NSS Labs Web Browser Group Test Socially-Engineered Malware - Europe Q2 2011
Internet Explorer 9 Security - Continues to Excel
#1
Posted 20 July 2011 - 07:10 AM
NSS Labs Web Browser Group Test Socially-Engineered Malware - Europe Q2 2011
#2
Posted 23 July 2011 - 09:28 PM
I'd like to add to your contribution if I may.
For those of us who just have to know why they came to this conclusion (such as myself), here's a link that explains in great detail as to why IE9 has been found to be the more secure browser of the 6 that were tested:
NSS Labs, an independent security testing facility, turned all six browsers loose against a set of 650 malicious URLs. The results are rather alarming for anyone who doesn't use a recent version of Microsoft's Internet Explorer:
- Internet Explorer 9 blocked 92 percent of the malicious links. (IE8 scored at 90 percent.)
- Only 13 percent of malicious links were blocked by Firefox, Chrome, and Safari.
- Opera scored a pathetic 5 percent.
But wait, it gets even better. (Or worse, depending on your preferred browser.) Internet Explorer 9 has a new feature, Application Reputation, which boosted its blocking rate to an astonishing 100 per cent in NSS Labs' test. Application Reputation focuses on downloadable files rather than Web pages. It examines a file's "reputation" in the SmartScreen database: how many times it has been downloaded; is it digitally signed; is the publisher known and reputable; have there been any reports of malware in the file. If a file is known and trusted, the download proceeds without interference from SmartScreen. If it is known malware, you are warned of that fact and given a chance to cancel the download. If it is unknown, you receive a cautionary message before the download is allowed to proceed.
Found here: Is Internet Explorer 9 The Most Secure?...Ask Bob Rankin
Edited by DonnaB, 23 July 2011 - 09:30 PM.
#3
Posted 24 July 2011 - 07:43 AM
Since then, IE has continued to make great strides in improving that catch rate, while sadly, the others have actually dropped - with FF falling behind Safari and Chrome.
You would think the alternatives would either (1) improve or (2) attempt to discredit NSS Labs' findings. I see neither happening with any substance. In fact, I see many reputable sites backing up NSS Labs' findings.
That said, in one rebuttal, Google complained that the tests ignored the layered approach to security - where malware would have to get by all other defenses first. That is true. But I note MS bashers ignore that very same fact every time they slam MS, Windows, and IE for this vulnerability or that weakness.
The bottom line remains the same - the user, not the browser or the OS, but the user is always the weakest link. If the user keeps his system updated, patched, scanned, and blocked, the browser of choice does not matter.
#4
Posted 24 July 2011 - 08:24 AM
The bottom line remains the same - the user, not the browser or the OS, but the user is always the weakest link. If the user keeps his system updated, patched, scanned, and blocked, the browser of choice does not matter.
I agree 100+%!
#5
Posted 24 July 2011 - 11:54 PM
Are you saying that noscript is not necessary if one uses IE?
I think Micro$ is in bed with those who would track you around the web and target you with ads and privacy invasions. Same with Google.
Have to agree that the user is a huge factor.
#6
Posted 25 July 2011 - 05:25 AM
Glad you asked!
IE9 does offer an option to control Tracking Protection and has the ability that imitates NoScript. You should be able to enable or disable the NoScript option via:
Tools > Internet Options > Security tab > Security level > Custom level > Disable Scripting
See the links below:
IE9 and Privacy: Introducing Tracking Protection
Microsoft Imitates NoScript
I feel it is best to allow Digerati to explain this in greater detail for you if needed. He does a much better job than I when getting to the heart of the matter.
Please stay tuned for more and don't hesitate to ask any questions you may have.
#7
Posted 25 July 2011 - 07:34 AM
What about users who like Firefox noscript and several good privacy addons which IE does not have and why not?
I am afraid you are sadly misinformed and are buying into hype that without noscript or those add-ons, IE is unsafe, or that you will get infected if you use IE, or that you are safe if you use an alternative. That is not, and never was (even with IE6) true. If it was then 100s of millions of IE users would be infected and the fact remains, most users use Windows and IE right out of the box with no problems, or infestations. When in the trenches of computer repair, it may seem a major issue - but the careless user is the real issue. Certainly a casual observer at a Honda garage full of broken Hondas may feel Hondas are unreliable too. But the fact remains, with a capable firewall like Windows Firewall and a capable anti-malware solution, and by keeping Windows updated (all the things everyone (including FF users) must do anyway), IE users will remain safe - unless they open the door and invite the bad guy in via illegal P2P or torrent filesharing - then all bets are off, regardless the browser of choice.
Are you saying that noscript is not necessary if one uses IE?
This scripting business is really fanaticism and IE bashing. Disabling scripting/active content has been a simple option in Internet Explorer since IE3.
And you are absolutely correct, noscript is not necessary if one uses IE. Never was. And BTW - not sure I would put any faith in NoScript anyway. See NoScript Controversy.
I think Micro$ is in bed with those who would track you around the web and target you with ads and privacy invasions. Same with Google.
Frankly, that's just ridiculous MS bashing - with a touch of paranoia. If there is any company in this world that is under constant scrutiny, it is Microsoft. I would be more worried with wayward add-ons than IE itself.
Note the #2 add-on ComputerWorld says FF users need to avoid - Top 10 Firefox Extensions to Avoid
IE does not have and why not?
You ask why doesn't IE have NoScript - I ask, if NoScript is so important, why hasn't Mozilla incorporated it into FF? But FTR, AdblockIE works great.
The only feature sadly missing with IE is a spelling checker - fortunately, there is Speckie.
Google has nothing to do with this, and should not be lumped in with Microsoft. Microsoft produces and "sells" products and services. Google does not sell anything, to the best of my knowledge - so you may question their revenue practices all you want.
#8
Posted 25 July 2011 - 10:35 AM
I use only four addons, those being noscript (thank you for the link, it is enlightening) betterprivacy, ghostery, and adblockplus. I noted that the link to AdblockIE has not updated in nearly a year.
In my 12 years online I have not had to deal with a single serious malware or virus infection (yes, I know there was luck involved), due mostly to careful and nearly paranoid surfing habits, close attention always paid to updates, coupled with a healthy dose of skepticism.
I have spent much time dealing with family and friends' problems stemming from carelessness in their security apps and bad surfing habits.
I cannot totally attribute my lack of problems the past few years to my own knowledge and need to give full credit to my AV and Malwarebytes pro.
I fully understand the necessity of ads to carry website costs as well as profit, there is no free lunch but I believe that the cost can be trimmed some for those that choose to do so. However, if the ubiquitous abuse of commercial selling that is a normal part of human interaction and greed can be somewhat ameliorated then I am onboard.
Please do not mistake me for an uninformed fanboy of Mozilla, nor am I a Microsoft hater, a realist perhaps. I also understand that those who have received the benefits of Microsoft's excellent training must be careful about biting the hand that feeds, that is fair ball. As an adjunct I would mention that my own website, which is a hobby/professional/mining/lobbying site, is free, is ad free, and costs me about 60 dollars a year. It is an altruistic venture of many years, that is my choice.
I would agree that IE is now much safer than ever before, and that Firefox is often overly hyped. That being said, we did not address the very real presence of borderline malicious tracking cookies that have become so pervasive on the web. I will not delve into those implications as the subject becomes personal and often opinionated, that tends to muddy the waters.
I have of late been using IE on occasion and in fact would (almost) rather use it if I could. Your very informed statements along with other indicators suggest a very strong improvement. I would be remiss if I did not mention past problems with IE which served to put a great many of the slightly better informed than average users off.
Thank you again, your input is respected and appreciated, any further education you can supply is welcome as I do not consider myself an advanced user and am always open to learning.
#9
Posted 25 July 2011 - 11:34 AM
I also understand that those who have received the benefits of Microsoft's excellent training must be careful about biting the hand that feeds, that is fair ball.
Not sure what that means. I have not had any training from Microsoft, they don't feed me, and I have bitten that hand several times over Microsoft's past business practices - especially for independent system builders like me.
I would agree that IE is now much safer than ever before, and that Firefox is often overly hyped. That being said, we did not address the very real presence of borderline malicious tracking cookies that have become so pervasive on the web.
What's there to discuss? Tracking cookies, malicious or not (and BY FAR!!! - most are harmless), are no more a threat to users of IE than they are to Opera, Safari, FF or Chrome users - plus, they can easily be blocked. So I am afraid you are simply propagating more false rumors and unfounded biases - unless you have links to real corroborating evidence, and in that case, I would be very interested in reading.
I would be remiss if I did not mention past problems with IE which served to put a great many of the slightly better informed than average users off.
Misinformed by whom? I contend the misinformation was little more than propaganda spewed by FF fanatics, MS bashers, and the biased IT media - because AGAIN, if IE was so unsafe, there would not be a VERY LONG history of 100s of millions of safe and happy users.
"Past" problems? What about Firefox's past and "current" problems?
From 2005. Firefox has more vulnerabilities per month than Internet Explorer
2006 - IE6.x more Secure than FF 1.x http://www.popularte...ecure-than.html
2007 - Symantec reports FF least secure browser - http://www.yugatech....secure-browser/
2008 - http://www.neowin.ne...ws-applications
2009 and FF still leads in most vulnerabilities - http://www.favbrowse...ulnerabilities/
2010 - IE more secure than FF and Chrome http://www.neowin.ne...ome-and-firefox
You can extol the virtues FF all you want. And you can slam IE and MS, IF due! But you cannot use security as an excuse to slam IE, or praise FF. History has shown, that argument does not hold water.
Now of course, you can find reports that say FF is more secure. And you can find reports that say Opera is more secure. Find a browser, and I am sure there is a report or study that says it is best. But there are consistent, year after year reports and studies that show IE can hold its own.
For the record, I've been supporting computer hardware and building and supporting custom PCs for a lot longer than 12 years - for whatever that's worth. And I've been using IE ever since my former corporate bosses threatened to fire us if we did not give up Netscape, and move to the new IE5, the new corporate browser standard - and that was about 14 years ago. Not one of the systems I have been responsible for that had IE on it has been infected - and that includes many used by kids and other careless/carefree users.
***
Mining? Long ago and far away, I used to be a chute tapper and motorman (drove a train) on the 2015 foot level in the world's largest (at the time) underground copper mine in San Manuel, Arizona. Great job for 18 - 19 year old - until they went on strike.
#10
Posted 25 July 2011 - 02:05 PM
I sincerely hope the rest of your day goes well.
#11
Posted 25 July 2011 - 04:28 PM
This simple question always made my point, "Did you stop getting infected when you switched to Firefox?" Of course none of them were getting infected before! They were just tired of MS, XP, all the security scares sensationalized by the biased IT media just like the Casey Anthony trial made her some sort of celebrity. They were not getting infected before Firefox because they, like me, "practiced safe computing" and kept their systems updated, patched, scanned and blocked, and they paid attention to what they clicked and opened.
For those millions of machines that were getting infected, the overwhelming majority were simply not kept updated in a timely basis. And sadly, many were not kept updated because they were illegal copies and the software thieves were afraid "Big Brother" (MS or BG) would find out. Or they were not getting updated, because it was printed everywhere that Windows will break if you let it update itself automatically.
But again, if there were any shade of truth that IE was inherently unsafe and allowed you to get infected, with nearly 1 billion Windows machines out there, the vast majority using IE of some sort, with default settings, including Windows Update, many with Windows Firewall and the free MSE, there would be 100s of millions of infected machines. And that's just not anywhere near the case.
So forgive me if my response appeared personal. It was not meant to be. When I hear the same 5 or 6 year old arguments over and over again that were not true then, and are even less true today, I do get a little riled when I should just walk away - but I guess that would not be me. Anyway, my apologies again.
And for the record - yeah, okay. While I insist and truly believe the choice of browser today should be based on look and feel and not security, I started this thread to poke holes in some of those arguments that continue to linger.
Oh, and if you want to keep track of the new vulnerabilities - in all software, I recommend signing up for the weekly US-CERT Vulnerability Summary. Very informative. It is a good place to set the record for Apple and Linux "enthusiasts" too! Browsing through some of the recent archives can be a real eyeopener.
#12
Posted 25 July 2011 - 04:40 PM
I understand the frustration level you experience and am sorry if I gave the wrong impression.
Your points regarding browser choice, myths, and the user aspect are very well put and helpful indeed. It is nice to be shown how to avoid getting used oats in one's teeth!
Best regards
#13
Posted 26 July 2011 - 07:18 AM
Thanks for your understanding.
#14
Posted 29 July 2011 - 03:44 AM
IE, Firefox and Chrome are all secure. Like Digerati said, updating is more important.
However, IE has less vulnerabilities doesn't mean it's more secure; they might have not spotted the problem yet.
Firefox and Chrome are both open-source; bugs are fixed in a matter of hours, rather than days. I will be surprised if you can show me IE source code, but anyone can get their hands on Firefox/Chrome source with a single command.
Plus
650 malicious URLs
That is not nearly enough.
Some background on NSS Labs, an "independent" facility, for the lulz (not really relevant):
http://www.thetechhe...benefits-of-IE8
http://viruslab.blog...ble-report.html
http://en.wikipedia....ware_protection
Manufacturers of other browsers criticized the test, focusing upon the lack of transparency of URLs tested and the lack of consideration of layered security additional to the browser, with Google commenting that "The report itself clearly states that it does not evaluate browser security related to vulnerabilities in plug-ins or the browsers themselves", and Opera commenting that the results appeared "odd that they received no results from our data providers" and that "social malware protection is not an indicator of overall browser security".
Clearly we need some neutral information on this.
#15
Posted 29 July 2011 - 07:00 AM
IE has less vulnerabilities doesn't mean it's more secure; they might have not spotted the problem yet.
Sorry, but that is some very twisted rationalization. By that rationale, how can ANYTHING be trusted? Or are unspotted problems only an issue with IE?
While I agree, more vulnerabilities does not automatically indicate something is less secure, it is a pretty good indicator of problems and a clear indication to keep those vulnerabilities protected by a secured OS and computer - and a careful user.
Clearly we need some neutral information on this.
Again, if you don't trust NSS Labs, subscribe to the CERT Summary. But note of the 6 applicable (to IE) links I posted above citing problems through the years, Symantec (hardly a Microsoft supporter), ZDNet (also a long time MS basher), Secunia, and Bit9 all report IE was more secure! If anything, especially Symantec and ZDNet, these guys are not neutral, they have a long, documented history of being anti-Microsoft!
And I am sorry again, but open source does not mean more secure. It actually can mean there is less control over what happens, and whether that is good or bad is case dependent. Yes, I would like to see MS push out fixes faster, but it averages 4 days, which I don't think is too bad, considering the update must be set up to be tested and pushed out via Windows Update.