IE8 outperforms competing browsers in malware protection -- again

A recently released study by NSS Labs is once again claiming that based on their internal tests, Microsoft's Internet Explorer 8 outperforms competing browsers like Google's Chrome, Mozilla's Firefox, Opera and Apple's Safari in terms of protecting their users against "socially engineered malware" and phishing attacks.

Not only did IE8 top the chart, but the rest of the browsers have in fact degraded in their "socially engineered malware" and phishing block rates compared with the results the company released in the March edition of the study.

How objective is the study? For starters, it's a Microsoft-sponsored one. Here's how it ranks the browsers:

Socially engineered malware block rate:

  • Microsoft Internet Explorer v8 - 81% block rate
  • Mozilla Firefox v3 - 27% block rate
  • Apple Safari v4 - 21% block rate
  • Google Chrome 2 - 7% block rate

Phishing attacks block rate:

  • Microsoft Internet Explorer v8 - 83% block rate
  • Mozilla Firefox v3  - 80% block rate
  • Opera 10 Beta - 54% block rate
  • Google Chrome 2 - 26% block rate
  • Apple Safari v4 - 2% block rate

What is "socially engineered malware" anyway? Basically, it's the direct download dialog box that appears on, for instance, a scareware page or a Koobface video page spoofing Facebook's layout, like the one attached. Using "socially engineered malware" as a benchmark for malware block rate isn't exactly the most realistic choice in today's threatscape.

And even if it is, some pretty realistic conclusions can be drawn from internal traffic statistics from the Koobface worm's ongoing malware campaigns. The Koobface worm, one of the most efficient pieces of social-engineering-driven malware, is a perfect example of how security measures become obsolete when they're not implemented on a large scale. The stats themselves:

  • MSIE 7 - 255,891 visitors - 43.33%
  • MSIE 8 - 189,380 visitors - 32.07%
  • MSIE 6 - 76,797 visitors - 13.01%
  • Javascript Enabled - 585,374 visitors - 99.13%
  • Java Enabled - 576,782 visitors - 97.68%

What does this mean? It means that with or without the supposedly working "socially engineered malware" block filter using a modest sample of several hundred URLs, the Koobface botnet is largely driven by MSIE 7 users. The irony is that the previous edition of the study dubbed IE7 a browser which "practically offers no protection against malware" with the lowest block rate achieved back then - 4%.

Just like the previous edition of the study, this one also leaves out the fact that client-side vulnerabilities (Secunia: Average insecure program per PC rate remains high; Secunia: popular security suites failing to block exploits) continue contributing to the "rise and rise" of web malware exploitation kits. By excluding client-side vulnerabilities, the study doesn't assess IE8's DEP/NX memory protection, and it also omits ClickJacking defenses and IE8's XSS filter, once pointed out as a less sophisticated alternative to the Firefox-friendly NoScript.

Socially engineered malware is not the benchmark for a comprehensive assessment of a browser's malware block rate. The benchmark is a realistic assessment of the current and emerging threatscape combined with comprehensive testing of all of the browser's currently available security mechanisms, a testing methodology which I think is not present in the study.

Topics: Security, Browser, Malware, Microsoft

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

164 comments
  • Well the credibility of the test is extremely...

    suspect since the winner is also the sponsor, why even print it.
    mrlinux
    • Have to agree with the Linux fanboys this time. Since it is

      sponsored by MS that its credibility is zero, or close to zero. But the same goes for any test sponsored by Apple or the Linux community.

      Waiting for an AdBlock+ addon for Chrome...come on already.
      NeoGeneration
      • But if one was done by

        Google or Mozilla, and their browsers scored poorly, would they post results showing IE8 as better, or do they just release reports in which their browsers came out on top?

        GuidingLight
        • Good question

          Or they might not release that report at all
          JonWayn
          • Wrong

            >>Or they might not release that report at all <<

            Wrong, the article clearly states:

            'The irony is that the previous edition of the study dubbed IE7 a browser which "practically offers no protection against malware"'
            deepee912
        • Piss off loser (NT)

          NT
          No More Microsoft Software Ever!
      • Actually I would believe a study sponsored

        Actually I would believe a study sponsored by Microsoft, Apple, Google, or Canonical - But only if their product lost.

        You figure study authors will give their sponsors as good a shot as possible, and then if they lost they LOST.

        Of course, if the sponsors win, it is pretty meaningless.
        CodeCurmudgeon
      • Browser wars are on again?

        They've paid for studies in the past for other products and every single time their top placement was controversial because in the real world this is not the case.
        Every company, since forever, will give themselves a little extra to have a slight lead in their advertising. Just look at ATI vs Nvidia as the biggest example. But this study is a leap in stupidity. I recommend everyone to use IE8 and browse all kinds of suspected malware sites and see how far it protects you.
        The irony is I cleaned a machine this morning with IE8 and spyware somehow was installed. No joke. How did that happen NSS Labs?
        IMHO anything is better than IE.

        What's the deal? I thought they didn't care about going to war against other browsers since they won the marketshare war? Hey, I know they're losing ground, I see the news updates, but I find it interesting that they're dusting-off their old bag of tricks again? What's next, is Ballmer going to come out on stage running and screaming again?
        Rude Union
        • Presentation is everything...

          When I was doing terminal emulators for a living, a competitor came up with an ad that showed a bar graph comparing performance between themselves and the competition based on results from an independent testing lab (which they had not paid for). The graph appeared to indicate that they were 50% to 90% faster than us (one of the major players in the market at the time). What was not clear unless you read the graph is that this is not what it showed. I don't recall the actual numbers, but it was in terms of CPS throughput (with flow control enabled) while performing certain key operations. If the best performance was, say, 38.4kbps, the base line of the graph was 35.0kbps, so all the graph showed was the margin between the products within less than 15% of the total range of possible values. Also, they only included the results for the tests that they won on, and only on the HW configuration where their video card support was better than ours. We beat them on the same tests (from the same lab) on other hardware.

          Even if the article does not say this makes IE8 the most secure browser, the title of the article does.

          The fact that the study results, even if correct, are a tiny part of the security story does not matter as much as perceptions created in people without the background to understand the results (or those who don't bother to look into the results).

          There are clueless folks posting on both sides. I notice that MS-philes seem to think that the press is pro-FOSS/Linux. I don't see the bias going that way. I also see more uninformed attacks on Linux and Unix than I see on Microsoft. I actually spent a few years (1995-1997) when part of my job was to identify weaknesses and possible attacks or exploits in various types of Internet connected OSs and transactions (regardless of OS), so I think I have a pretty clear picture of what this report actually means, which isn't much.

          A comprehensive study of all threats vs. anti{malware, phishing, virus} measures commonly available, including the ease of use and how gracefully they deal with various failures (like being unable to reach a remote database), and weaknesses in the operating environment security (vulnerabilities that allow an attacker to gain control of a system over the network) would include trojans, viruses, drive-by attacks, root-kits, key loggers, escalation of priority, backdoors, etc., but would still not be able to tell you which browser is more secure.

          If you have 100 tiny non-overlapping datasets, and you see that in 20 of those, product A was as good or better than other players, but in the other 80 they were well below at least one other major player, you would realize that just looking at those 20 datasets does not give you the whole picture; but if you're not told, up front, that those 80 datasets were excluded, or that they exist at all, you might come to the wrong conclusions. It is my opinion that this is what MS marketing wants to have happen.
          Filker0_z
      • OMG! You agree that Microsoft does ANYTHING to sell their warez! (NT)

        NT
        No More Microsoft Software Ever!
    • Well, on the flip side of that

      If Apple or Mozilla knew that their browsers were not as good at malware prevention as their competitors, would they fund research to show that?

      And even if they themselves did fund some sort of research into that area and found they "lost" do you think they would release those results?

      Maybe that is why Microsoft funded this, they knew their competitors would not spend the money only to show IE8 was better?
      GuidingLight
    • If the report was false...

      ...do you not think that they'd have been 'called' on it?

      If the report contained outright lies or was deliberately misleading -- every Linux fanboy would be on them like white on rice.

      Can you provide evidence of any of this?

      On a second point, since Linux is a bunch of fragmented freebie distributions -- WHO from THAT side of the equation would invest the time and money to do ANY kind of report or study?

      Are YOU willing to take a few hundred thousand from your pocket to invest in something like that? If not you, then WHO???

      Don't let logic or common sense get in your way...
      Marty R. Milette
      • Sounds like a fellow who's never heard of RedHat

        "On a second point, since Linux is a bunch of fragmented freebie distributions -- WHO from THAT side of the equation would invest the time and money to do ANY kind of report or study?"
        FrankleeMiDeer
        • So WHERE is THEIR report? <NT>

          <NT>
          Marty R. Milette
          • Uhh ... why do one?

            Since in general, with very few exceptions, Linux isn't vulnerable to the kinds of malware attacks tested for in the article, why would a Linux vendor fund a study on how browsers protect against them? Defense in depth, layers ... the OS protects you, even if the browser doesn't, resulting in better OVERALL protection.
            daboochmeister
          • Exactly

            It's just windows which needs protection because it doesn't provide much of the same itself.

            So it could be concluded that Microsoft want to persuade their customers to use IE8 instead of the alternatives.

            I wouldn't fall for it because ActiveX has been a common vector straight into Windows, the alternatives to IE don't execute ActiveX code, why something like Firefox remains the wisest choice.
            Mikael_z
          • What's with the FUD about ActiveX?

            Really, the people who seem to be most terrified by the word "ActiveX" are the people who actually seem to know the least about it -- including what it is FOR and how IE has ALREADY been locked-down to protect it.

            Having USED ActiveX to build some super cool and extremely powerful applications (that COULD NOT have been created without it) -- I consider non-Microsoft browsers to be fundamentally 'crippled' without having it.

            ActiveX lets you build incredibly powerful and slick-looking web-based applications that can hook in to the full power of the operating system and corporate computing resources.

            Java -- well, if you want to create wimpy, slow applications that look like Windows 3 or OS/2 -- enjoy it.

            Unfortunately, with great power comes great responsibility. (Thanks spiderman. :)

            Yes, evil people took advantage of ActiveX, but Microsoft has had MANY ways to protect users for MANY YEARS.

            To start with -- users can completely disable ActiveX. Out of the box, IE will PROMPT users whether or not they want to use unsigned controls.

            IE also allows users to configure ActiveX use based on IE ZONES -- either standard or customized ones -- again, users have the complete and total freedom to CHOOSE whether or not to accept either digitally signed and/or unsigned controls.

            Using IE Zones -- users can, for example, specify that ActiveX controls will ONLY be loaded when visiting the corporate portal, or any other trusted site -- completely blocking it on any other.

            Lastly, there is the difference between digitally signed and unsigned ActiveX controls. Malware writers don't buy digital signatures to do code signing -- and even if they did, the user would be prompted and presented with the name of the developer/company -- so if anything was fishy there, they could simply reject it.

            In simplest possible terms -- those people terrified of ActiveX should get a life.

            Playing in the sandbox is nice and safe -- but REAL developers enjoy having REAL POWER to develop REAL applications -- and that is very much what ActiveX gives.

            As well, there are so many ways to lock down ActiveX capability -- one would be a fool to state that just because IE CAN use ActiveX that this automatically makes it totally insecure. As noted -- corporations AND individuals can lock down ActiveX as much or as little as they want.
            Marty R. Milette
      • The report is not credible

        I believe the report is not credible not because of its conclusions, but because of the basis on which its conclusions were made.

        The organization issuing the report refuse to define their criteria for measurement. The "social engineered malware" could be just about anything. Without the actual information on which they based their report, I will not accept the conclusion.

        IE8 is not more secure than Firefox, its default configuration is less susceptible to one kind of attack that requires the user to enable the malware. Any browser that supports ActiveX by default is going to have every issue that ActiveX has by default.

        I have been a software engineer since the early 1980s. I have been involved in security stuff since before IP networking was common. I wrote opinion pieces about the flaws in the Microsoft ActiveX security model back in 1996-1997, and even made some suggestions on how it could be fixed.

        I have studied the security of various network tools, including browsers, identified weaknesses, demonstrated exploits of them, and alerted the authors, CERT, and in one case, a government agency that will not be named, of flaws found before they were exploited in the wild. I have done this professionally.

        Therefore, I believe that I'm qualified to say that, without presenting more information, the report is not credible, and should not be used as a factor in decisions as to which browser to adopt at an enterprise level, nor at a personal level.

        If you think this report is aimed at individuals, you're mistaken, it's the enterprise. I currently work at a company that has banned Firefox on its network because MS claims it's not secure, and our IT department believes everything MS tells them. The FUD created by such a report, even if it's worthless, can only help MS maintain a strangle hold on IT departments around the world.
        Filker0_z
        • Internet Explorer relies on third parties...

          to mitigate exploits, just like Mozilla relies on NoScript.

          My lab honey pots have been attacked on IE7, but not since IE8. Even I don't consider this as evidence of particular improvement.

          But I've NEVER had an active X attack for 8 years since Javacools put their registry tool on the market.

          And Secunia PSI goes a long way to help in closing exploit holes before a zero day attack! This has pretty much put Windows x64 equal or superior to Linux and OSX in my opinion. The FOSS community don't have attacks anyway, so how do they know? Till they are combat proven, I got my doubts - news has started to filter in about some gaps lately - one of which apparently lasted for 8 years hidden in the original Linux Kernel.

          Yes I know they supposedly close the gaps sooner than Microsoft, but in the last year; I've rarely had any holes to close on Vista x64 - not even with java and adobe problems! IE 8 64 bit has had Chrome and FireFox beat for at least two months!

          I do not work for any company - I just hate malware to pieces!!!
          JCitizen
        • Instead of your whole life story...

          ...you could have written down some relevant arguments to back your opinion.

          "Therefore, I believe that I'm qualified to say that, without presenting more information, the report is not credible"

          No, you're not, I need arguments, not your history.
          Rubix_z