Microsoft talks more about IE10 security features

In May, NSS Labs issued the results of its study of how well web browsers block malware. It showed Microsoft's Internet Explorer 10 blocking 99.96 percent of all malware during the test period, which was a much better percentage than Chrome or Firefox. Today, Microsoft went over some of the features in IE10 that help it stop malware and other security issues, along with the results of another security report.

The official IE blog states that for stopping direct malware attacks via websites, IE10 uses a combination of SmartScreen URL filtering and Application Reputation features. For websites that are normally trusted but become infected by malware, IE10 users can use the XSS Filter that is made to fight off these kinds of exploits. Finally, IE10 has more memory protection features and its Enhanced Protected Mode.

Microsoft cites another third-party security report, the Secunia Vulnerability Review 2013, to show IE10 is better than its competitors in offering safer PC Internet browsing. The report claims that IE10 had just 10 Secunia Advisories and 41 vulnerabilities, compared to 28 advisories in Chrome and 28 in Firefox. In terms of vulnerabilities, Secunia said that Chrome had 291 and Firefox had 257.

Of course, Microsoft is about to release the first public preview of IE11 next week for Windows 8 users as part of the Windows 8.1 update.

Source: Microsoft | Image via Microsoft


26 Comments


sjaak327 said,
This merely confirms what we already knew. The safest browsing experience on Windows is called IE.

WHAT A RELIEF!

IE10 is also relatively new compared to the others, so of course it'll have few vulnerabilities reported. Performance on any machine I've ever used is still much slower than either Firefox or Chrome.

Firefox 21 has 0 vulnerabilities reported! (Can you sense the sarcasm?)

Since this analysis was over the same time period for all browsers (2013) this shouldn't matter.

Then let's compare all other versions of IE over that period, because there are still a LOT of people on older versions. For this to hold water, that would make sense.

Doesn't make sense from the point of view of understanding what the current development process is like, only makes sense if you are desperate to find something, anything, to bludgeon MS over the head with. People on old browsers, are the ones to blame, and web sites that don't use standard html, MS has no part in it.

If you look at the actual CVE database, you'll see that IE fared rather well compared to the others. In 2012, for example, it was still the lowest of the big three: IE (all versions) at #46, Firefox at #2 and Chrome at #1. For all-time reported vulnerabilities (1999-2013), IE is at #6, Chrome at #4 and Firefox at #2. Still prefer Firefox myself but if you're just going off of vulnerabilities, IE has the better record.

J_R_G said,

Since this analysis was over the same time period for all browsers (2013) this shouldn't matter.


Add to it that IE10 still has components originating out of IE6.
It isn't the newest browser, it's actually the first and oldest graphical browser.

For those that don't know, if you use IE10 on Win 8, you can go into internet options, advanced, and check 'enable enhanced protected mode'. This will run the browser in x64 mode, which enables things like better memory protection against exploits with x64 ASLR (memory randomization), and enables the more hardened metro app sandbox for IE, called AppContainer. Most plug-ins don't work in x64 (flash does), however you will get prompted to run a tab in 32-bit mode if IE detects an incompatible plug-in on a page you load. Also enabling 'ActiveX filtering' in the safety menu will help, IE won't run any ActiveX plug-ins until you click the blue circle with the line through it in the address bar and select 'turn off ActiveX filtering for this site.'

There's also an addon whitelist in the local security policy so

Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the local computer.

Windows Components/Internet Explorer
Policy    Setting    Comment
Do not allow users to enable or disable add-ons    Enabled

Windows Components/Internet Explorer/Security Features/Add-on Management
Policy    Setting    Comment
Add-on List    Enabled
Add-on List
{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}    1
^ the guid for the addon found in its more info link in addon management

Policy    Setting    Comment
Deny all add-ons unless specifically allowed in the Add-on List
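
An audit of the settings described in the comment above, as an added example that is not part of the original comment or of any Microsoft tooling. The registry paths and value names are not on the page; they are assumed here to be the locations these IE options and policies write to. The Add-on List only acts as an allow-list when the "Deny all add-ons" policy is also enabled, so both are reported.

```powershell
# Added example: reads the local registry only, changes nothing.
# All paths and value names below are assumptions, not taken from the page.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$ieUser   = 'Software\Microsoft\Internet Explorer'
$iePolicy = 'Software\Policies\Microsoft\Internet Explorer'
$extPol   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext'

# Enhanced Protected Mode: Isolation = 'PMEM' means enabled.
# A policy value, if present, takes precedence over the user's own setting.
$isolation = @(
    (Get-RegValue "HKLM:\$iePolicy\Main" 'Isolation'),
    (Get-RegValue "HKCU:\$iePolicy\Main" 'Isolation'),
    (Get-RegValue "HKCU:\$ieUser\Main"   'Isolation')
) | Where-Object { $_ } | Select-Object -First 1

# Add-on List entries: value name is the add-on CLSID, data is its state
# (1 corresponds to the "1" shown next to the GUID in the policy report).
$allowed = @()
if (Test-Path "$extPol\CLSID") {
    $key = Get-Item "$extPol\CLSID"
    $allowed = $key.GetValueNames() | ForEach-Object {
        [pscustomobject]@{ Clsid = $_; State = $key.GetValue($_) }
    }
}

$report = [ordered]@{
    'Enhanced Protected Mode'     = ($isolation -eq 'PMEM')
    'ActiveX Filtering'           = ((Get-RegValue "HKCU:\$ieUser\Safety\ActiveXFiltering" 'IsEnabled') -eq 1)
    'Users cannot toggle add-ons' = ((Get-RegValue "HKLM:\$iePolicy\Restrictions" 'NoExtensionManagement') -eq 1)
    'Add-on List enabled'         = ((Get-RegValue $extPol 'ListBox_Support_CLSID') -eq 1)
    'Deny add-ons not in list'    = ((Get-RegValue $extPol 'RestrictToList') -eq 1)
}

$report.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
$allowed | ForEach-Object { 'Add-on List entry {0} = {1}' -f $_.Clsid, $_.State }

# A populated Add-on List without the deny policy does not block other add-ons.
if ($allowed.Count -gt 0 -and -not $report['Deny add-ons not in list']) {
    'WARNING: Add-on List is set but add-ons outside it are not denied.'
}
```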

J_R_G said,
For those that don't know, if you use IE10 on Win 8, you can go into internet options, advanced, and check 'enable enhanced protected mode'.

There is a secondary security feature within IE10 that I personally love. Having the Protected Mode turned on in the Internet zone, and not having it turned on for the Trusted Zone, while running Internet Explorer as Other User. It isolates the browser from your normal user session via Run As, and then only sites you add to your trusted sites can read/write to the system clipboard.

No other browser or internet facing app I've encountered actually blocks clipboard rights for sites I don't trust. Mind you, it only works this way when you Run as Other User. Running it under your normal user context doesn't secure the clipboard either way.

Edited by ITFiend, Jun 23 2013, 4:52am :

Also, you could go through Internet Options -> Security Settings and enable Protected Mode for all zones, including the Trusted Sites zone.

A protected mode bypass isn't needed by the vast majority of users.

It's nice that MS talks about security (never enough of it),
but it would be nice to actually gain also some features ...
because HTML5test http://html5test.com/results/desktop.html and CSS4test http://css3test.com/
show clearly why 'the other browsers' brag about 'more stuff supported'.
ATM even IE11 looks pathetic ...
And worst is, the slower MS adds features, the harder it is for everyone to adopt them
(as it usually means trashing IE users altogether).

These figures are a useless comparison because Chrome and Firefox are open source and so it's much easier to find vulnerabilities in them. If MS want to throw these numbers around they should publish the IE10 source code and give it six months and then see what their figures look like.

Cryton said,
These figures are a useless comparison because Chrome and Firefox are open source and so it's much easier to find vulnerabilities in them. If MS want to throw these numbers around they should publish the IE10 source code and give it six months and then see what their figures look like.
Doesn't matter: Google and Firefox also have a higher chance of finding an exploit, but also a higher chance to patch the exploit. This fixes your statement.

Northgrove said,
I was just thinking this. Very often, outside sources are involved in analyzing their code. With IE, there's no code to even analyze.

This is a good thing, no? Isn't the OSS community always screaming that it's better to have open source rather than closed source?
hahaha.

The new version of Internet Explorer 10 versus a 2-3 version older Chrome and Firefox.

It sounds a fair comparison. /s

Brony said,
It sounds a fair comparison. /s

Look at the statistics over the years. Since 2005, IE hasn't been the worst offender when it comes to vulnerabilities.

Brony said,
The new version of Internet Explorer 10 versus a 2-3 version older Chrome and Firefox.

It sounds a fair comparison. /s

Mmm? Chrome 26 and Firefox 19 are the latest stable releases, isn't that fair? Besides, they are both from February/March 2013, where IE10 is from August 2012 (RTM date). So, how is that not fair?

Studio384 said,
Mmm? Chrome 26 and Firefox 19 are the latest stable releases, isn't that fair? Besides, they are both from February/March 2013, where IE10 is from August 2012 (RTM date). So, how is that not fair?
Whoops, I mean this:

Mmm? Chrome 26 and Firefox 19 are newer than IE10, isn't that fair: they are both from February/March 2013, where IE10 is from August 2012 (RTM date). So, how is that not fair?

Studio384 said,
Mmm? Chrome 26 and Firefox 19 are the latest stable releases, isn't that fair? Besides, they are both from February/March 2013, where IE10 is from August 2012 (RTM date). So, how is that not fair?

The latest Firefox not-beta is Firefox 21 and the latest Chrome is Chrome 27.
And if Internet Explorer is left behind then it is not a Firefox or Chrome problem. Microsoft decided to tie iexplorer with the OS.

When vulnerabilities are found in Chrome and Firefox they are usually patched within a week. With IE some vulnerabilities have taken years to patch (the cursor flaw was a great example of this). Even to this day, unless a vulnerability is really serious Microsoft usually don't release a patch until Patch Tuesday.

More vulnerabilities may be found in Chrome and Firefox but I find their practises to be more sensible with regards to fixes than those Microsoft use.
