March 24, 2009, 3:56 PM — A recently released report claims that Internet Explorer 8 (IE8) is more than twice as effective at blocking malware sites than its nearest rival.
According to NSS Labs Inc., which conducted the Microsoft-sponsored study, IE8 blocked 69% of the 492 malware-distributing Web sites that were included in the survey data. Mozilla Corp.'s Firefox, meanwhile, blocked only 30% of those same sites.
"I was surprised that IE8 did as well as it did," Rick Moy, the president of NSS Labs, said in an interview Tuesday. "But Microsoft has put a lot of effort into security in IE8."
NSS tested six Windows-based browsers -- IE8 RC1, Firefox 3.0.7, Safari 3, Chrome 1.0.154, Opera 9.64 and IE7 -- against so-called "socially engineered" malware: Sites that dupe visiting users into downloading attack code. Typically, the download is disguised, often as an update to popular software such as Adobe's Flash Player.
The tests did not include sites that attack browsers without any user interaction, an increasingly common tactic by hackers who often infect legitimate sites with kits that try a number of different exploits in the hope of compromising an unpatched PC.
To defend against the kind of malware sites that NSS tested, browser makers have been adding anti-malware features to their software. Mozilla, for example, added malware site blocking to Firefox 3.0, which shipped last June.
All browsers that include such a tool -- or anti-phishing tools, which operate in a similar fashion -- rely on a "blacklist" of some sort. The list, which includes known or suspected malware sites, is used to display warnings before a user reaches a site, but after the URL is typed in.
The other browsers trailed IE8 and Firefox in NSS' tests. Apple Inc.'s Safari, for example, blocked 24% of the malware sites, even though Version 3.2 doesn't have an explicit anti-malware tool. Moy said he believed that Safari's anti-phishing tool, which Apple added in November 2008, may have triggered the blocks, since many phishing sites also distribute malware if they're unable to trick users into giving up their identity information through other tactics. "Or maybe Apple started seeding its [anti-phishing] list with malware sites before it launched the beta of Safari 4," Moy said.
NSS started its tests just days after Apple released Safari 4's beta, and was unable to switch out the production browser for the beta on short notice. "And most people are using [Version] 3 anyway," he added.
Google Inc.'s Chrome came in at fourth place, blocking only 16% of the malware sites, said Moy. In fact, Chrome gave NSS some trouble, since its initial protection, while "commendable," faded over time. NSS tested each browser against the sites every two hours for 12 days, and as time went on, Chrome caught fewer and fewer malware URLs. NSS manually rechecked the results to make sure a bug had not cropped into the testing process, but concluded that Chrome does worse over time. "I was surprised that Google dropped off like it did," said Moy.
The two bottom browsers, Opera 9.64 and IE7, were essentially useless at stopping their users from visiting bad sites, catching just 5% and 4%, respectively. "[They] provided virtually no protection against malware," said the NSS report.
Microsoft was the sole sponsor of the test, Moy acknowledged, adding that having just one funding source was unusual for his company. "It wasn't exactly a comfortable feeling, but I think it was all pretty above board. They were very hands off."
Even though John Pescatore, Gartner Inc.'s top security analyst, noted that NSS has a solid reputation in testing circles, he cautioned against reading too much into the report. "You do have to look at the results of this with a jaundiced eye," he said Tuesday.
Pescatore also questioned whether the numbers reflected how browsers -- and more importantly, browser users -- really work. "For IE7 and Firefox, in real world use, we don't see any major difference in their security performance," he said. "If you look at how Firefox 3.0 is really used, and how IE8 is used, and the typical user, I don't think there's going to be a tremendous difference in blocking malware sites. They use very similar databases."
In fact, Firefox, Chrome and Safari all turn to the same source for their blacklist: Google's SafeBrowsing API. Moy wasn't able to completely explain why, if that's the case, the three browsers' scores were so different in the NSS tests. He did, however, speculate that while each browser pings Google's blacklist, they handle the information differently, and may add or subtract from it using their own algorithms.
"The implementation [of SafeBrowsing] is different in Firefox than the others using it," Moy said.
The NSS report can be downloaded from the company's Web site ( PDF download). NSS has also scheduled a Webinar for March 31 at 10 a.m. PT, during which it will outline its results. Users can register for the session on the NSS site.