Sophos: 'Microsoft is comparing apples to … nothing'

According to Chester Wisniewski, Senior Security Advisor at Sophos, Microsoft's statistics relating to the SmartScreen technology built into Internet Explorer (IE) 7, 8 and 9 'just don't really add up.'

Let's begin at the beginning with one of the top-level conclusions: one in every 14 downloads is malicious.

According to Wisniewski, 'Microsoft is comparing apples to … nothing' because SmartScreen doesn't protect users from exploits that target technologies such as Adobe Reader, iTunes, Real Player, Adobe Flash and Java, and Microsoft has offered no statistics on how often such exploits are used.

Additionally, Microsoft says that 90% of downloads don't trigger a warning, which means that a staggering 1 in 10 downloads does present the user with a warning; and, as Wisniewski points out, the chances of such a warning being a false positive are '30% to 75%.'

Even worse, if up to 75% of the time you get the warning you are downloading a legitimate file, will you continue to pay attention to the warning when it really matters?

Microsoft then goes on to say that a typical user only sees a SmartScreen warning twice a year. For this to be true (given that 90% of downloads DON'T trigger a warning), the average user would only download 20 files a year. Wisniewski finds this hard to believe, saying that 'I don't know anyone who only downloads 20 files per year.' Neither do I.
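The figures above lend themselves to a quick base-rate check. The following Python is added here as an illustration and is not part of the original article or of Sophos's post: it takes the numbers as stated and works out what they imply about the warnings a user actually sees. It assumes (my assumption, not the page's) that the 'one in 14' figure and the '10% trigger a warning' figure describe the same population of downloads, which is exactly the comparison Wisniewski says Microsoft has not supported.

```python
from fractions import Fraction

# Figures as stated on the page (Microsoft's claims, as read by Wisniewski).
MALICIOUS_SHARE = Fraction(1, 14)   # "one in every 14 downloads is malicious"
WARN_RATE = Fraction(1, 10)         # 90% of downloads trigger no warning, so 10% do
WARNINGS_PER_USER_YEAR = 2          # "a typical user only sees a warning twice a year"


def implied_downloads_per_year(warnings_per_year, warn_rate):
    """How many downloads a user must make per year for the stated
    warning count to hold, given the stated warning rate."""
    return Fraction(warnings_per_year) / Fraction(warn_rate)


def max_precision(malicious_share, warn_rate):
    """Upper bound on the share of warnings that are true positives.

    Even if every malicious download were warned on, warnings could not be
    'right' more often than malicious_share / warn_rate (capped at 1).
    Assumes both rates refer to the same population of downloads."""
    return min(Fraction(1), Fraction(malicious_share) / Fraction(warn_rate))


def false_positive_rate(recall, malicious_share, warn_rate):
    """Share of warnings that are false positives when the filter catches
    `recall` (0..1) of malicious downloads and warns on warn_rate overall."""
    true_positives = Fraction(recall) * Fraction(malicious_share)
    fp = 1 - true_positives / Fraction(warn_rate)
    return max(Fraction(0), fp)


def min_false_positive_rate(malicious_share, warn_rate):
    """Lowest possible false-positive share: the perfect-recall case."""
    return false_positive_rate(1, malicious_share, warn_rate)


def recall_for_false_positive_rate(fp_rate, malicious_share, warn_rate):
    """Inverse of false_positive_rate: what fraction of malicious downloads
    the filter would have to catch for a given false-positive share."""
    recall = (1 - Fraction(fp_rate)) * Fraction(warn_rate) / Fraction(malicious_share)
    return min(Fraction(1), recall)


def summary():
    """All the implied quantities in one place, as exact fractions."""
    return {
        "downloads_per_year": implied_downloads_per_year(WARNINGS_PER_USER_YEAR, WARN_RATE),
        "max_precision": max_precision(MALICIOUS_SHARE, WARN_RATE),
        "min_false_positive_rate": min_false_positive_rate(MALICIOUS_SHARE, WARN_RATE),
        # Recall needed to land at each end of Wisniewski's '30% to 75%' range
        "recall_at_30pct_fp": recall_for_false_positive_rate(Fraction(3, 10), MALICIOUS_SHARE, WARN_RATE),
        "recall_at_75pct_fp": recall_for_false_positive_rate(Fraction(3, 4), MALICIOUS_SHARE, WARN_RATE),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value} (~{float(value):.3f})")
```

Under that shared-population assumption, a filter that flagged every malicious download would still have at least 2/7 (about 29%) of its warnings be false positives, which lands right at the bottom of the '30% to 75%' range, and the top of that range corresponds to a filter catching only about 35% of malicious downloads. The twice-a-year claim likewise reduces to 2 / 0.1 = 20 downloads per year, the figure Wisniewski finds implausible.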

Also highlighted is a fundamental weakness in SmartScreen:

Microsoft also points out that applications triggering the warning are not Authenticode signed most of the time. While the concept of digital signatures representing trustworthiness is at the heart of many security solutions, its implementation is often flawed.

As we saw with the Stuxnet worm last year, legitimate signing certificates that were "trusted" were stolen and used by malware authors to increase their chances of bypassing security technologies.

It gets worse, because Wisniewski doesn't believe that most users have the knowledge or understanding of the technical issues involved, and they see warnings merely as an 'annoying roadblock.' He goes on to say that while SmartScreen does a good job of blocking known badware, reputation technologies that rely on the user making technical decisions aren't an effective answer to the current malware threats.