Slashdot Mirror


IE 9 Beats Other Browsers at Blocking Malicious Content

Orome1 writes with an article in Net Security. From the article: "Microsoft's Internet Explorer 9 has proved once again to be the best choice when it comes to catching attacks aimed at making the user download Web-based malware. This claim was made by NSS Labs in the recently released results (PDF) of a test conducted globally from May 27 through June 10 of the current year, which saw five of the most popular Web browsers pitted against each other. Windows Internet Explorer 9, Google Chrome 12, Mozilla Firefox 4, Apple Safari 5, and Opera 11 were tested with 1,188 malicious URLs — links that lead to a download that delivers a malicious payload or to a website hosting malware links."

5 of 235 comments

  1. If you block everything, your score is 100% by Anonymous Coward · Score: 5, Insightful

    MSIE got the highest "malware detection rate" because they used it in a mode where nearly every page is marked as "dangerous". It had the highest detection rate but also the highest false positive rate.

    If I sit at the airport saying "that plane is going to crash" for every plane that takes off, and eventually get it right, that doesn't mean I'm able to predict which planes are going to crash (even though I got "100% of the crashes" right)...
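
    The trade-off described above, as an added worked example that is not part of the comment or of the NSS Labs test. The URL list and its malicious/benign labels are constructed for illustration, and `block_everything` and `block_by_suffix` are hypothetical verdict functions standing in for a browser's URL reputation check; the point is that detection rate alone rewards a blocker that flags everything, so false-positive rate and precision have to be reported alongside it.

```python
# Added example: scoring a URL blocker on detection rate AND false-positive rate.
# Not from the Slashdot post or from NSS Labs; all data below is constructed.

# Constructed sample set: URL -> True if it leads to malware, False if benign.
URLS = {
    "http://example.test/update.exe": True,
    "http://example.test/invoice.pdf.exe": True,
    "http://example.test/codec-pack": True,
    "http://example.test/about": False,
    "http://example.test/news": False,
    "http://example.test/docs": False,
    "http://example.test/login": False,
}


def block_everything(url):
    """Hypothetical verdict: marks every page as dangerous."""
    return True


def block_by_suffix(url):
    """Hypothetical selective verdict: only flags direct .exe downloads."""
    return url.endswith(".exe")


def evaluate(verdict, labelled):
    """Run a verdict function over labelled URLs and return the usual
    detector metrics. detection_rate is TP/(TP+FN), false_positive_rate is
    FP/(FP+TN), precision is TP/(TP+FP)."""
    tp = fp = fn = tn = 0
    for url, is_malicious in labelled.items():
        blocked = verdict(url)
        if blocked and is_malicious:
            tp += 1
        elif blocked:
            fp += 1
        elif is_malicious:
            fn += 1
        else:
            tn += 1
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "counts": {"tp": tp, "fp": fp, "fn": fn, "tn": tn},
    }


if __name__ == "__main__":
    for name, fn in (("block_everything", block_everything),
                     ("block_by_suffix", block_by_suffix)):
        r = evaluate(fn, URLS)
        print(f"{name:18s} detection={r['detection_rate']:.2f} "
              f"fpr={r['false_positive_rate']:.2f} precision={r['precision']:.2f}")
```

    Run stand-alone, the "block everything" verdict scores 100% detection with a 100% false-positive rate, while the selective one misses one malicious URL but never blocks a benign page. A test that publishes only the first column cannot tell these two apart.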

  2. Kind of correct. by khasim · Score: 5, Insightful

    The results are favorable to Microsoft, so there will be a ton of skepticism, investigation, and outright dismissal.

    Yep. Mostly because Microsoft has a history of purchasing favourable "findings" from "independent" "research" firms.

    However, when studies favorable to this particular community's ideologies are announced, none of that occurs, even though the same kinds of skepticism can and should be applied.

    Kind of. The process and parameters should always be checked. But the other browsers do not have a history of their parent companies purchasing favourable "findings".

    It's called "learning from experience".
    There is no reason to forget every past instance when evaluating a new instance. Quite the opposite, in fact.

  3. Re:And who paid for this study? by bioster · Score: 5, Informative

    Frankly, the page itself screams bias with the line "has proved once again". I don't recall this being proved in the past, but hey, I try to be open minded. So I threw NSS labs into google, and immediately turned up:
    http://www.thetechherald.com/article.php/200912/3268/Can-you-trust-the-NSS-Labs-report-touting-the-benefits-of-IE8

    So apparently they tested IE8 and thought it was awesomesauce. Uhm, ok... I thought IE8 wasn't completely terrible but I wouldn't say it was good. That link seems to think NSS might be a microsoft shill. But ok, I like to be open minded. Let's keep looking. Going down the first page of my google search:
    Firewall Vendors Challenge Findings of NSS Labs Report | PCWorld
    Haavard - Malware report from NSS Labs manipulates statistics?
    Google Responds to NSS Labs Browser Security Report | News
    A recent test by NSS Labs gave a near-perfect score to Internet Explorer 9 beta and very poor marks to Chrome and other browsers.

    So uhm... yeah... at first glance, I'd say treating them with some skepticism seems more than warranted here.

  4. Re:Who paid? by Jeremiah+Cornelius · Score: 5, Interesting

    You have a valid point about the sandbox - but the study doesn't really do security justice when comparing the browsers.

    Malware is seldom a browser injection issue, but is instead vectored through plug-ins (I'm looking at YOU, Adobe!) which are privileged at a higher-level than the "sandboxed" container application.

    Flash has been a real horrorshow. It was never designed; rather, it acquired tacked-on and retro-fitted capabilities for dynamic content updating, video playback, scripting with user interactivity, etc.

    I could deliver extended anecdotes about the 0-day flash and pdf exploits that I've witnessed, unfolding right in front of me... Suffice it to say, fully patched systems with browser sandboxes are not immune. :-)

    The combination of security and privacy extensions that are developed for Firefox are, still, unmatched. Ghostery, AdBlock+ and BetterPrivacy will together prevent the opportunity to ever render many of the malicious, content delivered exploits. They also serve to screen and scrub the most pernicious of web-threats: covert bugging and monitoring of the browser by a third party.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."

  5. Re:Who paid? by benjymouse · Score: 5, Informative

    Citation please? Actually don't bother, because the statement is impossible to support with any amount of evidence.

    2008: http://www.favbrowser.com/firefox-browser-with-the-most-disclosed-vulnerabilities/

    2009: http://tech.blorge.com/Structure:%20/2009/11/09/firefox-leads-in-browser-vulnerabilities/

    2009: http://www.computerworld.com/s/article/9140582/Firefox_flaws_account_for_44_of_all_browser_bugs

    You can also query Secunia for vulnerabilities. With the new version number scheme and ultra-fast previous versions retirement (where you are left vulnerable if you don't upgrade immediately), you'll have to grok the numbers somewhat. Basically count the *unique* CVEs affecting all FF versions since, say, FF3.5. Do the same for IE8 & 9. You will not like the result.

    Firefox is the only major browser that openly reports vulnerabilities so of course it is going to have the highest publicly countable number.

    BS. All the major vendors are obligated to report vulnerabilities through Mitre. All browser vulnerabilities are assigned unique CVEs.

    And even if you had an accurate count of known vulnerabilities from the other vendors, known vulnerabilities hardly equates to total vulnerabilities, even less so when every vulnerability is counted as equal to every other one.

    If you consider a set of browsers which must be assumed to receive an equal amount of scrutiny (IE, FF, Chrome), if one browser year after year comes out with the most vulnerabilities, surely that does say something about code quality.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
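
    The "count the *unique* CVEs" step from the comment above, as an added example that is not part of the thread or of Secunia's data. The advisory records and the CVE identifiers in them (the `CVE-9999-...` form is a deliberate placeholder, not a real CVE) are constructed; `naive_total` and `unique_cves` are hypothetical helpers. It shows why summing per-version advisory entries inflates a browser's count when the same CVE is listed against several short-lived versions, which is exactly the distortion the comment warns about under a fast release cadence.

```python
# Added example: de-duplicating CVE IDs across per-version advisory entries.
# Not from the Slashdot post or Secunia; the records below are constructed and
# the CVE-9999-NNNN identifiers are placeholders, not real vulnerabilities.
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed records: (product, version, CVE IDs listed against that version).
# The same placeholder ID appearing under several versions models one bug that
# affected each of them and was re-listed in each version's advisory.
ADVISORIES = [
    ("Firefox", "3.5", ["CVE-9999-0001", "CVE-9999-0002"]),
    ("Firefox", "3.6", ["CVE-9999-0002", "CVE-9999-0003"]),
    ("Firefox", "4",   ["CVE-9999-0003", "CVE-9999-0004"]),
    ("Firefox", "5",   ["CVE-9999-0004"]),
    ("IE",      "8",   ["CVE-9999-0005", "CVE-9999-0006"]),
    ("IE",      "9",   ["CVE-9999-0006", "CVE-9999-0007"]),
]


def version_key(version):
    """Turn '3.5' into (3, 5) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def naive_total(advisories, product):
    """What a per-version tally gives: every listing counted, duplicates and all."""
    return sum(len(cves) for p, _, cves in advisories if p == product)


def unique_cves(advisories, product, since=None):
    """Distinct, well-formed CVE IDs affecting any version of `product`
    (restricted to versions >= `since` when given)."""
    found = set()
    for p, version, cves in advisories:
        if p != product:
            continue
        if since is not None and version_key(version) < version_key(since):
            continue
        for cve in cves:
            if CVE_RE.match(cve):  # drop malformed IDs rather than miscount
                found.add(cve)
    return found


if __name__ == "__main__":
    for product in ("Firefox", "IE"):
        print(f"{product}: naive={naive_total(ADVISORIES, product)} "
              f"unique={len(unique_cves(ADVISORIES, product))}")
    print("Firefox unique since 4:", len(unique_cves(ADVISORIES, "Firefox", since="4")))
```

    With these constructed records the naive tally gives Firefox 7 and IE 4, while the de-duplicated counts are 4 and 3: the gap is entirely an artifact of re-listing the same CVE against each affected version, so any cross-browser comparison has to be made on the unique set.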