Slashdot Mirror


Microsoft Says IE9 Blocks More Malware Than Chrome

CSHARP123 writes "In a move that's sure to raise some eyebrows, Microsoft today debuted a new web site designed to raise awareness of security issues in web browsers. When you visit the site, called Your Browser Matters, it allows you to see a score for the browser you're using. Only IE, Chrome, or Firefox are included — other browsers are excluded. Not surprisingly, Microsoft's latest release, Internet Explorer 9, gets a perfect 4 out of 4. Chrome or Firefox do not even come close to the score of 4. Even though the web site makes it easy for users to upgrade to the latest version of their choice of browser, Roger Capriotti hopes people will choose IE9, as it blocks more malware compared to Chrome or Firefox." Of note in the Windows Team post is that the latest Microsoft Security Intelligence Report discovered that 0-day exploits account for a mere tenth of a percent of all intrusions. Holes in outdated software and social engineering account for the majority of successful attacks.

32 of 226 comments

  1. NoScript by Hatta · · Score: 5, Insightful

    NoScript blocks more malware than either.

    --
    Give me Classic Slashdot or give me death!
    1. Re:NoScript by North+Korea · · Score: 3, Insightful

      Yes, and it is a pain in the ass to use and something that no normal person will ever do. Hell, even I don't want to use it while being a geek and fully understanding its potential... but it's just such a pain in the ass.

    2. Re:NoScript by Anonymous Coward · · Score: 2, Funny

      NoScript blocks more malware than either.

      And abstinence provides better protection than condoms.

    3. Re:NoScript by Hatta · · Score: 3, Insightful

      If my artist girlfriend can use it with no instruction from me, complaints about complexity ring hollow.

      Personally, I find that javascript on average detracts more from the browsing experience than it adds. Slashdot is a perfect example, it's simply not usable with javascript enabled. So even if there was no security benefit at all, it would still be less of a pain in the ass to use NoScript than it would be to browse without it.

      --
      Give me Classic Slashdot or give me death!
    4. Re:NoScript by Hazel+Bergeron · · Score: 3, Funny

      To help geek up this analogy: enjoying the web without Javascript is like having sex but avoiding partners with STDs.

    5. Re:NoScript by TechLA · · Score: 3, Insightful

      No one talked about complexity, but just being a pain in the ass to use. You always have to keep reloading sites, allowing scripts and so on when you go to new sites. And if you just allow most, then there's no point anyway. Most of the internet now relies on JavaScript and it really does make things easier, allows AJAX and so on. You break a lot of functionality without JavaScript. Yes, most good sites allow non-JavaScript fallback, but it's not as nice as with JavaScript enabled.

    6. Re:NoScript by TechLA · · Score: 2

      NoScript blocks more malware than either.

      And abstinence provides better protection than condoms.

      Yet, abstinence probably leads to much more serious things than possibility of some minor STD, including depression, anti-social behavior and stress. It's good to let go every once in a while.

      Of course, there is a good middle ground too. Serious STDs like HIV/AIDS generally do not spread orally. If you're on the receiving end of a blowjob, you have almost 0% chance of catching HIV. Even with prostitutes. I learned this thing and have had sex with many ladyboys and never had any STD. Of course, while having intercourse it's a good idea to use a condom, but as a receiving end of a blowjob, you cannot get AIDS.

    7. Re:NoScript by 93+Escort+Wagon · · Score: 3, Funny

      To help geek up this analogy: enjoying the web without Javascript is like having sex but avoiding partners with STDs.

      For a typical user, a better analogy would be: Enjoying the web without Javascript is like having sex while wearing a condom made of inch-thick rubber.

      --
      #DeleteChrome
    8. Re:NoScript by Anonymous Coward · · Score: 2, Informative

      NoScript can block all those things since it has configurable plugin blocking, configurable with the same site rule system used for js. This is great, not because of malware, but because I personally would rather just click on the few cases where I want to use flash (even on whitelisted sites).

      So your snark attempt has pretty much failed.

    9. Re:NoScript by Anonymous Coward · · Score: 2, Insightful

      To help geek up this analogy: enjoying the web without Javascript is like having sex but avoiding partners with STDs.

      For a typical user, a better analogy would be: Enjoying the web without Javascript is like having sex while wearing a condom made of inch-thick rubber.

      and while also wearing a blindfold...

    10. Re:NoScript by AK+Marc · · Score: 2

      Opera fills in the empty spots with a big "play" arrow, and you click it to play the content. Nobody gets "confused" over that, except twats who decided they want to be obtuse and complain about everything not their preferred way and start eating their mouse and complain that the browser didn't interpret their instructions correctly.

    11. Re:NoScript by Runaway1956 · · Score: 3, Insightful

      "WE CAN'T GIVE YOU A SCORE FOR YOUR BROWSER."

      "WHAT DOES THIS SCORE MEAN?"

      I guess that means that my browser is more secure than they expected, and they don't want to admit it? Or, they can't exploit a vulnerability that they expected to find in my browser? WTF?

      Chromium, with Ghostery, AdBlock Plus, Flashblock, and NoScript. Go figure . . .

      Let's see what it looks like in Firefox:

      "How well is your browser protecting you?

      We do not have any data for your browser, so we can’t give your browser a score.
      See how other browsers scored > "

      The site likes my Firefox setup better than it liked my Chromium setup - I can at least advance through the menus. But, they can't rank my browser. Phht. Same old tired FUD, if you ask me. What a waste of bandwidth!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    12. Re:NoScript by HermMunster · · Score: 4, Insightful

      We all know Microsoft's response is total bullshit. What this is in response to is a recent report indicating that IE is the primary vector for infection in Windows environments, which is nearly all of them as the infection rate for other OSes isn't even measurable.

      This is a deflection tactic. It is meant to push notice on the competition that is suffering now in the press at various stages. It has no merit, none at all. It is a weak tactic and one we all should despise.

      Instead of Microsoft actually fixing their problems, or exiting the market, they have to make others look bad to make themselves look better. I'm sure few of us will take the bait, but when addressing the unwashed masses it has its intended effect.

      Everyone here should be a correction mechanism for this for their family and friends. Microsoft can reach more people with a single utterance than any of us can, but together we can work to ensure we offset that with the real causes of infections (Microsoft's shoddy work), and we can shed light on our family and friends to make it clear that they understand these are shameful tactics.

      --
      You can lead a man with reason but you can't make him think.
    13. Re:NoScript by Tasha26 · · Score: 2

      Look at the title, "Microsoft says..." and about their own product. It must be true... right... umm?

    14. Re:NoScript by jcfandino · · Score: 2

      To help geek up this analogy: enjoying the web without Javascript is like having sex but avoiding partners with STDs.

      For a typical user, a better analogy would be: Enjoying the web without Javascript is like having sex while wearing a condom made of inch-thick rubber.

      Well, it depends if you are the one wearing the condom or the other one.

    15. Re:NoScript by hairyfeet · · Score: 2

      I hate to break the news to ya friend, but as much as I think IE is shit (haven't let my users run it since the whole ActiveX mess) infected computers are something I have to deal with at the shop constantly and I can tell you it's almost always the user's fault and no amount of software can keep stupid people from being dumbasses.

      Here are how I'd say a good 90%+ of Windows bugs get in: 1.- "ZOMG U got teh viruz! Run "Iz not viruz iz cleanerz!.exe" to kill teh bug ZOMG!" 2.-"want teh hot lezboz? U 2 can have teh hot lezboz! Just run "Iz not bug iz codecz.exe" and U can be watching teh hot lezboz right now!" 3.-"Want teh latest (insert Hollywood movie or song) for free? U 2 can have teh (insert Hollywood movie or song) for free! Just run "Iz not bug iz new limewirez" and U can have (insert Hollywood movie or song) right now!"

      Notice how NONE of the above counted on the browser? Hell, notice how none of the above even counted on the OS they were running? Good old social engineering friend, you scare them, offer them sex or something free, and their PC is yours. Hell one of my teachers used to love to tell this story about how he was taking a class on a tour of some security firm and just got tired of listening to the BOFH bullshit by the guy leading the tour. Finally he said "If you think your security is THAT hot, tell you what: you let me loose in this place for TEN MINUTES and I'll be in your system, no problem. If I fail I'll give you a $100 and buy you a steak dinner" and the guy took the bet. 8 minutes later the teacher walked up and handed him over a dozen usernames and passwords, including a couple that had full access to everything. When the guy asked "How could you do that? We make them change their passwords and use complex and blah blah blah" he just started flipping over keyboards and all over the place were sticky notes with usernames and passwords.

      In the end the user is always the weakest link and is a hell of a lot easier to crack than any software or OS, so it's no wonder why social engineering has gone through the roof. Hell I had an admin friend that ended up being dragged before the regional head as the PHB immediately above him wanted him fired because, and I quote: "You have NO RIGHT to tell me whom I can speak to! You will let my emails from Melissa through right this minute or YOU'RE FIRED!". That's right folks, this genius was fighting for the right to infect the system and THAT is the kind of stupid you are up against. MSFT could make the most secure OS in the world but as long as the user has ANY control? It's fucked.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Seen the same data elsewhere, re: Exploits by Tridus · · Score: 5, Interesting

    I've seen the same data from McAfee, and it was really something. For every computer exploited using a Windows flaw, 100 are exploited using Flash. Acrobat Reader and Java are the other major culprits.

    In a lot of ways, browser security itself has never been better. There are several highly capable ones out there in this area. The weak link is some truly terrible plugins.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:Seen the same data elsewhere, re: Exploits by Cryacin · · Score: 2

      As an RIA and web developer, let me tell you what would need to happen for me to start developing in HTML5.

      1. Every browser would need to implement the W3C standards as laid out. It's madness to go back to the days where you had to write the same code block in several different flavours, not only to support different browsers, but different VERSIONS of browsers. Wake up kiddies, a lot of corporates are still on IE6.
      2. When we have the full IDE toolset for HTML5 that we have for flash, and the frameworks to support fast development. If you do not produce value to the business through leveraging tools, you are working for sweatshop wages at the same cost to the business. Who uses a hammer to commercially build a wooden fence when you have nail guns?
      3. When HTML5 *really* has the same feature set and grunt that AS3/MXML has. And I don't mean fantasy proof of concept, but only under these conditions, if you install the latest browser version, stand on one hand and wiggle your ears feature sets. Furthermore, the grunt has to be there. All HTML5 examples I've seen have taken longer to develop than their AS3 counterparts, and run like a dog in comparison.

      Please, if I'm wrong, and all this stuff is here, give me the links, and I'm gone baby. I'm now a HTML5 developer, or whatever language you want to throw in its stead. The fact of the matter is that Flash/Flex is the fastest enterprise RIA development tool that can consume any endpoint you can possibly imagine to throw at it, whilst providing a snappy front end that's lightning fast to develop.

      I agree, Adobe would benefit by plugging security holes, but if you're actually serious about getting us devs to switch over, address these issues, and we're gone.

      --
      Science advances one funeral at a time- Max Planck
  3. If only it weren't for the inaccuracies... by LordLimecat · · Score: 4, Insightful

    It might have been informative. Seriously, when you accuse Chrome of not meeting the requirement,
    "Does the browser help protect you from websites that are known to distribute socially engineered malware?"
    when Google's anti-malware service is the basis for at least two browsers, and predates IE's effort by at least a year (probably more like 2), it sort of hampers your credibility.

    1. Re:If only it weren't for the inaccuracies... by PickyH3D · · Score: 2

      Although I realize it's not very cool to mention, reports would suggest otherwise: block rate.

      Of course, the report uses Chrome 12, so it's about a week old.

    2. Re:If only it weren't for the inaccuracies... by LordLimecat · · Score: 2

      Even if we were simply to pretend that those stats mean that IE9's blocking is 9x as effective as Chrome's (which is one heck of an allowance), that has nothing to do with Microsoft's claim. Chrome DOES provide a mechanism for filtering malware URLs, in direct contradiction to their claim.

      I'm not saying IE9 sucks or that Chrome is superior or any of that, I'm simply marveling at their gall in making completely false statements with no compunctions.

    3. Re:If only it weren't for the inaccuracies... by swillden · · Score: 2

      Does the browser automatically block insecure content from secure (HTTPs) pages? (Even though Chrome does in fact warn you of this. Props to MS, though, they HAVE warned about this since IE6-- though I'm pretty sure IE9 does NOT block it automatically).

      Even if Chrome warns the user, I guess what they're saying is after the page has loaded, it's too late. Any passive eavesdropper can see which included resources you've downloaded over an unencrypted connection.

      Chrome doesn't download the unencrypted resources unless you tell it to. The warning pops up and asks you if you want to download the insecure pieces or not.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
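The sub-thread above is about insecure subresources on HTTPS pages. As an added example (not part of the original thread), this Python sketch lists the `http://` subresources an HTTPS page would pull in, split into the usual active/passive classes. The tag list is a simplified assumption, and the sample page and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that load a subresource. "active" content can script or
# restyle the page; "passive" content (images, media) cannot, but the request
# is still visible on the wire. Simplified list: an assumption of this example.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = [(attrs[a], kind) for (t, a), kind in SUBRESOURCES.items()
                      if t == tag and attrs.get(a)]
        # <link> only loads a subresource for certain rel values; check stylesheets.
        if tag == "link" and attrs.get("href"):
            if "stylesheet" in (attrs.get("rel") or "").lower().split():
                candidates.append((attrs["href"], "active"))
        for raw, kind in candidates:
            # Resolve relative and protocol-relative URLs against the page URL,
            # so "//cdn.example/x.js" on an HTTPS page counts as HTTPS.
            resolved = urljoin(self.page_url, raw.strip())
            if urlparse(resolved).scheme == "http":
                self.findings.append((kind, tag, resolved))

def find_mixed_content(page_url, html):
    """Return http:// subresources referenced by an https:// page."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content is only defined for secure pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample input.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="http://cdn.example/theme.css">
<script src="//cdn.example/lib.js"></script>
<script src="http://ads.example/track.js"></script>
</head><body>
<img src="http://img.example/banner.png">
<img src="logo.png">
<a href="http://other.example/">plain link, not a subresource</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

It only sees subresources declared in the markup; requests made by scripts at run time need a browser-side check.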
    4. Re:If only it weren't for the inaccuracies... by elashish14 · · Score: 2

      This is the same NSS that's funded by Microsoft. Also the same company that once tried to publish a study where they compared a development version of IE against a version of Chrome that was twice outdated.

      http://www.google.com/search?q=nss+microsoft

      Hard to trust a company with that kind of history....

      --
      I have left slashdot and am now on Soylent News. FUCK YOU DICE.
  4. severely damaging to test credibility by v1 · · Score: 2

    when you don't allow users to run your test on some of your competition's offerings, such as Safari.

    All they're trying to do is say "We're the best (in this carefully chosen group)" Of course they're going to win that argument. Even a catbox smells nice if you're only allowed to compare it with a hog shed.

    Now I'm not out to smear the other offerings they did include, but even leaving out one significant competitor from your test is more than enough to raise reasonable doubt as to how your product really stacks up against all your competition.

    --
    I work for the Department of Redundancy Department.
  5. Re:Big deal! by jonbryce · · Score: 2

    IE9 is much better than previous browsers. It gets 100% in the acid 3 test, but it still ignores <q> tags.

  6. Site is fake, no tests are run by Derling+Whirvish · · Score: 5, Informative

    The site is fake and does nothing other than tell you to use IE9. It determines your user agent and responds based on the result. It does not run any security tests against your browser. When I go to the site with IE9 I get a score of 4 of 4. When I go to it with Firefox 8 I get a 2 of 4 score. When I switch my user agent in Firefox 8 with the user agent switcher add-on to report I am using IE9 and go to the site using Firefox 8, I get a score of 4 of 4.

  7. Malicious Website Content! by znerk · · Score: 2

    Get Adobe Flash player
    This page requires Flash Player version 10.2.0 or higher.

    My browser only scored a 2 out of 4, yet was able to keep me from seeing most of the malicious content on the linked page.

    NoScript and AdBlockPlus, thank you.

    My browser: 1
    Microsoft FUD: 0

    Moving along, now... so much more internet to see, so little time.

    --
    This work is licensed under a Creative Commons Attribution 3.0 Unported License.
  8. It doesn't rate Opera either, but by Eadwacer · · Score: 4, Interesting

    When I went there with my Opera browser, it said it couldn't rate it. So I used Opera's site preferences to lie to the site and tell it I was using IE (version unspecified). I then got a rating of 4/4. So even a fake IE is better than none.

  9. Re:Big deal! by Rhodri+Mawr · · Score: 2

    The Acid 3 test was revised and now all of the major browsers get 100%. It is no longer relevant.

  10. Typical Microsoft Site by dtjohnson · · Score: 4, Informative

    All show and no go. It doesn't actually test your browser or system, it just attempts to identify the browser and then matches it up with a "score." My Firefox 6 got a score of 2 out of 4 based on a list of features that it allegedly had or did not have and, among other things, gave me a check box under 'yes' for "Does the browser benefit from Windows Operating System features that protect against arbitrary data execution?" even though I was running a non-Windows OS. Then I hit it with Netscape 2, Netscape 4, HotJava 3, and Opera 3 and it was unable to identify any of those and just said it couldn't give a score. The best part, though, was where it said 'The flash plugin was needed to display the page' advising me on security.

  11. Cut'em some slack by FyberOptic · · Score: 3, Insightful

    Why does everyone fall back on attacking Microsoft for press releases like this? Statistically, IE HAS been safer than other browsers in certain respects nowadays. It's silly to dismiss their complete turnaround in taking security seriously just because it's fun to hate on the company.

    Of course there's going to be some marketing thrown into it as well. But what company doesn't? Why isn't everyone attacking Apple when they claim Safari is the fastest and safest browser? Or Mozilla, which has made the same claims for years too? It's not true for either of those, and they certainly can't both be right at the same time. Everyone lets that slide, because it's not cool to hate on them, despite their own terrible histories with security/vulnerability problems.

    I haven't used IE for years (stopped for security reasons, in fact), but that doesn't change the fact that I can still offer them kudos for helping keep the web a safer place, especially when they still provide the dominant browser. Fewer infected machines on the internet is beneficial to ALL of us.

  12. Firefox Needs Sandboxing by rsmith-mac · · Score: 2

    Even though the site is the usual mix of MS inaccuracies, one thing it does do a good job pointing out is that Firefox is the odd man out right now when it comes to sandboxing. IE has it, Chrome has it, Safari on the Mac has it. Yet Firefox as the #2/#3 browser in the world lacks it. And while it's of limited use in protecting against attacks on plugins (which are the most common vector), it means it's easier to exploit the browser itself.

    The FF devs should be working on getting Firefox appropriately sandboxed, even if it's Windows-only at the start. It would go a long way towards bringing it up to par with Chrome, which is Firefox's real competition.