Microsoft Says IE9 Blocks More Malware Than Chrome

CSHARP123 writes "In a move that's sure to raise some eyebrows, Microsoft today debuted a new web site designed to raise awareness of security issues in web browsers. When you visit the site, called Your Browser Matters, it allows you to see a score for the browser you're using. Only IE, Chrome, or Firefox are included — other browsers are excluded. Not surprisingly, Microsoft's latest release, Internet Explorer 9, gets a perfect 4 out of 4. Chrome or Firefox do not even come close to the score of 4. Even though the web site makes it easy for users to upgrade to the latest version of their choice of browser, Roger Capriotti hopes people will choose IE9, as it blocks more malware compared to Chrome or Firefox." Of note in the Windows Team post is that the latest Microsoft Security Intelligence Report discovered that 0-day exploits account for a mere tenth of a percent of all intrusions. Holes in outdated software and social engineering account for the majority of successful attacks.

NoScript

[Hatta]

NoScript blocks more malware than either.

Re:NoScript

[North+Korea]

Yes, and is pain in the ass to use and something that no normal person will ever do. Hell, even I don't want to use it while being a geek and fully understand it's potential.. but it's just so pain in the ass.

Re:NoScript

[recoiledsnake]

NoInternet blocks everything except those from local storage.

Expecting novice users to understand and use NoScript is not tenable.

Re:NoScript

NoScript blocks more malware than either.

And abstinence provides better protection than condoms.

Re:NoScript

[Hatta]

If my artist girlfriend can use it with no instruction from me, complaints about complexity ring hollow.

Personally, I find that javascript on average detracts more from the browsing experience than it adds. Slashdot is a perfect example, it's simply not usable with javascript enabled. So even if there was no security benefit at all, it would still be less of a pain in the ass to use NoScript than it would be to browse without it.

Re:NoScript

[Hazel+Bergeron]

To help geek up this analogy: enjoying the web without Javascript is like having sex but avoiding partners with STDs.

Re:NoScript

[TechLA]

No one talked about complexity, but just being pain in the ass to use. You always have to keep reloading sites, allowing scripts and so on when you go new sites. And if you just allow most, then there's no point anyway. Most of the internet now relies on JavaScript and it really does make things easier, allows AJAX and so on. You break a lot of functionality without JavaScript. Yes, most good sites allow non-javascript fallback, but it's not as nice as with JavaScript enabled.

Re:NoScript

[TechLA]

NoScript blocks more malware than either.

And abstinence provides better protection than condoms.

Yet, abstinence probably leads to much more serious things than possibility of some minor STD, including depression, anti-social behavior and stress. It's good to let go every once in a while.

Of course, there is a good middle ground too. Serious STD's like HIV/AIDS generally do not spread orally. If you're on the receiving end of a blowjob, you have almost 0% change of catching HIV. Even with prostitutes. I learned this thing and have had sex with many ladyboys and never had any STD. Of course, while having intercourse it's a good idea to use condom, but as a receiving end of a blowjob, you cannot get AIDS.

Re:NoScript

[93+Escort+Wagon]

To help geek up this analogy: enjoying the web without Javascript is like having sex but avoiding partners with STDs.

For a typical user, a better analogy would be: Enjoying the web without Javascript is like having sex while wearing a condom made of inch-thick rubber.

Re:NoScript

NoScript can block all those things since it has configurable plugin blocking, configurable with the same site rule system used for js. This is great, not because of malware, but because I personally would rather just click on the few cases where I want to use flash (even on whitelisted sites).

So your snark attempt has pretty much failed.

Re:NoScript

[amicusNYCL]

Slashdot is a perfect example, it's simply not usable with javascript enabled.

So how do you explain all of the people, like myself, who use Slashdot with Javascript enabled? Your credibility is starting to ring a bit hollow. A lack of Javascript is not a security panacea, not by a long shot. Plugins are the problem, not scripting. Scripting only matters if you're defending against a script injection attack. It doesn't do squat if the server was hacked and the page has an iframe pointing to a PDF, Java applet, or Flash movie, and it does even less against a site that is simply malicious.

Re:NoScript

[Baloroth]

So does Lynx. Your point?

Re:NoScript

[Nadaka]

Sure it does, noscript blocks PDFs, applets and flash by default. This means that they can't sneak a hidden plugin attack in. The only way for those plugin attacks to work is if you intentionally approve the content.

Re:NoScript

[errandum]

I also use Slashdot with javascript enabled, but noscript, by default, also blocks the loading of those plugins in untrusted sites.

Re:NoScript

To help geek up this analogy: enjoying the web without Javascript is like having sex but avoiding partners with STDs.

For a typical user, a better analogy would be: Enjoying the web without Javascript is like having sex while wearing a condom made of inch-thick rubber.

and while also wearing a blindfold...

Re:NoScript

[amicusNYCL]

Why not just set the browser to only load plugins on-demand? Is that possible with vanilla Firefox?

Re:NoScript

[causality]

Slashdot is a perfect example, it's simply not usable with javascript enabled.

So how do you explain all of the people, like myself, who use Slashdot with Javascript enabled? Your credibility is starting to ring a bit hollow. A lack of Javascript is not a security panacea, not by a long shot. Plugins are the problem, not scripting. Scripting only matters if you're defending against a script injection attack. It doesn't do squat if the server was hacked and the page has an iframe pointing to a PDF, Java applet, or Flash movie, and it does even less against a site that is simply malicious.

Did you know: NoScript blocks plugins, movies, and applets too? You would have known that, if you were actually in a good position to form an opinion about it. There's a reason it is "NoScript" not "NoJavaScript". Basically NoScript means you get just the basic page layout with nothing "active" like movies or scripts unless you explicitly choose to enable them on a case-by-case basis. To reiterate, you should really understand the most basic functions of NoScript if you're going to comment on it.

Also, I don't recall anyone saying anything was a panacea. Since no one made this claim, what purpose does it serve to refute it? There is no security panacea anywhere. Therefore, to say "X is not a security panacea" is a statement of the obvious. There are no 90-foot purple newts either, by the way. Just like your parroting someone else who used the phrase "ring hollow", apparently as a sort of mockery, this is a sign of a content-free post based on emotion.

They do still teach lawyers how to construct an argument, right?

Re:NoScript

[amicusNYCL]

Flash requires JavaScript to launch.

No it doesn't.

It seems to me that loading plugins on-demand is really all you need. I don't see a reason to stop Javascript as a security precaution, I don't know of any plain Javascript attacks that lead to malware being installed. There are too many PDF readers that work better than Acrobat to justify using Acrobat, and I haven't seen Java in use in years. I don't know if an extension is required in Firefox in order to load plugins on-demand, but if you block those 3 then you block at least 85% of attacks. I just don't see any additional security benefit in blocking Javascript.

Re:NoScript

[Vokkyt]

That's inappropriate hyperbole. It takes a click or two on non-trusted sites to configure, and that's about it for most NoScript users, and given that severe infections can necessitate a reinstall, the minor inconvenience far outweighs the potential risk.

I do find the comment on "broken mess" a bit funny, cause for a lot of sites, the ads that are getting blocked make it look like a mess anyways.

Re:NoScript

[amicusNYCL]

Did you know: NoScript blocks plugins, movies, and applets too?

Obviously not. I try to avoid Firefox, and I don't need the functionality of NoScript in my browser of choice because most of it is built-in.

There's a reason it is "NoScript" not "NoJavaScript".

Since plugin blocking was added after the initial release, the initial intention (and name) was in fact blocking Javascript. From the changelog, it appears that plugin blocking was added in 1.1.

They do still teach lawyers how to construct an argument, right?

I wouldn't know, I'm not a lawyer, I just appreciate the work of some of them.

Re:NoScript

[Cryacin]

It's amazing how many people prevent having accidents in their car by removing the fuel in the first place. Do you no longer live in a house to prevent dying in a fire as well?

Re:NoScript

[causality]

NoInternet blocks everything except those from local storage.

Expecting novice users to understand and use NoScript is not tenable.

To expect them to automatically understand it "out of the box" as though their spirit guide slipped the knowledge into their minds while they slept, no that is not tenable. The expectation is that there will be a short period of adjustment that any literate adult of below-average or higher intelligence should be able to handle.

What's REALLY not tenable and is accumulating untold amounts of cost and damage, is this un-negotiated, unwritten, often unspoken default assumption that "novice" should be a permanent state and not one that is soon outgrown with acquired experience. Naturally the implication is that someone who was paying attention, who maybe read a FAQ or a manual once in a while, should bear both his own burdens and those of a permanent novice. How nice to be so entitled to another's efforts, to scream and cry whenever same is denied. Heaven forbid the novice ever be told to do anything different. That would make you a big meanie.

I suppose the "right" to never be challenged by anything is taking its place next to the "right" to never be offended by anyone.

Re:NoScript

[causality]

Obviously not. I try to avoid Firefox, and I don't need the functionality of NoScript in my browser of choice because most of it is built-in.

Fair enough, but can you see why that wouldn't put you in a good position to form opinions about it?

Since plugin blocking was added after the initial release, the initial intention (and name) was in fact blocking Javascript. From the changelog, it appears that plugin blocking was added in 1.1.

The initial release of Microsoft Windows was a graphical shell that ran on top of DOS. So that means Windows 7 is still based on 16-bit code, right? Because we all know, nothing ever grows or expands or evolves beyond its initial origins.

I wouldn't know, I'm not a lawyer, I just appreciate the work of some of them.

See there I did make an assumption and you rightly called me on it. I don't mind. Goose, gander, and all of that. Of course I could try to weasel out of that and say something like "could you appreciate the way they construct and deconstruct lines of reasoning too?" but that'd be less honest.

Re:NoScript

[MBoffin]

I'm not talking about savvy users. I'm talking about average users. Ones who visit a site and get confused why things aren't working and get frustrated before, finally, after a couple minutes, realizing they might be running into a NoScript problem, and then do those one or two clicks to get it working. And then repeat the cycle again when they're off to the next site.

I bring up average users because the malware blocking features in Chrome and IE9 are targeted at average users.

Re:NoScript

[amicusNYCL]

Fair enough, but can you see why that wouldn't put you in a good position to form opinions about it?

I can form an opinion about whatever I want, but I acknowledge that it's unwise to comment on features without knowing them. I haven't used NoScript in years.

The initial release of Microsoft Windows was a graphical shell that ran on top of DOS. So that means Windows 7 is still based on 16-bit code, right? Because we all know, nothing ever grows or expands or evolves beyond its initial origins.

You're still talking about the origin of the name "NoScript", right?

Re:NoScript

[amicusNYCL]

What kind of a stretch is that? I use Opera, I set it to load plugins on-demand. When I get to a page that has Flash content worth watching, I click on it to load the Flash movie. I'm protected against anything I haven't clicked to load. What's so difficult to understand?

It's a fact that Acrobat is crap software, it's a fact that I haven't used a website that requires Java in many years, and it's a fact that the only Flash content I see are things that I explicitly load.

Re:NoScript

[amicusNYCL]

I'm pretty sure that malicious authors try any number of ways to load Flash. Instead of trying to block all possible ways of loading Flash, how about just block Flash? Where is the threat with Javascript?

Re:NoScript

No, a while ago, he was challenged to mention ladyboys in every one of his future posts. He has met that challenge.

Re:NoScript

[YenTheFirst]

For a typical user, a better analogy would be: Enjoying the web without Javascript is like having sex while wearing a condom made of inch-thick rubber.

It prevents errors from being propagated?

Re:NoScript

[AK+Marc]

Opera fills in the empty spots with a big "play" arrow, and you click it to play the content. Nobody gets "confused" over that, except twats who decided they want to be obtuse and complain about everything not their preferred way and start eating their mouse and complain that the browser didn't interpret their instructions correctly.

Re:NoScript

Isn't it more like substituting your sexual partners with realdolls?

Re:NoScript

[Billly+Gates]

Mod parent up

Very factual comment.

NoScript is simply not an option outside of Firefox. It is a pain to support for grandmas and others getting dialog boxes at every single site asking to block or open such and such. It is a pain like UAC for me personally.

Re:NoScript

[Runaway1956]

"WE CAN'T GIVE YOU A SCORE FOR YOUR BROWSER."

"WHAT DOES THIS SCORE MEAN?"

I guess that means that my browser is more secure than they expected, and they don't want to admit it? Or, they can't exploit a vulnerability that they expected to find in my browser? WTF?

Chromium, with Ghostery, AdBlock Plus, Flashblock, and NoScript. Go figure . . .

Let's see what it looks like in Firefox:

"How well is your browser protecting you?

We do not have any data for your browser, so we can’t give your browser a score.
See how other browsers scored > "

The site like my Firefox setup better than it liked my Chromium setup - I can at least advance through the menus. But, they can't rank my browser. Phht. Same old tired FUD, if you ask me. What a waste of bandwidth!

Re:NoScript

[Runaway1956]

On Adobe software, we can agree. I haven't looked in weeks, but the last time I looked, Adobe was the number one vector for malware. As I recall, the first time I read that, authors were expressing amazement that Adobe had replaced Microsoft at the head of the list. There's little need to search for citations - real geeks know that already, and the posers will deny it in order to advance their own agendas.

Re:NoScript

[Runaway1956]

"The amount of time I've seen NoScript users deal with reconfiguring NoScript just so they can have a reasonably decent browsing experience far exceeds the amount of time they would have to spend dealing with malware."

That is complete and utter nonsense. It only takes ONE malware to totally bork your system. SpyAxe, which went by several different names through several different incarnations was pure hell to remove. Then, there was a specially hideous toolbar that installed itself as a driveby thing. Rootkits and keyloggers in general, no matter how sophisticated, justify the extra time required to set up a secure browser. The alternative is to nuke from orbit, and reinstall your OS again.

Everyone has their own opinion - but the people with worthless opinions are those who are compromised, their identities stolen, their credit cards and/or debit cards compromised, and their bank accounts cleaned out.

Re:NoScript

[moonbender]

I've got to hand it to you two, that's almost textbook material for petty internet bickering. :)

Re:NoScript

[Runaway1956]

Uhhhh - Chromium does indeed warn me before downloading files. Words to the effect, "PDF files may contain malicious contenc, do you really want to download this file?" I'm not real sure, maybe Chromium assumes that I'll be opening the PDF document with an Adobe product, so they warn me of the potential vector. Whatever - on Linux, Chromium is set up pretty securely. I can't address the security of Chrome on Windows. I haven't even started up a Windows VM in the past few weeks.

Re:NoScript

[HermMunster]

We all know Microsoft's response is total bullshit. What this is in response to is that a recent report indicating that IE is the primary vector for infection in Windows environments, which is nearly all of them as the infection rate for other OSes isn't even measurable.

This is a deflection tactic. It is mean to push notice on the competition that is suffering now in the press at various stages. It has no merit, none at all. It is a weak tactic and one we all should despise.

Instead of Microsoft actually fixing their problems, or exiting the market, they have to make others look bad to make themselves look better. I'm sure few of us will take the bait, but when addressing the unwashed masses it has it's intended affect.

Everyone here should be a correction mechanism for this for their family and friends. Microsoft can reach more people with a single utterance than any of us can, but together we can work to ensure we offset that with the real causes of infections (Microsoft's shoddy work), and we can shed light on our family and friends to make it clear that they understand these are shameful tactics.

Re:NoScript

[Tasha26]

Look at the title, "Microsoft says..." and about their own product. It must be true... right... umm?

Re:NoScript

[jcfandino]

To help geek up this analogy: enjoying the web without Javascript is like having sex but avoiding partners with STDs.

For a typical user, a better analogy would be: Enjoying the web without Javascript is like having sex while wearing a condom made of inch-thick rubber.

Well, it depends if you are the one wearing the condom or the other one.

Re:NoScript

[hairyfeet]

I hate to break the news to ya friend, but as much as I think IE is shit (haven't let my users run it since the whole ActiveX mess) infected computers are something I have to deal with at the shop constantly and I can tell you its almost always the users fault and no amount of software can keep stupid people from being dumbasses.

Here are how I'd say a good 90%+ of Windows bugs get in: 1.- "ZOMG U got teh viruz! Run "Iz not viruz iz cleanerz!.exe" to kill teh bug ZOMG!" 2.-"want teh hot lezboz? U 2 can have teh hot lezboz! Just run "Iz not bug iz codecz.exe" and U can be watching teh hot lezboz right now!" 3.-"Want teh latest (insert Hollywood movie or song) for free? U 2 can have teh (insert Hollywood movie or song) for free! Just run "Iz not bug iz new limewirez" and U can have (insert Hollywood movie or song) right now!"

Notice how NONE of the above counted on the browser? hell noticed how none of the above even counted on the OS they were running? Good old social engineering friend, you scare them, offer them sex or something free, and their PC is yours. Hell one of my teachers used to love to tell this story about how he was taking a class on a tour of some security firm and just got tired of listening to the BOFH bullshit by the guy leading the tour. Finally he said "If you think your security is THAT hot, tell you what: you let me loose in this place for TEN MINUTES and I'll be in your system, no problem. If I fail I'll give you a $100 and buy you a steak dinner" and the guy took the bet. 8 minutes later the teacher walked up and handed him over a dozen usernames and passwords, including a couple that had full access to everything. When the guy asked "How could you do that? We make them change their passwords and use complex and blah blah blah" he just started flipping over keyboards and all over the place were sticky notes with usernames and passwords.

In the end the user is always the weakest link and is a hell of a lot easier to crack than any software or OS, so its no wonder why social engineering has gone through the roof. Hell I had an admin friend that ended up being drug before the regional head as the PHB immediately above him wanted him fired because, and I quote: "You have NO RIGHT to tell me whom I can speak to! You will let my emails from Melissa through right this minute or YOU'RE FIRED!". That's right folks, this genius was fighting for the right to infect the system and THAT is the kind of stupid you are up against. MSFT could make the most secure OS in the world but as long as the user has ANY control? Its fucked.

Re:NoScript

[Mindflux0]

Everyone has their own opinion - but the people with worthless opinions are those who are compromised, their identities stolen, their credit cards and/or debit cards compromised, and their bank accounts cleaned out.

My computer is compromised. Probably severely compromised. I take bare minimum precautions (as in no IE and knowing what sites are fishy). I've gotten 2 viruses that I've noticed. One removed safemade and did other fun things. Got rid of it in about 30m. The other I'm not sure what it's doing, I think it's a key-logger. I'm pretty sure I have some sort of bot that likes using my internet when I'm idle too. Probably a host of other bs that's not noticeable as well.

I also pretty sure my opinion is worthwhile. You see, I just don't do anything involving money on this machine. Setting up a machine to be secure enough to trust banking and credit cards is time consuming, annoying, and all around makes using the internet a trying experience.

So I just have a cheap old desktop to buy things and do banking on (or, actually not do banking on since I don't need to, but if I did...). It does nothing on the internet but update software and buy things from trusted sites.

The only significant risk I'm taking is email. Someone might compromise my account. I accept that risk for the ability to use the internet without having to deal with all the trouble of securing my machine.

Re:NoScript

[bryan1945]

Cute, half of the "Zero" scores comes from things like-
"Does the browser process utilize Windows Protected Mode?"
Well, no, I'm running a Mac!

If you trying to pull a fast one, and least be clever about it.

Re:NoScript

[elashish14]

Not only that, but blocking js also makes your computer run much faster. Not sure how that fits in with the analogy but Use Your Imagination

Re:NoScript

[orange47]

yeah, right. so does Lynx.

Re:NoScript

[spongman]

FlashBlock (for Firefox and Chrome) is a pretty good alternative. it doesn't block xss or clickjacking, but it does prevent malicious plugin exploits while leaving most of the rest of the web fully functional.

Re:NoScript

[Chrisq]

NoScript blocks more malware than either.

And not browsing the web blocks more malware still

Re:NoScript

[dredwerker]

I've got to hand it to you two, that's almost textbook material for petty internet bickering. :)

No it's not. oblig xkcd http://xkcd.com/386/

Re:NoScript

[gmack]

NoScript blocks more malware than either.

And abstinence provides better protection than condoms.

Yet, abstinence probably leads to much more serious things than possibility of some minor STD, including depression, anti-social behavior and stress. It's good to let go every once in a while.

Of course, there is a good middle ground too. Serious STD's like HIV/AIDS generally do not spread orally. If you're on the receiving end of a blowjob, you have almost 0% change of catching HIV. Even with prostitutes. I learned this thing and have had sex with many ladyboys and never had any STD. Of course, while having intercourse it's a good idea to use condom, but as a receiving end of a blowjob, you cannot get AIDS.

This is dangerously wrong. The CDC reports that the risk is lower but still a risk with known infections.

Re:NoScript

[gtall]

Yes, users are the weakest link. But how many passwords can anyone remember? And if they keep changing, you then have to remember which one is the current one...among the list of systems for which the password keeps changing. And the passwords have to be complex. So we take 5 computer systems and change their passwords every month. At the end of 6 months we need to have generated...wait for it...30 complex passwords. No wonder users say "screw off" to security.

So users don't give a rat's ass about passwords because in their eyes sys. admins. are asking for the impossible. How about those popups? How many popups does a user need to get before he/she gives up and says screw it? How many are coded in cryptic computerese that users have no way of understanding? So they look at sys. admins. with pity when then they tell them not to click on the Ok button, the pity is they think the sys. admins. are on a fools errand and couldn't they just shut the f--k up and leave them alone?

Here we IAVAs. Every damn week we get another security update for Flash. If it isn't that, it's a security update for our browser, more if we use more than one. Then there is the MS Malware updates for Office (I'm on Mac, thanks MS for installing a new security hole on my machine). And there is the Mac OS security updates. At this point I'm willing to shoot the sys. admin. Not because he's doing anything wrong, just because he's the one constantly sending me those damn security update emails.

This, pal, is why users tell sys. admins. to go blow it out their ass. Yes it isn't entirely rational, but the current security mess is not rational either. Users are merely irrationally reacting to the irrationality they are being presented with. And worse, at this point users don't mind the sys. admin. having to deworm their systems, they merely see it as payback for all the crap they see the sys. admins. as being part of.

Re:NoScript

[gtall]

"with nothing "active" like movies or scripts " Yep, that's the best part of noScript. I very much dislike things jumping around on the pages. NoScript keeps them in check.

Re:NoScript

[tbannist]

Yes, I find it vastly amusing that I've been marked down because I'm using Firefox on Linux:

Security Problem: You're not using Windows.

Oh really? I wonder if I also have a money problem, in that I have too much that I haven't been spent on Microsoft products.

Re:NoScript

[arisvega]

Microsoft Says IE9 Blocks More Malware Than Chrome

Microsoft says many things

Re:NoScript

[atisss]

I've tried the explain page which contains flash.. hell I won't enable flash in order to view that, I prefer some security :)

Re:NoScript

[gurps_npc]

It's only a pain in the ass when going to new web sites.

I have been using it for a long time now, and it is no longer a pain to use, at all.

Re:NoScript

[Runaway1956]

Well, see - you do things quite differently than I do - but you're smart enough to realize that you can't commit important stuff to an unsecured device. And, I've seen that idea before. Several people have suggested having a LiveCD from which to boot, when doing online finances. You don't say what you are booting to, but the concept is close. ;^)

Re:NoScript

[esocid]

It's such a pain in the ass to use. All I do is click the pyramid and authorize locations....
MS shill is back.

Re:NoScript

[AngryDeuce]

Yes, and is pain in the ass to use

Either you're doing something really wrong, or are one of those people that doesn't have the infinitesimal amount of patience required to whitelist the 2 or 3 scripts on a page that are actually necessary.

It's not difficult to identify which scripts are likely important to site functionality and which ones aren't. Even trial and error takes all of a second, and it will remember so you don't have to do it next time.

Re:NoScript

[AngryDeuce]

It boggles the mind how so many people have this impossible time using noscript. I'm NOT a computer person at all and I picked it up in about 3 seconds. I mean, really, how hard is it to allow "google.com" when you're on google.com? How hard is it to understand that the script "akkdfjdskfgdfgkdjf123kjdf.net" probably does nothing good for YOU? How hard is it understand that Google Analytics should always be blocked? Or Akai.net?

After a couple days, you should have everything relevant whitelisted and you don't even need to touch it most of the time. I don't understand why people over-complicate this. Have you seen how much faster some of these websites load and react when they don't have their 27 background scripts running as well? It makes a difference, believe me.

Re:NoScript

[AngryDeuce]

Every .exe file I have ever downloaded on Chrome comes up with a warning that it could be malicious and am I sure I want to download it.

Re:NoScript

[amicusNYCL]

Java is the "most vulnerable" application, IE is actually in 4th after Acrobat and Flash.

http://net-security.org/malware_news.php?id=1863

Re:NoScript

[jjbenz]

I taught my wife how to use it in about 2 minutes, much better than taking hours to clean the malware from her laptop which had happened twice prior to using noscript.

Re:NoScript

[Robert+Zenz]

So, you consider JavaScript an STD? Oh boy, I sure hope you never learn what ActiveX is...well, hopefully was.

Re:NoScript

[crutchy]

information is your best weapon. be informed yourself and allow your users to also be informed. in my experience users don't mind listening to security concerns and are content to adhere to security protocols if they know their importance. your example about flipping keyboards is fine for showing off, but in reality what is the risk imposed by it? physical security is more easily achieved than electronic security (such as video surveillance, patrols, locked doors, etc). you can't simply "hack" the lock of a real door, and there aren't that many with james bond's subtle lockpicking skills in the world (most just use crowbars which leave rather obvious signs of forced entry).

the biggest problem with IT security is the attitude of IT security admins, who think they are superior beings and the users that operate the accounts administered by them are all subhuman retards.

hackers can take advantage of that because they know users will do the opposite of what the admin tells them to do (not because its more secure, but because the admin is a jerk)... that's social engineering for you

Seen the same data elsewhere, re: Exploits

[Tridus]

I've seen the same data from Mcafee, and it was really something. For every computer exploited using a Windows flaw, 100 are exploited using Flash. Acrobat Reader and Java are the other major culprits.

In a lot of ways, browser security itself has never been better. There's several highly capable ones out there in this area. The weak link is some truly terrible plugins.

Re:Seen the same data elsewhere, re: Exploits

[recoiledsnake]

I think Windows Defender or whatever they have by default on all machines should detect and warn about out of date Java, Flash and Reader at the minimum. Also, they should be made to auto update Chrome style by default unless turned off.

Re:Seen the same data elsewhere, re: Exploits

[clarkn0va]

Translation: We exported all of those problems and their related functionality to some third-party modules.

Re:Seen the same data elsewhere, re: Exploits

[Anthony+Mouse]

Except that isn't what happened at all. There is plenty of stuff in a browser -- javascript to name one -- that would be blatantly insecure if the browser makers wrote code of the same quality as Adobe.

The problem is actually a lack of competition: You can visit the same web page in Firefox as in Chrome, so the browser makers get their shit together or they lose users. But if you want to play a flash movie, you have to use Adobe's flash plugin. There is no viable alternative from the user's perspective, so Adobe has no real incentive to spend money fixing their security.

What would need to happen is for web developers to start using HTML5 instead of Flash. Which is starting to happen. But since Adobe is more concerned about selling authoring tools than getting people to install Flash Player, they might just start selling authoring tools that produce HTML5 output and let Flash die the death it deserves rather than trying to fix it.

Re:Seen the same data elsewhere, re: Exploits

[tepples]

What would need to happen is for web developers to start using HTML5 instead of Flash. Which is starting to happen.

But you're still not going to get existing animated films such as Weebl and Bob or Homestar Runner or 99% of the stuff on Newgrounds converted from Flash vector animation to HTML5 right away.

Re:Seen the same data elsewhere, re: Exploits

[Cryacin]

As an RIA and web developer, let me tell you what would need to happen for me to start developing in HTML5.

1. Every browser would need to implement the W3C standards as laid out. It's madness to go back to the days where you had to write the same code block in several different flavours, not only to support different browsers, but different VERSIONS of browsers. Wake up kiddies, a lot of corporates are still on IE6.
2. When we have the full IDE toolset for HTML5 that we have for flash, and the frameworks to support fast development. If you do not produce value to the business through leveraging tools, you are working for sweatshop wages at the same cost to the business. Who uses a hammer to commerically build a wooden fence when you have nail guns?
3. When HTML5 *really* has the same feature set and grunt that AS3/MXML has. And I don't mean fantasy proof of concept, but only under these conditions, if you install the latest browser version, stand on one hand and wiggle your ears feature sets. Furthermore, the grunt has to be there. All HTML5 exmples I've seen have taken longer to develop than their AS3 counterparts, and run like a dog in comparison.

Please, if I'm wrong, and all this stuff is here, give me the links, and I'm gone baby. I'm now a HTML5 developer, or whatever language you want to throw in its stead. The fact of the matter is that Flash/Flex is the fastest enterprise RIA development tool that can consume any endpoint you can possibly imagine to throw at it, whilst providing a snappy front end that's lightning fast to develop.

I agree, Adobe would benefit by plugging security holes, but if you're actually serious about getting us devs to switch over, address these issues, and we're gone.

Re:Seen the same data elsewhere, re: Exploits

[Anthony+Mouse]

You don't have to convert everything. You just have to give Adobe a swift kick in the tail so they do something to fix the problem -- like open source Flash Player or publish RFCs sufficient for someone else to make one.

Re:Seen the same data elsewhere, re: Exploits

[kiddygrinder]

homestar runner is gone, tbh i think most flash animations are encoded as movies so they can go on youtube nowadays as well, it's just too easy not to do. it really is getting close to the end of flash, give it a couple of years.

Re:Seen the same data elsewhere, re: Exploits

[sgt+scrub]

"When we have the full IDE toolset for HTML5"

vi index.html

Re:Seen the same data elsewhere, re: Exploits

[sgt+scrub]

"When we have the full IDE toolset for HTML5"

vi index.html

emacs index.html

Re:Seen the same data elsewhere, re: Exploits

[sgt+scrub]

vi!

Re:Seen the same data elsewhere, re: Exploits

[sgt+scrub]

emacs!

Re:Seen the same data elsewhere, re: Exploits

[sgt+scrub]

I'm so conflicted.

If only it werent for the inaccuracies...

[LordLimecat]

It might have been informative. Seriously, when you accuse Chrome of not meeting the requirement,
"Does the browser help protect you from websites that are known to distribute socially engineered malware?"
when google's anti-malware service is the basis for at least two browsers, and predates IE's effort by at least a year (probably more like 2), it sort of hampers your credibility.

Re:If only it werent for the inaccuracies...

[LordLimecat]

It apparently gets better. They ding chrome for these as well:
Does the browser automatically block insecure content from secure (HTTPs) pages?
(Even though Chrome does in fact warn you of this. Props to MS, though, they HAVE warned about this since IE6-- though Im pretty sure IE9 does NOT block it automatically).

And this...
Does the browser have the ability to restrict an extension or a plugin on a per site basis?
Even though I am unaware of IE havign that capability, while chrome has had it for a very long while now-- you can do JS, plugins, images, whatever you want, on a per-site basis.

And this
Does the browser benefit from Windows Operating System features that protect against structured exception handling overwrite attacks?
Ok, now youre not even TRYING to hide your bias. How about this:
Is your browser now, or has it ever been, among the first two browsers owned at the yearly Pwn2Own?
I think that should be -10 points, and would put Firefox, Chrome, and Opera squarely on top. Can we get a nice "X" graphic next to IE9 for that one?

Re:If only it werent for the inaccuracies...

[PickyH3D]

Although I realize it's not very cool to mention, reports would suggest otherwise: block rate.

Of course, the report uses Chrome 12, so it's about a week old.

Re:If only it werent for the inaccuracies...

[Barsteward]

I went there with Opera 11.51 and it couldn't give me a score - is that good? :o)

Re:If only it werent for the inaccuracies...

[tepples]

Does the browser automatically block insecure content from secure (HTTPs) pages?
(Even though Chrome does in fact warn you of this. Props to MS, though, they HAVE warned about this since IE6-- though Im pretty sure IE9 does NOT block it automatically).

Even if Chrome warns the user, I guess what they're saying is after the page has loaded, it's too late. Any passive eavesdropper can see which included resources you've downloaded over an unencrypted connection.

Re:If only it werent for the inaccuracies...

[LordLimecat]

Even if we were simply to pretend that those stats mean that IE9's blocking is 9x as effective as Chrome's (which is one heck of an allowance), that has nothing to do with Microsoft's claim. Chrome DOES provide a mechanism for filtering malware URLs, in direct contradiction to their claim.

Im not saying IE9 sucks or that chrome is superior or any of that, Im simply marveling at their gall in making completely false statements with no compunctions.

Re:If only it werent for the inaccuracies...

[swillden]

Does the browser automatically block insecure content from secure (HTTPs) pages? (Even though Chrome does in fact warn you of this. Props to MS, though, they HAVE warned about this since IE6-- though Im pretty sure IE9 does NOT block it automatically).

Even if Chrome warns the user, I guess what they're saying is after the page has loaded, it's too late. Any passive eavesdropper can see which included resources you've downloaded over an unencrypted connection.

Chrome doesn't download the unencrypted resources unless you tell it to. The warning pops up and asks you if you want to download the insecure pieces or not.

Re:If only it werent for the inaccuracies...

[elashish14]

This is the same NSS that's funded by Microsoft. Also the same company that once tried to publish a study where they compared a development version of IE against a version of Chrome that was twice outdated.

http://www.google.com/search?q=nss+microsoft

Hard to trust a company with that kind of history....

Re:If only it werent for the inaccuracies...

[tbannist]

The first thing I thought upon seeing the results was "So they chose 100 malicious URLs from the IE9 black list and it managed to block 93% of them". Good to see Microsoft is working on their Kwality Engneerng. The results are so lopsided that you just know there's shenanigans going on.

This just in...

[GoNINzo]

Actually, their site doesn't even work with Chrome 15.x on Linux. So I think my browser is securing me pretty darn well.

This just in, all our competition sucks, news at 11.

Re:This just in...

[c++0xFF]

This just in, all our competition sucks, news at 11.

On the other hand, what surprised me was the download links for Chrome, and Firefox on the browser comparison page.

The only thing that would have surprised me more would have been links to the Chrome and Firefox security features.

Metro UI?

[black3d]

Goddamn that site hurts my eyes. Looks very similar to the Metro UI.

Re:Metro UI?

[Sperbels]

Actually...it does kind of hurt. Weird.

Re:Metro UI?

[Toonol]

It doesn't scroll right, either. If your window doesn't hold it all vertically, no scroll bars appear. At least in Firefox. You have to increase your browser size to see it all.

i i got was...

[johnsnails]

We do not have any data for your browser, so we can’t give your browser a score. SEE HOW OTHER BROWSERS SCORED >

A billion versus a few million?

[angel'o'sphere]

If a billion IE users browse the web and 100 million Chrome users do the same, sure ... it is not unlikely that IE blocks more malware.

Admitted, that was a lame joke ...

However, if MS had not slept and ignored security the last 25 years, we had not that much malware, or had we?

Of course they do

[king_grumpy]

I'd be more inclined to read a story entitled "CompanyX says their new product is crappier than the competition and far worse than the previous release".

What Does That Even Mean?

[EXTomar]

What these guys are touting is IE9's "SmartScreen" protection which claims to "block 99% of phishing" so I am pondering what that even means. I wonder how many of those "phishing" exploits actually work if a user activates them on Firefox, Chrome, etc. It also doesn't appear to take into account platforms where activating the page on something like a non-Windows platform Android device with Chrome breaks because it can't handle or support what the attack wants.

I am for a more intelligent IE9 so I'm happy for SmartScreen but I also wouldn't oversell it. There is value in blocking a questionable web page. There is value in simply not allowing what the questionable web page wants to activate as well.

Re:What Does That Even Mean?

[tepples]

What these guys are touting is IE9's "SmartScreen" protection which claims to "block 99% of phishing" so I am pondering what that even means.

It uses heuristics to determine whether a site is hosting a phishing attempt. However, like all heuristics, it does have some false positives, and Microsoft's page about SmartScreen for web site owners makes a few recommendations that the smallest web sites might not be able to handle properly:

If you ask users for personal information, use Secure Sockets Layer (SSL) certification with a current server certificate issued by a trusted certification authority.

True, StartSSL offers free certificates, but a certificate isn't the most expensive part of deploying TLS (formerly SSL). One needs a dedicated IP for each TLS site. Ordinarily, budget web hosts load upwards of a thousand domains onto a single IP address using name-based virtual hosting. There is an extension called SNI to allow TLS to work with name-based virtual hosting, but IE for Windows XP and Android Browser for Android 2.x don't have SNI. This, combined with the scarcity of IPv4 addresses, makes it significantly more expensive to deploy HTTPS on sites that aren't yet popular enough to need a dedicated server.

Re:What Does That Even Mean?

[WuphonsReach]

One needs a dedicated IP for each TLS site.

If all of the different websites are for the same corporation, you can buy a unified type certificate (UC or "multi-domain) with multiple company domain names listed. It's not ideal, but it does at least let you put all of your corporate domains on the same IP address and have it protected via SSL.

Tends to work better then a wildcard certificate, and a lot less expensive.

Well, maybe DNSSEC certificates will get rid of the SSL vendors.

Re:What Does That Even Mean?

[mmmbeer]

SmartScreen is awesome because it blocks things like jquery being loaded from CDN sites such as google because it sees multiple pages reference that so therefore it must be out to get you, right? /sarcasm

Nothing like having a web app that slowly stops working across the enterprise as browsers start blocking the javascript includes. That's what you get for hosting your app in the cloud!

severely damaging to test credibility

[v1]

when you don't allow users to run your test on some of your competition's offerings, such as Safari.

All they're trying to do is say "We're the best (in this carefully chosen group)" Of course they're going to win that argument. Even a catbox smells nice if you're only allowed to compare it with a hog shed.

Now I'm not out to smear the other offerings they did include, but even leaving out one significant competitor from your test is more than enough to raise reasonable doubt as to how your product really stacks up against all your competition.

Re:severely damaging to test credibility

[Dhalka226]

Is Safari a significant competitor?

I'm not trolling; I'm writing this comment on a Macbook Pro, so I'm not some rabid anti-Apple-ite nor am I a huge Microsoft supporter. But the first thing I did when I got this computer was to install Firefox, and later moved on to installing Chrome. Safari was opened once or twice, mostly to facilitate downloading the other browser.

In fact, while I admit that it is anecdotal and a small sample size, nobody I know of who uses a Mac uses Safari as their browser. That ranges from the highly computer literate (web developers and other programmers who are great with computers) to the semi-computer-literate (enthusiasts who enjoy them but often need help) to old-school salesmen at my dad's business (they can type, anything else they call somebody over for). If even Mac users don't seem to be using Safari, I doubt significant numbers of Windows users are.

Now admittedly, Safari probably gets a boost from use on iPhones, iPads, etc -- but those are different enough mediums that not including them in "who blocks more malware" tests is probably appropriate.

Don't get me wrong: I would have tested Safari, and I would have tested Opera for that matter, but I honestly don't see their exclusion as a huge deal. There are other things I would bring up as issues with the test before that.

Re:severely damaging to test credibility

[ShadowCat8]

"severely damaging to test credibility... when you don't allow users to run your test on some of your competition's offerings, such as Safari.
All they're trying to do is say "We're the best (in this carefully chosen group)" Of course they're going to win that argument..."

And, it's the *same* argument that Microsoft's marketing makes over and over again.
Does anyone remember these?

"Windows XP is the most secure operating system Microsoft has ever shipped." (Author's Note: Other than MS-DOS, perhaps... Remember: No networking, no network attacks! hehe)
"Vista is the most secure OS ever."
"One World, One Web, One Program." (Author's Note: An advert for Internet Explorer from 1998 (? 2001?))

When it comes down to it, if you are actually capable of believing *any* of the trash that Microsoft's marketing puts out, well then I have a bridge for sale for you. Needs a bit of clean-up from the bird-droppings, but I can give you a great deal on it! Let me know!

Rephrased: "Should I buy Windows 7?"

[tepples]

Please allow me to rephrase it in a slightly less retarded manner: "I run Windows XP, whose latest available version of IE (that is, IE 8) has problems X, Y, and Z. I am considering IE 9, but if I were to try it for myself, I would first have to buy a copy of Windows 7. Is IE 9 worth the price of Windows 7?"

Re:Rephrased: "Should I buy Windows 7?"

[Billly+Gates]

I remember you discussing this before when you asked a similar question before here on slashdot. ... in regards to the assh*le who insulted you, I would not reply as he was a troll. I hope moderators reading this mod the AC down. :-) His Mommy forget his meds today to bring to the school nurse. Doh

Anyway if you develop internet sites for a living then yes upgrade. Or buy a new PC with Windows 7.

Did you know you can get a complete system for $399 that doesn't suck?

An AMD a8 llamo (integrated ATI 6800x HD inside the CPU),8 gigs of ram, 500 gig HD, is like $275 at Tiger Direct or your local PC shop! The costs will go up to $375 after Windows 7. $15 for 4 gigs of ram, $65 for a 500 gig drive, and $129 for a nice Llamo APU is a steal. The video performance is really much better due to the GPU sharing the ram controller with the CPU on the same chip. You can even play games in low to medium settings. You get Windows 7 and IE 9 and can see the video acceleration in action. When you are done your old box becomes a nice Unix server you can ssh to play with for web development. USB 3 support sounds nice too for a just a little more if you do video work and you get that benefit too from upgrading. It is cheap to do.

IE 8 use will decline and the newer IE's are totally different and you will need to support them.

IE 9 has 15% of the US market already and IE 10 will be out in a few months. Windows 8 that will also include it next summer. Worse, Microsoft is also switching to a more rapid release schedule. Nothing insane like Mozilla, but annual updates every March. By 2013 IE 11 will be out and by 2014, IE 12 will be out, etc.

Guess which OS wont be supported? I will let you take a guess.

Corporations who are not upgrading almost all universally plan to do so next year. IE 9 & IE 10 are about to become much more popular in the short term future.

If all you do is browse the web and not develop sites nor do I.T. support I would not bother to upgrading an older PC just for IE. Seriously. On my very old laptop I will say Windows 7 is certainly usable but not worth the cost if you just type papers. Windows XP is not necessarily lighter on quadcore CPUs with 2 or more gigs of ram. I assume that is why you still use it? Windows 7 has nice benefits and the search when you hit the Windows key and type the document or program you want are really nice. I could not live without it today. If you have a quadcore, 2 gigs of ram, and are hurting on cash I would download the Windows 7 enterprise evaluation and see if it works well and upgrade that way. Anything more than 3 years old I would buy or build a new pc instead.

I recommend build so you wont have crapware installed and can pick the components and quality etc.

Re:Rephrased: "Should I buy Windows 7?"

[tepples]

I recommend build so you wont have crapware installed

How many people know how to build a laptop out of a barebook kit?

Re:Rephrased: "Should I buy Windows 7?"

[Billly+Gates]

Get an Asus. They have a netbook that can be a tablet also that Hairyfeet was mentioning for $499 with the AMD processor with a detachable keyboard. If you are on slashdot I assume you can do it yourself with a kit.

Download Windows 7 from the Pirate Bay to find out at least temporary. Windows 7 is a nice OS if you are not hurting on money. My hexcore system is slower under XP and most modern software with graphics is.

Not even accurate with the 4 it does claim to test

[iridium213]

"Does your browser provide a distinct warning when you download an application that is of higher risk but not yet confirmed as malware?" - X

Chrome does in fact ask me when I try to download potentially unsafe file formats (in my case, DMG files =) ), prompting me whether to keep or discard. Smoke and mirrors, and the same old FUD..

Re:If only IE worked in Linux.

[monkyyy]

XD WIN!!!!!

Unsafe files vs. unsafe file types

[tepples]

Chrome does in fact ask me when I try to download potentially unsafe file formats (in my case, DMG files =) ), prompting me whether to keep or discard.

Chrome decides based on the file format. IE's filter is more fine-grained, deciding based on the reputation of a particular downloaded executable file (identified by its hash value?) or, in the case of a digitally signed executable, the reputation of its publisher. Microsoft's advice for building an application's reputation (source 1; source 2) involves buying into the Authenticode CA racket, which can prove expensive for an individual student or hobbyist developer.

Re:Big deal!

[jonbryce]

IE9 is much better than previous browsers. It gets 100% in the acid 3 test, but it still ignores <q>tags</q>.

Because...

[Zuriel]

...malware is written to standards, so IE won't run it properly.

Re:Easiest way to score 4/4...

[Psicopatico]

Correct.

Masked Opera's user agent as IE under Windows (and I'm under linux!) and.... tah-dah:

Your browser's
security score is:
4 out of 4

LOL

IE 9 in Windows 7 in VirtualBox in Ubuntu

[tepples]

First you set up VirtualBox, despite that it's tainted crap according to a Linux developer. Then you buy a copy of Windows 7 and install it into VirtualBox. Voila: IE 9 for Ubuntu.

Can't trust this site

[Artifex]

Says my Firefox 7 only rates a 2, and says I should try ie9, and helpfully gives me a link.
But the link is to the Windows version. I'm on a Mac!
Clearly it doesn't actually have the resolution to know, much less tell me, how Firefox 7 for OS X ranks.

Re:Can't trust this site

[angst_ridden_hipster]

Yeah, it tells me my Mac-based Firefox doesn't "benefit from Windows Operating System features that protect against structured exception handling overwrite attacks?"

Oddly, it thinks that I do derive benefit from "Windows Operating System features that protect against arbitrary data execution" and
"Windows Operating System features that randomize the memory layout to make it harder for attackers to find their target."

Whatever, dude.

Re:Can't trust this site

[Artifex]

I didn't even read that far. I applaud your commitment to research :)

Site is fake, not tests are run

[Derling+Whirvish]

The site is fake and does nothing other than tell you to use IE9. It determines your user agent and responds based on the result. It does not run any security tests against your browser. When I go the the site with IE9 I get a score of 4 of 4. When I go to it with Firefox 8 I get a 2 of 4 score. When I switch my user agent in Firefox 8 with the user agent switcher add-on to report I am using IE9 and go to the site using Firefox 8, I get a score of 4 of 4.

So they're using social engineering...

[sten+ben]

So they're using social engineering to do a cross corporate hijacking of your browser choice. Nice one

Pretty dang funny...

[sigmabody]

There's some humor on the page for browser features, if you're using a browser without Flash installed/enabled. The #1 "bad" item is Dangerous Downloads, just to the left of the prompt to download/install Flash. I lol-ed.

Malicious Website Content!

[znerk]

Get Adobe Flash player
This page requires Flash Player version 10.2.0 or higher.

My browser only scored a 2 out of 4, yet was able to keep me from seeing most of the malicious content on the linked page.

NoScript and AdBlockPlus, thank you.

My browser: 1
Microsoft FUD: 0

Moving along, now... so much more internet to see, so little time.

Re:Malicious Website Content!

[orange47]

..so little time.. to allow all the sites you wanna see in noscript.

Re:Malicious Website Content!

[znerk]

Honestly? I just read through the horrible formatting, blame the site authors for not bothering to code their site properly, and take my eyeballs elsewhere. The sites I frequent tend to not be completely buggered up with piss-poor code... and I let the ones with actual knowledge advertise at me.

In other words, if their site works without NoScript and AdBlockPlus, I usually whitelist them out of respect. The sites that have a clue how to display content without using JavaScript get to advertise to me, and the ones that look like shit without their JavaScript functioning don't deserve the hits or the click-throughs.

Yes, but...

[Livius]

Microsoft says a lot of things.

It doesn't rate Opera either, but

[Eadwacer]

When I went there with my Opera browser, it said it couldn't rate it. So I used Opera's site preferences to lie to the site and tell it I was using IE (version unspecified). I then got a rating of 4/4. So even a fake IE is better than none.

This "feature" should be weighted more heavily...

[fostware]

"Does the browser extend the sandbox such that it cannot read data from parts of the system that it doesn’t have access to?"

Umm IE9 fails miserably in this regard.

Oh, and where's the "Does the browser help protect you from websites that are *NOT* known to distribute socially engineered malware?"

At least let me run a test to prove how secure my browser really is, instead of just checking the browser agent.

Re:Big deal!

[Rhodri+Mawr]

The Acid 3 test was revised and now all of the major browsers get 100%. It is no longer relevant.

riiiight

[Gravis+Zero]

Microsoft today debuted a new web site designed to raise awareness of security issues in web browsers.

i'm sure that was exactly it and had nothing to do with trying to push IE9 even if it meant fudging the numbers.

To be fair

[creativeHavoc]

They are offering ".5" scores... if you count the total pass/fails in the detailed description of the scores, IE should only have 3.5/4

Typical Microsoft Site

[dtjohnson]

All show and no go. It doesn't actually test your browser or system, it just attempts to identify the browser and then matches it up with a "score." My firefox 6 got a score of 2 out of 4 based on a list of features that it allegedly had or did not have and, among other things, gave me a check box under 'yes' for "Does the browser benefit from Windows Operating System features that protect against arbitrary data execution?" even though I was running a non-Windows OS. Then I hit it with Netscape 2, Netscape 4, HotJava 3, and Opera 3 and it was unable to identify any of those and just said it couldn't give a score. The best part, though, was where it said 'The flash plugin was needed to display the page' advising me on security.

Cut'em some slack

[FyberOptic]

Why does everyone fall back on attacking Microsoft for press releases like this? Statistically, IE HAS been safer than other browsers in certain respects nowadays. It's silly to dismiss their complete turnaround in taking security seriously just because it's fun to hate on the company.

Of course there's going to be some marketing thrown into it as well. But what company doesn't? Why isn't everyone attacking Apple when they claim Safari is the fastest and safest browser? Or Mozilla, which has made the same claims for years too? It's not true for either of those, and they certainly can't both be right at the same time. Everyone lets that slide, because it's not cool to hate on them, despite their own terrible histories with security/vulnerability problems.

I haven't used IE for years (stopped for security reasons, in fact), but that doesn't change the fact that I can still offer them kudos for helping keep the web a safer place, especially when they still provide the dominant browser. The less infected machines on the internet is beneficial to ALL of us.

Re:Cut'em some slack

[Billly+Gates]

MS fucked up big time and fully admitted to crippling IE 6 in order to create lock in and make proprietary win32 client apps more attractive. They are the reason those terrible intranet apps can be ported. What is odd is the web is supposed to be a full open platform that works on all devices. Instead, people dual booted to browse the web when IE had 90% marketshare. More anger is directed from web developers too. The web is 5 years behind where it should be thanks to IE.

FYI IE 9 is a great browser actually. IE 10 scores 301 in www.html5test.com and beats opera and safari! IE 10 will be very competitive even if most slashdotters want to burn it.

It will take some years but many people are skeptical or still use IE 7 at work and already made an opinion due to that. etc

Kudos though to Microsoft indeed. We have Apple to thank for the Iphone/IPAD for bring HTML 5 and good standards to the forefront. Now MS wants IE to be just as good as Metro could not happen with an IE 7 engine :-)

Re:Cut'em some slack

[joppeknol]

Why does everyone fall back on attacking Microsoft for press releases like this?

If I go to apple.com, I expect Apple to tell me safari is the greatest. If I go to microsoft.com, I expect microsoft to tell me IE explorer is the greatest. If I go to 'www.yourbrowsermatters.org/', I expect an objective site telling me whether my browser is or is not ok. Pretending to be objective when you're not is misleading and ought to be attacked.

Re:Cut'em some slack

[ErikZ]

It's not that I want to burn it. It's that MS can't be trusted.

Imagine what would happen if they gained 90% market share again. Do you think they will have learned their lesson? Or that they'll do the same BS they always do when they have the upper hand?

Same reason I won't touch a smartphone with an MS OS.

How about an actual browser security check

[mrnetops]

Qualys provides a free BrowserCheck tool to look for insecure browser& plugin versions or configuration. While there is a windows plug-in available for deep scanning, basic scanning can be preformed with just javascript. Try it out at: https://browsercheck.qualys.com/

Re:Native HTML5

[Billly+Gates]

Go to www.html5test.com? Chrome currently has the highest features supported, but IE 9 scores ok with HTML 5 canvas, font, and sound support. IE 10 scores 301 and will be competitive to both Firefox and Chrome in a few months.

IE8 Scored a 3

[selex]

Well apparently older version just such too. Selex

Re:IE8 Scored a 3

[mwvdlee]

According to this "test", IE8 is more secure than current Chrome and Firefox.

I guess the only question that remains; is this fear, uncertainty, doubt or a combination thereof?

Application Reputation.

[Deathlizard]

Out of all the browsers I've tested so far virus wise. (ie9, Firefox, Chrome) IE9 is the most secure out of the box when it comes to drive by and rogueware trojans that are not exploiting secrity holes from third party plugins, and it's simply because IE9 uses a file's hash to determine if a downloaded file is commonly downloaded or not.

Since most rogueware sites pad their payload executable on demand to avoid AV signature detection, the downloaded file is never a common download and will fail the hash check.

Once you add security plugins in the mix, Chrome and Firefox get much more secure in that they tend to avoid the drop sites that eventually send you the malicious payload. IE9 using Tracking Protection Lists gives you some similar protection but it's not nearly as good as Adblock Plus or Noscipt at blocking malicious content. Even if you use similar Adblock Plus lists. Adblock plus alone will block 75-90% of drive by downloading simply by blocking ad's, which is the popular method used by scammers to redirect you to a dropper site. Noscript can boost that percentage close to 95-99%, but both of these plugins won't stop anything if a site was whitelisted and then got hacked. In these cases when the other protections fail is where IE9 Application reputation shines.

Now I've heard chrome is adding a similar hash reputation feature in a future chrome build. Hell it might be in it now since the last one I used was 13. When that happens I don't see why chrome couldn't block malicious drive by downloads just as if not more effective as IE9.

Re:Application Reputation.

[LordLimecat]

Discussion about their dishonesty aside (which is ALL I was criticising), I would argue that no, Chrome is more secure-- and not because IE9 doesnt have awesome features; Im sure it does. But Chrome takes the cake because, very simply, they put the security where it matters-- into focusing on plugins, which are the ACTUAL cause of 90+% of malware infections. Its wonderful that IE protects against bad downloads, and that it blocks XSS, and all the rest; what does it do to mitigate PDF and Flash exploits that are what ACTUALLY cause the infections?

Chrome disables known insecure plugins (with a note about them on pages requesting said plugin), and automatically updates the 2 most commonly exploited ones. That fact alone puts chrome above IE, regardless of what memory protections, download protections, internet zones, etc they apply.

Re:Application Reputation.

[Deathlizard]

Plugin wise, there's always been talk that Microsoft was going to add adobe patches to windows update, but it never seems to happen.

And you're right. Right now the browsers are not being targeted, the third party plugins are, and chrome has been focusing on keeping exploit of those plugins to a minimum, but when these rogue sites fail to expolit a plugin hole, they have to resort to exploiting the user, and it seems like the IE team is more focused on protecting the user from themselves rather than protect them from third party plugins. (that is unless you count using the activeX filtering as a plugin blocker a la noscript, which it isn't because its simply not as granular as noscript)

Adobe seems to be at least getting wise to updating their plugins (Acrobat can be set to auto update, and flash prompts you at startup although it's very clunky and has to be done twice) Oracle has no clue with Java. It pops up a tray icon that's easy to overlook and doesn't have an autoupdate option. This is where MS should seriously step in and update these programs if they are installed on the PC, especially since just about every hardware vendor includes at least one of these heavily exploited plugins.

Re:Application Reputation.

[LordLimecat]

None of which works at ALL when youre on a domain and your users dont have admin rights.

Whats that, deploy using MSIs? Yea, right. Thats what my clients want, to pay me every two weeks to undeploy the old version and deploy the new one that just came out-- not to mention all the nonsense you have to do (or, at least, once had to do) to actually get a hold of the Java JRE MSI file.

Yea, Ill take my Google Updater method any day-- updates as admin without ever bugging the users with credentials. Are there potential issues with automatic updating software? Dunno, since I went that route my headaches mysteriously decreased and the users mysteriously stopped getting viruses. Not much of an issue in my eyes.

Re:Application Reputation.

[Deathlizard]

oh. were talking about enterprise environments now, well lets get started then.

The reason Google chrome can update as a user is simple; it installs itself, All 200+MB of Chrome I might add, in your user profile. Now, in many enterprise environments this isn't a problem, simply because there's one computer, one user, but then there's the other enterprise environments.

First problem, Roaming Profiles. Every time someone logs in, the PC will have to download their profile, which includes all 200MB's of chrome, from the server. Since most roaming profiles are cached onto the PC it would only come down once per machine, but If it's a multiple user system the more users that use it, the more downloading it does. also keep in mind that the PC uploads that also back to the server. This of course adds traffic to the network, load on the server and time waiting to login and logout.

Don't use roaming profiles? you still got an issue. first off, in a multiple user environment, you still have profiles to deal with since profiles don't auto delete by default. Each user is taking up at least 200mb for google chrome alone. if you have other programs installed, there's settings and customizations as well, so you can easily expect a 250-300mb profile per user. At 250mb, every 4 users takes 1gb, every 40 - 10GB, and every 400 - 100gb. In a student lab situation, one lab alone can have upwards of 10 classes at up to 50 students each with no defined seating arrangements, so at worse case scenario (which I would hope is planned for if your rolling out an enterprise image BTW) thats 500 login's per machine for a grand total of 125-150gb of hard drive space dedicated solely for profiles (which may only have been used once on that PC BTW). If you enjoy your lab machines grinding to a halt because of a trashing fragmented hard drive or 4+ hour hard drive virus scans, then I guess this scenario is right up your alley.

But you can set profiles to delete at logout right? Yeah, except now your copying a 200-300mb profile every time someone logs in, which is great for watching a student freak out when their on the 2-3 minute of logging in. and the best part? Since Chrome is built into the user profile, once you Sysprep the machine the chrome version is locked to that version until you re-image that machine with a new image, so everytime a user logs in, they download the latest google chrome which could be anywhere from 10-50MB depending on how old the chrome on the machine is. Do that times 50-500 and watch your internet bandwidth disappear, On a periodic predictable curve associated with the class bell I might add.

But you could install chrome in the Program files directory right? yeah, except users can't write in that area by default and auto update will fail, so you'll have to deploy patches using MSI files, so that advantage of chrome updating itself goes right out the window unless you want users to write to the chrome directory, which would be a really stupid idea considering that all users will be using it.

So yeah, If I had a choice of screwing around with MSI's and use Either IE or Firefox vs screwing around with Chrome in an enterprise environment, I'd choose MSI's anyday hands down.

Re:Application Reputation.

[LordLimecat]

The reason Google chrome can update as a user is simple; it installs itself, All 200+MB of Chrome I might add, in your user profile.

If youre doing an enterprise install, you are using the Chrome MSI, which installs to programfiles. The reason it updates automatically is it installs a Google Updater service which is set to start with administrator privileges. Somehow it does it in a way that does not trigger the GPO to redeploy the older version of Chrome (possibly because Chrome keeps older versions laying around after an update?)

Prior to the MSI (which came out early this year) you could use the GooglePack installer to do a machine install, though it was more of a PITA to install.

In case you were not aware, Google also has Chrome GPO templates for managing it. It is significantly better than the situation with Firefox, actually.

Firefox Needs Sandboxing

[rsmith-mac]

Even though the site is the usual mix of MS inaccuracies, one thing it does do a good job pointing out is that Firefox is the odd man out right now when it comes to sandboxing. IE has it, Chrome has it, Safari on the Mac has it. Yet Firefox as the #2/#3 browser in the world lacks it. And while it's of limited use in protecting against attacks on plugins (which are the most common vector), it means it's easier to exploit the browser itself.

The FF devs should be working on getting Firefox appropriately sandboxed, even if it's Windows-only at the start. It would go a long way towards bringing it up to par with Chrome, which is Firefox's real competition.

Re:Microsoft Says...

[Kittenman]

Hear hear - the "Copyright Microsoft" at the bottom is a bit of a give-away. "BMW cars best" says BMW. etc etc ...

But Chrome runs on XP

[Algae_94]

Initial disclaimer - I have XP at work and have no choice in upgrading. That said, IE9 blocks no malware whatsoever on XP, as it is not supported. Chrome runs nicely on XP though. So in that situation it is really Chrome vs. IE8 that is of importance.

Well, I should certainly hope so...

[multimediavt]

Microsoft Says IE9 Blocks More Malware Than Chrome

Well, I should certainly hope so! By now you'd think Microsoft would know how to build a browser to *NOT* compromise their own operating system...YEESH!

Depends on the OS..

[spasm]

If you're silly enough to use windows, maybe it does matter what browser you use..

Re:Big deal!

[mwvdlee]

IE9 is much more standards compliant than IE8.
It's still a lot less standards compliant than Chrome, Safari, Firefox or Opera.

Firefox 3 on Linux

[DerPflanz]

Great! My Firefox on Linux is actually benefiting from the Windows OS:

Does the browser benefit from Windows Operating System features that protect against arbitrary data execution? yes

This is one big marketing website, with actual, provable lies.

The one point that resonates with me

[qxcv]

One of the tests:

Does the browser have the ability to restrict an extension or a plugin on a per site basis?

I recently switched from chromium to FF7, and this is the one feature I miss from chromium. Oh, and the ability to only run plugins when you right click them on the page and select "Run plugin". I shouldn't have to run Flashblock to do something so simple.

Real simple ....

[darkonc]

IE9 protects against 100% of the viruses that IE9 knows about (which were all that MS knew to test for).

The results would probably be quite different against a properly random sampling of malware.

Bloat by a factor of ten

[tepples]

tbh i think most flash animations are encoded as movies so they can go on youtube nowadays as well, it's just too easy not to do.

That and per my tests, an H.264 video is ten times the size of the SWF vector animation from which it was transcoded. That's not so nice for the slow, expensive data connections typical among mobile devices and rural (i.e. satellite) markets.

Re:Bloat by a factor of ten

[kiddygrinder]

yeah, that's why youtube is such a failure

Re:Bloat by a factor of ten

[tepples]

yeah, that's why youtube was around before newgrounds

Re:Bloat by a factor of ten

[kiddygrinder]

that comment doesn't really make any sense, are you saying that because newgrounds was first vector animation is better than non-vector? or are you saying that youtube is just more popular because it arrived on the scene later?
If it means the couple of places that still do vector animation exclusively have to encode to a bigger file in a more popular format in order to kill off flash that's fine with me.

Re:Bloat by a factor of ten

[tepples]

Then why do we even send web pages as a string of characters instead of as a .jpg of the page? That's the difference between vector animation and compressed-pixels video.

Re:Bloat by a factor of ten

[kiddygrinder]

not quite, if html was a shitty, bug ridden 3rd party addon to web browsers that didn't work 90% of the time on your phone, tablet or non windows pc (and even on windows breaks probably 2-5% of the time) then you might be closer.

Open Screen Project

[tepples]

You just have to give Adobe a swift kick in the tail so they do something to fix the problem -- like open source Flash Player or publish RFCs sufficient for someone else to make one.

The SWF spec was published years ago as part of the "Open Screen Project".

Re:Open Screen Project

[Anthony+Mouse]

If that was sufficient to make a fully-functional independent implementation then where is the implementation and why doesn't anybody use it?

A thousand different customers on one IP

[tepples]

If all of the different websites are for the same corporation

...then all the sites are probably hosted on one VPS, and your solution of using subjectAltName certificates will work. But in the case I've described, you still need one IP per hosting customer. My hobby site alone shares an IP address with over a thousand other unrelated domains. Perhaps in 2014, once Microsoft has ended extended support for Windows XP and virtually all Android 2.x customers have upgraded to 4.x (Ice Cream Sandwich), hosting providers can start offering SNI hosting.

Quantity != Quality

[BoneFlower]

Ok, sure, more exploits in Chrome. I suppose that could be the case.

But a very important thing is how big? 15 exploits that let you crash the browser, compared to 1 that lets you root the target... I'd rather take the first option on the user end.

This is what I get

[mla_anderson]

                                                Your Browser Matters (p1 of 12)
   Link: canonical
     * Follow us
     * Like us
     * Windows Live
     * Email
     * Twitter
     * Facebook
     * Share

                             Your browser matters.

     * score
     * home
     * malware
     * browser features
     * prevention

How well is your browser protecting you?

   We do not have any data for your browser, so we can't give your browser a
   score.

   See how other browsers scored >

scnr

[Robert+Zenz]

Nonononono...we all know that Linux is just a cheap rip-off of Windows (like every other Unix) and every single piece of FLOSS is using patented technology innovated by Microsoft.

On the other hand...what did you expect?

Gnash needs cash

[tepples]

If that was sufficient to make a fully-functional independent implementation then where is the implementation and why doesn't anybody use it?

A spec isn't enough. One also has to donate enough time and money to the developer of such an implementation.

Re:Gnash needs cash

[Anthony+Mouse]

Well, that or get someone else to do it and provide a little cooperation.

I find it pretty hard to believe that Mozilla or Google would be unwilling to write code to make Flash supported natively by the browser without a plugin, if Adobe would be willing to answer the occasional question about an ambiguity or incompleteness in the spec, etc.

Shitty vs. more shitty

[tepples]

not quite, if html was a shitty, bug ridden 3rd party addon

So what non-"shitty, bug ridden" delivery mechanism for efficiently delivering vector animation to PCs do you recommend? HTML5 video is bandwidth inefficient, and SVG is even more CPU-intensive than Flash. It's not that Flash is shitty as much as that the alternatives are more shitty.

that didn't work 90% of the time on your phone

HTML5 video doesn't work either for the rest of the month after the user has exceeded his cap.

or non windows pc

Flash works fine on my PC running Ubuntu 11.04.

Re:Shitty vs. more shitty

[kiddygrinder]

i doubt there's even close to enough flash vector animations on the internet that re-encoding would affect any sane cap, i know i look at 1 every week or so... and they've already been re-encoded as movies anyway (blamimations and zero punctuation if you care), that adds probably around 150 meg to my monthly usage. grats on having a working flash player btw, i know i have to reboot my linux media box into windows if i want to use any flash content reliably, and even on my vista box it still fails about 10% of the time. does seem to work ok on my android phone though, guess i'm lucky i didn't get an iphone.

Re:Shitty vs. more shitty

[tepples]

i doubt there's even close to enough flash vector animations on the internet that re-encoding would affect any sane cap, i know i look at 1 every week or so

Unless you end up doing an archive binge on Newgrounds or something.