NSS Labs Browser Report Says IE Is the Best, Google Disagrees

samzenpus posted more than 3 years ago | from the stacking-the-deck dept.

Google 205

adeelarshad82 writes "Independent testing company NSS Labs recently published a report on the ability of popular browsers to block socially engineered malware attack URLs. The test, funded by Microsoft, reported a 99 percent detection rate by Internet Explorer 9 beta, 90 percent by Internet Explorer 8, and 3 percent by Google Chrome. However, Google doesn't entirely approve of this report's focus and conclusions. According to Google not only didn't the report use Chrome 6 for the tests, the current version is Chrome 8; it also focused just on socially engineered malware, while excluding vulnerabilities in plug-ins or browsers themselves. Google defended its browser by claiming that it was built with security in mind and emphasized protection of users from drive-by downloads and plug-in vulnerabilities."


Socially engineered attacks ARE a huge problem (0)

devbox (1919724) | more than 3 years ago | (#34565404)

Note that the report focuses on socially engineered malware which is actually a huge problem currently. This includes all those malicious links on twitter, facebook, instant messaging and so on. They are coming directly from your friends, so most people assume they are safe. If Internet Explorer 9 beta blocks 99% of those and Chrome only 3%, that makes a huge difference.

Just like the days of worms automatically spreading over the internet via remote exploits are quite much gone, the amount of drive-by download exploits is lowering too. However a well-crafted socially engineered attack will always work on people and as a bonus it works across all browsers and even on Mac OSX and Linux. That is, if the browser isn't itself trying to prevent those, like Internet Explorer 9 is. With IE's sandboxing and this feature, IE9 is surely starting to look like a really secure browser for people to use. Now, if companies would just start updating their stuff and abandon IE6...

Re:Socially engineered attacks ARE a huge problem (1)

bhcompy (1877290) | more than 3 years ago | (#34565466)

This is all true and no one should really have a problem with it unless(until?) Microsoft starts marketing it as more than it is(essentially suggesting that IE9 blocks 99% of malware with the small print saying it only applies to social engineering)

Who cares? Not Joe six-pack... (0, Troll)

crovira (10242) | more than 3 years ago | (#34566544)

Same ol' Microsoft FUD.

They're closing the barn door after the barn burnt down and all the horses are bolted.

Just ask them how Bing is doing to hear paeans about how well that's doing.

Switching the rails on the flacks is trivial, you just have to ask 'em the right question.

Fact is that Microsoft OWNS the business desktop and business things tied to it, but THAT'S ALL.

Browsing is something that occurs OFF the business desktop and NOBODY TRUSTS MICROSOFT not to rat them out to the corporate IT department.

That's why Chrome is a fast riser.

That's why Google is so big in web searches.

That's why Android is the "up and coming" phone app system.

That's why Apple OWNS the consumer "Intelligent Appliance" space (iPod, iPad, iPhone, Macs of all stripes,)

That's why Nintendo, Sony and X-Box are duking it out over CONTENT (the best game experience,) in the console space.

Screw Microsoft... They've been screwing your workplace for years.

For 90% of workers, the money that is spent on IT is money that comes out of THEIR pockets.

Be afraid... BE VERY AFRAID /.ers,

Re:Who cares? Not Joe six-pack... (0)

Anonymous Coward | more than 3 years ago | (#34566922)

Someone has been reading too much timecube [slashdot.org] ...

Re:Who cares? Not Joe six-pack... (1)

bigstrat2003 (1058574) | more than 3 years ago | (#34567356)

Browsing is something that occurs OFF the business desktop and NOBODY TRUSTS MICROSOFT not to rat them out to the corporate IT department.

What does this even mean??

Re:Socially engineered attacks ARE a huge problem (5, Insightful)

mcgrew (92797) | more than 3 years ago | (#34565578)

The test, funded by Microsoft

That says it all.

Re:Socially engineered attacks ARE a huge problem (2)

DoofusOfDeath (636671) | more than 3 years ago | (#34565632)

The test, funded by Microsoft

That says it all.

So its results are unquestionably incorrect and/or irrelevant?

Re:Socially engineered attacks ARE a huge problem (4, Insightful)

Joehonkie (665142) | more than 3 years ago | (#34565688)

They certainly cannot be considered "independent" or "unbiased" at a minimum. So they aren't of much value until real 3rd party tests are performed.

Re:Socially engineered attacks ARE a huge problem (1, Insightful)

lgw (121541) | more than 3 years ago | (#34565958)

Do you value the "UL Listing" on electrical gear that you buy? I certainly take that as an assurance that stuff won't just randomly catch fire. All UL Listed testing is paid for by the vendor - and vendor-paid testing is normal in the real world.

This test may be a crock, but you can't just assume that from the fact that MS paid for it. The simple fact is: anyone competent to test browser security probably has a strong opinion about MS, and pretty much anyone will have a reason to be biased. The professionalism of the tester is what matters, not the existence of a reason to be biased.

Re:Socially engineered attacks ARE a huge problem (4, Insightful)

CyprusBlue113 (1294000) | more than 3 years ago | (#34566034)

UL is to test your products for safety, this is a *comparative* test against several competing products for quality.

Apples, meet Oranges, meet troll.

Re:Socially engineered attacks ARE a huge problem (1)

lgw (121541) | more than 3 years ago | (#34566990)

If UL tests 2 products, and finds one passes and another fails, there's certainly a comparison that can be made between them, and a company selling the passing product might feel inclined to draw attention to this (of course, UL itself never comments publicly on failed tests). In this case, the tester tested two products and rated one "99%" and one "3%" against some standard. The methodology might have been totally bogus (no idea), but the act of paying for the test isn't automatically so.

Re:Socially engineered attacks ARE a huge problem (3, Insightful)

MobyDisk (75490) | more than 3 years ago | (#34567328)

This is totally different.

In this case, the tester tested two products and rated one "99%" and one "3%" against some standard.

The key difference is that UL tests against a pre-existing standard. Not a standard that they made after looking at the product. UL can't customize their test to make one product look better or worse.

The methodology might have been totally bogus (no idea), but the act of paying for the test isn't automatically so.

The act of paying for a test to be designed for you, or a test you designed ahead of time to make your product look good, is bogus. Paying to have a test executed for you is not bogus. One is independent, the other is not.

Re:Socially engineered attacks ARE a huge problem (2, Informative)

MrHanky (141717) | more than 3 years ago | (#34566336)

Tests like this are done for marketing purposes. The professionalism of the tester will make sure the test is rigged to give Microsoft the result they want. Get the facts.

Re:Socially engineered attacks ARE a huge problem (0)

geekoid (135745) | more than 3 years ago | (#34567292)

Bullshit. Stop getting the facts from under a tinfoil hat.

Re:Socially engineered attacks ARE a huge problem (-1)

Anonymous Coward | more than 3 years ago | (#34567298)

can you provide your source of facts that proves your statement to be true?

Re:Socially engineered attacks ARE a huge problem (1)

blueg3 (192743) | more than 3 years ago | (#34566426)

UL testing isn't a product comparison, it's a test for standards conformance. The requirements for independence and impartiality are substantially different.

Re:Socially engineered attacks ARE a huge problem (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34566628)

I work for UL. you don't know shit - UL's tests and the kind of stuff going on here are entirely different.

you can actually reproduce UL's tests, and they aren't out there to "compare to another company".

It'd be more like this:

NSS labs browser report says IE blocks 99% of social networking vectors.

Nothing about "in comparison to chrome", or "excellence", or how well it does. Yet all of those are in the study.

In fact, it's incredibly unethical to comment on the performance of a product as a testing studio as good, bad or otherwise. That by itself in the studies guarantees you that these studies are biased due to the funding.

Re:Socially engineered attacks ARE a huge problem (1)

david_thornley (598059) | more than 3 years ago | (#34566762)

If I want to know what is unlikely to burn my house down, I look for the UL listing, and rely on vendor-performed standard tests.

If I want to know whether product A or B is better, I check out Consumer Reports, which accepts no funding from any vendor, not even advertising.

I was willing to believe that IE wouldn't burn my house down anyway, so this report gives me precisely no useful information.

Re:Socially engineered attacks ARE a huge problem (1)

geekoid (135745) | more than 3 years ago | (#34567272)

It raises a red flag, but that is all. They could very well be unbiased and independent.

Yes, like all tests, confirmation from others is a good thing.

Look at the data. Compare to the conclusions. Do they match the conclusions? Is the methodology the correct one for the tests they are doing?

That's the only way to tell if a study is good.

Re:Socially engineered attacks ARE a huge problem (1)

cacba (1831766) | more than 3 years ago | (#34565982)

Data points: IE 9 gets 99%, Chrome gets 3%, Funded by Microsoft. What a beautiful line.

No I haven't looked at how the study worked, on Slashdot being first is better than being right.

Re:Socially engineered attacks ARE a huge problem (5, Interesting)

rtfa-troll (1340807) | more than 3 years ago | (#34566018)

So its results are unquestionably incorrect and/or irrelevant?

They may be technically true in some sense or other. However, in past such situations, Microsoft has been seen commissioning several similar reports; possibly even iterating the instructions for running the reports; then throwing away (under NDA) all the ones which don't match with their marketing wishes. You can basically assume that whatever it says is the opposite of the truth in some way or another because if it was true they would be able to just say it directly instead of commissioning someone else to say it so they can avoid claims of false advertising (for example, their old "Get the Facts" campaign was one of the few things of this type the ASA has clearly stated was misleading [wikipedia.org] ). And yes; most companies do this to some extent, but few other companies could come near to sustaining the level of deception Microsoft does because eventually some employee would become disenchanted and start leaking results. For example, have a look at the Comes documents [groklaw.net] , which only came out because of a lawsuit, to get some idea of the kind of things they can keep secret. Nowadays Microsoft's data destruction policies [theregister.co.uk] are much stricter and they ensure that all deals are finalised by lawyers [pbs.org] and so are legally privileged. This kind of secrecy and professional deception means that almost any marketing claim from them should be disregarded completely until there is some level of independent confirmation.

Re:Socially engineered attacks ARE a huge problem (1, Insightful)

winnitude (1352731) | more than 3 years ago | (#34566040)

The report is almost useless because it has compared the latest stable and dev releases of IE with versions of Firefox and Chrome that are years old.

To use a car analogy, it is comparing the safety features of a '10 Chev Corvette and a 1970 Chev BelAir. I would be embarrassed if the company I worked for released such a report.

Re:Socially engineered attacks ARE a huge problem (4, Interesting)

natehoy (1608657) | more than 3 years ago | (#34567368)

The report is almost useless because it has compared the latest stable and dev releases of IE with versions of Firefox and Chrome that are years old.

What. No, wait, what?

Read on to the end, because later I'm going to tell you what's really wrong with the test and why it's bullshit, but I have to first burn down the obvious straw man you've introduced.

The report was released in October 2010. http://www.nsslabs.com/assets/noreg-reports/NSS%20Labs_Q32010_Browser-SEM.pdf [nsslabs.com]

It used Google Chrome 6, which was the current stable Chrome at the time (6 came out in September 2010). Google Chrome has gone from 6 to 8 in two months. It used Firefox 3.6, which is the current stable Firefox RIGHT NOW, two months after the report was released. 3.6 was released in January 2010, but Mozilla has only done "dot" releases since October. It also included Internet Explorer 8, which was released in March 2009.

In other words, if you want to say "older is worse", then IE8 should have been absolutely fucking pasted by this test. Ummm, right? It's the oldest browser in the test by almost a year.

Now we get to the point that won't upset you, because THIS is what is wrong with the test.

According to their test, what they were really testing was vendor responsiveness to known threats (on-time maintenance of the blacklist), not some response internal to the browser. They took a bunch of really recent entries of bad sites from someone and plugged them into the browsers, getting a new batch of URLs every few hours. The time was measured in hours, so what this is really saying is that Microsoft seems to be the best vendor at maintaining the server-based "bad URLs" list, though it took them 4 hours on average to block sites as opposed to Firefox's 6 hours.

If they got these sites from their paid sponsor, then the list could easily have been biased. But there's more actual provable bias to the test than just that.

The real bias is in the percentages. They do not actually represent "Microsoft browsers blocked 90% of sites while Firefox only blocked 20%". They are a grade-type score, where 100% means all sites were blocked immediately, while a 0% means no sites were blocked, ever. Early detection (measured in hours) seems to play a much larger role than actual number of sites detected. The scores appear to have been done on some form of normalization curve, with the sweet spot being somewhere around "One Half Hour Longer than Internet Explorer".

Otherwise, how does an increase in response time from 4 hours (IE, both versions to within a few minutes plus or minus) to 6 hours (Firefox) make your score go from 90% to 20%?

The net conclusion is, if you're going to use a web browser and you depend on vendor-maintained "baddie" lists as your primary line of defense (rather than script protections like NoScript, which don't depend on a vendor to maintain stuff for you), you're better off with Internet Explorer than any other mainstream browser in the market.

It doesn't make you "70% safer" or protect you from "70% more threats", it means that it has, on average, 2 hours of lead time on the next-best browser in terms of the list of sites it protects you from. It's like saying that McAfee is better than Norton because McAfee generally releases specific virus signatures, on average, 2 hours before Norton does.

So, the test is correct, it's just expressing the results in a very misleading way, showing a very low number for "everyone but Microsoft" because the test results were designed to score what IE did best in the highest way possible. They even spelled that out in their results:

The value of this table is in providing context for the overall block rate, so that if a browser blocked 100% of the malware, but it took 264 hours (11 days) to do so, it is actually providing less protection than a browser with a 70% overall block rate and an average response time of 10 hours.

In other words, this test heavily biases time-to-response over number of sites it protects you against. It's like saying "we didn't pay attention to viruses older than 11 days, and most of your score counts from responding to the ones announced in the four and a half hours".

For all I know, they contacted Microsoft and found out Microsoft's database update schedule for bad-site signatures, and ran their test 1/2 hour after that each day.
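The trade-off between overall block rate and response time discussed in the comment above, worked through as an added example (not part of the thread and not NSS Labs' scoring formula). It assumes a simple exposure model in which each malicious URL is live for a 264-hour window and a block only protects clicks that arrive after it; the delay lists and the `tau` decay parameter are constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

WINDOW_H = 264.0  # observation window: 264 hours (11 days), the figure in the quoted note


@dataclass(frozen=True)
class Score:
    block_rate: float    # share of URLs blocked at some point inside the window
    mean_delay_h: float  # mean hours from first sighting to block (blocked URLs only)
    protection: float    # share of user exposure that met a block page


def exposure_before(t: float, window: float = WINDOW_H,
                    tau: Optional[float] = None) -> float:
    """Share of one URL's total exposure (clicks) that happens before hour t.

    tau=None  -> clicks are spread evenly over the window (assumption).
    tau=hours -> click rate decays as exp(-t/tau), i.e. most victims arrive
                 early in the campaign (assumption).
    """
    t = min(max(t, 0.0), window)
    if tau is None:
        return t / window
    return (1.0 - math.exp(-t / tau)) / (1.0 - math.exp(-window / tau))


def score(delays: Sequence[Optional[float]], window: float = WINDOW_H,
          tau: Optional[float] = None) -> Score:
    """delays: hours until each URL was blocked, or None if it never was."""
    if not delays:
        raise ValueError("need at least one URL")
    blocked = [d for d in delays if d is not None and d <= window]
    mean_delay = sum(blocked) / len(blocked) if blocked else float("nan")
    # A blocked URL protects only the exposure that comes after the block;
    # an unblocked URL protects nothing.
    protected = sum(1.0 - exposure_before(d, window, tau) for d in blocked)
    return Score(len(blocked) / len(delays), mean_delay, protected / len(delays))


# Constructed inputs (10 URLs each), not measurements from the report.
PROFILES: Dict[str, Sequence[Optional[float]]] = {
    # The two browsers from the quoted note:
    "slow_complete": [264.0] * 10,              # blocks 100%, but after 264 h
    "fast_partial": [10.0] * 7 + [None] * 3,    # blocks 70%, after 10 h
    # Same coverage, differing only in the 4 h vs 6 h response time:
    "four_hour": [4.0] * 10,
    "six_hour": [6.0] * 10,
}


def compare(tau: Optional[float] = None) -> Dict[str, Score]:
    """Score every constructed profile under one exposure model."""
    return {name: score(d, tau=tau) for name, d in PROFILES.items()}


if __name__ == "__main__":
    for label, tau in (("uniform exposure", None),
                       ("exposure decaying, tau = 24 h", 24.0)):
        print(label)
        for name, s in compare(tau).items():
            print(f"  {name:14s} block_rate={s.block_rate:5.0%} "
                  f"mean_delay={s.mean_delay_h:6.1f} h "
                  f"protection={s.protection:6.1%}")
```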

Re:Socially engineered attacks ARE a huge problem (0)

FauxPasIII (75900) | more than 3 years ago | (#34566384)

So its results are unquestionably incorrect and/or irrelevant?

Are you just posting this to be contrary?

Seriously, are you advocating that, when we see a study paid for by Microsoft which shows an _overwhelmingly_ lopsided result in Microsoft's favor in a product space where they would generally be expected by experts in the field to be the worst performer, we should take it at face value?

If not, what _are_ you saying?

Re:Socially engineered attacks ARE a huge problem (1)

alvinrod (889928) | more than 3 years ago | (#34566662)

[I'll suppose that you were being facetious, but my sarcasm detector is in the shop---]

Nope, that merely gives you reason to question the outcomes and examine the experimental procedure in depth. It's a meta-level reputation system. If an entity has shown a lack of bias in the past, you can generally choose to accept their work. Otherwise you examine the experiment design and see if anyone was playing fast and loose with the statistics and analysis. Microsoft probably qualifies for most people.

The summary raised a few points. It may be that some older version of Chrome is crap in some aspect compared to the beta of Microsoft's latest and greatest. That's a simple fact that can be supported by some measurement. You can question whether what is being measured is actually useful, but let's assume that it is. Still doesn't change the fact that it's an old version of Chrome vs. a beta version of IE. The study is still perfectly valid, just utterly pointless. It would be like a study on carbon emissions that only looks at cars made during the 60's. Utterly pointless for the current situation.

Skepticism is fine, but be a good skeptic who evaluates the experimental methods and study conclusions. Don't call a club a spade just because it suits your black-and-red view of the world. Otherwise you're really no better than what you purport to despise.

Re:Socially engineered attacks ARE a huge problem (-1, Troll)

Threni (635302) | more than 3 years ago | (#34565834)

That, and that the dodgy websites were probably hosted on servers running IIS shite.

Re:Socially engineered attacks ARE a huge problem (0)

Anonymous Coward | more than 3 years ago | (#34565956)

Yeah no kidding. Everyone knows it's completely impossible to host malware on apache. When will all the microsofties learn?

Re:Socially engineered attacks ARE a huge problem (4, Insightful)

vux984 (928602) | more than 3 years ago | (#34566156)

The test, funded by Microsoft

That says it all.

And the response from google criticizing it was by someone right on google's payroll representing google's interests. I guess we can ignore their criticism then too?

Or perhaps we should let the work stand for itself, evaluate the methodology, strip away the marketing spin, and come away with some nugget of truth, regardless of who funded it. Of course that's "work".

Re:Socially engineered attacks ARE a huge problem (4, Informative)

TENTH SHOW JAM (599239) | more than 3 years ago | (#34567050)

What the Faceless Google rep said was that this test cannot be peer reviewed because they did not release all the data (specifically the URLs visited). Now releasing a report that does not allow for independent review does not make for good science.

The tests may be valid. But until there is enough information to confirm this, I can only be skeptical of the faceless Microsoft rep.

IE might be the best (on an intranet), because... (-1)

Anonymous Coward | more than 3 years ago | (#34566224)

It works with just about anything, which yes, CAN "backfire" on you (online comes to mind, security, etc. & bugs) - & there's things about its surfing experience that I personally do not like vs. Opera especially (though MS pinched tabs + Speedial page & more from Opera))

E.G.-> IE doesn't have the right-click "paste-n-go" in the address bar as Opera does, NOR DOES IT ESPECIALLY NOT HAVE EASILY ADJUSTED "By Site" INDIVIDUAL PREFERENCES, & BY SITE... so they can be diff. on diff. sites you visit (say this one, vs. www.whatever.com, w/ Javascripting, Cookies, or Frames/IFrames, diff. on each one & more per my example here). Nor does IE have Opera's speed. Turn off javascript??? IE "bitches" like a nagware.

HOWEVER:

You guys ever code in IE? Specifically IE + VB.NET or ASP.NET?? Especially for not only online public internet usage, but in business environs for internal shop usage by employees (1000's @ a time etc.))???

Well - I have many times since 1996, & I have to say 1 thing about it IN IE'S DEFENSE IN BUSINESS & INTRANET USAGE - it's flexible & extensible as all hell + EZ to code 4... bigtime. If you can code VB, you can do .NET, especially VB.NET... probably some of the most successful & widely used programming tools ever as far as market-share & widespread use, just like Windows itself.

(Disclaimer, & I am sure SOME of you will understand: Yes, I know - after awhile, ALL the languages come down to more of concepts mastered & knowing what to do in 1 language/IDE is simple enough, because you've done said task before in other tools/IDE... so, my praising VB for ease of use? Hey - WHEN & IF you're good enough to be considered a decent enough coder that can get the job done?? By then, I think you all understand that ALL the languages & tools/IDE's are fairly pretty much the SAME thing, conceptually, & nowadays? Syntactically too, with OOP's Object.Property Method parameters syntax? Well, if they're not? LMAO - build a callable lib/dll in the tool than can & link to its functionality @ runtime - problem solved! Anyways... back on track).

IE + VB.NET coding, or ASP.NET, are excellent for ease of use & RAD buildspeed times, which rocks & saves you time/work/effort (via ActiveX controls), & for business? The way Visual Studio renders either Active Documents or .NET apps, it's a snap for DB access for instance (grid controls etc. & all)... and IE's certainly "setup from the 'get-go'" for corporate LAN/WAN intranet usage for (any DB engine, locally run .exe, or webservice there is out there, and built like you have always built VB apps since 1992 onwards).

Makes it easy to snap together business apps via prebuilt controls & visual template based design that VB itself was "revolutionary" for vs. other competing tools over time. A lot of successful ontime projects have been built off of it all over the planet, so... there you are.

Now, online on the public internet? Well... you know - not so great, security-wise most of all, & imo, especially compared to the latest Opera Betas as of TODAY that just came out -> http://my.opera.com/desktopteam/blog/ [opera.com] ?? IE IS SLOW... bad slow (not so horrible I can't use it, but it's NO Opera).

APK

P.S.=> Plus, IE has policies templates for network admins too, and built/baked right in place, so you can "mass enforce policies" almost as easily as you can on a Citrix/TS setup, which is, WICKED EZ also...

WHICH IS PROBABLY WHY GOOGLE DID THIS FOR CHROME TODAY -> http://www.theregister.co.uk/2010/12/15/chrome_for_business_tools/ [theregister.co.uk]

Easy is good: It gets out to production faster - make budget, make deadline, make money - it works for that which is, imo & experience over 17 yrs. in professional computing? LOL, might be a "wee bit skewed" but, that works for me...

Only thing is: Yes, IE can be secured a LOT better by policy or even by local system, but you have to cut off the "disease vectors" like ActiveX, ActiveScripting, JavaScript, Frames/IFrames, IF you're smart to try keep the damage down from online or crackers etc. possibly, but that also LIMITS users too, so - how many admins out there can REALLY use that? There's always some "exception users" (e.g. mgt. wants it usually or marketing) that want this & that turned on etc., which messes up security initiatives imo... again, like I said about IE above in closing, there you are!... apk

Re:IE might be the best (on an intranet), because. (2)

cp.tar (871488) | more than 3 years ago | (#34567244)

Woah.

I haven’t seen style this terrible in a long, long while. Even the GNAA trolls are more legible.

Re:Socially engineered attacks ARE a huge problem (0)

Anonymous Coward | more than 3 years ago | (#34566316)

Yep. I stopped reading after that. Nothing to see here, move along.

Yet another, in a long list of other studies, funded by Microshaft, which come to the conclusion that M$ wants the PHBs to hear...

Re:Socially engineered attacks ARE a huge problem (1)

camperslo (704715) | more than 3 years ago | (#34567030)

When one uses only a single test, perhaps a specially crafted one, the conclusions may be misleading.

As an extreme example if one takes an area of a country where people are very well fed, and perhaps taking in far more nutrients than needed, it is entirely possible that one could come up with a study showing substantial nutritional value in sewer waste. Without taking into account the other characteristics (bacteria, viruses, levels of toxic medications, smell etc.), sewer waste might actually be portrayed as a good inexpensive source of nutrition.

I don't mean to pass any judgement on whether IE is wonderful or terrible. The point is that one narrow measure should be kept in perspective and not used as the sole basis for an overall opinion.

Re:Socially engineered attacks ARE a huge problem (1)

dave562 (969951) | more than 3 years ago | (#34567322)

I would love to see a study funded by X that does not then show X as being the best product. Given that it seems $ > Truth, I doubt such a thing will ever happen.

Re:Socially engineered attacks ARE a huge problem (0)

commodore64_love (1445365) | more than 3 years ago | (#34566002)

>>>If Internet Explorer 9 beta blocks 99% of those and Chrome only 3%, that makes a huge difference.

Yeah yeah, but Chrome (and Mozilla seaMonkey) can run on my tiny 0.1 gigabyte laptop. Can IE 8 or 9? Ha! Nope. Tried it; was like a snail on molasses. ALSO why in the world was the test run on the latest IEbeta but on the ancient CrO-6? A setup.

Re:Socially engineered attacks ARE a huge problem (1)

ardeez (1614603) | more than 3 years ago | (#34566154)

Just what exactly *is* 'socially engineered malware' ?? which is apparently 'actually a huge problem currently.' ?
I'm curious to know?

In what way is it different to any run of the mill link that attempts to exploit browser vulnerabilities?
Most of which I believe are fixed by the browser vendors pretty quickly the minute they're known about.

Otherwise this whole study seems like a made up problem which is a bit of a non-issue and which appears to be
miraculously solved by only one vendor. Unsurprisingly the sponsor of said report.

Re:Socially engineered attacks ARE a huge problem (0)

dragonhunter21 (1815102) | more than 3 years ago | (#34566174)

If Internet Explorer 9 beta blocks 99% of those and Chrome only 3%, that makes a huge difference.

If being the key word, here. The study was funded by Microsoft, so any pretext of objectivity is out the window. Plus, a 96% discrepancy between Chrome and IE9 is just a little suspicious.

Let's just say I still trust Google a lot more than I trust Microsoft. As my sig might attest.

Re:Socially engineered attacks ARE a huge problem (2)

iserlohn (49556) | more than 3 years ago | (#34566604)

I don't know about you but I rarely receive tarballs, rpms or debs from friends to compile or install on IM or facebook. That's the good thing about the repository system, where there is a (hopefully) trusted source where you install the majority of your applications.

I can't really see socially engineered malware taking off under Linux, really.

It's Clear to Me Why They Waited (5, Informative)

eldavojohn (898314) | more than 3 years ago | (#34565440)

From the response article:

It's not clear why Microsoft and NSS Labs waited until December to release the results.

Maybe it's like the last time this happened [microsoft-watch.com] ?

Furthermore, Moy said, the study started as a private test for Microsoft's engineering team, which was seeking to make internal improvements. "They decided to release it based on the positive results. Many of the test reports we write do not get released by vendors, but they do get used to improve products. So what does 'sponsored' mean in this case?"

So you (internally) strike a deal to test your browser (but also your competitors') with an "independent company" that you pay to perform this service. You get to define the "success parameters" of the test. Then you get the results back and you fix everything. After that time spent fixing has passed, you release the report and add that you have fixed all the problems with your product. Unsurprisingly, you look really really good when this news hits. Since your competitor is not also paying NSS Labs, NSS has no reason to update the report to meet the latest and greatest version of browsers. Meanwhile you can decide if your competitor's browser performed inadequately enough or not for the report -- maybe you even select the success parameters afterward? Heck, you already waited to see if you could release the report.

Independent? HA!

Re:It's Clear to Me Why They Waited (2, Interesting)

Dan East (318230) | more than 3 years ago | (#34565974)

I know this isn't in the spirit of the other posts on this topic today, but I applaud MS for concentrating on security and the best interests of their end users. It's good to see they are taking these matters seriously as part of the product development process.

That said, I still use Firefox, followed by Chrome, for browsing, but at least they are looking out for those stuck with IE simply because it ships with their OS.

Engineering Versus Marketing (4, Interesting)

eldavojohn (898314) | more than 3 years ago | (#34566688)

I know this isn't in the spirit of the other posts on this topic today, but I applaud MS for concentrating on security and the best interests of their end users. It's good to see they are taking these matters seriously as part of the product development process.

Don't get me wrong, I'm always happy when security is improved -- even in the most hated of products by the most hated of companies. The problem I have is when marketing gets a hold of this and spins it to attack competitors, thereby improving the public perception of their own product. This could have all been avoided had Microsoft just kept the report internal like most of NSS Labs' customers. And doing so while comparing the latest IE9 to Chrome 6 and releasing that to the public as a 'current' report now ... well, that's what I have a problem with. If a Chrome user read that report as today's news they're going to think that it's been done with today's Chrome.

Re:It's Clear to Me Why They Waited (2, Insightful)

WARM3CH (662028) | more than 3 years ago | (#34566216)

You have valid points, still Google didn't deny the results and in a sense, confirmed it. Read Google's response again: NSS says IE is better than Chrome in X, but hey, they didn't say Chrome is better at Y and Z. NSS didn't claim X covers everything related to security so bringing Y and Z to the discussion is just a move to draw attention from X.

beta Apples to outdated Oranges (4, Informative)

DragonWriter (970822) | more than 3 years ago | (#34566496)

> You have valid points, still Google didn't deny the results and in a sense, confirmed it. Read Google's response again: NSS says IE is better than Chrome in X, but hey, they didn't say Chrome is better at Y and Z.

I think you missed the other important part: "Also, the version of Chrome that NSS says all this about is two major versions behind the current stable release, while the version of IE they say is better is the current beta release."

A more relevant comparison would be IE 8 to Chrome 8 (the current generally released version of both browsers), or IE 9 to Chrome 9 (the current publicly available pre-release version of each browser).

Perhaps someone should do a similar comparison, but using Chrome 9 and IE 6, instead...

Re:beta Apples to outdated Oranges (1)

cacba (1831766) | more than 3 years ago | (#34566834)

The reason the test used Chrome 6 was it was performed Sept 17-27, before the Chrome 7 release of Oct 21.

The test specifically stripped out Y & Z from potential malware links.

Re:beta Apples to outdated Oranges (2)

DragonWriter (970822) | more than 3 years ago | (#34567396)

> The reason the test used Chrome 6 was it was performed Sept 17-27, before the Chrome 7 release of Oct 21.

Which made it, at the time, merely beta Apples to stable Oranges, which is slightly-less-bad -- but the relevance of the report when it was written isn't important to anyone, the relevance when it is released matters, since that's when people will be reading it and potentially making decisions based on it.

Had the report been released when it was current (leaving aside issues of who was paying for it, and whether what it actually tested was particularly meaningful on its own) it would be a bad comparison of IE's current beta to Chrome's current stable release. Released now, it's a really bad comparison of IE's current beta to an outdated version of Chrome.

Re:It's Clear to Me Why They Waited (2)

Col. Klink (retired) (11632) | more than 3 years ago | (#34566594)

You missed one other step. When the results DON'T show IE ahead, you just don't release them...

Re:It's Clear to Me Why They Waited (0)

Anonymous Coward | more than 3 years ago | (#34567254)

Indeed. This could almost be viewed as a form of extortion, akin to street gangs requiring local businesses to pay "protection" money. Either you pay us, too, or we make your product look like shit when the review hits the press.

Re:It's Clear to Me Why They Waited (1)

geekoid (135745) | more than 3 years ago | (#34567316)

So they use the test to improve their browser until it's better than the others being tested, then say it's the best.

Well..good.

Huh? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34565468)

Google is complaining that a report on socially engineered attacks is only focused on socially engineered attacks? And they're whining that a study done back when Chrome 6 was the most recent release doesn't mention Chrome 8, which is currently the most recent release? Seriously?

Re:Huh? (0)

Anonymous Coward | more than 3 years ago | (#34566290)

> a study done back when Chrome 6 was the most recent release

If the study is that old, then how did IE9 beta get into it?

Check the funding (0)

longtailedhermit (1544819) | more than 3 years ago | (#34565490)

This: "The test, funded by Microsoft"

dammit, you beat me to it (0)

ChipMonk (711367) | more than 3 years ago | (#34565580)

But really, those five words are the #1 takeaway.

Re:Check the funding (4, Informative)

eldavojohn (898314) | more than 3 years ago | (#34565614)

> This: "The test, funded by Microsoft"

The real warning flag is that it doesn't say that on NSS Labs' site nor does it say it anywhere in the report. So if I was being paid to do this, I would have that in big bold letters as a disclaimer on the front page of the report if I wanted to maintain credibility. So either the Google response article is wrong (which the same IE8 report from last year [thetechherald.com] was funded) or you're just being flat out disingenuous when you say "independent." We just happen to receive funding from one of the participants and they decide when and if the report is released.

One more thing, if you dig into this report, the parts where they reference Microsoft read like an advertisement:

> It became obvious from this test and comparisons to the earlier test that Microsoft continues to improve their IE malware protection in Internet Explorer 8 (through its SmartScreen® Filter technology) and in Internet Explorer 9 (with the addition of SmartScreen application reputation technology). With a unique URL blocking score of 94% and over-time protection rating of 99%, Internet Explorer 9 was by far the best at protecting against socially-engineered malware. The 89% zero-hour block rate suggests a far superior malware identification, collection, and classification method.

"What kind of registered application reputation technology did you say they used? Simply revolutionary progress!" Compare that section to that same section on Chrome:

> With a protection rating of just 3%, Chrome 6 dropped more than 14% from our last test. And, Chrome’s unique URL score of 4% was also a major decline. Chrome’s overall poor protection makes it difficult to compare it to other Safe Browsing API-related products.

"Boo, Chrome sucks!" Hahaha oh my this is too funny. Google shouldn't have to explain themselves. Just take what you can to improve from this report, become aware of your opponent's tactics and move forward.

Re:Check the funding (2)

DragonWriter (970822) | more than 3 years ago | (#34566518)

> The real warning flag is that it doesn't say that on NSS Labs' site nor does it say it anywhere in the report. So if I was being paid to do this, I would have that in big bold letters as a disclaimer on the front page of the report if I wanted to maintain credibility.

The report is of greater value to Microsoft, the paying customer, the less obvious it is that Microsoft is the paying customer.

Re:Check the funding (1)

geekoid (135745) | more than 3 years ago | (#34567424)

Too bad they said Microsoft paid for the test. They even put it where it goes in ALL tests.

Anyone who reads these tests knows exactly where to look for funding. It was NOT hidden.

> 4.4 ABOUT THIS TEST
> This private test was contracted by Microsoft’s SmartScreen product team as an internal benchmark, leveraging our Live Testing framework. It has subsequently been approved for public release.

Re:Check the funding (1)

geekoid (135745) | more than 3 years ago | (#34567378)

Depends on how the funding takes place, and for what purposes. Did they fund this test? Do they just make an annual payment to a generic fund to be part of the 'club'? Are they a testing lab where everyone knows the test is paid for by the vendor*?

*UL safety testing is paid for by the vendor, and it works very well. Different kind of testing, but hopefully you see my point.

Re:Check the funding (0)

Mongoose Disciple (722373) | more than 3 years ago | (#34566348)

And of course, rebuttal funded by Google.

So it's a wash.

Stop! (-1, Redundant)

d474 (695126) | more than 3 years ago | (#34565512)

You had me LOL at "The test, funded by Microsoft..."

Bad summary? (3, Informative)

Anonymous Coward | more than 3 years ago | (#34565514)

According to Google not only didn't the report use Chrome 6 for the tests where as the current version is Chrome 8...

Should it be:

According to Google not only did the report use Chrome 6 for the tests, whereas the current version is Chrome 8...

Re:Bad summary? (1)

SgtKeeling (717065) | more than 3 years ago | (#34565952)

I was wondering about this as well. The way it's written makes it very difficult to understand the intention of the author.

What Google's response should have been: (0)

epiphani (254981) | more than 3 years ago | (#34565522)

FOR IMMEDIATE RELEASE

REGARDING: Claims by NSS Labs of Chrome vs. IE Security.

Comment:

HAHAHAHAHAHA

Attack urls? (3, Funny)

TheL0ser (1955440) | more than 3 years ago | (#34565566)

I'm well aware of what social engineering is, but what are "socially engineered malware attack URLs"? Those things that pop up in my inbox say "check out this picture of us!" with a link that looks like someone smashed their head on the keyboard?

Re:Attack urls? (4, Informative)

ittybad (896498) | more than 3 years ago | (#34565822)

Didn't you read the arti.... oh, wait. Slashdot. Right. From the article: "For clarity, the following definition is used for a socially-engineered malware URL: a web page link that directly leads to a download that delivers a malicious payload whose content type would lead to execution, or more generally a website known to host malware links. These downloads appear to be safe, like those for a screen saver application, video codec upgrade, etc., and are designed to fool the user into taking action. Security professionals also refer to these threats as “consensual” or “dangerous” downloads."

Re:Attack urls? (4, Funny)

tycoex (1832784) | more than 3 years ago | (#34566632)

So basically, IE9 does a good job at protecting morons who download everything they see... from themselves.

Would SlashBot Dispense With Browser Wars (0)

Anonymous Coward | more than 3 years ago | (#34565586)

and pay some attention to the Wikileaks wars?

Thanks in advance.

Yours In Osh,
K. Trout, C.T.O.

Re:Would SlashBot Dispense With Browser Wars (1)

Wyatt Earp (1029) | more than 3 years ago | (#34565734)

You mean the story on the front page isn't enough? http://tech.slashdot.org/story/10/12/15/1822216/Todays-WikiLeaks-News [slashdot.org]
Or the one from last night - http://tech.slashdot.org/story/10/12/15/0038211/Air-Force-Blocks-NY-Times-WaPo-Other-Media [slashdot.org]

Or the one from yesterday - http://idle.slashdot.org/story/10/12/14/1612247/Julian-Assanges-Online-Dating-Profile-Leaked [slashdot.org]

Or the other one from yesterday - http://tech.slashdot.org/story/10/12/14/168248/Michael-Moore-Posts-Julian-Assanges-Bail [slashdot.org]

Or the two to four a day we've had for days?

If anything /. has too much about Wikileaks right now, Reddit is slammed with it as well

Re:Would SlashBot Dispense With Browser Wars (0)

Anonymous Coward | more than 3 years ago | (#34566206)

You don't know Mr. Trout? You must be new here.

Funny definition of Independent (1)

schwit1 (797399) | more than 3 years ago | (#34565590)

As independent as a politician that accepts campaign contributions from AT&T or SEIU.

Re:Funny definition of Independent (3, Insightful)

kaizendojo (956951) | more than 3 years ago | (#34566110)

...Or posts on a site that promotes open source and LAMP stacks and images Bill Gates as a Borg. What I find interesting is how no one questions the monthly posts here about IE losing market share from a site (Net Applications) that only polls their own clients, but no one ever points that out.

I must have missed... (1)

Das Auge (597142) | more than 3 years ago | (#34566994)

I must have missed the part where Net Applications is a shill for Mozilla, Google, and/or Apple.

The credibility issue here is with Microsoft. A company that has been shown, time and again, that they're not above tweaking the facts (lying) about their products and their competitors' products. That, and the fact that they paid for this supposed bit of research.

Wai . . . What? (3, Interesting)

rudy_wayne (414635) | more than 3 years ago | (#34565596)

"Independent testing company NSS Labs . . . . . . . . . . The test, funded by Microsoft,"

An "independent" test that was "funded by Microsoft". WTF? How is that independent?

Re:Wai . . . What? (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#34565932)

It means they get paid whether they get the results Microsoft wants or not.

Re:Wai . . . What? (0)

Anonymous Coward | more than 3 years ago | (#34566230)

True, still pretty silly though, from the sounds of it the test is more or less how good of a list of malware downloading sites each browser has. They test 400 sites then give a percentage. Microsoft took the test once, learned which 400 sites are tested, didn't publish the results, but added those 400 sites to their warning list, and surprise, surprise, they passed with flying colors and published the 2nd results.

Just like every browser test, the company that builds for the test wins the test. Microsoft got 90% better this time because it was a painfully easy test to build for. Hell, IE 6 or the original Netscape Navigator could be patched to 100% with a simple change to the hosts file. Really though, what's the point of this one? Anyone with technical know-how can see this test is BS, and anyone without it wouldn't be reading test statistics on browser security.

Re:Wai . . . What? (1)

DragonWriter (970822) | more than 3 years ago | (#34566554)

> It means they get paid whether they get the results Microsoft wants or not.

Which isn't really independent. I mean, if it was blind, such that Microsoft wouldn't know who was performing the test and couldn't retaliate against them by not paying them to do future tests if they didn't like the results of this one, then that would be independent.

Re:Wai . . . What? (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#34566626)

That rationale is pretty weak.

You're right that the results are questionable, absolutely 100% no dispute about that, but the nitpickery over the term 'independent' is overzealous, especially in the context that the same summary pointed out it was funded by Microsoft.

Re:Wai . . . What? (1)

Col. Klink (retired) (11632) | more than 3 years ago | (#34566864)

> It means they get paid whether they get the results Microsoft wants or not.

Of course, since they are funded by MS, they only get released if MS feels like it.

Re:Wai . . . What? (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#34567048)

Yep. That is, however, distinctly different from "paying to make the results what we want them to be".

I'm only nitpicking the semantics here, not the questionable'ness of the data.

3 percent! (0)

martin-boundary (547041) | more than 3 years ago | (#34565604)

Perhaps Google shouldn't have used OpenBSD code in their browser, then :)

Great example (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34565642)

Looks like the test was a perfect example of social engineering.

Independent? (0)

lucas teh geek (714343) | more than 3 years ago | (#34565658)

Independent my ass

Re:Independent? (1)

ChipMonk (711367) | more than 3 years ago | (#34565750)

Your ass is safe, for now.

Grammar po po (0)

Anonymous Coward | more than 3 years ago | (#34565698)

"According to Google not only didn't the report use Chrome 6 for the tests where as the current version is Chrome 8"

Should that say "not only did"?

Clear writing (1)

myNameIsNotImportant (592769) | more than 3 years ago | (#34565760)

> According to Google not only didn't the report use Chrome 6 for the tests where as the current version is Chrome 8

dude, really? couldn't you have said it without using a double negative?

Re:Clear writing (0)

Anonymous Coward | more than 3 years ago | (#34566278)

> couldn't you have said it without using a double negative?

Indeed.

Re:Clear writing (1)

cp.tar (871488) | more than 3 years ago | (#34567350)

> > According to Google not only didn't the report use Chrome 6 for the tests where as the current version is Chrome 8
>
> dude, really? couldn't you have said it without using a double negative?

Apparently, he couldn’t not have said it without using a double negative.

What was even being tested? (4, Insightful)

gman003 (1693318) | more than 3 years ago | (#34565790)

Seriously. What were they even testing? I was under the impression that social engineering was a security flaw in the user, not in the application. Reading the report, it sounds like they were just testing the browsers' databases of known malware/phishing sites. Which, really, has little to do with the security of the browser itself.

Re:What was even being tested? (2)

jfengel (409917) | more than 3 years ago | (#34565990)

> I was under the impression that social engineering was a security flaw in the user, not in the application.

It is, but you can't debug the user, so you have to compensate in software. I feel a lot better knowing that J. Random Grandma has something looking over her shoulder to tell her she really shouldn't be going to that site. Cuz once J. Random Grandma's computer is hacked, it starts sending spam to MY computer.

Heck... I'm a software developer, and I've been known to screw up. Humans are buggy.

So I really want software that does both. If IE is ahead in that area, good for them. Sending out a press release declaring themselves more secure *in general* is dirty pool, and Google should say so. But they should also start swiping some of what MS does for Chrome, because it does make things safer along one dimension. Lord knows Microsoft has done it enough times. Let them feel the back hand of it for once.

Re:What was even being tested? (2)

takowl (905807) | more than 3 years ago | (#34566330)

Little to do with the *code* security, yes. But it's got a lot to do with real-users-not-getting-viruses security.

Seriously, everyone. I know it's sponsored by Microsoft, and I wouldn't be surprised if there's some dodgy selection of test URLs behind the scenes. But if these results are even in the right ballpark, then it's something that Google (and Mozilla, and Opera) really need to pay more attention to. Stop finding excuses to ignore it just because we don't like what it says. Go and try to find the methodology, and see how it's dodgy. Or even do your own tests.

Re:What was even being tested? (1)

Anonymous Coward | more than 3 years ago | (#34566428)

Yep. This is my exact concern - Educating users is the only real method of ensuring security, and a browser catching too many things makes users think that if something isn't caught that it is safe every time. As a network administrator, I would rather use a browser which catches a few things than everything because it keeps users on their toes and means that I will never hear the whole "but the browser said it was safe!" speech.

Re:What was even being tested? (1)

blueg3 (192743) | more than 3 years ago | (#34566452)

It has little to do with the theoretical security of the browser code, but it has a lot to do with the practical security of using the browser.

In a recent study of women... (4, Funny)

GodfatherofSoul (174979) | more than 3 years ago | (#34565830)

...researchers discovered that hot supermodels would be most fulfilled in a relationship with Slashdot user GodfatherofSoul*.

* This study funded by GodfatherofSoul

Re:In a recent independent study of women... (0)

Anonymous Coward | more than 3 years ago | (#34567010)

FTFY

Reminds me of MS (1)

fermion (181285) | more than 3 years ago | (#34565900)

Remember when MS would always complain that their software would run better if only everyone updated. All viruses were the responsibility of the user who did not install patches quickly enough. This was especially true for users that refused to upgrade IE. Of course we all wrote websites for specific versions of IE, so it was pretty impossible to upgrade until the web apps were rewritten. Of course this does not hold a candle to the assertion that everyone was required to pay upgrade fees to ensure safety.

So Google is not quite as bad as MS, but complaining that a reviewer used an old version is a tried and true attempt at diverting attention from genuine deficits in the product.

IE is the best (0)

Anonymous Coward | more than 3 years ago | (#34565902)

at being a huge security hole.

That's been true for years... I don't care what any study says.

Especially one paid for by Microsoft... Jeez... at least set up a shell company and have them pay for the study. At least put some thought into your lies, Microsoft. Come on now

Stopped reading at (1)

w0mprat (1317953) | more than 3 years ago | (#34565980)

"microsoft funded". Google could by rights fund a test of the current Chrome version against IE7/IE8 version from one or two years ago unpatched.

They would have had to intentionally install an old version of Chrome with a standalone installer, and prevent it from updating by circumventing Google updater which silently updates Chrome. Talk about stacking a test.

Very narrow scope (0)

Lucky75 (1265142) | more than 3 years ago | (#34566242)

Note: This study does not evaluate browser security related to vulnerabilities in plug-ins or the browsers themselves.

The scope is very, very limited. It only focused on socially engineered malware, like popping up windows that look like Windows alerts.

What did they do, have a bunch of illiterate idiots using the other browsers to skew the results? I fail to see how you can have an objective test about "socially engineered malware". Maybe IE got a high score because it annoys the hell out of you with annoying popups (that most users would just ignore anyway). I *HIGHLY* doubt the accuracy of these results.

IE Smart filtering and anti phishing "technology" is a load of bullshit anyway.

Scriz (0)

Anonymous Coward | more than 3 years ago | (#34566272)

I stopped reading after "The test, funded by Microsoft,"

kthx.

Other browsers don't need it (0)

Lucky75 (1265142) | more than 3 years ago | (#34566404)

Of course, they forgot to mention that most other browsers don't need explicit prompts and notifications against socially engineered malware attacks since the other browsers are not as vulnerable.

valid in its own way (1)

Jodka (520060) | more than 3 years ago | (#34566490)

The test has an odd kind of validity; The foolish who choose Internet Explorer (instead of Firefox, Chrome, Safari or Opera) would be also the foolish victims of "Socially Engineered Malware". That is, the web browser for dupes protects its users from the same vulnerability which causes them to use it.

And that may be all I need to know (1)

element-o.p. (939033) | more than 3 years ago | (#34567024)

"The test, funded by Microsoft..."

That told me everything I needed to know.