[Digerati]

Microsoft continues to take security seriously as IE9 (and IE8) once again excels over the alternatives, at least with socially engineered malware threats, the most prevalent for Internet users.

NSS Labs Web Browser Group Test Socially-Engineered Malware - Europe Q2 2011

[Advertisements]

Hi Digerati,

I'd like to add to your contribution if I may.

For those of us who just have to know why they came to this conclusion (such as myself), here's a link that explains in great detail as to why IE9 has been found to be the more secure browser of the 6 that were tested:

NSS Labs, an independent security testing facility, turned all six browsers loose against a set of 650 malicious URLs. The results are rather alarming for anyone who doesn't use a recent version of Microsoft's Internet Explorer:

• Internet Explorer 9 blocked 92 percent of the malicious links. (IE8 scored at 90 percent.)
• Only 13 percent of malicious links were blocked by Firefox, Chrome, and Safari.
• Opera scored a pathetic 5 percent.

But wait, it gets even better. (Or worse, depending on your preferred browser.) Internet Explorer 9 has a new feature, Application Reputation, which boosted its blocking rate to an astonishing 100 per cent in NSS Labs' test. Application Reputation focuses on downloadable files rather than Web pages. It examines a file's "reputation" in the SmartScreen database: how many times it has been downloaded; is it digitally signed; is the publisher known and reputable; have there been any reports of malware in the file. If a file is known and trusted, the download proceeds without interference from SmartScreen. If it is known malware, you are warned of that fact and given a chance to cancel the download. If it is unknown, you receive a cautionary message before the download is allowed to proceed.

Found here: Is Internet Explorer 9 The Most Secure?...Ask Bob Rankin

Edited by DonnaB, 23 July 2011 - 09:30 PM.

[DonnaB]

Hi Digerati,

I'd like to add to your contribution if I may.

For those of us who just have to know why they came to this conclusion (such as myself), here's a link that explains in great detail as to why IE9 has been found to be the more secure browser of the 6 that were tested:

NSS Labs, an independent security testing facility, turned all six browsers loose against a set of 650 malicious URLs. The results are rather alarming for anyone who doesn't use a recent version of Microsoft's Internet Explorer:

• Internet Explorer 9 blocked 92 percent of the malicious links. (IE8 scored at 90 percent.)
• Only 13 percent of malicious links were blocked by Firefox, Chrome, and Safari.
• Opera scored a pathetic 5 percent.

But wait, it gets even better. (Or worse, depending on your preferred browser.) Internet Explorer 9 has a new feature, Application Reputation, which boosted its blocking rate to an astonishing 100 per cent in NSS Labs' test. Application Reputation focuses on downloadable files rather than Web pages. It examines a file's "reputation" in the SmartScreen database: how many times it has been downloaded; is it digitally signed; is the publisher known and reputable; have there been any reports of malware in the file. If a file is known and trusted, the download proceeds without interference from SmartScreen. If it is known malware, you are warned of that fact and given a chance to cancel the download. If it is unknown, you receive a cautionary message before the download is allowed to proceed.

Found here: Is Internet Explorer 9 The Most Secure?...Ask Bob Rankin

Edited by DonnaB, 23 July 2011 - 09:30 PM.

[Digerati]

Yeah, there is a pretty dramatic gap between ratings. I note NSS Labs first started these tests in Q1 2009, IE8(RC1) was just coming out and it scored a measly 69%. I say measly but FF came in second and only got 30% and the others less than that. IE7 got just 4%.

Since then, IE has continued to make great strides in improving that catch rate, while sadly, the others have actually dropped - with FF falling behind Safari and Chrome.

You would think the alternatives would either (1) improve or (2) attempt to discredit NSS Labs' findings. I see neither happening with any substance. In fact, I see many reputable sites backing up NSS Labs findings.

That said, in one rebuttal, Google complained that the tests ignored the layered approach to security - where malware would have to get by all other defenses first. That, is true. But I note MS bashers ignore that very same fact every time they slam MS, Windows, and IE for this vulnerability or that weakness.

The bottom line remains the same - the user, not the browser or the OS, but the user is always the weakest link. If the user keeps his system updated, patched, scanned, and blocked, the browser of choice does not matter.

[DonnaB]

The bottom line remains the same - the user, not the browser or the OS, but the user is always the weakest link. If the user keeps his system updated, patched, scanned, and blocked, the browser of choice does not matter.

I agree 100+%!

[goldhound]

What about users who like Firefox noscript and several good privacy addons which IE does not have and why not?
Are you saying that noscript is not necessary if one uses IE?
I think Micro$ is in bed with those who would track you around the web and target you with ads and privacy invasions. Same with Google.
Have to agree that the user is a huge factor.

[DonnaB]

Hi Goldhound,

Glad you asked!

IE9 does offer an option to control Tracking Protection and has the ability that imitates NoScript. You should be able to enable or disable the NoScript option via:

Tools > Internet Options > Security tab > Security level > Custom level > Disable Scripting

See the links below:

IE9 and Privacy: Introducing Tracking Protection

Microsoft Imitates NoScript

I feel it is best to allow Digerati to explain this in greater detail for you if needed. He does a much better job than I when getting to the heart of the matter.

Please stay tuned for more and don't hesitate to ask any questions you may have.

[Digerati]

What about users who like Firefox noscript and several good privacy addons which IE does not have and why not?
Are you saying that noscript is not necessary if one uses IE?

I am afraid you are sadly misinformed and are buying into hype that without noscript or those add-ons, IE is unsafe, or that you will get infected if you use IE, or that you are safe if you use an alternative. That is not, and never was (even with IE6) true. If it was then 100s of millions of IE users would be infected and the fact remains, most users use Windows and IE right out of the box with no problems, or infestations. When in the trenches of computer repair, it may seem a major issue - but the careless user is the real issue. Certainly a casual observer at a Honda garage full of broken Hondas may feel Hondas are unreliable too. But the fact remains, with a capable firewall like Windows Firewall and a capable anti-malware solution, and by keeping Windows updated (all the things everyone (including FF users) must do anyway), IE users will remain safe - unless they open the door and invite the badguy in via illegal P2P or torrent filesharing - then all bets are off, regardless the browser of choice.

This scripting business is really fanaticism and IE bashing. Disabling scripting/active content has been an simple option in Internet Explorer since IE3.

And you are absolutely correct, noscript is not necessary if one uses IE. Never was. And BTW - not sure I would put any faith in NoScript anyway. See NoScript Controversy.

I think Micro$ is in bed with those who would track you around the web and target you with ads and privacy invasions. Same with Google.

Frankly, that's just ridiculous MS bashing - with a touch of paranoia. If there is any company in this world that is under constant scrutiny, it is Microsoft. I would be more worried with wayward add-ons than IE itself.

Note the #2 add-on ComputerWorld says FF users need to avoid - Top 10 Firefox Extensions to Avoid

IE does not have and why not?

You ask why doesn't IE have NoScript - I ask, if NoScript is so important, why hasn't Mozilla incorporated it into FF? But FTR, AdblockIE works great.

The only feature sadly missing with IE is a spelling checker - fortunately, there is Speckie.

Google has nothing to do with this, and should not be lumped in with Microsoft. Microsoft produces and "sells" products and services. Google does not sell anything, to the best of my knowledge - so you may question their revenue practices all you want.

[goldhound]

Thank you Digerati,

I use only four addons, those being noscript (thank you for the link, it is enlightening) betterprivacy, ghostery, and adblockplus. I noted that the link to AdblockIE has not updated in nearly a year.

In my 12 years online i have not had to deal with a single serious malware or virus infection,(yes i know there was luck involved) due mostly to careful and nearly paranoid surfing habits, close attention always paid to updates, coupled with a healthy dose of skepticism.
I have spent much time dealing with family and friends problems stemming from carelessness in their security apps and bad surfing habits.
I cannot totally attribute my lack of problems the past few years to my own knowledge and need to give full credit to my AV and Malwarebytes pro.

I fully understand the necessity of ads to carry website costs as well as profit, there is no free lunch but i believe that the cost can be trimmed some for those that choose to do so. However, if the ubiquitous abuse of commercial selling that is a normal part of human interaction and greed can be somewhat ameliorated then i am onboard.

Please do not mistake me for an uninformed fanboy of Mozilla, nor am i a Microsoft hater, a realist perhaps. I also understand that those who have received the benefits of Microsoft's excellent training must be careful about biting the hand that feeds, that is fair ball. As an adjunct i would mention that my own website, which is a hobby/professional/mining/lobbying site, is free, is ad free, and costs me about 60 dollars a year. It is an altruistic venture of many years, that is my choice.

I would agree that IE is now much safer than ever before, and that Firefox is often overly hyped. That being said, we did not address the very real presence of borderline malicious tracking cookies that have become so pervasive on the web. I will not delve into those implications as the subject becomes personal and often opinionated, that tends to muddy the waters.

I have of late been using IE on occasion and in fact would (almost) rather use it if i could. Your very informed statements along with other indicators suggest a very strong improvement. I would be remiss if i did not mention past problems with IE which served to put a great many of the slightly better informed than average users off.

Thank you again, your input is respected and appreciated, any further education you can supply is welcome as i do not consider myself an advanced user and am always open to learning.

[Digerati]

I also understand that those who have received the benefits of Microsoft's excellent training must be careful about biting the hand that feeds, that is fair ball.

Not sure what that means. I have not had any training from Microsoft, they don't feed me, and I have bitten that hand several times over Microsoft's past business practices - especially for independent system builders like me.

I would agree that IE is now much safer than ever before, and that Firefox is often overly hyped. That being said, we did not address the very real presence of borderline malicious tracking cookies that have become so pervasive on the web.

What's there to discuss? Tracking cookies, malicious or not (and BY FAR!!! - most are harmless), are no more a threat to users of IE than they are to Opera, Safari, FF or Chrome users - plus, they can easily be blocked. So I am afraid you are simply propagating more false rumors and unfounded biases - unless you have links to real corroborating evidence, and in that case, I would be very interested in reading.

I would be remiss if i did not mention past problems with IE which served to put a great many of the slightly better informed than average users off.

Misinformed by whom? I contend the misinformation was little more than propaganda spewed by FF fanatics, MS bashers, and the biased IT media - because AGAIN, if IE was so unsafe, there would not be a VERY LONG history of 100s of millions of safe and happy users.

"Past" problems? What about Firefox's past and "current" problems?

From 2005. Firefox has more vulnerabilities per month than Internet Explorer
2006 - IE6.x more Secure that FF 1.x http://www.popularte...ecure-than.html
2007 - Symantec reports FF least secure browser - http://www.yugatech....secure-browser/
2008 - http://www.neowin.ne...ws-applications
2009 and FF still leads in most vulnerabilities - http://www.favbrowse...ulnerabilities/
2010 - IE more secure that FF and Chrome http://www.neowin.ne...ome-and-firefox

You can extol the virtues FF all you want. And you can slam IE and MS, IF due! But you cannot use security as an excuse to slam IE, or praise FF. History has shown, that argument does not hold water.

Now of course, you can find reports that says FF is more secure. And you can find reports that says Opera is more secure. Find a browser, and I am sure their is a report or study that says it is best. But there are consistent, year after year reports and studies that shows IE can hold it own.

For the record, I've been supporting computer hardware and building and supporting custom PCs for a lot longer than 12 years - for whatever that's worth. And I've been using IE ever since my former corporate bosses threated to fire us if we did not give up Netscape, and move to the new IE5, the new corporate browser standard - and that was about 14 years ago. Not one of the system I have been responsible for that had IE on it has been infected - and that includes many used by kids and other careless/carefree users.

***

Mining? Long ago and far away, I used to be a chute tapper and motorman (drove a train) on the 2015 foot level in the world's largest (at the time) underground copper mine in San Manual, Arizona. Great job for 18 - 19 year old - until they went on strike.

[goldhound]

It appears that you have read much aggression into my post that did not exist. Bit of a tough job picking what is probably good information out of an angry lecture.
I sincerely hope the rest of your day goes well.

[Digerati]

My apologies. Please understand, I've done my fair share of complaining to and about Microsoft, so they are not, by any means, off-limits. But I will defend them too, if blamed unjustly. When Firefox first came upon the scene in a big way 5 or 6 years ago, even many of my fellow colleagues insisted, often to the point of ridicule, that my systems were unsafe with IE6 - using the same arguments you raised.

This simple question always made my point, "Did you stop getting infected when you switched to Firefox?" Of course none of them were getting infected before! They were just tired of MS, XP, all the security scares sensationalized by the biased IT media just like the Casey Anthony trial made her some sort of celebrity. They were not getting infected before Firefox because they, like me, "practiced safe computing" and kept their systems updated, patched scanned and blocked, and they paid attention to what they clicked and opened.

For those millions of machines that were getting infected, the overwhelming majority were simply not kept updated in a timely basis. And sadly, many were not kept updated because they were illegal copies and the software thieves were afraid "Big Brother" (MS or BG) would find out. Or they were not getting updated, because it was printed everywhere that Windows will break if you let it update itself automatically.

But again, if there were any shade of truth that IE was inherently unsafe and allow you to get infected, with nearly 1 billion Windows machines out there, the vast majority using IE of some sort, with defaults settings, including Windows Update, many with Windows Firewall and the free MSE, there would be 100s of millions of infected machines. And that's just not anywhere near the case.

So forgive me if my response appeared personal. It was not meant to be. When I hear the same 5 or 6 year old arguments over and over again that were not true then, and are even less true today, I do get a little riled when I should just walk away - but I guess that would not be me. Anyway, my apologies again.

And for the record - yeah, okay. While I insist and truly believe the choice of browser today should be based on look and feel and not security, I started this thread to poke holes in some of those arguments that continue to linger.

Oh, and if you want to keep track of the new vulnerabilites - in all software, I recommend signing up for the weekly US-CERT Vulnerability Summary. Very informative. It is a good place to set the record for Apple and Linux "enthusiasts" too! Browsing through some of the recent archives can be a real eyeopener.

[goldhound]

Thank you!
I understand the frustration level you experience and am sorry if gave the wrong impression.
Your points regarding browser choice, myths, and the user aspect are very well put and helpful indeed. It is nice to be shown how to avoid getting used oats in ones teeth!

Best regards

[Digerati]

Used oats? lol

Thanks for your understanding.

[devper94]

My two cents:
IE, Firefox and Chrome are all secure. Like Digerati said, updating is more important.
However, IE has less vulnerabilities doesn't mean it's more secure; they might have not spotted the problem yet.
Firefox and Chrome are both open-source; bugs are fixed in a matter of hours, rather than days. I will be surprised if you can show me IE source code, but anyone can get their hands on Firefox/Chrome source with a single command.

Plus

650 malicious URLs

That is not nearly enough.

Some background on NSS Labs, an "independent" facility, for the lulz (not really relevant):
http://www.thetechhe...benefits-of-IE8
http://viruslab.blog...ble-report.html
http://en.wikipedia....ware_protection

Manufacturers of other browsers criticized the test, focusing upon the lack of transparency of URLs tested and the lack of consideration of layered security additional to the browser, with Google commenting that "The report itself clearly states that it does not evaluate browser security related to vulnerabilities in plug-ins or the browsers themselves", and Opera commenting that the results appeared "odd that they received no results from our data providers" and that "social malware protection is not an indicator of overall browser security".

Clearly we need some neutral information on this.

[Digerati]

IE has less vulnerabilities doesn't mean it's more secure; they might have not spotted the problem yet.

Sorry, but that is some very twisted rationalization. By that rational, how can ANYTHING be trusted? Or are unspotted problems only an issue with IE?

While I agree, more vulnerabilities does not automatically indicated something is less secure, it is a pretty good indicator of problems and a clear indication to keep those vulnerabilities protected by a secured OS and computer - and a careful user.

Clearly we need some neutral information on this.

Again, if you don't trust NSS Labs, subscribe to the CERT Summary. But note of the 6 applicable (to IE) links I posted above citing problems through the years, Symantec (hardly a Microsoft supporter), ZDNet (also a long time MS basher), Secunia, and Bit9 all report IE was more secure! If anything, especially Symantec and ZDNet, these guys are not neutral, they have a long, documented history of being anti-Microsoft!

And I am sorry again, but open source does not mean more secure. It actually can mean there is less control over what happens, and whether that is good or bad is case dependent. Yes, I would like to see MS push out fixes faster, but it averages 4 days, which I don't think is too bad, considering the update must be setup to be tested and pushed out via Windows Update.