By Ron Grattopp ronaldg 001…..I ran across this report a while back and thought it might be a worthwhile thing to share with you.  One of my favorite all-time movie lines comes from the original Pirates of the Caribbean where the Commodore tells Jack Sparrow that he’s the worst pirate he’s ever heard of, to which Jack replies, “well, at least you’ve heard of me”.  So this is an effort to get some word out about how Microsoft does innnovate (although we don’t seem to get as much credit for it as some) and how we continue to focus on security, in this case to provide users the most secure browsing experience currently available even though you’ve likely not heard about the subject of this post.  For starters, here’s a couple of related links that you may want to check out (the first being the NSS Labs report).

Web Browser Security - Socially-Engineered Malware Protection (NSS Labs Report)
IE wins malware blocking tests (PCWorld article)
IE9 hammers rivals in download blocking test (TechWorld article)

Which do you think is the biggest malware threat today, socially- engineered (SE) or drive-by attacks?  Well, as far as I know there’s no definitive data proving one or the other; however, in their report on web browser security (link above), NSS states: “Socially Engineered (SE) Malware remains the most common security threat facing Internet users today. Recent studies show that users are four times more likely to be tricked into downloading malware than be compromised by an exploit.”  (citing a 2010 conference report from http://www.virusbtn.com).

Even if you don’t agree that SE malware is the greater threat today, I think we all would agree that practicing “safe browsing” is something everyone should pay attention to.  Now, with that said, how many of you actively discuss this aspect of IT with your customers?  (a lot I hope)  What’s interesting to me is how many folks don’t seem to have browser security as a high priority and furthermore, how many folks are unaware of the relative “safety” of the various browser platforms, especially as it applies to protecting them from SE attacks.

So that brings me to this post and the need to highlight the findings in this report.  The PCWorld article above states: “The in-house reputation system used in Internet Explorer 8 and 9 is markedly superior at blocking social-engineering attacks than the Google equivalent used by Chrome, Firefox, Apple's Safari, an independent test by NSS Labs has found.” The NSS Labs test was presumably the first test of browser protection against SE malware, and was done targeting European malware URLs over 19 days in April 2011 (so it’s pretty current).  IE 8 achieved a mean block rate of 90 percent, leaving Chrome 10, Firefox 4 and Safari 5 in the dust at 13 percent each. 

So here’s where the title of this post came from, IE uses two embedded security technologies to perform it's magic, and I’m betting that only a handful of you, if any, are familiar with them.  One is Smartscreen URL Reputation filter, a cloud-based system that checks URLs against a master database – it’s present in both IE 8 and 9 and works essentially the same in both.  The kicker, however, is that IE 9 incorporates a second system, which is new and is known as SmartScreen Application Reputation filter, which, based on the findings of this test, provides a remarkably effective level of download block protection – in fact, in IE 9 with application filtering turned on, the results were a mean blocking rate of 100 percent prompting NSS Labs to state in the report that: “IE 9 with Smartscreen offers the best protection against socially engineered malware”.  Chrome, Firefox and Safari all use a different URL checking system, which previous NSS Labs tests have suggested is now falling somewhat behind.   So just when you thought that browser security was perhaps even or comparable across the various platforms, we find that Microsoft has, in fact, done something somewhat innovative here: as the report authors state: "The significance of Microsoft's new application reputation technology cannot be overstated. Application Reputation is the first attempt by any vendor to create a definitive list of every application on the Internet" and it’s dynamically created and maintained.  

Another interesting aspect of the test is that an extra but important dimension. 'average response time to block malware', was also tested which is basically the time it took each browser to add a problem site to the block list once it had been fed in to the test by NSS Labs.  Again, IE 9 with Application Reputation enabled gained a perfect score, adding a site without any delay, the only browser to manage such a feat.  Interestingly, however, without the Application layer, IE 8/9 had longer times than the rival browsers.  Block time is worth noting because it represents the window of potential exposure.

I should point out that a limitation of the report is that it only measures one dimension of the threat users face when using browsers, that of attacks where the user can be tricked – or 'socially-engineered' - into downloading malware as opposed to what are called 'drive-by' attacks that seek to exploit specific vulnerabilities in software and which require no user intervention.  But as I mentioned early on, some data suggests that SE malware is significantly more prevalent these days, so make of it what you will.  The bottom line is that Microsoft does innovate and provides one of the safest browsing experiences currently available, so that’s something you should make sure you and your customers know.

Cheers, as always,

Ron