Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

IE 9 Beats Other Browsers at Blocking Malicious Content

Unknown Lamer posted more than 2 years ago | from the slid-into-the-wrong-universe dept.

Internet Explorer 235

Orome1 writes with an article in Net Security. From the article: "Microsoft's Internet Explorer 9 has proved once again to be the best choice when it comes to catching attacks aimed at making the user download Web-based malware. This claim was made by NSS Labs in the recently released results (PDF) of a test conducted globally from May 27 through June 10 of the current year, which saw five of the most popular Web browsers pitted against each other. Windows Internet Explorer 9, Google Chrome 12, Mozilla Firefox 4, Apple Safari 5, and Opera 11 were tested with 1,188 malicious URLs — links that lead to a download that delivers a malicious payload or to a website hosting malware links."

cancel ×

235 comments

Sorry! There are no comments related to the filter you selected.

And who paid for this study? (0, Flamebait)

CaptainInnocent (2439004) | more than 2 years ago | (#37111522)

I'm fairly sure both Firefox and Chrome are the safest browsers out there, especially if you use Adblock and NoScript. GOOG has done a remarkable job in making their browser as secure as it can be, with autoupdating, sandboxing and different processes for tabs. They also bundle their own fixed Flash version that updates itself automatically. Microsoft should stop paying for these fake studies.

Who paid? (4, Interesting)

benjymouse (756774) | more than 2 years ago | (#37111592)

This report was produced as part of NSS Labs’ independent testing information services.
Leading vendors were invited to participate fully at no cost, and NSS Labs received no
vendor funding to produce this report.

Firefox still does not have a sandbox in place. That right there is a severe problem. Especially as Firefox is *the* browser with most vulnerabilities. The only thing Mozilla has going for Firefox security is that they are really fast to patch once a vulnerability has become known.

Re:Who paid? (5, Interesting)

Jeremiah Cornelius (137) | more than 2 years ago | (#37111900)

You have a valid point about the sandbox - but the study doesn't really do security a justice, when comparing the browsers.

Malware is seldom a browser injection issue, but is instead vectored through plug-ins (I'm looking at YOU, Adobe!) which are privileged at a higher-level than the "sandboxed" container application.

Flash has been a real horrorshow. It was never designed - rather acquiring tacked-on and retro-fitted capability for dynamic content updating, video playback and scripting with user interactivity, etc.

I could deliver extended anecdotes about the 0-day flash and pdf exploits that I've witnessed, unfolding right in front of me... Suffice it to say, fully patched systems with browser sandboxes are not immune. :-)

The combination of security and privacy extensions that are developed for Firefox are, still, unmatched. Ghostery, AdBlock+ and BetterPrivacy will together prevent the opportunity to ever render many of the malicious, content delivered exploits. They also serve to screen and scrub the most pernicious of web-threats: covert bugging and monitoring of the browser by a third party.

Re:Who paid? (4, Interesting)

benjymouse (756774) | more than 2 years ago | (#37112184)

You have a valid point about the sandbox - but the study doesn't really do security a justice, when comparing the browsers.

Malware is seldom a browser injection issue, but is instead vectored through plug-ins (I'm looking at YOU, Adobe!) which are privileged at a higher-level than the "sandboxed" container application.

No. These days some 85% of infections derive from social engineering. Malware comes in through the user. Vulnerability exploits seems to be a lot less effective these days. Social engineering is precisely what the tested security (reputation) mechanisms are aimed at.

Having said that, yes, Flash is really, really bad. So is Java. And both are rather prolific, regrettably.

I could deliver extended anecdotes about the 0-day flash and pdf exploits that I've witnessed, unfolding right in front of me... Suffice it to say, fully patched systems with browser sandboxes are not immune. :-)

That piques my interest. When was this? AFAIK there has not been a *single* in-the-wild sandbox breach of neither Chrome nor IE (yes, pwn2own demonstrated a combination of 3 techniques which escaped the IE sandbox - but this has not been reported in the wild). Up until some (fast) versions ago, Chrome did not sandbox Flash. IE did that since IE7.

The combination of security and privacy extensions that are developed for Firefox are, still, unmatched. Ghostery, AdBlock+ and BetterPrivacy will together prevent the opportunity to ever render many of the malicious, content delivered exploits. They also serve to screen and scrub the most pernicious of web-threats: covert bugging and monitoring of the browser by a third party.

Whether they are unmatched is a matter of opinion. Firefox requires addons and will block more broadly (which is desirable to some). To me, the fact that FF code quality seems to lack (they have had most vulns reported for the last 5 years going) combined with their nonsensical refusal to implement a sandbox makes it a no-go for me. (I'm, using Chrome, btw).

Re:Who paid? (1)

MozeeToby (1163751) | more than 2 years ago | (#37111902)

Especially as Firefox is *the* browser with most vulnerabilities.

Citation please? Actually don't bother, because the statement is impossible to support with any amount of evidence. Firefox is the only major browser that openly reports vulnerabilities so of course it is going to have the highest publicly countable number. And even if you had an accurate count of known vulnerabilities from the other vendors, known vulnerabilities hardly equates to total vulnerabilities, even less so when every vulnerability is counted as equal to every other one.

Re:Who paid? (5, Informative)

benjymouse (756774) | more than 2 years ago | (#37112068)

Citation please? Actually don't bother, because the statement is impossible to support with any amount of evidence.

2008: http://www.favbrowser.com/firefox-browser-with-the-most-disclosed-vulnerabilities/ [favbrowser.com]

2009: http://tech.blorge.com/Structure:%20/2009/11/09/firefox-leads-in-browser-vulnerabilities/ [blorge.com]

2009: http://www.computerworld.com/s/article/9140582/Firefox_flaws_account_for_44_of_all_browser_bugs [computerworld.com]

You can also query Secunia for vulnerabilities. With the new version number scheme and ultra-fast previous versions retirement (where you are left vulnerable if you don't upgrade immediately), you'll have to grok the numbers somewhat. Basically count the *unique* CVEs affecting all FF versions since -say FF3.5. Do the same for IE8&9. You will not like the result.

Firefox is the only major browser that openly reports vulnerabilities so of course it is going to have the highest publicly countable number.

BS. All the major vendors are obligated to report vulnerabilities through Mitre. All browser vulnerabilities are assigned unique CVEs.

And even if you had an accurate count of known vulnerabilities from the other vendors, known vulnerabilities hardly equates to total vulnerabilities, even less so when every vulnerability is counted as equal to every other one.

If you consider a set of browsers which must be assumes to receive an equal amount of scrutiny (IE,FF,Chrome), if one browser year after year comes out with most vulnerabilities, surely that does say something about code quality.

Re:Who paid? (1)

BagOBones (574735) | more than 2 years ago | (#37112332)

Where are those mod points when you need them?

Re:And who paid for this study? (2, Insightful)

bonch (38532) | more than 2 years ago | (#37111598)

Prediction:

The results are favorable to Microsoft, so there will be a ton of skepticism, investigation, and outright dismissal. However, when studies favorable to this particular community's ideologies are announced, none of that occurs, even though the same kinds of skepticism can and should be applied.

Re:And who paid for this study? (-1, Flamebait)

Jorl17 (1716772) | more than 2 years ago | (#37111660)

No, the same kinds of skepticism shouldn't be applied because it is not exactly the same amount of possible money involved (MS pays big),given that MS owns not only Money but half of the world with its OS. Bullshit.

Bullshit.

Re:And who paid for this study? (0)

Anonymous Coward | more than 2 years ago | (#37111748)

So ideology is incapable of causing corruption, but money is always an indication of corruption, right?

Re:And who paid for this study? (0)

CaptainInnocent (2439004) | more than 2 years ago | (#37111804)

Microsoft is a convicted monopoly, Google is not.

Re:And who paid for this study? (1)

LifesABeach (234436) | more than 2 years ago | (#37112000)

Aye, but Google has yet to kiss the Blarney Stone.

Re:And who paid for this study? (1)

u-235-sentinel (594077) | more than 2 years ago | (#37111886)

So ideology is incapable of causing corruption, but money is always an indication of corruption, right?

Whenever I perform an investigation I first look at who benefited or where the money came from in a case. Generally it's helped in establishing who's guilty as I follow the evidence.

Money is a great place to start if you want a clearer understanding of who's guilty. Depends on the case of course :-)

Re:And who paid for this study? (0)

Anonymous Coward | more than 2 years ago | (#37112204)

Bullshit.

And may I say to you, Jorl17, fuck you. Bonch nailed you square in your tiny dick with his description of the Anti-Microsoft zealots that unfortunately make up a sizable portion of the Slashdot readership. You are just as fucking biased as a Republican or Democrat. Just as diluted as a Christian or Jew. Blind and ignorant, but I'm sure you're so proud of yourself. Again, fuck you.

Re:And who paid for this study? (0)

Anonymous Coward | more than 2 years ago | (#37112386)

You can always trust Jorl17 [slashdot.org] to give you the facts about Microsoft. He's not some hate filled troll. He's fair, balanced, mature, and he honors the GPL.

Kind of correct. (5, Insightful)

khasim (1285) | more than 2 years ago | (#37111692)

The results are favorable to Microsoft, so there will be a ton of skepticism, investigation, and outright dismissal.

Yep. Mostly because Microsoft has a history of purchasing favourable "findings" from "independent" "research" firms.

However, when studies favorable to this particular community's ideologies are announced, none of that occurs, even though the same kinds of skepticism can and should be applied.

Kind of. The process and parameters should always be checked. But the other browsers do not have a history of their parent companies purchasing favourable "findings".

It's called "learning from experience".
There is no reason to forget every past instance when evaluating a new instance. Quite the opposite, in fact.

Re:And who paid for this study? (5, Informative)

bioster (2042418) | more than 2 years ago | (#37111744)

Frankly, the page itself screams bias with the line "has proved once again". I don't recall this being proved in the past, but hey, I try to be open minded. So I threw NSS labs into google, and immediately turned up:
http://www.thetechherald.com/article.php/200912/3268/Can-you-trust-the-NSS-Labs-report-touting-the-benefits-of-IE8 [thetechherald.com]

So apparently they tested IE8 and thought it was awesomesauce. Uhm, ok... I thought IE8 wasn't completely terrible but I wouldn't say it was good. That link seems to think NSS might be a microsoft shill. But ok, I like to be open minded. Let's keep looking. Going down the first page of my google search:
Firewall Vendors Challenge Findings of NSS Labs Report | PCWorld
Haavard - Malware report from NSS Labs manipulates statistics?
Google Responds to NSS Labs Browser Security Report | News
A recent test by NSS Labs gave a near-perfect score to Internet Explorer 9 beta and very poor marks to Chrome and other browsers.


So uhm... yeah... at first glance, I'd say treating them with some skepticism seems more than warranted here.

Re:And who paid for this study? (0)

WrongSizeGlass (838941) | more than 2 years ago | (#37111850)

Prediction:

The results are favorable to Microsoft, so there will be a ton of skepticism, investigation, and outright dismissal.

They didn't test IE 7 or IE 8, both of which have a larger install base than IE 9. They also should have tested Firefox 3.

I predict this study won't represent that majority of browsers installed on people's computers.

Re:And who paid for this study? (0)

Anonymous Coward | more than 2 years ago | (#37111958)

IE users wouldn't know how to tell the difference between browsers anyway. They would read this and think their IE version 6 is the best.

Re:And who paid for this study? (2)

Matheus (586080) | more than 2 years ago | (#37112180)

...and I respectfully ask: Who cares?

The study is comparing the latest released versions of the major browsers to show who can handle current threats. IMHO if you are still using an outdated browser then you have no right to feel all warm and fuzzy with your security.

Step 1: Upgrade to latest version of browser of your choice.
Step 2: THEN decide if this study gives you reason to want to switch to IE (of said latest version)

I predict you didn't RTFA and are doing exactly what Parent said only trying to sound smarter about it.

Re:And who paid for this study? (1)

elrous0 (869638) | more than 2 years ago | (#37111632)

Firefox and Chrome are the safest browsers out there, especially if you use Adblock and NoScript

Chrome doesn't have NoScript. The closest they have it NotScripts [wikipedia.org] , which sucks by comparison. Nothing, IMHO, can touch Firefox with AdBlock and NoScript. Comparing any other browser to that configuration should almost have to come with an asterisk indicating that, though X browser may be more secure in the STOCK version, nothing compares to the POTENTIAL security of Firefox with the right add-ons.

Re:And who paid for this study? (1)

The MAZZTer (911996) | more than 2 years ago | (#37111782)

Chrome actually has built-in support for basic NoScript-like behavior. Block all JS and Plugins and you can whitelist sites from the omnibox. Only downside is, unlike NoScript, you only whitelist the domain in the address bar to allow ANY origin script/plugin embedded in it, including ads and tracking scripts and the like. This is also a problem when you have sites like ytmnd or deviantart with tons of domains, but you can always go into options and add a blanket whitelist for the whole domain.

Re:And who paid for this study? (2)

Ryantology (2388210) | more than 2 years ago | (#37111978)

Of course, in the wider scheme of things, a browser's stock security is probably more important because add-ons and extensions are effective only if a person is aware of them and takes the time to install them. I'm sure a lot of people don't know to do this, or know and don't bother.

Re:And who paid for this study? (1)

jd (1658) | more than 2 years ago | (#37111684)

It could be a study by a PC vendor involving 1,188 sites with Apple malware. (They have to include IE after all, and nobody likes looking like a fool.) Or it could be a genuine study by a really bad security guy (all the browsers support Selenium, so they could have automated tests against as many URLs as they liked - a mere thousand in an automated test is really not that many, given that they'll have been testing against similar attack vectors in many cases).

Not that it matters much. It's not like the most vulnerable users read studies and it's not like those who read studies will pay much attention to anything that advocates one browser over another since many geeks tend to be rather more passionate about what they're seen with than with instantaneous snapshots that won't be valid the next day anyway.

wrong question (0)

poetmatt (793785) | more than 2 years ago | (#37111798)

Wrong question with "firefox is better", etc etc. The real question is, who the hell uses IE9 in the first place?

I dont' care how good it is at "blocking malicious content" if the underlying OS is still completely unsafe, which is due to what consumers put on their PC's.

End result = IE9 could be bulletproof and the OS will still be pwned a million times over.

Re:wrong question (1)

Anonymous Coward | more than 2 years ago | (#37111950)

Please cite your source that Windows 7 is less safe compared to other modern OSs? I say Windows 7 because IE9 won't work on Windows XP.

I grant you that users can be stupid, but that's not the fault of the OS.

Who uses IE 9? (1)

westlake (615356) | more than 2 years ago | (#37112252)

Wrong question with "firefox is better", etc etc. The real question is, who the hell uses IE9 in the first place?

About 7 in 10 Windows 7 users in the states.

As we've mentioned before, Microsoft skipped XP support for Internet Explorer 9 in order to compete more effectively on Windows 7. In July on Windows 7, Internet Explorer 9 hit 18.5% share worldwide and 24.8% in the United States. There are indications that this strategy is working. Although Internet Explorer lost usage share on XP, on Windows 7, Microsoft increased global usage share, going from 54.6% in June to 54.8% in July. And in the U.S., Internet Explorer share on Windows 7 grew 0.6% to 68.1%.

Browser Wars [hitslink.com] [August 1, 2011]

I dont' care how good it is at "blocking malicious content" if the underlying OS is still completely unsafe, which is due to what consumers put on their PC's.

Unpatched 0%
Vendor Patch 100%

Microsoft Windows 7 Solution Status (Based on 28 advisories from 2011) [secunia.com]

Re:And who paid for this study? (0)

Anonymous Coward | more than 2 years ago | (#37111922)

If running NoScript is a criteria, then I'm pretty sure Lynx is safer.

Re:And who paid for this study? (2)

amicusNYCL (1538833) | more than 2 years ago | (#37112336)

I'm fairly sure both Firefox and Chrome are the safest browsers out there

Well shit, man, what the hell are you doing? Have you contacted the authors of the study to inform them that you are "fairly sure"? I'm sure this is information that will be useful to them. All they have now are one thousand, one hundred and eighty-eight data points for each of five browsers, I doubt they even allowed themselves to dream that you would be "fairly sure" about what they were trying to study. I'm fairly sure that they only reason they didn't contact you first to get your input was because they never dreamed it possible.

especially if you use Adblock and NoScript

Don't look now, Sport, but AdBlock and NoScript aren't part of Firefox. I know this because my installation of Firefox doesn't include either of them. If Mozilla wants to enjoy the benefits of those extensions for studies like this one then they should merge them into the trunk. Any respectable study should test the vanilla browser as it ships from the vendor, without changing any defaults.

It should be zero surprise to anyone that Microsoft puts a heavy focus on security for IE9+. Microsoft has been hammered for a long time about IE's poor security, if there's any single browser vendor that would put a disproportionate amount of development work into security features, it's Microsoft. Hell, that's probably why they still lack support in other areas.

Well (0)

Anonymous Coward | more than 2 years ago | (#37111544)

You could say it's beating off the competition.

see this rock here? (0)

Anonymous Coward | more than 2 years ago | (#37111562)

This rock beats IE9 at blocking all malicious content. You plug your keyboard, mouse, and monitor into it and I guarantee, you will see NO malicious content.

missed the 'many' times before... (0)

Anonymous Coward | more than 2 years ago | (#37111570)

"has proved once again"

uh-huhhhhhhhh....

Re:missed the 'many' times before... (0)

mfh (56) | more than 2 years ago | (#37111816)

I proved that the Earth is flat. Just now.

I placed my coffee on my desk and it didn't roll off therefore the EARTH MUST BE FLAT!

Once again, I am as smart as Microsoft.

Re:missed the 'many' times before... (1)

Riceballsan (816702) | more than 2 years ago | (#37112172)

Well it is true that this is at least the second time Microsoft has proven that IE blocks more dangerous URLs, but the bigger question is, which browser actually catches infections from the URLs. Via this study it would consider me browsing to a site infected with a script that can't even have a chance of infecting my computer as a failure (say whatever vulnerability the site attempts to take advantage of was already patched 3 years prior, or never even effected the browser being tested). While simultaneously ignoring the risk of infections from legitimate sites that chose to display the wrong advertisement, or were hacked.

I still think... (1)

jd (1658) | more than 2 years ago | (#37111572)

Lynx is safer still. Some of the browsers for Emacs are fairly secure, too.

Re:I still think... (2)

Nimey (114278) | more than 2 years ago | (#37111582)

How secure can Emacs be with all that malicious Lisp code floating around?

Re:I still think... (1)

Samantha Wright (1324923) | more than 2 years ago | (#37111788)

As a Discordian, aren't you bound by religious law to defend the honour of the Lambda Calculus?

Re:I still think... (1)

obarel (670863) | more than 2 years ago | (#37111864)

I am the psychotherapist. Please, describe your problems. Each time
you are finished talking, type RET twice.

How secure can Emacs be with all that malicious Lisp code floating around?

Are you sure malicious lisp code floating around?

Re:I still think... (0)

Anonymous Coward | more than 2 years ago | (#37112460)

Uncle billy knows what is good for me?? RET RET

Re:I still think... (1)

impaledsunset (1337701) | more than 2 years ago | (#37112276)

While Lynx is probably very secure right now, it has seen a security hole or two: https://secunia.com/advisories/product/5883/?task=advisories [secunia.com]

Just because it is a text browser with very little features doesn't necessarily make it safe, although the chances for a vulnerability are lower under the *same* conditions.

Bwhahahahahah (0)

mfh (56) | more than 2 years ago | (#37111610)

That is all.

Nice try (2)

Lysander7 (2085382) | more than 2 years ago | (#37111616)

I almost believed this story, then, with my superior intelligence (as shown by my browser, Opera) I realized that this story is probably pulled out someone's ass.

Re:Nice try (2)

Errtu76 (776778) | more than 2 years ago | (#37111722)

Nice reference :)

Re:Nice try (4, Insightful)

mckinnsb (984522) | more than 2 years ago | (#37111874)

If by "pulled out of someone's ass" you mean "they engineered the test to perform best with Internet Explorer 9", then completely.

The main center-point of this test was evaluating a "cloud based trust ranking algorithm". But the study provides no evidence that these algorithmns exist in any of the browsers; its a simple assumption which is likely false (especially when you look at the graphs). What the graphs are really showing is the performance of each browser's black list versus a set of URLs they selected, and not randomly.

If you look at the graphs themselves, they actually don't show the action of any algorithm (which would likely linearly increase or show volatility); in fact, IE9 (With App Rep) is simply a straight line. It's pretty clear that the URLs they used were already in the black list before hand, and that straight line is a continual rejection of them.

Testing a browsers ability to 'blacklist' websites is fine, I guess, but my first problem with this study is that's not the only way to measure 'security'. My second problem is that there's no evidence that the browsers themselves actually perform this activity, making the tests in the study feel like "studying the maximum (flying) climb speed of humans, rats, horses, and bats". My third - and the most troubling - problem is that they don't provide any information as to how these lists were obtained. They only say they tried to "mix URLs so as to make sure that certain domains were not overemphasized", and "NSS Labs operates its own network of spam traps and honeypots.", in addition to "In addition, NSS Labs maintains relationships with other independent security researchers, networks, and security companies,".You can assume without being overly bold that this list could have been a list of URLs that they knew IE would block. Conversely, you could probably easily design a similar test that would have Chrome at 100% block rate, and IE 9 at 10% - it's merely a measure of "what sites were in our test pool that are also in the browser's black list"

Pffft.

Re:Nice try (1)

93 Escort Wagon (326346) | more than 2 years ago | (#37112092)

If by "pulled out of someone's ass" you mean "they engineered the test to perform best with Internet Explorer 9", then completely.

Studies have shown that random detritus pulled out of someone's ass performs best on IE9!

Re:Nice try (1)

93 Escort Wagon (326346) | more than 2 years ago | (#37112070)

I almost believed this story, then, with my superior intelligence (as shown by my browser, Opera) I realized that this story is probably pulled out someone's ass.

Someone with superior intelligence probably would've remembered the correlation between browser usage and IQ was shown to be an elaborate hoax [digitaljournal.com] .

(Yes I know you weren't being serious, but feel free to "whoosh" anyway)

Re:Nice try (1)

Lysander7 (2085382) | more than 2 years ago | (#37112344)

If I knew how to embed links in posts, I would have done so in mine. :l

IE9 Downloads (0)

Anonymous Coward | more than 2 years ago | (#37111624)

It would be HELPFUL if IE9 showed the transfer rate on a download. It didn't when I tried it a while back, and I'm not especially eager about downloading it again to see. Firefox for me it is.

Re:IE9 Downloads (1)

game kid (805301) | more than 2 years ago | (#37111836)

It does now (Ctrl+J after you start downloading, then check the Location column for each file). It didn't in pre-release versions (I forget which, but I used them).

How come? (0)

Tei (520358) | more than 2 years ago | (#37111630)

And what or who has installed IE9 to begin first? Whos so crazy to navigate internet with a IE explorer?

Re:How come? (2)

karnal (22275) | more than 2 years ago | (#37111990)

I don't know, but I use my PIN number at the ATM machine all the time now!

If you block everything, your score is 100% (5, Insightful)

Anonymous Coward | more than 2 years ago | (#37111652)

MSIE got the highest "malware detection rate" because they used it in a mode where nearly every page is marked as "dangerous". It had the highest detection rate but also the highest false positive rate.

If I sit at the airport saying "that plane is going to crash" for every plane that takes off, and eventually get it right, that doesn't mean I'm able to predict which planes are going to crash (even though I got "100% of the crashes" right)...

Re:If you block everything, your score is 100% (1, Informative)

RKThoadan (89437) | more than 2 years ago | (#37111758)

Finally! A legitimate complaint about the study. I was beginning to doubt we could do anything other than beat our chests and say "MS BAD!" Kudos to you!

Re:If you block everything, your score is 100% (0)

Anonymous Coward | more than 2 years ago | (#37112448)

Finally! A legitimate complaint about the study. I was beginning to doubt we could do anything other than beat our chests and say "MS BAD!" Kudos to you!

Are you being sarcastic? Because the FTA doesn't say anything close to supporting that claim. So it is just an unsupported "MS BAD" response.

Re:If you block everything, your score is 100% (1)

Anonymous Coward | more than 2 years ago | (#37112032)

You might want to actually read the study because it doesn't say that anywhere.

Re:If you block everything, your score is 100% (1)

93 Escort Wagon (326346) | more than 2 years ago | (#37112106)

If I sit at the airport saying "that plane is going to crash" for every plane that takes off, and eventually get it right, that doesn't mean I'm able to predict which planes are going to crash (even though I got "100% of the crashes" right)...

I don't think you'll be allowed to sit there long enough to make your scenario statistically likely.

As a matter of fact, I doubt you'll get the chance to observe more than one plane taking off.

Re:If you block everything, your score is 100% (1)

F.Ultra (1673484) | more than 2 years ago | (#37112302)

He doesn't have to speak out loud.

Re:If you block everything, your score is 100% (0)

Anonymous Coward | more than 2 years ago | (#37112198)

In all reality, that is actually the least secure mode. People will either disable protection completely or get so used to clicking through that they will do it even on bad sites. Just looked what happened with UAC.

Is it safer than FF + NoScript + GNU/Linux? (1)

impaledsunset (1337701) | more than 2 years ago | (#37112290)

Is IE9 safer than Firefox + NoScript running on a non-Windows operating system that's less targeted by malware authors?

Re:If you block everything, your score is 100% (0)

Anonymous Coward | more than 2 years ago | (#37112464)

Can you put this in terms of cars?

They need it most (0)

Anonymous Coward | more than 2 years ago | (#37111656)

subject

NSS Labs is MS Shill (0)

gtall (79522) | more than 2 years ago | (#37111670)

Please, NSS Labs is just another Microsoft shill organization. Check out what they did for Explorer 8.

Re:NSS Labs is MS Shill (2)

Baloroth (2370816) | more than 2 years ago | (#37111914)

They also made a few technical errors in the report, at least surrounding Opera. At one point, they list "Opera 10" as having 6.1% block rate, yet earlier in the report they list that as the rate for Opera 11 and Opera 10's rate as 0.00%. That, combined with the absolutely gushing praise for IE9 and its App block (or w/e they call it) filter lead me to suspect quite strongly that this is just another MS paid add by an "independent" (i.e. not directly MS-owned) company.

No technical examination of any other browser's malware blocking was mentioned. Nor did they seem to do any testing of add-ons or extensions. I imagine Add-block alone probably blocks many malicious sites. Oh, and no list of URL's tested was given. Even if this wasn't horribly biased (which I doubt), it was terribly conducted technically speaking.

incorrect summary (0)

Anonymous Coward | more than 2 years ago | (#37111688)

They found IE9 to be the best choice to defend against attacks aimed at IE9. Other browsers where found to be severely lacking in in defending against attacks aimed at IE9.

Re:incorrect summary (0)

Anonymous Coward | more than 2 years ago | (#37111812)

. . . doesn't that make the other browsers even worse?

Re:incorrect summary (1)

losfromla (1294594) | more than 2 years ago | (#37111966)

I didn't RTFA but, superficially thinking about it, it seems that other browsers would not be vulnerable to attacks aimed at IE9 and so would not detect anything malicious; hell, the attack might not even launch if it doesn't detect an IE9 browser.

Re:incorrect summary (0)

Anonymous Coward | more than 2 years ago | (#37112110)

lol, if you use another browser than IE9 then you don't need to defend against attacks aimed at IE9.

Re:incorrect summary (1)

gdshaw (1015745) | more than 2 years ago | (#37112024)

They found IE9 to be the best choice to defend against attacks aimed at IE9. Other browsers where found to be severely lacking in in defending against attacks aimed at IE9.

Not only that, but they ran all of the tests on Windows. That is hardly the platform that you would choose if you were trying to block malware, so given a free choice of platform IE would be at a severe disadvantage because it is tied to Windows[1]. The test nullifies that disadvantage by making all of the browsers play on Microsoft's home ground. I don't see how they could possibly claim that this was an unbiased test.

[1] unless you count IE5 on Mac OS, which is unlikely to win any prizes in this contest.

Not good comparison (0)

Anonymous Coward | more than 2 years ago | (#37111706)

>catching attacks aimed at making the user download Web-based malware

so what it compares is how stupid the company views the end-user....and i would like to see a comparison of what site Microsoft blocks as 'malicious' to what other browsers block

Firefox and Chrome have different results (0)

Anonymous Coward | more than 2 years ago | (#37111708)

I could have sworn that Firefox and Chrome both used the same list of websites from Google. If so, how did the applications vary so much? Something else must be going on.

Re:Firefox and Chrome have different results (1)

Skuto (171945) | more than 2 years ago | (#37112020)

The protocol for doing so has been extended to include malware downloads at some point, and Chrome implements this, but this part of the protocol is not documented, so Firefox (and Safari) don't.

Easy to Pass the Test (0)

Anonymous Coward | more than 2 years ago | (#37111714)

... when you are the one providing it to the company testing you.

NSS Labs: The best studies money can buy (4, Insightful)

thoromyr (673646) | more than 2 years ago | (#37111724)

Of course, when your methodology is that only the bare browser configuration is allowed (e.g., no AdBlockPlus, no NoScript) and you carefully select the malware URLs (obtained from "honey pot" email addresses and then filtered, and then "prune out non-conforming URLs" -- without fully specifying what made them non-conforming) *and* require the malware URLs to be live for at least 6 consecutive hours it gets a lot easier to massage the results. To further exaggerate results not only does a "hit" increase the score but a "miss" decreases it to magnify the difference.

This is the same song as they sang about IE8 with the same, predictable, results. Microsoft didn't pay them a wad of money for this study for nothing.

Re:NSS Labs: The best studies money can buy (2)

The MAZZTer (911996) | more than 2 years ago | (#37111800)

To be fair I can imagine a lot of Firefox users not even knowing add-ons exist.

Re:NSS Labs: The best studies money can buy (0)

Anonymous Coward | more than 2 years ago | (#37111872)

True I wonder what the safest out of the box browser is with default configurations.

Re:NSS Labs: The best studies money can buy (3, Interesting)

cobrausn (1915176) | more than 2 years ago | (#37111810)

What is wrong with testing the bare browser configuration? Aren't we trying to protect those who are most likely to download malware by accident, i.e., those who are also unlikely to install AdBlockPlus and NoScript?

Re:NSS Labs: The best studies money can buy (1)

_0xd0ad (1974778) | more than 2 years ago | (#37111860)

I don't care about them; I care about how secure my browser is, and my friends' and parents' browsers, which I've configured similarly to mine. As far as I'm concerned, even if the virus gets as far as downloading its executable, just as long as MSE stops it when they try to launch it I consider that a successfully thwarted attack.

Re:NSS Labs: The best studies money can buy (1)

uigrad_2000 (398500) | more than 2 years ago | (#37112064)

I don't care about them; I care about how secure my browser is...

Actually, I do care about them, but they aren't really relevant. Someone who doesn't know about extensions is not going to be reading studies about browser safety.

The study should consider the audience. Anyone digging for information about browser security is going to know about noscript.

Even if noscript wasn't one of the most commonly installed browser addon, an article about browser security should certainly discuss it. The .pdf with the results is 21 pages long, and doesn't even mention noscript, yet claims to be a study on browser security. That proves (to me) that there must have been an ulterior motive behind this study.

Re:NSS Labs: The best studies money can buy (1)

thoromyr (673646) | more than 2 years ago | (#37112030)

Ah, so you ignore the rest of their methodology because it was clearly indefensible?

If the study was really aimed at identifying browser security then a NoScript enabled browser *should* be part of the test. It would illustrate the difference between not using NoScript and using NoScript. It would illustrate the difference between IE9 and FF with NoScript. There are two problems with that:

1. Due to their mechanism for grossly exaggerating minute variations, it would sink IE9 as being the run away favorite. Except for number two.

2. Due to how the study was carefully constructed it wouldn't make any difference (FF with NoScript wouldn't tell the user they'd just been protected -- it would just silently happen -- so FF would *still* be down graded).

Since people don't tend to read the article (much less the NSS Lab's purchased findings that were mislabelled as a study)

> Success: NSS Labs defines success based upon a web browser successfully preventing
> malware from being downloaded *and* correctly issuing a warning.

Re:NSS Labs: The best studies money can buy (1)

cobrausn (1915176) | more than 2 years ago | (#37112342)

I ignored the rest of the methodology because I didn't agree with it. I chose to defend the one point that I saw of value - testing unmodified browsers against each other. You know, the kind that non-geeks use. That's it. Anything else you are reading from my original post is imagined.

Re:NSS Labs: The best studies money can buy (1)

benjymouse (756774) | more than 2 years ago | (#37112346)

Since people don't tend to read the article (much less the NSS Lab's purchased findings that were mislabelled as a study)

So did you read the study? Did you come across the following section?

This report was produced as part of NSS Labs’ independent testing information services.
Leading vendors were invited to participate fully at no cost, and NSS Labs received no
vendor funding to produce this report.

Actually, this is a running study, so it also reflects the speed by which the browser vendors update their respective reputation databases. Some 85 new urls were entered on average each day (after being confirmed as malware-serving urls) throughout the quarter. NSS releases these results each quarter.

Re:NSS Labs: The best studies money can buy (1)

Nimey (114278) | more than 2 years ago | (#37112038)

Your average luser isn't going to know about ABP or NS.

Try again.

Re:NSS Labs: The best studies money can buy (1)

Sebastopol (189276) | more than 2 years ago | (#37112310)

How do you know MS paid for this?

Re:NSS Labs: The best studies money can buy (0)

thoromyr (673646) | more than 2 years ago | (#37112528)

uh, because it is clearly stated? You *do* know how to read, don't you? And they paid for the last "study" as well. Microsoft pays for lots of studies. I seem to recall RedHat purchasing a study or two. IBM does it. Just because the practice is common doesn't mean the "bought and paid for" studies shouldn't be mocked.

Re:NSS Labs: The best studies money can buy (1)

amicusNYCL (1538833) | more than 2 years ago | (#37112446)

when your methodology is that only the bare browser configuration is allowed (e.g., no AdBlockPlus, no NoScript)...

... then you're doing it right. If Mozilla wants the benefit of extensions for studies, then merge them into the trunk. Because right now, neither ABP nor NoScript are part of Firefox. There's no reason that something testing Firefox should test those.

Yeah.... no. (1)

_0xd0ad (1974778) | more than 2 years ago | (#37111784)

IE's idiot mode where it tells you "I'm sorry, Dave, I'm afraid I can't do that" might be better at keeping users off bad websites than other browsers, okay.

Give me a study that shows the actual infection rate once you've visited the site; I'm betting that the scores would look different then.

IE 9 does not work with XP (1)

Newer Guy (520108) | more than 2 years ago | (#37111876)

IE 9 does not work with XP-the most used OS in the world.

Re:IE 9 does not work with XP (0)

Anonymous Coward | more than 2 years ago | (#37112052)

By businesses you mean. Remainder of the install base is mainly grandmas.

It has to be (1)

tehniobium (1042240) | more than 2 years ago | (#37111896)

Well IE9 HAS to be the best at "catching attacks aimed at making the user download Web-based malware".

That's because only the most stupid web user (read: the most stupid 50%) click banners which go "OMG YOU MUST MAKE YOU COMPUTER FAST AND NOT HAVE VIRUZES NAO!". And yes...they are using Internet Explorer, because quite frankly, they aren't smart enough to spot that Chrome/Firefox are better than IE.

Re:It has to be (1)

Anonymous Coward | more than 2 years ago | (#37112548)

aren't smart enough to spot that Chrome/Firefox

Chrome/Firefox/Opera/Gnuzilla/Ice Weasel/Lynx/Camino/Skyfire/Konqueror/Safari/RockMelt/EMacs/w3m...............

are better than IE.

FF4 - How unfair! (3, Insightful)

pseudorand (603231) | more than 2 years ago | (#37111912)

Yet again another M$ sponsored study makes IE look better by using an ancient version of Firefox. FF4 is like way out of date. How dare they make such claims.

Re:FF4 - How unfair! (1)

vlueboy (1799360) | more than 2 years ago | (#37112080)

LOL. Another one in a slippery rope of drawbacks to version inflation death: Even the studies that are supposed to praise you cannot honestly keep.

FF6 was officially released *today*, making the results look ancient because we still expect a major number to last a full year or two for FF. Sadly, I couldn't find much web feedback of this "brand new" version in my native language (a nice way to avoid all the shills and paid reviewers so deeply ingrained in the English-US blogosphere). Zero feedback means I'd look at FF5, but I've never installed it, so it's iffy. The catch 22 is that 4 didn't make stellar grades in this study, so 6 can't be all that much better, with just 6 months of cooking time, can it?

And that, my friends, is the whole thought process that finally drove Mozilla to the madness that was "we're now planning to go all version agnostic [slashdot.org] YEA!"

Re:FF4 - How unfair! (1)

Skuto (171945) | more than 2 years ago | (#37112352)

Malware/phishing protection in Firefox has been essentially unchanged since Firefox 2 received code to do this from Google using their SafeBrowsing service, and Firefox 3.5, 4, 5, 6, 7 and 8 will behave identical, the performance being determined by the Google service.

I don't know of any active efforts inside Mozilla or by the community at large to improve it.

microsoft... mroe like shitrosoft (0)

Anonymous Coward | more than 2 years ago | (#37111952)

OSX IS BETTER /thread

Hahahaahaa - security is much better when you (0)

unity100 (970058) | more than 2 years ago | (#37112120)

block as many things as you can. i wonder how many legitimate sites were caught in those blockings. why not block it altogether and only allow microsoft or orher corporate sites ? - wait - there could still be xss attacks.

ps : the typo r in the word 'other' is intentional. i bet a lot of you grammar nazis went berserk in the duration of one and a half sentence in between that word and this disclaimer.

message : grammar nazism is bad for your health. content over form. yadda yadda. grow up.

Why the other browsers won't get IE's score (2)

Skuto (171945) | more than 2 years ago | (#37112126)

1) The false positive rate of IE is very high. It should be obvious that if you give a lot of false warnings, users will disable or ignore the feature, making it worthless. IE already warns if you download something uncommon, for crying out loud.

2) This "cloud based protection", tracking, among other things, popular downloads, means that info about visited URLs gets sent to Microsoft. There are privacy issues with such a system.

Well duh (1)

davidbrit2 (775091) | more than 2 years ago | (#37112226)

You try delivering malware through all those Javascript and CSS compatibility issues.

Browser versions??? (2)

aglider (2435074) | more than 2 years ago | (#37112260)

The choice is quite interesting ... Opera 11 dates back to 16.12.2010 and Safari 5 to 17.6.2010.

Mozilla Firefox v4 entered the "end of life" on May 25, 2011.
Chrome 12 dates back to 07.06.2011, but that's v12.0.742.

Without proper version numbers all those tests are at least dubious.

IE 9 can beat Firefox and Chrome all it likes (0)

John Allsup (987) | more than 2 years ago | (#37112358)

It doesn't hurt, and IE 9 has no free foundations, so I can't really accept it. Firefox works just fine, as does Chromium, under Ubuntu. Under Windoze I use FF also. IE just isn't relevant anymore. Microsoft should GPL the source of IE... then it would be a real player in the browser market, but for now it is their pet and not mine, and they can keep it.

Comparing Apples to seeds (0)

Anonymous Coward | more than 2 years ago | (#37112378)

I'd like to see how Firefox + WOT perform in such a test.

While many browsers are base platforms that allow users the freedom to modify and extend as they, and the community, see fit, Microsoft targets its core user base (businesses and Mom & Dad) with an all-inclusive user portal to the world. IE9 deftly includes a reputation-based scoring and warning system that scored them huge points in this test. Firefox developers, OTOH, allow the community to provide such functionality, recognizing that it isn't for everyone and is better left to the community to provide add-ons like WOT (Web of Trust). To integrate such a service into the core browser would saddle the Mozilla Foundation with the need to maintain a cloud-based service to support it.

BTW, NSS claims that their work is no longer vendor-funded: http://www.networkworld.com/news/2009/091009-nss-labs-independent-testing.html Who, then is footing the bill for this "free" study & report, when all of their neutral studies are non-free?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>