that does say something about code quality.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    3. Re:Who paid? by benjymouse · · Score: 4, Interesting

      You have a valid point about the sandbox - but the study doesn't really do security a justice, when comparing the browsers.

      Malware is seldom a browser injection issue, but is instead vectored through plug-ins (I'm looking at YOU, Adobe!) which are privileged at a higher-level than the "sandboxed" container application.

      No. These days some 85% of infections derive from social engineering. Malware comes in through the user. Vulnerability exploits seem to be a lot less effective these days. Social engineering is precisely what the tested security (reputation) mechanisms are aimed at.

      Having said that, yes, Flash is really, really bad. So is Java. And both are rather prolific, regrettably.

      I could deliver extended anecdotes about the 0-day flash and pdf exploits that I've witnessed, unfolding right in front of me... Suffice it to say, fully patched systems with browser sandboxes are not immune. :-)

      That piques my interest. When was this? AFAIK there has not been a *single* in-the-wild sandbox breach of either Chrome or IE (yes, pwn2own demonstrated a combination of 3 techniques which escaped the IE sandbox - but this has not been reported in the wild). Up until some (fast) versions ago, Chrome did not sandbox Flash. IE has done that since IE7.

      The combination of security and privacy extensions that are developed for Firefox are, still, unmatched. Ghostery, AdBlock+ and BetterPrivacy will together prevent the opportunity to ever render many of the malicious, content delivered exploits. They also serve to screen and scrub the most pernicious of web-threats: covert bugging and monitoring of the browser by a third party.

      Whether they are unmatched is a matter of opinion. Firefox requires addons and will block more broadly (which is desirable to some). To me, the fact that FF code quality seems to lack (they have had the most vulns reported for the last 5 years going) combined with their nonsensical refusal to implement a sandbox makes it a no-go for me. (I'm using Chrome, btw).

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    4. Re:Who paid? by bunratty · · Score: 3, Informative

      Secunia specifically states "The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products."

      Some companies, especially those with closed-source browsers, may not disclose all vulnerabilities they fix. The number of vulnerabilities fixed also doesn't take into account how severe the vulnerabilities are, or how long it took the vendor to patch them. Which would you rather use, a browser that has ten small vulnerabilities, all patched within days of being discovered, or a browser that has one severe vulnerability that has not been patched in months?

      --
      What a fool believes, he sees, no wise man has the power to reason away.
  2. If you block everything, your score is 100% by Anonymous Coward · · Score: 5, Insightful

    MSIE got the highest "malware detection rate" because they used it in a mode where nearly every page is marked as "dangerous". It had the highest detection rate but also the highest false positive rate.

    If I sit at the airport saying "that plane is going to crash" for every plane that takes off, and eventually get it right, that doesn't mean I'm able to predict which planes are going to crash (even though I got "100% of the crashes" right)...
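The detection-rate point made in this comment, as an added worked example that is not part of the original thread: a constructed, labelled URL set is scored against a block-everything policy and a small reputation blocklist, showing that the first reaches a 100% detection rate only by also blocking every benign page. All URLs, labels and the blocklist are made up for the example.

```python
"""Score URL-blocking policies on a constructed, labelled URL set.

A policy that blocks every page reaches a 100% malware detection rate,
but also a 100% false positive rate, so detection rate alone says
nothing about how useful a filter is.  Every URL, label and blocklist
entry below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Tuple

# Constructed corpus: (url, is_malicious)
CORPUS = [
    ("http://example.com/news", False),
    ("http://example.org/docs", False),
    ("http://example.net/shop", False),
    ("http://example.com/login", False),
    ("http://bad.example/downloader.exe", True),
    ("http://bad.example/setup_codec.exe", True),
    ("http://evil.example/invoice.pdf", True),
    ("http://evil.example/free_av_scan", True),
]

# Constructed reputation blocklist that knows only half of the bad URLs.
BLOCKLIST = {
    "http://bad.example/downloader.exe",
    "http://bad.example/setup_codec.exe",
}


@dataclass(frozen=True)
class Metrics:
    detection_rate: float        # blocked malicious / all malicious
    false_positive_rate: float   # blocked benign / all benign
    precision: float             # malicious share of everything blocked


def evaluate(policy: Callable[[str], bool],
             corpus: Iterable[Tuple[str, bool]] = CORPUS) -> Metrics:
    """Score policy(url) -> True (block) / False (allow) against labels."""
    tp = fp = fn = tn = 0
    for url, malicious in corpus:
        blocked = policy(url)
        if blocked and malicious:
            tp += 1
        elif blocked:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    blocked_total = tp + fp
    return Metrics(
        detection_rate=tp / (tp + fn),
        false_positive_rate=fp / (fp + tn),
        precision=tp / blocked_total if blocked_total else 0.0,
    )


def block_everything(url: str) -> bool:
    """The 'every plane will crash' policy: block unconditionally."""
    return True


def blocklist_policy(url: str) -> bool:
    """Block only URLs already on the reputation blocklist."""
    return url in BLOCKLIST
```

Comparing `evaluate(block_everything)` with `evaluate(blocklist_policy)` shows why a detection rate must always be read together with its false positive rate.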

  3. Kind of correct. by khasim · · Score: 5, Insightful

    The results are favorable to Microsoft, so there will be a ton of skepticism, investigation, and outright dismissal.

    Yep. Mostly because Microsoft has a history of purchasing favourable "findings" from "independent" "research" firms.

    However, when studies favorable to this particular community's ideologies are announced, none of that occurs, even though the same kinds of skepticism can and should be applied.

    Kind of. The process and parameters should always be checked. But the other browsers do not have a history of their parent companies purchasing favourable "findings".

    It's called "learning from experience".
    There is no reason to forget every past instance when evaluating a new instance. Quite the opposite, in fact.

  4. NSS Labs: The best studies money can buy by thoromyr · · Score: 4, Insightful

    Of course, when your methodology is that only the bare browser configuration is allowed (e.g., no AdBlockPlus, no NoScript) and you carefully select the malware URLs (obtained from "honey pot" email addresses and then filtered, and then "prune out non-conforming URLs" -- without fully specifying what made them non-conforming) *and* require the malware URLs to be live for at least 6 consecutive hours it gets a lot easier to massage the results. To further exaggerate results not only does a "hit" increase the score but a "miss" decreases it to magnify the difference.

    This is the same song as they sang about IE8 with the same, predictable, results. Microsoft didn't pay them a wad of money for this study for nothing.

    1. Re:NSS Labs: The best studies money can buy by cobrausn · · Score: 3, Interesting

      What is wrong with testing the bare browser configuration? Aren't we trying to protect those who are most likely to download malware by accident, i.e., those who are also unlikely to install AdBlockPlus and NoScript?

      --
      How does it feel to be a liar with pants constantly on fire?
  5. Re:And who paid for this study? by bioster · · Score: 5, Informative

    Frankly, the page itself screams bias with the line "has proved once again". I don't recall this being proved in the past, but hey, I try to be open minded. So I threw NSS labs into google, and immediately turned up:
    http://www.thetechherald.com/article.php/200912/3268/Can-you-trust-the-NSS-Labs-report-touting-the-benefits-of-IE8

    So apparently they tested IE8 and thought it was awesomesauce. Uhm, ok... I thought IE8 wasn't completely terrible but I wouldn't say it was good. That link seems to think NSS might be a microsoft shill. But ok, I like to be open minded. Let's keep looking. Going down the first page of my google search:
    Firewall Vendors Challenge Findings of NSS Labs Report | PCWorld
    Haavard - Malware report from NSS Labs manipulates statistics?
    Google Responds to NSS Labs Browser Security Report | News
    A recent test by NSS Labs gave a near-perfect score to Internet Explorer 9 beta and very poor marks to Chrome and other browsers.


    So uhm... yeah... at first glance, I'd say treating them with some skepticism seems more than warranted here.

  6. Re:Nice try by mckinnsb · · Score: 4, Insightful

    If by "pulled out of someone's ass" you mean "they engineered the test to perform best with Internet Explorer 9", then completely.

    The main center-point of this test was evaluating a "cloud based trust ranking algorithm". But the study provides no evidence that these algorithms exist in any of the browsers; it's a simple assumption which is likely false (especially when you look at the graphs). What the graphs are really showing is the performance of each browser's black list versus a set of URLs they selected, and not randomly.

    If you look at the graphs themselves, they actually don't show the action of any algorithm (which would likely linearly increase or show volatility); in fact, IE9 (With App Rep) is simply a straight line. It's pretty clear that the URLs they used were already in the black list beforehand, and that straight line is a continual rejection of them.

    Testing a browser's ability to 'blacklist' websites is fine, I guess, but my first problem with this study is that's not the only way to measure 'security'. My second problem is that there's no evidence that the browsers themselves actually perform this activity, making the tests in the study feel like "studying the maximum (flying) climb speed of humans, rats, horses, and bats". My third - and the most troubling - problem is that they don't provide any information as to how these lists were obtained. They only say they tried to "mix URLs so as to make sure that certain domains were not overemphasized", and "NSS Labs operates its own network of spam traps and honeypots.", in addition to "In addition, NSS Labs maintains relationships with other independent security researchers, networks, and security companies". You can assume without being overly bold that this list could have been a list of URLs that they knew IE would block. Conversely, you could probably easily design a similar test that would have Chrome at 100% block rate, and IE 9 at 10% - it's merely a measure of "what sites were in our test pool that are also in the browser's black list".

    Pffft.

  7. FF4 - How unfair! by pseudorand · · Score: 3, Insightful

    Yet again another M$ sponsored study makes IE look better by using an ancient version of Firefox. FF4 is like way out of date. How dare they make such claims.