August 19th, 2009

IE8 outperforms competing browsers in malware protection -- again

Posted by Dancho Danchev @ 6:16 am

Categories: Anti Virus, Apple, Botnets, Browsers, Exploit code, Firefox, Hackers, Malware, Microsoft, Mozilla, Pen testing, Phishing, Research, Spam and Phishing

Tags: Malware, Microsoft Internet Explorer, Web Browser, IE8, Spyware, Adware & Malware, Cyberthreats, Viruses And Worms, Security, Dancho Danchev

A recently released study by NSS Labs is once again claiming that based on their internal tests, Microsoft’s Internet Explorer 8 outperforms competing browsers like Google’s Chrome, Mozilla’s Firefox, Opera and Apple’s Safari in terms of protecting their users against “socially engineered malware” and phishing attacks.

Not only did IE8 top the chart, but also, the rest of the browsers have in fact degraded their “socially engineered malware” and phishing block rate in comparison to the results released by the company in the March’s edition of the study.

How objective is the study? For starters, it’s Microsoft-sponsored one. Here’s how it ranks the browsers:

Socially engineered malware block rate:

• Microsoft Internet Explorer v8 - 81% block rate
• Mozilla Firefox v3 - 27% block rate
• Apple Safari v4 - 21% block rate
• Google Chrome 2 - 7% block rate
• Google Chrome 2 - 7% block rate

Phishing attacks block rate:

• Microsoft Internet Explorer v8 - 83% block rate
• Mozilla Firefox v3  - 80% block rate
• Opera 10 Beta - 54% block rate
• Google Chrome 2 - 26% block rate
• Apple Safari v4 - 2% block rate

What is “socially engineered malware” anyway? Basically, it’s the direct download dialog box that appears on a, for instance, scareware or Koobface video page spoofing Facebook’s layout, like the one attached. using “socially engineered malware” as a benchmark for malware block rate isn’t exactly the most realistic choice in today’s threatscape.

And even if it is, some pretty realistic conclusions can be drawn by using some internal traffic statistics from Koobface worm’s ongoing malware campaigns. The Koobface worm, one of the most efficient social engineering driven malware, is a perfect example of how security measures become obsolete when they’re not implemented on a large scale. The stats themselves:

- MSIE 7 - 255,891 visitors - 43.33%
- MSIE 8 - 189,380 visitors - 32.07%
- MSIE 6 - 76,797 visitors - 13.01%
- Javascript Enabled - 585,374 visitors - 99.13%
- Java Enabled - 576,782 visitors - 97.68%

What does this mean? It means that with or without the supposedly working “socially engineered malware” block filter using a modest sample of several hundred URLs, the Koobface botnet is largely driven by MSIE 7 users. The irony is that the previous edition of the study dubbed IE7 a browser which “practically offers no protection against malware” with the lowest block rate achieved back than - 4%.

Just like the previous edition of the study, this one also excludes the notion that client-side vulnerabilities (Secunia: Average insecure program per PC rate remains high; Secunia: popular security suites failing to block exploits) continue contributing to the “rise and rise” of web malware exploitation kits. By excluding client-side vulnerabilities, the study isn’t assessing IE8’s DEP/NX memory protection, as well as omitting  ClickJacking defenses and IE8’s XSS filter, once pointed out as a less sophisticated alternative to the Firefox-friendly NoScript.

Socially engineered malware is not the benchmark for a comprehensive assessment of a browser’s malware block rate. It’s a realistic assessment of the current and emerging threatscape combined with comprehensive testing of all of the browser’s currently available security mechanisms, a testing methodology which I think is not present in the study.