Microsoft calls out Firefox and Chrome for security weaknesses

In a move that's sure to raise hackles in Silicon Valley, Microsoft today debuted a new web site designed to raise awareness of security issues in web browsers. IE9 gets a perfect score; Chrome and Mozilla don't. How fair is the test?
Written by Ed Bott, Senior Contributing Editor

When you visit the site, called Your Browser Matters, it allows you to see a score for the browser you're using. Well, if you're using IE, Chrome, or Firefox—other browsers are excluded. Not surprisingly, Microsoft's latest release, Internet Explorer 9, gets a perfect 4 out of 4:

[Screenshot: IE9 security score]

Part of the goal of the site is to prod users of outdated IE versions to switch. So IE6 gets a solid zero on this page, and IE7 gets a 1 out of 4.

If you visit the site with the most recent public releases of Firefox or Google Chrome, however, the results are less than perfect. Here, for example, are the detailed results for Chrome 14 and Firefox 7:

[Screenshots: Chrome 14 and Firefox 7 security scores]

Microsoft's methodology is available for detailed scrutiny. If you dig deep enough into the site, you can find this table that lists whether each browser implements particular security features: 

[Table: security features implemented by each browser]

The takeaways?

Microsoft is giving itself full credit for its SmartScreen technology. I've written about this before (see IE9 versus Chrome: which one blocks malware better?), and I think Microsoft has a strong case to make here. IE9 does a great job of identifying suspicious software and differentiating it from known safe downloads. Both Chrome and Firefox are very weak when it comes to providing information that you can use to decide whether a download is safe.

All three modern browsers get full credit for anti-phishing protection.

Microsoft dings itself (but doesn't deduct any points) for its inability to auto-update browser extensions and to sandbox browser sessions. In particular, this seems unfair to Chrome, which should get credit for automatically updating the potentially dangerous Flash plugin. If I could make any change to this scale, I would give IE9 a 0.5 on this score and give Chrome a full point.

As for attacks on websites, no one's perfect, but IE9 gives itself full marks for implementing 4 out of 5 features and deducts a half-point from the scores for Chrome and Firefox.

Microsoft is positioning this site as a user education tool and has recruited some outside organizations to endorse its methodology, including the Anti-Phishing League, Identity Theft Council, and Online Trust Alliance. But the educational message is unfortunately overshadowed by the aggressive marketing. Given that roughly a third of Internet users are running dangerously outdated web browsers, I wish they had placed a greater emphasis on the need to upgrade all your software as an essential security step.

To read more about the site and get Microsoft's full pitch, see this post on the Windows Team Blog: Are You One of the Millions at Risk from Socially Engineered Malware?

In a separate but related development, Microsoft also released its latest Security Intelligence Report today. I'll be digging into its findings in more detail in a follow-up post.
