[Amst3rDamag3]

With little effort, we can find reports where Firefox is the most secure and the same for Safari, or probably just about any browser you can find. And they are all right - no browser is perfect!

It just proves it does not matter which browser you use, or which version of Windows. You, STILL have to practice safe computing! You still have to use the latest browser your OS supports, you must keep Windows updated, your firewall up, and your anti-malware solution running, and don't be click happy.

We, as advisors, cannot tell someone to buy a Honda because we don't like Nissan!

You say you don't like the testing methodology - you are not alone. But note EVERY "loser" of any study will find fault in the study. So you need to see who lines up where, and what may influence their decision.

This would have been enough to push the +1 like, if you would have ended here...

Are you saying Ed Bott is wrong too? Just because Ed Bott now writes for ZDNet, that does not mean he is going to pull any punches. He praises when due too, and Microsoft puts out good software - especially in the last couple years. I agree there have been some questionable calls out of some writers at ZDNet - I challenged their review of MailWasher. I challenged PCWorld's MS bashing headlines too. Do you want reports and sites that only report what you agree with?

Not at all, you had to drag it out of me. I wrote what I wrote, and that was clearly about zdnet in general, and not about Ed Bott in particular.
That said, I will not use terms of wrong or right either. Those would indicate facts, and I am only in the position to question facts, not to publish them.
Your Bright objections, wherever I saw them at least, are deeply respected and supported, by many.

It serves Microsoft no purpose to be associated with an organization that would "fix" the testing in some way. Microsoft's business practices are under too much constant scrutiny by Congress, the EU, bloggers, IT press and bashers to even think about it.

***BUSTED***

Who said anything about "fixed"???
So.... ....Please tell me, Mr. Bright, what do you know about MS "fixing" tests -as an MVP- that I don't ???

just kidding here, couldn't resist.

Telling people our opinions is fine, but we have to be objective first, if our advice is to be sound.
Just remember, if Windows and IE were unsafe at their default settings, there would be 100s of millions of infected machines out there. And there just isn't.

I am referring to "struggling with security settings" resulting in "being vulnerable." An unsafe (your words) browser used with safe practicing is still not going to be likely to get infected in the first place.
I am not talking numbers of people infected, which more often is a result of wrong usage a/o poor maintenance than the wrong vehicle, like you said yourself as well. (most used = probly most infected sooner or later anywyas)

My whole point in starting this thread was to draw out and expose these deep long-seated biases against Internet Explorer (and perhaps MS) as what they are - unfounded.
Also - there a good reason the alternatives are gaining in Europe and Asian countries - there, you can buy Windows 7 without a browser. That said, this thread is not about browser popularity.

I am very sorry, but then you should have named this topic "IE 9 - Better then ever" or something. YOU are comparing to un-named others. This cancels the +1 I was going to give you, as if you needed it!



The fact that Win7 is also sold without IE (why is that in the first place / other story ) is new to me, and is HIGHLY interresting. I take it that MS / Windows-update no longer must use IE to work?
Man, I need a new system that I can 'play with' (read as -mess up and fix again-) to keep up here... Serioulsy.


But I am glad we came to a balanced agreement.
You prefer IE, I prefer Chrome, DonnaB prefers FF, and we all seem to stay reasonably safe, even when researching malware (requires some extra layers for us all anyways) and following up on those nasty spam links I come across, even here at GeeksToGo!^tm... I learned a lot from our little discussion, not at the very least that I should recommend further education rather than a single browser / security-system -talk. What a nice thread this has been

As stated before, thank you for sharing !!!

Note: Could I ask you to answer my question here?

Edited by Amst3rDamag3, 27 August 2011 - 08:41 AM.

[Advertisements]

The fact that Win7 is also sold without IE (why is that in the first place / other story ) is new to me

You need to get out more often! This has been coming for a very long time. It was not a choice by MS, but a EU directive.

I will concede my choice of titles might have been better (and I changed it just for you), but it seems you judged the book by it's cover! The message of my opening post is the message - not the title and there I made it clear this thread was about IE's ability to deal with socially engineered threats,

Microsoft continues to take security seriously as IE9 (and IE8) once again excels over the alternatives, at least with socially engineered malware threats, the most prevalent for Internet users.

And in my second post I said,

You would think the alternatives would either (1) improve or (2) attempt to discredit NSS Labs' findings. I see neither happening with any substance. In fact, I see many reputable sites backing up NSS Labs findings.

That said, in one rebuttal, Google complained that the tests ignored the layered approach to security - where malware would have to get by all other defenses first. That, is true. But I note MS bashers ignore that very same fact every time they slam MS, Windows, and IE for this vulnerability or that weakness.

The bottom line remains the same - the user, not the browser or the OS, but the user is always the weakest link. If the user keeps his system updated, patched, scanned, and blocked, the browser of choice does not matter.

That said, the title was an intentional jab at alternative browser users (many of whom are respected colleagues) who insisted, and often still do insist they are safer with their alternative, or that IE users are somehow unsafe, and will get infected if using IE. That NEVER was true! That was pure MS bashing and alternative propaganda - as history has proven.

Because none of the major browsers are "unsafe", I will not tolerate advisors telling users to switch for better security, for that is bad, uninformed and/or biased advice.

I ask all the time for those who insist IE is unsafe, "Did you stop getting infected simply and only by changing browsers?" That stops every expert in their tracks. Never did I get a "yes". If someone was getting infected, it was because they had an inadequate defense. No firewall, outdated (or illegal) Windows or a rogue anti-malware solution - poor computing habits. Not because of the browser they used. And they stopped getting infected because they secured their computer, not because they switched browsers.

I am only in the position to question facts, not to publish them.

WRONG!!! Not only are you in a position to question facts, but you, as a technical advisor, have the RESPONSIBILITY to verify and validate facts presented, yours and others. I remind you, you did post comments as facts, such as your unfounded comment, "Chrome now actually has the largest user base...".

Also, I am at Google Chrome 13 at the moment.

Which just came out a couple weeks ago! This time last year, Chrome was at V6! Seven revisions in less than year is a challenge for anyone to keep up. NSS tests quarterly and IMO, they have done a great job keeping up. But to that, so what? The V13 release notes indicate the update had nothing to do with security.

One final note. My long time colleague and friend Tony Klein wrote that article over 6 years ago - almost a year before XP SP"2". IE9 is not IE6.

[Digerati]

The fact that Win7 is also sold without IE (why is that in the first place / other story ) is new to me

You need to get out more often! This has been coming for a very long time. It was not a choice by MS, but a EU directive.

I will concede my choice of titles might have been better (and I changed it just for you), but it seems you judged the book by it's cover! The message of my opening post is the message - not the title and there I made it clear this thread was about IE's ability to deal with socially engineered threats,

Microsoft continues to take security seriously as IE9 (and IE8) once again excels over the alternatives, at least with socially engineered malware threats, the most prevalent for Internet users.

And in my second post I said,

You would think the alternatives would either (1) improve or (2) attempt to discredit NSS Labs' findings. I see neither happening with any substance. In fact, I see many reputable sites backing up NSS Labs findings.

That said, in one rebuttal, Google complained that the tests ignored the layered approach to security - where malware would have to get by all other defenses first. That, is true. But I note MS bashers ignore that very same fact every time they slam MS, Windows, and IE for this vulnerability or that weakness.

The bottom line remains the same - the user, not the browser or the OS, but the user is always the weakest link. If the user keeps his system updated, patched, scanned, and blocked, the browser of choice does not matter.

That said, the title was an intentional jab at alternative browser users (many of whom are respected colleagues) who insisted, and often still do insist they are safer with their alternative, or that IE users are somehow unsafe, and will get infected if using IE. That NEVER was true! That was pure MS bashing and alternative propaganda - as history has proven.

Because none of the major browsers are "unsafe", I will not tolerate advisors telling users to switch for better security, for that is bad, uninformed and/or biased advice.

I ask all the time for those who insist IE is unsafe, "Did you stop getting infected simply and only by changing browsers?" That stops every expert in their tracks. Never did I get a "yes". If someone was getting infected, it was because they had an inadequate defense. No firewall, outdated (or illegal) Windows or a rogue anti-malware solution - poor computing habits. Not because of the browser they used. And they stopped getting infected because they secured their computer, not because they switched browsers.

I am only in the position to question facts, not to publish them.

WRONG!!! Not only are you in a position to question facts, but you, as a technical advisor, have the RESPONSIBILITY to verify and validate facts presented, yours and others. I remind you, you did post comments as facts, such as your unfounded comment, "Chrome now actually has the largest user base...".

Also, I am at Google Chrome 13 at the moment.

Which just came out a couple weeks ago! This time last year, Chrome was at V6! Seven revisions in less than year is a challenge for anyone to keep up. NSS tests quarterly and IMO, they have done a great job keeping up. But to that, so what? The V13 release notes indicate the update had nothing to do with security.

One final note. My long time colleague and friend Tony Klein wrote that article over 6 years ago - almost a year before XP SP"2". IE9 is not IE6.

[Amst3rDamag3]

I will concede my choice of titles might have been better (and I changed it just for you)

That is a huge compliment, seriously.
It's a clear sign of your ability to debate as well.
Huge & +1Like

The bottom line remains the same - the user, not the browser or the OS, but the user is always the weakest link. If the user keeps his system updated, patched, scanned, and blocked, the browser of choice does not matter...
...I ask all the time for those who insist IE is unsafe, "Did you stop getting infected simply and only by changing browsers?" That stops every expert in their tracks. Never did I get a "yes". If someone was getting infected, it was because they had an inadequate defense. No firewall, outdated (or illegal) Windows or a rogue anti-malware solution - poor computing habits. Not because of the browser they used. And they stopped getting infected because they secured their computer, not because they switched browsers.

My view exactly.

I remind you, you did post comments as facts, such as your unfounded comment, "Chrome now actually has the largest user base..."

Excuse me? Please quote me correctly:

Also, ... recent polls suggest Chrome now actually has the largest user base, mainly in Europe and Asia.

I made a statement. There is a difference between statement and fact.
Thanks for the "advisory" label. I can assure you this topic alone learned me a whole lot, and made me realize even more how many people can be affected by a single -wrong- piece of advise.

One final note. My long time colleague and friend Tony Klein wrote that article over 6 years ago - almost a year before XP SP"2". IE9 is not IE6.

I was not aware the fact you were friends, I would say, "my compliments to the cook!
I am fully aware of the publishing date, however. The fact remains that a lot of people still use XP, and the article still has very good advice on additional things and settings. It is an important thing to remember and an important note when linking to (a related to) that article as well.

Thanks for all the pointers!

[Digerati]

"Chrome now actually has the largest user base..."

Excuse me? Please quote me correctly:

recent polls suggest Chrome now actually has the largest user base, mainly in Europe and Asia.

I made a statement. There is a difference between statement and fact.

I HATE to be misquoted too, so my apologies - however, I put the "..." in there on purpose to illustrate my point, which was, your statement, which was a "statement of fact", was incorrect. Chrome does not have the largest user base, here, there, or anywhere.

Tony and I have not actually met face to face, but like many of my friends and colleagues who "work" "on-line" we have known each other for many, many years. In Tony's case, almost 10 years going back to the now defunct, CastleCops (then ComputerCops) days where he knows me by my real name (I started using Digerati later).

The fact remains that a lot of people still use XP...

Yes, XP is still widely used today. BUT, as part of "Practicing Safe Computing", users should, and it is our job to ensure they are using the latest versions of the applications they use. For XP and IE, that is SP3 and IE8. And SP3 and IE8 work just fine and are perfectly safe at their default settings - as indicated by the 10s and 100s of millions of users out there, running with the defaults, who are not infected.

If an XP user is still using IE7 or before, shame on them - and on the person advising them.

[Amst3rDamag3]

I HATE to be misquoted too, so my apologies.

Accepted, ofcourse.
I have to research your next sentence, but I intentionally used "suggest" to not present it as a fact. I might need some more grammar- lessons

Tony and I have not actually met face to face, but like many of my friends and colleagues who "work" "on-line" we have known each other for many, many years. In Tony's case, almost 10 years going back to the now defunct, CastleCops (then ComputerCops) days where he knows me by my real name (I started using Digerati later).

I'm sure the cooperation is a pleasure to both of you. I can relate to the distant friendship you must have build up in the past 10 years, even without ever actually meeting face-to-face. This -I believe- is one of the biggest advantages of the whole www.
It's nice to read the clarification, it gives a little insight on how things grew and evolved. For example, a year ago, I was oblivious to the fact the writer of HJT, Merijn is just a regular Dutch guy like me, with a regular job, living in a regular house, maybe even here, right around the corner


Thanks for the lessons Digerati, and thanks for listening as well.



Note: I really appreciate the answer on my oem-question, I'll let you all know how it turned out.

[Digerati]

I note this thread, as mentioned earlier, has prompted a discussion behind the scenes in the staff forums concerning the tutorials/guides - specifically in regards to IE, and those articles should be updated soon. I realize there may be some folks who still may not believe me, in spite of all the links I provided to substantiate my position. So to you folks, please note our fearless leader and site owner/admin, Blair, has allowed me to quote his comments/insights about social engineering. Please note in particular for the purpose of this thread, his comments about IE9 and its unique ability, among the leading browsers, at thwarting those threats (my bold underline added). Thanks, Blair!

I do think that guide needs a major re-write. Malware is constantly changing, and that guide was written for a time when drive-by downloads ruled the day.

While drive by downloads still happen (rarely), they usually result from infected websites, and reply on computers that have unpatched 3rd-party software (or Windows). So enabling Windows Update is still very important, as is an updater like Secunia or Ninite (now with auto update option).

Most infection vectors now involve social engineering. The most common are poisoned search and advertising links, fake email that looks legitimate or missing codec type schemes. Traditional antiviruses do little against these threats since the payloads are usually polymorphic, or the virus code changes faster than the definitions can be updated. Reputation checking like included in IE9 is very effective, as is Norton Internet Security 2011 and Trend Micro Titanium Maximum Security. Of course IE9 does it for free. Our sigs should say dump Firefox/Chrome, use IE9 it's more secure.