According to a recent NSS Labs report, Microsoft Internet Explorer 9 is far less prone to infection than other browsers, including Firefox. For years I’ve recommended our end users use Firefox because it’s safer than IE. Should I change my recommendation?
This particular report actually looked at how effectively Web browsers protect users against socially engineered malware, rather than how vulnerable particular browsers are to attack. The researchers put the latest version of each of the main browsers -- Internet Explorer 8 and 9, Firefox 3.6, Safari 5, Chrome 6 and Opera 10 -- through a series of tests to see how quickly and efficiently they detected socially engineered malware attacks.
Socially engineered malware attacks aim to evade traditional antivirus software defenses by using Web links to take victims to a download that delivers a malicious payload or to a website that hosts malware links. As these links appear harmless, this type of attack poses a significant risk to anyone using the Internet. Statistics show this kind of attack is increasing at a rapid rate, making detection and prevention of these threats an important function for today's browsers.
Protection against these threats is achieved by using reputation-based systems, which search the Internet for malicious websites and flag their content accordingly. Browsers request this reputation information from these in-the-cloud systems for any URL a user requests, and either present a warning to the user or block access to the site outright if its content has been flagged as potentially dangerous. In the test to which you refer, the beta version of Microsoft's Internet Explorer 9 (IE9) caught an impressive 99% of the live threats compared to Mozilla Firefox 3.6, which caught 19%.
Internet Explorer 9 security protection technology includes SmartScreen URL filtering and SmartScreen application reputation, both of which are new to IE9 and represent a differentiating feature vs. other browsers. URL filtering looks for characteristics of unsafe websites and alerts users to any potentially dangerous links, while application reputation helps the user judge whether to trust the source of a download and, according to the researchers, helps boost IE9’s protection capabilities. Over the past several tests, Internet Explorer has been consistently improving its malware detection capabilities and currently comes out ahead of other browsers.
This is obviously good news for users of Internet Explorer, but this study did not evaluate browser security related to vulnerabilities in plug-ins or the browsers themselves. To assess whether IE or Firefox is less prone to vulnerabilities, you need to turn to Secunia's security fact sheets. Looking at the second quarter 2011 fact sheets for Firefox 3. (PDF), IE 8 (PDF) and IE 9 (PDF), there were 17 vulnerabilities for IE8 and 11 for the still-new IE9, while Firefox had 38. In terms of advisories, an approximation for the number of security events or administrative actions required to keep a program secure, IE8 had four, IE9 one and Firefox three. IE8 had six vulnerabilities ranked as “high” or “extreme,” IE9 had one and Firefox had eight. (It’s also worth noting that the recently released Firefox 4.0 so far has had 16 vulnerabilities, two advisories and no high or extreme vulnerabilities.) Both vendors have a good record of making patches available within 30 days of the vulnerability being disclosed.
As you can see from the facts and figures, Microsoft has done a great deal to improve not only the overall security of Internet Explorer, but also the protection it provides users while surfing the Net. Now may be the time to review your clients' needs and recommend IE9 as an option depending on other features of interest to you and your organization, which may not necessarily be specific to security. Keep in mind, however, that IE9 is only compatible with Windows 7 and Windows Vista, so it may be logical to roll out IE9 and Windows 7 simultaneously. Whichever they choose, always ensure they are running the latest version with all the up-to-date security fixes.
This was first published in September 2011