Microsoft Says IE9 Blocks More Malware Than Chrome

Unknown Lamer posted more than 2 years ago | from the i-heard-macs-don't-get-viruses dept.

Microsoft 226

CSHARP123 writes "In a move that's sure to raise some eyebrows, Microsoft today debuted a new web site designed to raise awareness of security issues in web browsers. When you visit the site, called Your Browser Matters, it allows you to see a score for the browser you're using. Only IE, Chrome, or Firefox are included — other browsers are excluded. Not surprisingly, Microsoft's latest release, Internet Explorer 9, gets a perfect 4 out of 4. Chrome or Firefox do not even come close to the score of 4. Even though the web site makes it easy for users to upgrade to the latest version of their choice of browser, Roger Capriotti hopes people will choose IE9, as it blocks more malware compared to Chrome or Firefox." Of note in the Windows Team post is that the latest Microsoft Security Intelligence Report discovered that 0-day exploits account for a mere tenth of a percent of all intrusions. Holes in outdated software and social engineering account for the majority of successful attacks.

NoScript (5, Insightful)

Hatta (162192) | more than 2 years ago | (#37684026)

NoScript blocks more malware than either.

Re:NoScript (4, Insightful)

North Korea (2457866) | more than 2 years ago | (#37684058)

Yes, and it is a pain in the ass to use and something that no normal person will ever do. Hell, even I don't want to use it while being a geek and fully understanding its potential... but it's just such a pain in the ass.

Re:NoScript (3, Insightful)

Hatta (162192) | more than 2 years ago | (#37684134)

If my artist girlfriend can use it with no instruction from me, complaints about complexity ring hollow.

Personally, I find that javascript on average detracts more from the browsing experience than it adds. Slashdot is a perfect example, it's simply not usable with javascript enabled. So even if there was no security benefit at all, it would still be less of a pain in the ass to use NoScript than it would be to browse without it.

Re:NoScript (3, Insightful)

TechLA (2482532) | more than 2 years ago | (#37684182)

No one talked about complexity, but just being a pain in the ass to use. You always have to keep reloading sites, allowing scripts and so on when you go to new sites. And if you just allow most, then there's no point anyway. Most of the internet now relies on JavaScript and it really does make things easier, allows AJAX and so on. You break a lot of functionality without JavaScript. Yes, most good sites allow non-javascript fallback, but it's not as nice as with JavaScript enabled.

Re:NoScript (0)

rahvin112 (446269) | more than 2 years ago | (#37684202)

After my wife caught a real nasty malware from surfing I've got her to use noscript. And if she can use it, anyone could. Really it takes all of about a day to get all your standard major websites whitelisted. Then it's just a matter of the occasional visited sites. In general I just temp approve, even on my normal sites unless the entire site is non functional without JS in which case I probably don't even use the site. Most of the places I visit work fine without JS on so I don't even bother. And without JS there is almost no risk from malware.

Re:NoScript (1)

amicusNYCL (1538833) | more than 2 years ago | (#37684416)

Slashdot is a perfect example, it's simply not usable with javascript enabled.

So how do you explain all of the people, like myself, who use Slashdot with Javascript enabled? Your credibility is starting to ring a bit hollow. A lack of Javascript is not a security panacea, not by a long shot. Plugins are the problem, not scripting. Scripting only matters if you're defending against a script injection attack. It doesn't do squat if the server was hacked and the page has an iframe pointing to a PDF, Java applet, or Flash movie, and it does even less against a site that is simply malicious.

Re:NoScript (1)

Nadaka (224565) | more than 2 years ago | (#37684514)

Sure it does, noscript blocks PDFs, applets and flash by default. This means that they can't sneak a hidden plugin attack in. The only way for those plugin attacks to work is if you intentionally approve the content.

Re:NoScript (1)

amicusNYCL (1538833) | more than 2 years ago | (#37684618)

Why not just set the browser to only load plugins on-demand? Is that possible with vanilla Firefox?

Re:NoScript (1)

errandum (2014454) | more than 2 years ago | (#37684532)

I also use Slashdot with javascript enabled, but noscript, by default, also blocks the loading of those plugins in untrusted sites.

Re:NoScript (1)

causality (777677) | more than 2 years ago | (#37684646)

Slashdot is a perfect example, it's simply not usable with javascript enabled.

So how do you explain all of the people, like myself, who use Slashdot with Javascript enabled? Your credibility is starting to ring a bit hollow. A lack of Javascript is not a security panacea, not by a long shot. Plugins are the problem, not scripting. Scripting only matters if you're defending against a script injection attack. It doesn't do squat if the server was hacked and the page has an iframe pointing to a PDF, Java applet, or Flash movie, and it does even less against a site that is simply malicious.

Did you know: NoScript blocks plugins, movies, and applets too? You would have known that, if you were actually in a good position to form an opinion about it. There's a reason it is "NoScript" not "NoJavaScript". Basically NoScript means you get just the basic page layout with nothing "active" like movies or scripts unless you explicitly choose to enable them on a case-by-case basis. To reiterate, you should really understand the most basic functions of NoScript if you're going to comment on it.

Also, I don't recall anyone saying anything was a panacea. Since no one made this claim, what purpose does it serve to refute it? There is no security panacea anywhere. Therefore, to say "X is not a security panacea" is a statement of the obvious. There are no 90-foot purple newts either, by the way. Just like your parroting someone else [slashdot.org] who used the phrase "ring hollow", apparently as a sort of mockery, this is a sign of a content-free post based on emotion.

They do still teach lawyers how to construct an argument, right?

Re:NoScript (1)

amicusNYCL (1538833) | more than 2 years ago | (#37684768)

Did you know: NoScript blocks plugins, movies, and applets too?

Obviously not. I try to avoid Firefox, and I don't need the functionality of NoScript in my browser of choice because most of it is built-in.

There's a reason it is "NoScript" not "NoJavaScript".

Since plugin blocking was added after the initial release, the initial intention (and name) was in fact blocking Javascript. From the changelog, it appears that plugin blocking was added in 1.1.

They do still teach lawyers how to construct an argument, right?

I wouldn't know, I'm not a lawyer, I just appreciate the work of some of them.

Re:NoScript (1)

causality (777677) | more than 2 years ago | (#37684854)

Obviously not. I try to avoid Firefox, and I don't need the functionality of NoScript in my browser of choice because most of it is built-in.

Fair enough, but can you see why that wouldn't put you in a good position to form opinions about it?

Since plugin blocking was added after the initial release, the initial intention (and name) was in fact blocking Javascript. From the changelog, it appears that plugin blocking was added in 1.1.

The initial release of Microsoft Windows was a graphical shell that ran on top of DOS. So that means Windows 7 is still based on 16-bit code, right? Because we all know, nothing ever grows or expands or evolves beyond its initial origins.

I wouldn't know, I'm not a lawyer, I just appreciate the work of some of them.

See there I did make an assumption and you rightly called me on it. I don't mind. Goose, gander, and all of that. Of course I could try to weasel out of that and say something like "could you appreciate the way they construct and deconstruct lines of reasoning too?" but that'd be less honest.

Re:NoScript (1)

amicusNYCL (1538833) | more than 2 years ago | (#37684948)

Fair enough, but can you see why that wouldn't put you in a good position to form opinions about it?

I can form an opinion about whatever I want, but I acknowledge that it's unwise to comment on features without knowing them. I haven't used NoScript in years.

The initial release of Microsoft Windows was a graphical shell that ran on top of DOS. So that means Windows 7 is still based on 16-bit code, right? Because we all know, nothing ever grows or expands or evolves beyond its initial origins.

You're still talking about the origin of the name "NoScript", right?

Re:NoScript (1)

recoiledsnake (879048) | more than 2 years ago | (#37684064)

NoInternet blocks everything except those from local storage.

Expecting novice users to understand and use NoScript is not tenable.

Re:NoScript (0)

Anonymous Coward | more than 2 years ago | (#37684358)

I don't know, I ninja-installed NoScript on my mom's laptop, and showing her just how many sites needed to be running code on her computer to play facebook games scared her a little. That was the entire point of the exercise, so it was a win for me.

Re:NoScript (1)

causality (777677) | more than 2 years ago | (#37684792)

NoInternet blocks everything except those from local storage.

Expecting novice users to understand and use NoScript is not tenable.

To expect them to automatically understand it "out of the box" as though their spirit guide slipped the knowledge into their minds while they slept, no that is not tenable. The expectation is that there will be a short period of adjustment that any literate adult of below-average or higher intelligence should be able to handle.

What's REALLY not tenable and is accumulating untold amounts of cost and damage, is this un-negotiated, unwritten, often unspoken default assumption that "novice" should be a permanent state and not one that is soon outgrown with acquired experience. Naturally the implication is that someone who was paying attention, who maybe read a FAQ or a manual once in a while, should bear both his own burdens and those of a permanent novice. How nice to be so entitled to another's efforts, to scream and cry whenever same is denied. Heaven forbid the novice ever be told to do anything different. That would make you a big meanie.

I suppose the "right" to never be challenged by anything is taking its place next to the "right" to never be offended by anyone.

Re:NoScript (2, Funny)

Anonymous Coward | more than 2 years ago | (#37684076)

NoScript blocks more malware than either.

And abstinence provides better protection than condoms.

Re:NoScript (3, Funny)

Hazel Bergeron (2015538) | more than 2 years ago | (#37684144)

To help geek up this analogy: enjoying the web without Javascript is like having sex but avoiding partners with STDs.

Re:NoScript (3, Funny)

93 Escort Wagon (326346) | more than 2 years ago | (#37684272)

To help geek up this analogy: enjoying the web without Javascript is like having sex but avoiding partners with STDs.

For a typical user, a better analogy would be: Enjoying the web without Javascript is like having sex while wearing a condom made of inch-thick rubber.

Re:NoScript (2, Insightful)

Anonymous Coward | more than 2 years ago | (#37684542)

To help geek up this analogy: enjoying the web without Javascript is like having sex but avoiding partners with STDs.

For a typical user, a better analogy would be: Enjoying the web without Javascript is like having sex while wearing a condom made of inch-thick rubber.

and while also wearing a blindfold...

Re:NoScript (2)

TechLA (2482532) | more than 2 years ago | (#37684244)

NoScript blocks more malware than either.

And abstinence provides better protection than condoms.

Yet, abstinence probably leads to much more serious things than possibility of some minor STD, including depression, anti-social behavior and stress. It's good to let go every once in a while.

Of course, there is a good middle ground too. Serious STDs like HIV/AIDS generally do not spread orally. If you're on the receiving end of a blowjob, you have almost 0% chance of catching HIV. Even with prostitutes. I learned this thing and have had sex with many ladyboys and never had any STD. Of course, while having intercourse it's a good idea to use a condom, but as a receiving end of a blowjob, you cannot get AIDS.

Re:NoScript (0)

Anonymous Coward | more than 2 years ago | (#37684906)

learned this thing and have had sex with many ladyboys and never had any STD.

I think somebody forgot to check "Post Anonymously"...

Re:NoScript (0, Troll)

amicusNYCL (1538833) | more than 2 years ago | (#37684300)

Since 85% of attacks [net-security.org] come through Java, Acrobat, and Flash, how exactly does NoScript block those?

Re:NoScript (2, Informative)

Anonymous Coward | more than 2 years ago | (#37684344)

NoScript can block all those things since it has configurable plugin blocking, configurable with the same site rule system used for js. This is great, not because of malware, but because I personally would rather just click on the few cases where I want to use flash (even on whitelisted sites).

So your snark attempt has pretty much failed.

Re:NoScript (0)

Anonymous Coward | more than 2 years ago | (#37684382)

Because it blocks them by default....

Re:NoScript (0)

Anonymous Coward | more than 2 years ago | (#37684448)

Flash requires JavaScript to launch. - NoScript selectively blocks Javascript. I have about 20 domains allowed, so my day to day use of javascript is happy for most of my browsing and safer for the remaining.

Java requires a Java plugin - and java applets are part of NoScript options to block.

Using Adobe software (of any kind) - is just stupid. Using it in a browser to make life easier is idiotic, IMHO.

Out of your listed concerns, Flash is the only one that 95% of the world will probably **need** during a day. A few need Java - for corporate environments and **nobody** needs Acrobat/PDF to be viewable in a browser. Save the PDF file, scan it with a good AV program and use a PDF viewer that doesn't have javascript enabled.

It doesn't matter what MS says, since they don't make programs that run on my OS of choice. I consider MS-Windows too dangerous to allow on the internet except to retrieve patches. That's just me.

Re:NoScript (1)

amicusNYCL (1538833) | more than 2 years ago | (#37684686)

Flash requires JavaScript to launch.

No it doesn't.

It seems to me that loading plugins on-demand is really all you need. I don't see a reason to stop Javascript as a security precaution, I don't know of any plain Javascript attacks that lead to malware being installed. There are too many PDF readers that work better than Acrobat to justify using Acrobat, and I haven't seen Java in use in years. I don't know if an extension is required in Firefox in order to load plugins on-demand, but if you block those 3 then you block at least 85% of attacks. I just don't see any additional security benefit in blocking Javascript.

Re:NoScript (1)

Cryacin (657549) | more than 2 years ago | (#37684776)

It's amazing how many people prevent having accidents in their car by removing the fuel in the first place. Do you no longer live in a house to prevent dying in a fire as well?

Re:NoScript (1)

amicusNYCL (1538833) | more than 2 years ago | (#37684980)

What kind of a stretch is that? I use Opera, I set it to load plugins on-demand. When I get to a page that has Flash content worth watching, I click on it to load the Flash movie. I'm protected against anything I haven't clicked to load. What's so difficult to understand?

It's a fact that Acrobat is crap software, it's a fact that I haven't used a website that requires Java in many years, and it's a fact that the only Flash content I see are things that I explicitly load.

Re:NoScript (0)

Anonymous Coward | more than 2 years ago | (#37684902)

Flash requires JavaScript to launch.

No it doesn't.

I'll rephrase - I haven't seen any flash get loaded without the use of javascript, so blocking javascript effectively blocks flash too. Flash player controls all seem to be javascript too.

Perhaps you and I don't visit similar websites or you are seeing something different. Youtube wraps their flash in script/script tags. BLOCKED.

Re:NoScript (1)

amicusNYCL (1538833) | more than 2 years ago | (#37684996)

I'm pretty sure that malicious authors try any number of ways to load Flash. Instead of trying to block all possible ways of loading Flash, how about just block Flash? Where is the threat with Javascript?

Re:NoScript (1)

Baloroth (2370816) | more than 2 years ago | (#37684432)

So does Lynx. Your point?

Re:NoScript (0)

MBoffin (259181) | more than 2 years ago | (#37684704)

NoScript blocks more malware than either.

NoScript turns practically every site a regular user visits into a broken mess. The amount of time I've seen NoScript users deal with reconfiguring NoScript just so they can have a reasonably decent browsing experience far exceeds the amount of time they would have to spend dealing with malware. It's like watching Mel Gibson use his apartment in Conspiracy Theory.

Re:NoScript (1)

Vokkyt (739289) | more than 2 years ago | (#37684762)

That's inappropriate hyperbole. It takes a click or two on non-trusted sites to configure, and that's about it for most NoScript users, and given that severe infections can necessitate a reinstall, the minor inconvenience far outweighs the potential risk.

I do find the comment on "broken mess" a bit funny, cause for a lot of sites, the ads that are getting blocked make it look like a mess anyways.

Re:NoScript (1)

MBoffin (259181) | more than 2 years ago | (#37684860)

I'm not talking about savvy users. I'm talking about average users. Ones who visit a site and get confused why things aren't working and get frustrated before, finally, after a couple minutes, realizing they might be running into a NoScript problem, and then do those one or two clicks to get it working. And then repeat the cycle again when they're off to the next site.

I bring up average users because the malware blocking features in Chrome and IE9 are targeted at average users.

Re:NoScript (0)

Anonymous Coward | more than 2 years ago | (#37685136)

Interestingly, IE (even version 6) blocks some files from being opened accidentally that neither Chrome, nor Noscript protect you against.
This is done by warning when certain files, like executables, are opened. Noscript won't protect you from downloading files. And Chrome won't warn you before executing the file, unless the file is saved to an NTFS partition.
Since many people have their Downloads folder inside their My documents folder on a separate FAT32 partition (for good reasons) Chrome usually won't warn you before you open an executable. Try to tell someone that (s)he should have looked at the file extension first, if (s)he doesn't know what a file extension is.

Re:NoScript (0)

Anonymous Coward | more than 2 years ago | (#37685142)

Not once your flatmate learns how to unblock...

Seen the same data elsewhere, re: Exploits (5, Interesting)

Tridus (79566) | more than 2 years ago | (#37684034)

I've seen the same data from Mcafee, and it was really something. For every computer exploited using a Windows flaw, 100 are exploited using Flash. Acrobat Reader and Java are the other major culprits.

In a lot of ways, browser security itself has never been better. There's several highly capable ones out there in this area. The weak link is some truly terrible plugins.

Re:Seen the same data elsewhere, re: Exploits (1)

recoiledsnake (879048) | more than 2 years ago | (#37684088)

I think Windows Defender or whatever they have by default on all machines should detect and warn about out of date Java, Flash and Reader at the minimum. Also, they should be made to auto update Chrome style by default unless turned off.

Re:Seen the same data elsewhere, re: Exploits (1)

clarkn0va (807617) | more than 2 years ago | (#37684420)

Translation: We exported all of those problems [wikipedia.org] and their related functionality to some third-party modules.

Re:Seen the same data elsewhere, re: Exploits (1)

Anthony Mouse (1927662) | more than 2 years ago | (#37684558)

Except that isn't what happened at all. There is plenty of stuff in a browser -- javascript to name one -- that would be blatantly insecure if the browser makers wrote code of the same quality as Adobe.

The problem is actually a lack of competition: You can visit the same web page in Firefox as in Chrome, so the browser makers get their shit together or they lose users. But if you want to play a flash movie, you have to use Adobe's flash plugin. There is no viable alternative from the user's perspective, so Adobe has no real incentive to spend money fixing their security.

What would need to happen is for web developers to start using HTML5 instead of Flash. Which is starting to happen. But since Adobe is more concerned about selling authoring tools than getting people to install Flash Player, they might just start selling authoring tools that produce HTML5 output and let Flash die the death it deserves rather than trying to fix it.

Re:Seen the same data elsewhere, re: Exploits (1)

tepples (727027) | more than 2 years ago | (#37684836)

What would need to happen is for web developers to start using HTML5 instead of Flash. Which is starting to happen.

But you're still not going to get existing animated films such as Weebl and Bob or Homestar Runner or 99% of the stuff on Newgrounds converted from Flash vector animation to HTML5 right away.

Re:Seen the same data elsewhere, re: Exploits (2)

Cryacin (657549) | more than 2 years ago | (#37684892)

As an RIA and web developer, let me tell you what would need to happen for me to start developing in HTML5.

1. Every browser would need to implement the W3C standards as laid out. It's madness to go back to the days where you had to write the same code block in several different flavours, not only to support different browsers, but different VERSIONS of browsers. Wake up kiddies, a lot of corporates are still on IE6.
2. When we have the full IDE toolset for HTML5 that we have for flash, and the frameworks to support fast development. If you do not produce value to the business through leveraging tools, you are working for sweatshop wages at the same cost to the business. Who uses a hammer to commercially build a wooden fence when you have nail guns?
3. When HTML5 *really* has the same feature set and grunt that AS3/MXML has. And I don't mean fantasy proof of concept, but only under these conditions, if you install the latest browser version, stand on one hand and wiggle your ears feature sets. Furthermore, the grunt has to be there. All HTML5 examples I've seen have taken longer to develop than their AS3 counterparts, and run like a dog in comparison.

Please, if I'm wrong, and all this stuff is here, give me the links, and I'm gone baby. I'm now a HTML5 developer, or whatever language you want to throw in its stead. The fact of the matter is that Flash/Flex is the fastest enterprise RIA development tool that can consume any endpoint you can possibly imagine to throw at it, whilst providing a snappy front end that's lightning fast to develop.

I agree, Adobe would benefit by plugging security holes, but if you're actually serious about getting us devs to switch over, address these issues, and we're gone.

Re:Seen the same data elsewhere, re: Exploits (0)

Anonymous Coward | more than 2 years ago | (#37684584)

Google has been working on its Native Client to correctly sandbox Flash, Acrobat, and Java. This alone puts Google lightyears ahead of IE9.

If only IE worked in Linux. (1)

SquirrelDeth (1972694) | more than 2 years ago | (#37684036)

Then I would feel really safe while conducting my online activities.

Re:If only IE worked in Linux. (1)

monkyyy (1901940) | more than 2 years ago | (#37684526)

XD WIN!!!!!

If only it weren't for the inaccuracies... (4, Insightful)

LordLimecat (1103839) | more than 2 years ago | (#37684074)

It might have been informative. Seriously, when you accuse Chrome of not meeting the requirement,
"Does the browser help protect you from websites that are known to distribute socially engineered malware?"
when google's anti-malware service is the basis for at least two browsers, and predates IE's effort by at least a year (probably more like 2), it sort of hampers your credibility.

Re:If only it weren't for the inaccuracies... (0)

MightyMartian (840721) | more than 2 years ago | (#37684154)

Hey, what the hell. It's Microsoft. They've spent the last quarter century lying about other companies' products.

Re:If only it weren't for the inaccuracies... (1)

LordLimecat (1103839) | more than 2 years ago | (#37684290)

It apparently gets better. They ding chrome for these as well:
Does the browser automatically block insecure content from secure (HTTPs) pages?
(Even though Chrome does in fact warn you of this. Props to MS, though, they HAVE warned about this since IE6-- though I'm pretty sure IE9 does NOT block it automatically).

And this...
Does the browser have the ability to restrict an extension or a plugin on a per site basis?
Even though I am unaware of IE having that capability, while chrome has had it for a very long while now-- you can do JS, plugins, images, whatever you want, on a per-site basis.

And this
Does the browser benefit from Windows Operating System features that protect against structured exception handling overwrite attacks?
Ok, now you're not even TRYING to hide your bias. How about this:
Is your browser now, or has it ever been, among the first two browsers owned at the yearly Pwn2Own?
I think that should be -10 points, and would put Firefox, Chrome, and Opera squarely on top. Can we get a nice "X" graphic next to IE9 for that one?

Re:If only it weren't for the inaccuracies... (1)

tepples (727027) | more than 2 years ago | (#37684400)

Does the browser automatically block insecure content from secure (HTTPs) pages?
(Even though Chrome does in fact warn you of this. Props to MS, though, they HAVE warned about this since IE6-- though I'm pretty sure IE9 does NOT block it automatically).

Even if Chrome warns the user, I guess what they're saying is after the page has loaded, it's too late. Any passive eavesdropper can see which included resources you've downloaded over an unencrypted connection.

Re:If only it weren't for the inaccuracies... (2)

swillden (191260) | more than 2 years ago | (#37685098)

Does the browser automatically block insecure content from secure (HTTPs) pages? (Even though Chrome does in fact warn you of this. Props to MS, though, they HAVE warned about this since IE6-- though I'm pretty sure IE9 does NOT block it automatically).

Even if Chrome warns the user, I guess what they're saying is after the page has loaded, it's too late. Any passive eavesdropper can see which included resources you've downloaded over an unencrypted connection.

Chrome doesn't download the unencrypted resources unless you tell it to. The warning pops up and asks you if you want to download the insecure pieces or not.
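The mixed-content question debated in the comments above, as an added example that is not part of any poster's comment: a Python sketch that lists the plain-HTTP subresources an HTTPS page would pull in, split into active (script, frame, plugin, stylesheet) and passive (image, media). The sample page, its URLs and the function names are constructed for illustration, and the active/passive split is a simplification of what browsers actually enforce.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource fetch (simplified, assumed split).
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collects subresources that would be fetched over plain HTTP."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.base_url = page_url      # changed by a <base href> element
        self.findings = []            # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and a.get("href"):
            # A <base> pointing at http:// silently downgrades every relative URL.
            self.base_url = urljoin(self.page_url, a["href"].strip())
            return
        if tag == "link":
            rels = a.get("rel", "").lower().split()
            if "stylesheet" in rels:
                self._check("active", tag, a.get("href"))
            elif "icon" in rels:
                self._check("passive", tag, a.get("href"))
            return
        if tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag]))
        # <a href> is navigation, not a subresource, so it is never flagged.

    def _check(self, kind, tag, raw):
        if not raw:
            return
        # Relative and protocol-relative (//host/path) URLs inherit the base scheme.
        url = urljoin(self.base_url, raw.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """Return insecure subresources of an HTTPS page; [] for non-HTTPS pages."""
    if urlsplit(page_url).scheme != "https":
        return []                     # mixed content only exists on secure pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, not taken from any real site.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example/lib.js"></script>
<script src="//cdn.example/ok.js"></script>
</head><body>
<img src="http://img.example/banner.png">
<img src="logo.png">
<iframe src="http://ads.example/frame.html"></iframe>
<object data="http://media.example/movie.swf"></object>
<a href="http://other.example/">plain link, navigation only</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

Active findings are the ones a network attacker can use to take over the secure page; passive ones still reveal to an eavesdropper which resources were requested.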

Re:If only it weren't for the inaccuracies... (2)

PickyH3D (680158) | more than 2 years ago | (#37684320)

Although I realize it's not very cool to mention, reports would suggest otherwise: block rate [nsslabs.com].

Of course, the report uses Chrome 12, so it's about a week old.

Re:If only it weren't for the inaccuracies... (2)

LordLimecat (1103839) | more than 2 years ago | (#37684638)

Even if we were simply to pretend that those stats mean that IE9's blocking is 9x as effective as Chrome's (which is one heck of an allowance), that has nothing to do with Microsoft's claim. Chrome DOES provide a mechanism for filtering malware URLs, in direct contradiction to their claim.

I'm not saying IE9 sucks or that chrome is superior or any of that, I'm simply marveling at their gall in making completely false statements with no compunctions.

Re:If only it weren't for the inaccuracies... (1)

Barsteward (969998) | more than 2 years ago | (#37684388)

I went there with Opera 11.51 and it couldn't give me a score - is that good? :o)

This just in... (1)

GoNINzo (32266) | more than 2 years ago | (#37684078)

Actually, their site doesn't even work with Chrome 15.x on Linux. So I think my browser is securing me pretty darn well.

This just in, all our competition sucks, news at 11.

Re:This just in... (1)

c++0xFF (1758032) | more than 2 years ago | (#37684664)

This just in, all our competition sucks, news at 11.

On the other hand, what surprised me was the download links for Chrome, and Firefox on the browser comparison page.

The only thing that would have surprised me more would have been links to the Chrome [google.com] and Firefox [mozilla.org] security features.

Metro UI? (1)

black3d (1648913) | more than 2 years ago | (#37684080)

Goddamn that site hurts my eyes. Looks very similar to the Metro UI.

Re:Metro UI? (1)

Sperbels (1008585) | more than 2 years ago | (#37684138)

Actually...it does kind of hurt. Weird.

Re:Metro UI? (1)

Toonol (1057698) | more than 2 years ago | (#37684888)

It doesn't scroll right, either. If your window doesn't hold it all vertically, no scroll bars appear. At least in Firefox. You have to increase your browser size to see it all.

There's more than just malware (0)

Anonymous Coward | more than 2 years ago | (#37684094)

for reasons not to choose IE. IE9 may be better than earlier versions, it also breaks on more stuff than ever before...

Big deal! (0, Flamebait)

Wowsers (1151731) | more than 2 years ago | (#37684110)

So what about Microsoft's claims. Is Internet Exploder 9 standards compliant? I tested a design in IE8 and ONLY IE managed to screw up CSS drop down menu, needing Javascript to get around the stupid IE bug. Meanwhile Firefox, Chrome, Chromium, Opera and Safari in Win, Linux and iPad all render properly.

Nobody cares about Microsoft's claims if they can't even be bothered to fix BASIC rendering bugs, it's 2011 not 1990. That's why Microsoft are losing to the competition.

Re:Big deal! (-1)

Anonymous Coward | more than 2 years ago | (#37684136)

Not even three sentences before you're fucking dumb. You ask if IE9 is standards compliant, then bitch about IE8. Are you retarded?

Rephrased: "Should I buy Windows 7?" (1)

tepples (727027) | more than 2 years ago | (#37684334)

Please allow me to rephrase it in a slightly less retarded manner: "I run Windows XP, whose latest available version of IE (that is, IE 8) has problems X, Y, and Z. I am considering IE 9, but if I were to try it for myself, I would first have to buy a copy of Windows 7. Is IE 9 worth the price of Windows 7?"

Re:Big deal! (0)

Anonymous Coward | more than 2 years ago | (#37684230)

So what about Microsoft's claims. Is Internet Exploder 9 standards compliant? I tested a design in IE8 and ONLY IE managed to screw up CSS drop down menu, needing Javascript to get around the stupid IE bug. Meanwhile Firefox, Chrome, Chromium, Opera and Safari in Win, Linux and iPad all render properly.

Nobody cares about Microsoft's claims if they can't even be bothered to fix BASIC rendering bugs, it's 2011 not 1990. That's why Microsoft are losing to the competition.

IE9, while not perfect, is more standards compliant and more secure than previous versions.

Re:Big deal! (2)

jonbryce (703250) | more than 2 years ago | (#37684706)

IE9 is much better than previous browsers. It gets 100% in the acid 3 test, but it still ignores <q>tags</q>.

Re:Big deal! (2)

Rhodri Mawr (862554) | more than 2 years ago | (#37685084)

The Acid 3 test was revised and now all of the major browsers get 100%. It is no longer relevant.

All I got was... (1)

johnsnails (1715452) | more than 2 years ago | (#37684166)

We do not have any data for your browser, so we can’t give your browser a score. SEE HOW OTHER BROWSERS SCORED >

Ultra safe browser (0)

Anonymous Coward | more than 2 years ago | (#37684172)

Is there something that just runs something like the Unix "strings" command on the page, and then greps out the tags? That should leave just the text. OK, you'd have to gzip chunked HTML and deal with a few other low level details to get the text. Maybe this is already built into Lynx; but having a Lynx-like mode as the default, with an option to enable some tags... that'd be inherently very secure, as opposed to running around and putting out fires.

A billion versus a few million? (1)

angel'o'sphere (80593) | more than 2 years ago | (#37684234)

If a billion IE users browse the web and 100 million Chrome users do the same, sure ... it is not unlikely that IE blocks more malware.

Admittedly, that was a lame joke ...

However, if MS had not slept and ignored security for the last 25 years, we would not have that much malware, or would we?

They didn't get my browser right!!! (0)

Anonymous Coward | more than 2 years ago | (#37684248)

They thought Firefox 4 with noscript on Ubuntu was Firefox 7!

Of course they do (1)

king_grumpy (1685560) | more than 2 years ago | (#37684258)

I'd be more inclined to read a story entitled "CompanyX says their new product is crappier than the competition and far worse than the previous release".

What Does That Even Mean? (1)

EXTomar (78739) | more than 2 years ago | (#37684264)

What these guys are touting is IE9's "SmartScreen" protection which claims to "block 99% of phishing" so I am pondering what that even means. I wonder how many of those "phishing" exploits actually work if a user activates them on Firefox, Chrome, etc. It also doesn't appear to take into account platforms where activating the page on something like a non-Windows platform Android device with Chrome breaks because it can't handle or support what the attack wants.

I am for a more intelligent IE9 so I'm happy for SmartScreen but I also wouldn't oversell it. There is value in blocking a questionable web page. There is value in simply not allowing what the questionable web page wants to activate as well.

Re:What Does That Even Mean? (1)

tepples (727027) | more than 2 years ago | (#37684640)

What these guys are touting is IE9's "SmartScreen" protection which claims to "block 99% of phishing" so I am pondering what that even means.

It uses heuristics to determine whether a site is hosting a phishing attempt. However, like all heuristics, it does have some false positives, and Microsoft's page about SmartScreen for web site owners [microsoft.com] makes a few recommendations that the smallest web sites might not be able to handle properly:

If you ask users for personal information, use Secure Sockets Layer (SSL) certification with a current server certificate issued by a trusted certification authority.

True, StartSSL offers free certificates, but a certificate isn't the most expensive part of deploying TLS (formerly SSL). One needs a dedicated IP for each TLS site. Ordinarily, budget web hosts load upwards of a thousand domains onto a single IP address using name-based virtual hosting. There is an extension called SNI to allow TLS to work with name-based virtual hosting, but IE for Windows XP and Android Browser for Android 2.x don't have SNI. This, combined with the scarcity of IPv4 addresses, makes it significantly more expensive to deploy HTTPS on sites that aren't yet popular enough to need a dedicated server.
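The constraint described in this comment, as an added Node.js example that is not part of the original post: a server sharing one IP must choose its certificate from the ClientHello alone, so a client that sends no server_name extension gets the default certificate. Hostnames, certificate labels and function names are hypothetical, and the ClientHello bytes are constructed.

```javascript
'use strict';
// Added illustration: hostnames, certificate labels and function names are
// hypothetical, and the ClientHello bytes are constructed, not captured.
const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);

// Minimal TLS ClientHello record, with or without the server_name extension.
function buildClientHello(hostname) {
  let exts = Buffer.alloc(0);
  if (hostname) {
    const name = Buffer.from(hostname, 'ascii');
    const list = Buffer.concat([u16(name.length + 3), Buffer.from([0]), u16(name.length), name]);
    const sni = Buffer.concat([u16(0), u16(list.length), list]); // extension type 0
    exts = Buffer.concat([u16(sni.length), sni]);
  }
  const body = Buffer.concat([
    Buffer.from([3, 1]), Buffer.alloc(32), // client_version, random
    Buffer.from([0]),                      // empty session_id
    u16(2), Buffer.from([0x00, 0x2f]),     // one cipher suite
    Buffer.from([1, 0]),                   // null compression only
    exts,                                  // absent for a pre-SNI client
  ]);
  const hs = Buffer.concat([Buffer.from([1, 0]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 3, 1]), u16(hs.length), hs]);
}

// Returns the requested host name, or null if the client sent none.
function sniFromClientHello(buf) {
  try {
    if (buf[0] !== 0x16 || buf[5] !== 0x01) return null; // not a ClientHello
    let p = 9 + 2 + 32;                // record + handshake headers, version, random
    p += 1 + buf.readUInt8(p);         // session_id
    p += 2 + buf.readUInt16BE(p);      // cipher_suites
    p += 1 + buf.readUInt8(p);         // compression_methods
    if (p === buf.length) return null; // no extensions at all
    const end = p + 2 + buf.readUInt16BE(p);
    for (p += 2; p + 4 <= end; p += 4 + buf.readUInt16BE(p + 2)) {
      if (buf.readUInt16BE(p) !== 0 || buf[p + 6] !== 0) continue;
      const nameLen = buf.readUInt16BE(p + 7);
      if (p + 9 + nameLen > Math.min(end, buf.length)) return null;
      return buf.toString('ascii', p + 9, p + 9 + nameLen);
    }
  } catch (e) { /* truncated or malformed record */ }
  return null;
}

// One IP, many sites: the certificate is chosen before any HTTP Host header
// arrives, so the ClientHello is the only place the site name can come from.
const CERTS = new Map([['shop.example', 'cert:shop.example'], ['blog.example', 'cert:blog.example']]);
function selectCertificate(clientHello) {
  const name = sniFromClientHello(clientHello);
  return CERTS.get(name) || 'cert:shared-ip-default';
}
```

A client without SNI always receives `cert:shared-ip-default`, which cannot match every site on the address, so its users see a name-mismatch warning.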

There's no actual tests run (0)

Anonymous Coward | more than 2 years ago | (#37684270)

The site gave me results awfully quick, I didn't hear the computer grinding or anything. Which is when someone pointed out this doesn't check browsers at all. Use Opera and it gives no score. Use Opera with a spoofed header though, and it'll give the results of different browsers (Opera disguised as IE gives you 4/4), leading me to think it's just sniffing the browser and spitting out results. So we just have to take their word that their own research is correct, which is far-fetched.

I looked at some other site that tests browser security, which actually does stuff. The quick scan warned me about outdated plugins. Haven't tried comprehensive yet, but I'm betting it's more reliable than Microsoft's trash browser-report is: https://browsercheck.qualys.com/

severely damaging to test credibility (2)

v1 (525388) | more than 2 years ago | (#37684316)

when you don't allow users to run your test on some of your competition's offerings, such as Safari.

All they're trying to do is say "We're the best (in this carefully chosen group)". Of course they're going to win that argument. Even a catbox smells nice if you're only allowed to compare it with a hog shed.

Now I'm not out to smear the other offerings they did include, but even leaving out one significant competitor from your test is more than enough to raise reasonable doubt as to how your product really stacks up against all your competition.

Re:severely damaging to test credibility (0)

Anonymous Coward | more than 2 years ago | (#37684644)

Especially given that depending on the extensions and your particular setup, you score much higher. By their own measurements and my setup, my Firefox 3.6, rather than being 1.5, is instead a 3.5 on their scale and possibly much higher depending on how it goes. In fact Firefox would do better than IE if it had a sandbox or ran in protected mode.

Re:severely damaging to test credibility (1)

Dhalka226 (559740) | more than 2 years ago | (#37684920)

Is Safari a significant competitor?

I'm not trolling; I'm writing this comment on a Macbook Pro, so I'm not some rabid anti-Apple-ite nor am I a huge Microsoft supporter. But the first thing I did when I got this computer was to install Firefox, and later moved on to installing Chrome. Safari was opened once or twice, mostly to facilitate downloading the other browser.

In fact, while I admit that it is anecdotal and a small sample size, nobody I know of who uses a Mac uses Safari as their browser. That ranges from the highly computer literate (web developers and other programmers who are great with computers) to the semi-computer-literate (enthusiasts who enjoy them but often need help) to old-school salesmen at my dad's business (they can type, anything else they call somebody over for). If even Mac users don't seem to be using Safari, I doubt significant numbers of Windows users are.

Now admittedly, Safari probably gets a boost from use on iPhones, iPads, etc -- but those are different enough mediums that not including them in "who blocks more malware" tests is probably appropriate.

Don't get me wrong: I would have tested Safari, and I would have tested Opera for that matter, but I honestly don't see their exclusion as a huge deal. There are other things I would bring up as issues with the test before that.

Re:severely damaging to test credibility (0)

Anonymous Coward | more than 2 years ago | (#37684966)

when you don't allow users to run your test on some of your competition's offerings, such as Safari.

You really want to see Safari's score up there? The browser all readers of slashdot know to be the weakest link and first to fall in the past few years' hacking competitions.

Am I the only one? (0)

NIN1385 (760712) | more than 2 years ago | (#37684318)

Am I the only person who chuckled out loud upon reading this headline? I somehow doubt it.

Easiest way to score 4/4... (0)

Anonymous Coward | more than 2 years ago | (#37684322)

The easiest way to score 4/4 is to change your user-agent string to internet explorer on windows 7. Try it for yourself :)

Re:Easiest way to score 4/4... (1)

Psicopatico (1005433) | more than 2 years ago | (#37684822)

Correct.

Masked Opera's user agent as IE under Windows (and I'm under linux!) and.... tah-dah:

Your browser's
security score is:
4 out of 4

LOL

why are browsers blocking ? (0)

Anonymous Coward | more than 2 years ago | (#37684380)

Isn't that the role of the firewall & OS .... all browsers need to do is NOT open holes

Not even accurate with the 4 it does claim to test (1)

iridium213 (2029192) | more than 2 years ago | (#37684468)

"Does your browser provide a distinct warning when you download an application that is of higher risk but not yet confirmed as malware?" - X

Chrome does in fact ask me when I try to download potentially unsafe file formats (in my case, DMG files =) ), prompting me whether to keep or discard. Smoke and mirrors, and the same old FUD..

Unsafe files vs. unsafe file types (1)

tepples (727027) | more than 2 years ago | (#37684676)

Chrome does in fact ask me when I try to download potentially unsafe file formats (in my case, DMG files =) ), prompting me whether to keep or discard.

Chrome decides based on the file format. IE's filter is more fine-grained, deciding based on the reputation of a particular downloaded executable file (identified by its hash value?) or, in the case of a digitally signed executable, the reputation of its publisher. Microsoft's advice for building an application's reputation (source 1 [microsoft.com] ; source 2 [msdn.com] ) involves buying into the Authenticode CA racket, which can prove expensive for an individual student or hobbyist developer.

It's Microsoft. (0)

Anonymous Coward | more than 2 years ago | (#37684662)

When was the last time that Microsoft released any benchmarks that weren't shown to have been artificially cooked to favor IE over all other browsers?

Yeah, I thought so.

Hah! My browser blocks ALL malware (0)

Anonymous Coward | more than 2 years ago | (#37684722)

My browser is prohibited from accessing the 'net.
100% of malware is blocked.

Cool (0)

frisket (149522) | more than 2 years ago | (#37684742)

...Roger Capriotti hopes people will choose IE9...

Cool, so there's an IE9 for Ubuntu Linux now? Where do I find the .deb?

IE 9 in Windows 7 in VirtualBox in Ubuntu (1)

tepples (727027) | more than 2 years ago | (#37684880)

First you set up VirtualBox, despite that it's tainted crap according to a Linux developer [slashdot.org] . Then you buy a copy of Windows 7 and install it into VirtualBox. Voila: IE 9 for Ubuntu.

Because... (1)

Zuriel (1760072) | more than 2 years ago | (#37684820)

...malware is written to standards, so IE won't run it properly.

Can't trust this site (1)

Artifex (18308) | more than 2 years ago | (#37684968)

Says my Firefox 7 only rates a 2, and says I should try ie9, and helpfully gives me a link.
But the link is to the Windows version. I'm on a Mac!
Clearly it doesn't actually have the resolution to know, much less tell me, how Firefox 7 for OS X ranks.

Site is fake, no tests are run (5, Informative)

Derling Whirvish (636322) | more than 2 years ago | (#37684976)

The site is fake and does nothing other than tell you to use IE9. It determines your user agent and responds based on the result. It does not run any security tests against your browser. When I go to the site with IE9 I get a score of 4 of 4. When I go to it with Firefox 8 I get a 2 of 4 score. When I switch my user agent in Firefox 8 with the user agent switcher add-on to report I am using IE9 and go to the site using Firefox 8, I get a score of 4 of 4.
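The behaviour reported in this comment, as an added JavaScript example that is not part of the original post and not Microsoft's code: a score keyed on the User-Agent header rates the claim rather than the client, and cross-checking the claim against engine-specific script objects exposes the mismatch. Function names and sample clients are hypothetical; the scores are the ones reported in the thread.

```javascript
'use strict';
// Added illustration: function names and sample clients are hypothetical.
// Only the scores (IE9 = 4, Firefox 7/8 = 2, Opera = no data) come from the thread.

// What the commenters infer the site does: score the User-Agent claim itself.
function scoreByUserAgent(ua) {
  if (/MSIE 9\.0/.test(ua)) return 4;        // reported in the thread for an IE9 claim
  if (/Firefox\/[78]\./.test(ua)) return 2;  // reported for Firefox 7 and 8
  return null;                               // "We do not have any data for your browser"
}

// Browser family the client claims in its header.
function claimedFamily(ua) {
  if (/Opera/.test(ua)) return 'opera';
  if (/MSIE |Trident\//.test(ua)) return 'ie';
  if (/Chrome\//.test(ua)) return 'chrome';
  if (/Firefox\//.test(ua)) return 'firefox';
  return 'unknown';
}

// Browser family suggested by engine-specific objects seen by an in-page probe:
// document.documentMode (IE), window.opera (Presto Opera),
// window.chrome (Chrome), window.InstallTrigger (Firefox of that era).
function probedFamily(probe) {
  if (probe.documentMode) return 'ie';
  if (probe.opera) return 'opera';
  if (probe.chrome) return 'chrome';
  if (probe.installTrigger) return 'firefox';
  return 'unknown';
}

function assess(client) {
  const claimed = claimedFamily(client.ua);
  const probed = probedFamily(client.probe);
  return { uaScore: scoreByUserAgent(client.ua), claimed, probed, consistent: claimed === probed };
}

// Constructed sample clients mirroring the cases described in the thread.
const IE9_UA = 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)';
const CLIENTS = {
  realIE9:     { ua: IE9_UA, probe: { documentMode: 9 } },
  firefox8:    { ua: 'Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0',
                 probe: { installTrigger: true } },
  opera:       { ua: 'Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.9.168 Version/11.51',
                 probe: { opera: true } },
  operaAsIE:   { ua: IE9_UA, probe: { opera: true } },
  firefoxAsIE: { ua: IE9_UA, probe: { installTrigger: true } },
};

// Names of clients whose header claim disagrees with what the probe observed.
function inconsistentClients() {
  return Object.keys(CLIENTS).filter((name) => !assess(CLIENTS[name]).consistent);
}
```

The probe values are also reported by the client, so a mismatch is a signal worth logging, not proof of anything; neither the header nor the probe measures how secure the browser is.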

So they're using social engineering... (1)

sten ben (1652107) | more than 2 years ago | (#37684990)

So they're using social engineering to do a cross corporate hijacking of your browser choice. Nice one

Pretty dang funny... (1)

sigmabody (1099541) | more than 2 years ago | (#37685006)

There's some humor on the page for browser features, if you're using a browser without Flash installed/enabled. The #1 "bad" item is Dangerous Downloads, just to the left of the prompt to download/install Flash. I lol-ed.

Malicious Website Content! (2)

znerk (1162519) | more than 2 years ago | (#37685008)

Get Adobe Flash player
This page requires Flash Player version 10.2.0 or higher.

My browser only scored a 2 out of 4, yet was able to keep me from seeing most of the malicious content on the linked page.

NoScript and AdBlockPlus, thank you.

My browser: 1
Microsoft FUD: 0

Moving along, now... so much more internet to see, so little time.

Really ? (0)

Anonymous Coward | more than 2 years ago | (#37685014)

National Cyber Alert System

                            Technical Cyber Security Alert TA11-284A

Microsoft Updates for Multiple Vulnerabilities

      Original release date: October 11, 2011
      Last revised: --
      Source: US-CERT

Systems Affected

          * Microsoft Windows
          * Microsoft .NET Framework
          * Microsoft Silverlight
          * Internet Explorer
          * Microsoft Forefront Unified Access Gateway
          * Microsoft Host Integration Server

Overview

      There are multiple vulnerabilities in Microsoft Windows, .NET
      Framework, Silverlight, Internet Explorer, Forefront Unified Access
      Gateway, and Host Integration Server. Microsoft has released
      updates to address these vulnerabilities.

Yes, but... (1)

Livius (318358) | more than 2 years ago | (#37685052)

Microsoft says a lot of things.

It doesn't rate Opera either, but (4, Interesting)

Eadwacer (722852) | more than 2 years ago | (#37685056)

When I went there with my Opera browser, it said it couldn't rate it. So I used Opera's site preferences to lie to the site and tell it I was using IE (version unspecified). I then got a rating of 4/4. So even a fake IE is better than none.

This "feature" should be weighted more heavily... (1)

fostware (551290) | more than 2 years ago | (#37685080)

"Does the browser extend the sandbox such that it cannot read data from parts of the system that it doesn’t have access to?"

Umm IE9 fails miserably in this regard.

Oh, and where's the "Does the browser help protect you from websites that are *NOT* known to distribute socially engineered malware?"

At least let me run a test to prove how secure my browser really is, instead of just checking the browser agent.

Easy upgrade (0)

Anonymous Coward | more than 2 years ago | (#37685156)

Switch the user agent to IE9 and get a 4 score!

Now stop chmod +xing stuff that still gets through (0)

Anonymous Coward | more than 2 years ago | (#37685168)

Does MSIE still chmod +x whatever files it saves? Abstaining from doing that, should take care of whatever malware still gets through the cracks.
