In September 2010, Microsoft commissioned a study to see how effectively Web browsers protect users against socially engineered malware and malicious websites, which are websites that look benign, but aim to convince visitors to download and execute malicious software. NSS Labs conducted tests involving six browsers using real-world threats that showed the beta version of Microsoft's Internet Explorer 9 (IE9) does a better job of defending against real-world malware than any other browser.
In fact, the results scored IE9 five-times more effective at warning users of potential danger than its closest rival, Mozilla's Firefox. According to NSS Labs, IE9 blocked 99% of the 636 malware-distributing sites that were included in the final data, with IE8 blocking 90%, Firefox 3.6 just 19%, and Safari 5, Chrome 6 and Opera 10 at 11%, 3% and 0% respectively.
So, why does Internet Explorer 9 security do so unbelievably well? Are the results simply indicative of a test that favored IE9 and Microsoft, or are the results for real? Finally, now that IE9 as of March 14 has been officially released, should everyone be making the switch to IE9? Those are the questions we’ll address in this tip.
NSS Labs largely attributed IE9’s high score to a new feature called SmartScreen Application Reputation. This feature warns users when it suspects an application about to be downloaded is dangerous. It checks the file's hash and digital certificate, if present, to determine whether the file is a known application with an established reputation. If the algorithm ranks the file as unknown based on criteria such as download traffic, download history, past antivirus results and URL reputation, it warns the user if he or she tries to run or save it. The idea behind the rankings is to reduce the number of generic warnings users see and provide more relevant warnings when a program is deemed higher risk.
This feature of IE9 isn't strictly an application whitelist, however, as users can still ignore the warning, but if combined with a security policy that forbids skipping such warnings, it could dramatically reduce the number of infections that result from malicious downloads. It also provides protection against new varieties of malware before they are detected and added to antivirus updates.
Unfortunately, SmartScreen Application Reputation has some shortcomings. For example, there are plenty of perfectly legitimate applications that don't have digital certificates, and they would score badly under this approach. Also, the feature only checks applications: doctored PDF files and images that carry an attack payload are not included, as there are simply too many of them. Finally, its success depends on users following its policy instead of ignoring its warning.
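To make the reputation logic of the last three paragraphs concrete, here is an added illustrative model (not Microsoft's code, and not taken from the article) of a download gate that keys on the file hash, the presence of a signer and prevalence, and that lets a policy forbid skipping the warning. The reputation store, field names and thresholds are constructed for the example; the unsigned, rarely seen tool shows the false-positive case the article raises.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Reputation:
    downloads: int           # how often this exact file has been seen
    av_detections: int       # past antivirus hits on this file
    signer: Optional[str]    # publisher from the digital certificate, if any

# Constructed reputation records standing in for the online lookup the
# article describes; keyed by SHA-256 of the downloaded bytes.
REPUTATION_DB = {
    hashlib.sha256(b"well-known installer").hexdigest(): Reputation(120_000, 0, "Example Corp"),
    hashlib.sha256(b"dropper sample").hexdigest(): Reputation(40, 7, None),
    hashlib.sha256(b"unsigned indie tool").hexdigest(): Reputation(50, 0, None),
}

# Assumed threshold: unsigned files need this much traffic to count as established.
KNOWN_THRESHOLD = 1_000

def classify(file_bytes: bytes) -> str:
    """Return 'known', 'malicious' or 'unknown' for a downloaded file."""
    rec = REPUTATION_DB.get(hashlib.sha256(file_bytes).hexdigest())
    if rec is None:
        return "unknown"                 # never seen: no reputation at all
    if rec.av_detections > 0:
        return "malicious"               # higher risk: gets the stronger warning
    if rec.signer is not None or rec.downloads >= KNOWN_THRESHOLD:
        return "known"
    return "unknown"                     # legitimate but unsigned and rare

def decide(verdict: str, override_forbidden: bool) -> str:
    """Map a verdict to the user-facing action; policy may forbid skipping warnings."""
    if verdict == "known":
        return "run"
    if override_forbidden:
        return "block"                   # warning cannot be dismissed under policy
    return "warn"                        # user may still choose to proceed
```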
The other main protection technology used by IE9 is SmartScreen URL filtering, introduced in IE8; Firefox, Safari and Chrome rely on Google's similar SafeBrowsing alternative. These reputation-based systems search the Internet for malicious websites and flag their content accordingly. IE requests reputation information for any URL a user requests and will present a warning to them if its content has been flagged as potentially dangerous.
The results of the NSS study are good news for Microsoft and users of Internet Explorer, but it didn't evaluate browser security related to vulnerabilities in plug-ins or the browsers themselves.
A good source of information for assessing how prone a browser is to vulnerabilities is Secunia's security fact sheets. Looking at the fourth quarter 2010 fact sheets for Firefox 3.6 and IE 8 -- there isn't a fact sheet for IE 9 yet as it is in beta -- you will see there were 51 vulnerabilities for IE8 while Firefox had 88. Both had 11 advisories, an approximation for the number of security events or administrative actions required to keep a program secure. IE8 had eight vulnerabilities ranked as “high” or “extreme,” and Firefox had 10. Both vendors have a good record of making patches available within 30 days of the vulnerability being disclosed.
These stats certainly show that Microsoft has closed the gap on Firefox in terms of browser security, and it's good news for everyone that the battle is still on for the title of safest browser. All browsers have vulnerabilities, so it's a case of choosing the vendor that instills the most confidence when it comes to patching problems. As you can see from the facts and figures, Microsoft has done a great deal to improve not only the overall security and maintenance of Internet Explorer, but also the protection it provides users while surfing the Internet.
As attacks against users continue to become more sophisticated, a layer of protection provided by the browser is becoming an increasingly important feature and Microsoft appears to currently have the lead in this area. For companies not running Internet Explorer, it may well be worth considering a move to IE 9, especially as companies roll out Windows 7. It would mean dealing with one less vendor for patches and plugins, and, based on current evidence, a safer browsing experience.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.