IE9 decimates competition at malware prevention

The latest NSS Labs report is in, and the findings show that Internet Explorer completely dominates all other browsers when it comes to preventing socially engineered malware. For those that aren’t aware, socially engineered malware is a form of malicious software that attempts to trick users into installing it, and thanks to Internet Explorer 9’s SmartScreen URL filtering the browser prevents 92% of it; and up to 100% when you include Application Reputation to filer untrustworthy executables.

Internet Explorer 8 also does well in this arena, blocking 80% of all socially engineered malware. Other browsers look just shameful in comparison: Safari 5, Chrome 10 and Firefox 4 (the latest browsers at the start of Q2 2011) managed to block just 13% of the malware, with Opera 11 performing even worse and filtering just 5%.

Safari, Chrome and Firefox all perform the same due to all browsers using Google’s Safe Browsing URL blacklisting system, whereas Opera relies on an AVG-powered service. Not only is Opera the worst browser at preventing this type of attack, but it also is the slowest, averaging 48 hours to block a new malicious site versus 13 hours for the other browsers in the test.

The socially engineered malware used in the NSS Labs report came from instant messages, spam emails and dodgy social network posts; the malware was also targeted at European users, as Eurostat mentioned that nearly 33% of EU users were victims of malware infections in 2010. Also, while the report does reveal Internet Explorer 9 is the best at preventing unwanted malicious software from being installed, it comes at the cost of a higher-than-average false positive detection rate, something that would infuriate a lot of advanced users.

Image courtesy of NSS Labs

Report a problem with article
Previous Story

Report: Microsoft in talks with Twitter over Bing search deal

Next Story

Steam announces new game download improvements

82 Comments

Commenting is disabled on this article.

I would not trust the results as obviously MS is going to inflate the results thus the actual numbers are far lower then what they claim. if a non MS fanboy were to do the same tests then i would trust that as it would not be biased.

Gaara sama said,
If that is truth so why they always security update for Internet Explorer?

Is this a serious question? There's security updates for every browser and web accessible app there is. Derp.

FrozenEclipse said,

Is this a serious question? There's security updates for every browser and web accessible app there is. Derp.


It is a serious question. There are people who genuinely believe security patches are a sign of a poor browser, and would much rather see weekly "updated versions" of IE (9.0.1, 9.1.17, etc.) they have to download and install.

This is simply because, in spite of the chromepuffs insisting version numbers don't matter, updating them--even if for nothing more than security patches--FEELS like you have newer, shinier software. Meanwhile, stand-alone security patches are just 'fixing holes' in the same old aging browser you've had installed all along.

It's entirely about perception.

I hope Microsoft will start creating a real add-on infrastructure with IE10. Sure there are add-ons now but those are mostly just search alternatives, they don't really change functionality.

Microsoft is known to be a platform company. Almost all products they create are platforms that developers can use and they have good reputation in supporting developers. While browsers start to become a very important platform right now, it's crazy that MS isn't really joining the game.

How can you trust Microsoft's IE9 if Microsoft can't take care of their security site which has been hacked last week serving porn links from internal search results ?

alexalex said,
How can you trust Microsoft's IE9 if Microsoft can't take care of their security site which has been hacked last week serving porn links from internal search results ?

Name one web server brand that hasn't been hacked. And it wasn't even a proper hack, just a fancy version of search poisoning and was quickly fixed, versus the alternatives which are much worse at letting data leak out. Considering the track record, trust them pretty well thanks.

FYI...
M$ paid for this "study", just as they paid for the one in 2010, when [surprise!] they came up on top.
The "best" doing their "finest" work... again. ;-(

v1ewer said,
FYI...
M$ paid for this "study", just as they paid for the one in 2010, when [surprise!] they came up on top.
The "best" doing their "finest" work... again. ;-(

Perhaps you should have read the report first:
http://www.nsslabs.com/assets/...2_2011_browsersem_FINAL.pdf

"This report was produced as part of NSS Labs' independent testing information services. Leading vendors were invited to participate fully at no cost, and NSS Labs received no vendor funding to produce this report."

sbrads said,
http://ieaddons.com/
What a useless bunch of IE9 addons. I'll stick to Firefox 5 with Kaspersky IS 2012 for the malware stuff.

Then make your own add-ons. I'm perfectly fine with what is available. Plus these are only the official ones that have landed on that site.

gzAsher said,
Opening WordPress Panel in IE9 (fully updated) shows you this http://www.postimg.com/42000/photo-41726.jpg. Clicking on browse happy takes you to browsehappy.com
By the way, logging in to the same WordPress Panel using Chrome of Firefox did not throw up the red box.
Works fine for me in IE9. That should only be showing up if you are on IE6 since they dropped support for IE6

Equalizer said,
Works fine for me in IE9. That should only be showing up if you are on IE6 since they dropped support for IE6
What part of "fully updated" did u not understand. Or that looks like IE6 icon to you? Troll

wahoospa wrote "It's the person behind the keyboard that has to make the right decisions."

Agree 100%. Me, my wife, and mother-in-law all use Windows 7,with IE9 mainly used. I make sure widows update is run, and they kept getting "fake antivirus", while I have had no problems. I finally put Malware Bytes' AntiMalware on their computers, fully licensed so it will auto-protect. So far so good now.

James

"malware used in the NSS Labs report came from instant messages, spam emails and dodgy social network posts"
I don't do instant messaging, I delete all unknown spam emails, and I sure as heck don't go to any social networks. So I assume most any browser would then be safe.
It's the person behind the keyboard that has to make the right decisions.

"The latest NSS Labs report is in"
You can get just about any results you want in a lab to make something look either good or bad.

SmartScreen in IE8 and IE9 is great but the app reputation for all downloads is a cant-turn-off-annoyance shoved down the throat of advanced users who know what they are downloading.

I would lilke to compare this to IE6, so I could convince my company to move from IE6 as a standard company browser

WAR-DOG said,
I would lilke to compare this to IE6, so I could convince my company to move from IE6 as a standard company browser

IE6? that's just funny and painful They should try to turn the number 180°

WAR-DOG said,
I would lilke to compare this to IE6, so I could convince my company to move from IE6 as a standard company browser

It's one thing updating from IE6 at home, but at an Enterprise level it can be extremely difficult.

WAR-DOG said,
I would lilke to compare this to IE6, so I could convince my company to move from IE6 as a standard company browser

That is easy IE6 had 0% protection mechanisms. So it is 'make up a number' divided by 0...

WAR-DOG said,
I would lilke to compare this to IE6, so I could convince my company to move from IE6 as a standard company browser

Moving to IE9 to be "safe" from social engineering, but let other malware in ?

WAR-DOG said,
I would lilke to compare this to IE6, so I could convince my company to move from IE6 as a standard company browser

IE6 on XP I'm guessing. One problem, IE9 is not supported on XP.

"a form of malicious software that attempts to trick users into installing it"
Are people really that easily tricked into installing things...? Surely common sense is the key to preventing infection.

RagBacker said,
"a form of malicious software that attempts to trick users into installing it"
Are people really that easily tricked into installing things...? Surely common sense is the key to preventing infection.

Novice users don't have that common sense.

RagBacker said,
"a form of malicious software that attempts to trick users into installing it"
Are people really that easily tricked into installing things...? Surely common sense is the key to preventing infection.

Yes, I'm afraid so.

This is a good thing because your average user isn't aware that there are alternatives to IE, or even know what a "browser" is for that matter. So for lack of a better term, it needs to be idiot proof.

Meanwhile tech savvy people can stick with their firefox, chrome and opera, because they're knowledgeable enough to know what NOT to do, without a browsers help. I've used Opera for years and haven't been infected once.

daPhoenix said,
http://www.networkworld.com/ne...r-slams-microsoft-over.html

http://www.simplysecurity.com/...9-malware-blocking-results/

"In our test, IE9 achieved a less than 10 percent success rate for malicious URL blocking. So, while we cannot comment on the exact methodology used in Microsoft's own tests, we have to agree with Sophos' questioning of the rather surprising results Microsoft published."

Yeah.

Different tests. This is specifically about socially engineered malware. Also, those graphs showing TrendMicro blocking 100% of threats seems quite dodgy

This report focused on URLs chosen to be of significant threat to EU users and followed the same Live Testing methodology as the global tests conducted in Q1 2009, Q3 2009, Q1 2010 and Q3 2010 (http://www.nsslabs.com/browser-security).

The question for me is whether the source of the chosen URLs happens to be the same as Microsoft's source.

Unfortunately this is just propaganda to try and make IE look good. The reality is IE9 and other versions are just as vulnerable to malware as ever. If users have any kind of desire to be safe, IE is the last browser they should use.

daPhoenix said,
http://www.networkworld.com/ne...r-slams-microsoft-over.html

http://www.simplysecurity.com/...9-malware-blocking-results/

"In our test, IE9 achieved a less than 10 percent success rate for malicious URL blocking. So, while we cannot comment on the exact methodology used in Microsoft's own tests, we have to agree with Sophos' questioning of the rather surprising results Microsoft published."

Yeah.

this test is about malicious infections. Web browsers are not antiviruses / antiexploits, although IE7/8/9's sandbox on vista/7 does a good job at blocking most browser/plugin exploits from operating! it doesn't detect exploits, but it breaks their malicious behavior (even exploits in flash player or adobe reader plugin!) by preventing them to write anything outsite the sandbox.
So, even if IE doesn't detect (i.e: by displaying a warning message) a drive-by download attempt from a malicious site, it should not work on IE7/8/9/vista/7 anyway.

NSS Labs' test is about phishing (either fake bank sites, or sites tricking the user into downloading and executing malwares), something IE's smartscreen filter seems very good at filtering.

Microsoft_Bob said,
Unfortunately this is just propaganda to try and make IE look good. The reality is IE9 and other versions are just as vulnerable to malware as ever. If users have any kind of desire to be safe, IE is the last browser they should use.

you obviously have no idea about what you're talking about!

IE7/vista has been the first sandboxed browser (since 2006), and IE8 the first to fully implement ASLR. And since then, even firefox/opera/safari are still not sandboxed (firefox 4.0 wasn't even fully ASLR protected)!

so, I would rather trust IE on vista/7 than trust a browser that is not sandboxed at all, especially since IE also sandboxes risky plugins like flash player and adobe reader, preventing most 0day exploits from infecting your machine/user profile (and yes, you could be infected by a 0day flash player flaw if you run opera, even though no hacker will target the flaws in opera itself due to its sub 1% market share)

Btw, IE has had far less security flaws than firefox or chrome, contrary a to some popular beliefs (check the stats on secunia if you don't believe me!)

In its timespan, IE8 had less than 100 security flaws in 2.5 years , whereas firefox 3.5 (which have been released months after IE8) have had more than 160 security flaws in 2 years (and the count is stopped since firefox 3.5 isn't supported anymore. Since its release, firefox 3.6 had 120 flaws).

Microsoft_Bob said,
Unfortunately this is just propaganda to try and make IE look good. The reality is IE9 and other versions are just as vulnerable to malware as ever. If users have any kind of desire to be safe, IE is the last browser they should use.

Troll fail.

link8506 said,
this test is about malicious infections.

Topic is "IE9 decimates competition at malware prevention", which would encompass "all malware" rather than just a very small subsect of it, being the socially engineered one.

daPhoenix said,

Topic is "IE9 decimates competition at malware prevention", which would encompass "all malware" rather than just a very small subsect of it, being the socially engineered one.

no browser can detect malwares/exploits. That's the job of an antivirus, not the job of an url/hash filtering system like smartscreen.
However, IE9's sandbox does a great job blocking 0day flaws in IE itself or flash player.

Firefox/opera/safari on the other hand do nothing to prevent the user from being infected if a flaw in flash player or in the browser itself is exploited...

Microsoft_Bob said,
Unfortunately this is just propaganda to try and make IE look good. The reality is IE9 and other versions are just as vulnerable to malware as ever. If users have any kind of desire to be safe, IE is the last browser they should use.

so then you try to make IE *look bad* just because you dont like it? it even has ActiveX filtering BUT everything is vulnerable at wrong hands... and even with good hands, people should have antimalware/antivirus/antispyware to protect them or now you can be without it for just using firefox or opera or well just not using IE?
yeah right, i bet anyone would be safer that way. i didnt know firefox and opera and chrome and safari were anti malware products. thanks for the info /s

but oh well....

Microsoft_Bob said,
Unfortunately this is just propaganda to try and make IE look good. The reality is IE9 and other versions are just as vulnerable to malware as ever. If users have any kind of desire to be safe, IE is the last browser they should use.

Fail at life.

Microsoft_Bob said,
Unfortunately this is just propaganda to try and make IE look good. The reality is IE9 and other versions are just as vulnerable to malware as ever. If users have any kind of desire to be safe, IE is the last browser they should use.

Microsoft_Bob, stop trolling. You're randomly posting troll replies on comments you're not even reading.

trogenda said,
IE is really a good browser. To be the best, it requires to have chrome-like add-ons and full browser sync.

I do agree that to beat the competition, it needs addon support, but I'm also glad that it doesn't because it'd be a nightmare to support (as in technical support).

trogenda said,
IE is really a good browser. To be the best, it requires to have chrome-like add-ons and full browser sync.

And chrome-like speed...

Alastyr said,

And chrome-like speed...

Did you even test IE9? It's as fast as Chrome and Firefox and even faster with handling HTML5 intensive sites

trogenda said,
IE is really a good browser. To be the best, it requires to have chrome-like add-ons and full browser sync.

This isn't even the first post in the past month I have come across where people talk about IE not having add-on support.

Unless there is some reality or specific add-on that people are talking about, IE has had add-on support going back to 1995.

IE9 still as add-on support, or I find it strange Microsoft would maintain a web site dedicated to them.... http://ieaddons.com

What do you consider 'full' browser sync? Is the qualifier 'full' to demonstrate some strange quirk? IE has had various forms of Favorites and setting 'sync' abilities going back to 1996.

(Back then, it was an easier feature to provide via MSN and Windows before Microsoft had arbitrary restrictions they had to adhere to, which is why they were behind several web storage and drive syncing features that had to be 'removed' from Windows thanks to the Anti-Trust case and the EU. If you look back, you use to be able to map online storage directly using several methods, but specifically Web Folders that used WebDav. After Anti-Trust, this was a no-no.)

However, as for IE 'syncing' on Win7, this is accomplished via 'Live Mesh' included in Live Essentials.

*Side note about online storage and 'syncing'*

Microsoft wanted to use the roaming profiles technology from NT, that goes back to the early 90s, and promote it to a base Windows feature for non-corporate individuals using their online server systems. Sadly the anti-trust stuff, stopped this, as technology needed an online server store, and was going to use MSN, back when it was an Online Forum and Internet service.

Stuff like this tends to make IT people that were in the 'know' back then twitch, as a generation of progress was killed, and in this example, it is only with Windows 8 and Microsoft being set free of some of the anti-trust crap will 'end users' finally get features they should have had 11 years ago.

It also makes myself twitch when I hear people complain that Microsoft didn't do this or didn't do that without realizing they legally couldn't, and often wanted to implement most of the stuff people complain about.

Even things that Google gets 'kudos' for, like GDocs, was something that was privately implemented and designed to be implemented by Microsoft around 2000. There were going to be MSN based Sharepoint technologies and people would be able to access and edit Word, Excel and Powerpoint documents in a browser. (Funny that it wasn't until the anti-trust crap was lifted that Microsoft was able to finally offer this technology 10 years later.)

thenetavenger said,

This isn't even the first post in the past month I have come across where people talk about IE not having add-on support.

Unless there is some reality or specific add-on that people are talking about, IE has had add-on support going back to 1995.

IE9 still as add-on support, or I find it strange Microsoft would maintain a web site dedicated to them.... http://ieaddons.com

What do you consider 'full' browser sync? Is the qualifier 'full' to demonstrate some strange quirk? IE has had various forms of Favorites and setting 'sync' abilities going back to 1996.

(Back then, it was an easier feature to provide via MSN and Windows before Microsoft had arbitrary restrictions they had to adhere to, which is why they were behind several web storage and drive syncing features that had to be 'removed' from Windows thanks to the Anti-Trust case and the EU. If you look back, you use to be able to map online storage directly using several methods, but specifically Web Folders that used WebDav. After Anti-Trust, this was a no-no.)

However, as for IE 'syncing' on Win7, this is accomplished via 'Live Mesh' included in Live Essentials.

*Side note about online storage and 'syncing'*

Microsoft wanted to use the roaming profiles technology from NT, that goes back to the early 90s, and promote it to a base Windows feature for non-corporate individuals using their online server systems. Sadly the anti-trust stuff, stopped this, as technology needed an online server store, and was going to use MSN, back when it was an Online Forum and Internet service.

Stuff like this tends to make IT people that were in the 'know' back then twitch, as a generation of progress was killed, and in this example, it is only with Windows 8 and Microsoft being set free of some of the anti-trust crap will 'end users' finally get features they should have had 11 years ago.

It also makes myself twitch when I hear people complain that Microsoft didn't do this or didn't do that without realizing they legally couldn't, and often wanted to implement most of the stuff people complain about.

Even things that Google gets 'kudos' for, like GDocs, was something that was privately implemented and designed to be implemented by Microsoft around 2000. There were going to be MSN based Sharepoint technologies and people would be able to access and edit Word, Excel and Powerpoint documents in a browser. (Funny that it wasn't until the anti-trust crap was lifted that Microsoft was able to finally offer this technology 10 years later.)

I did not say that IE does not have add-on support. I said it should have chrome-like add-ons. Chrome has wide variety off add-ons. Would you please find me a free AdBlock and full browser sync add-on (so I never loose my browser data, not just bookmarks). If you can, I swear to god I will never use chrome on my laptops and desktops. I dont even mention about others like tabcloud, google docs viewer, built in pdf viewer etc.

I really like how IE9 is faster and better looking. The new features are amazing. But if Microsoft can't figure out a way for these lacking features, it will continue to loose market share.

Edited by trogenda, Jul 16 2011, 12:01pm :

FMH said,

IE9 is fastest in sunspider JavaScript test.

Too bad it takes longer to start up, and takes even longer to display that initial page. Very annoying. I don't notice as bad in IE9, but IE8 was bad about that.

rob.derosa said,
Hm, dangerous to say that it blocks 100%, surely. Isn't this why domestos only kills 99.99% of germs?

They're not saying it blocks 100% of all malware, just 100% of the test sample malware from the farmed URLs. Even so, when you look at how it works, it's quite possible it does block 100% of malware, as the reputation based blocking will block anything that is not commonly downloaded, and I think malware servers tend to randomly name files if I'm not mistaken, whereas legit downloads use static names. Of course, the next argument is false positives, and yes there are some, but of the several dozens of downloads I've done in IE9 I think I only got 2 or 3 false positives from the reputation based blocker.

J_R_G said,

They're not saying it blocks 100% of all malware, just 100% of the test sample malware from the farmed URLs. Even so, when you look at how it works, it's quite possible it does block 100% of malware, as the reputation based blocking will block anything that is not commonly downloaded, and I think malware servers tend to randomly name files if I'm not mistaken, whereas legit downloads use static names. Of course, the next argument is false positives, and yes there are some, but of the several dozens of downloads I've done in IE9 I think I only got 2 or 3 false positives from the reputation based blocker.

Thanks for the clarification, should have read..

J_R_G said,
They're not saying it blocks 100% of all malware, just 100% of the test sample malware from the farmed URLs. Even so, when you look at how it works, it's quite possible it does block 100% of malware, as the reputation based blocking will block anything that is not commonly downloaded, and I think malware servers tend to randomly name files if I'm not mistaken, whereas legit downloads use static names. Of course, the next argument is false positives, and yes there are some, but of the several dozens of downloads I've done in IE9 I think I only got 2 or 3 false positives from the reputation based blocker.
+1 for making good points. Reputation based blockers are stupid.

I am going to stick with Firefox + NoScript + Request Policy for now though.

Jebadiah said,
+1 for making good points. Reputation based blockers are stupid.

I am going to stick with Firefox + NoScript + Request Policy for now though.

You do realize that IE9 has NoScript and Request Policy functionality. The NoScript is not the same, as you have to manually flip the setting on/off for sites, but it is there.

thenetavenger said,

You do realize that IE9 has NoScript and Request Policy functionality. The NoScript is not the same, as you have to manually flip the setting on/off for sites, but it is there.

Who cares? Some people just don't like IE, and I'm one of them. I use IE for a couple of sites I need it for, but I'm sticking with Firefox and sometimes Chrome when I feel frisky.

farmeunit said,

Who cares? Some people just don't like IE, and I'm one of them. I use IE for a couple of sites I need it for, but I'm sticking with Firefox and sometimes Chrome when I feel frisky.


That's kind of weird, though, isn't it? "Just don't like" it? No matter how much it improves, or if it some day out performs every other browser on the platform? Just out of principle? Even if some huge scandal pops up and it turns out Chrome secretly installs a ChromeOS shell over Windows and Firefox has been using all those memory leaks to run a dark net or something absurd like that, you'll just switch to Opera, because you "just don't like" IE?

That's...enormously childish.

Joshie said,
That's...enormously childish.

That's personal preference. IE could deposit money in my checking out every time I launch it and I'd still prefer Firefox just because that's what I find much better suited for my needs. Calling somebody childish though just because they like something different.. now that's childish.

Jen Smith said,

That's personal preference. IE could deposit money in my checking out every time I launch it and I'd still prefer Firefox just because that's what I find much better suited for my needs. Calling somebody childish though just because they like something different.. now that's childish.

Except it's not about personal preference. Did you just read my post and find something to disagree with, or did you actually read the thread of discussion leading up to it? It quite literally went like this:

1) Established by article that IE (out of the box) has better malware prevention than Firefox (out of the box)
2) "Firefox + A + B = a better choice than IE"
3) "But IE has A + B." Ergo, if IE>Fx, IE + A + B > Fx + A + B (we learned this in gradeschool)
4) "Who cares?" <--actual quote

Personal preference is a great reason for choosing rice over potatoes, or Honda over Toyota. Personal preference is, after all, what many of us fall back to when all other comparisons just don't yield significant enough differences to guide a decision. But the instant you qualify your decision by listing FACTORS behind it (A + B), you're taking the stance that REASONING brought you to this decision. Taking that stance, and then saying nobody cares if the reasoning isn't actually sound, makes you look like your initial argument was insincere and just cobbled together to get out of a conversation you didn't feel like having. Ergo, childish.

Now, I REALLY held your hand through that one. If it still goes over your head, I'm sorry. As a fellow J-name, I'd hate to feel like you simply couldn't grasp my point, but if you don't, there's little else I can do except rewrite this entire post differently worded. But MAN that would be a waste of time.

Joshie said,
Except it's not about personal preference. Did you just read my post and find something to disagree with, or did you actually read the thread of discussion leading up to it? It quite literally went like this:
*snip*
But MAN that would be a waste of time.

Yes, I did happen to read the entire thing. Your long winded speech aside, I'm still referring to your comment about bashing the other guy's choice because after all that.. he still doesn't care. You can rationalize it all you want, but if he doesn't care.. well then he doesn't care. Personal preference. End of story. Drawing this into some petty forum drama is childish. If you want to go to the original point about IE's security and running in a sandbox, chalk me up in the "so what" category too. Install a proper sandbox environment and you can run any program in a sandbox. Including Firefox. Sort of like a chroot jail on steroids. I can hold your hand through that one too if you prefer.

Also, that little rant of yours.. also childish.