A new Microsoft-sponsored study from NSS Labs is out with a finding that IE 8 is the most secure browser, when it comes to catching, socially engineered malware. The study however did not look at the security of the browser or related plug-ins (like Flash).
What is socially engineered malware?
According to the NSS report, they defined a socially engineered malware URL as, "a web page link that directly leads to a 'download' that delivers a malicious payload whose content type would lead to execution."
So for that type of scenario, NSS reported that IE 8 caught 81 percent of all threats. In contrast, Firefox 3 (they did their test prior to the final Firefox 3.5 release) only caught 27 percent while Google Chrome 2 caught 7 percent.
The interesting part of the Firefox 3 to Chrome 2 comparison, in my opinion, is the fact that both Firefox and Chrome use Google's SafeBrowsing API. Firefox has been using Google's API since the Firefox 2 release. In 2006, a Mozilla-sponsored study found that Firefox 2 was superior at catching phishing sites. Another 2006 study, sponsored by Microsoft found that IE 7 had the best anti-phishing filter.
So what's my point?
No doubt Microsoft is investing in improving IE and its security features. But when it comes to saying which browser is best for security, it's a slippery slope.
One particularly interesting tidbit that I found in the NSS study is a disclaimer found as a footnote at the bottom of the second page of the report.
Note:This study does not compare browser security related to vulnerabilities in plug-ins or the browsers themselvesThat's kind of a big deal, isn't it?
Flash has been a known route to exploitability. Specific browser issues in IE 8 led to an emergency out of band patch earlier this year. As well, when it comes to the socially engineered malware description, in Firefox even if the Google SafeBrowsing API didn't block the download, the user still has to click on the file to actually execute it. Most Windows users should have anti-virus protection and that would (hopefully) protect users.
For Linux users, .exe files don't run so the risk is non-existent.
I think the greatest risk continues to be the drive-by issue. Those are cases, where a user doesn't have to do anything (i.e click a file) to be at risk. I'd like to see a non-partisan third party study that gives all the major browser due diligence on that issue.
Article courtesy of InternetNews.com.