From the ‘Read The Fine Print‘ files:
A new Microsoft-sponsored study from NSS Labs is out with a finding that IE 8 is the most secure browser, when it comes to catching, socially engineered malware. The study however did not look at the security of the browser or related plug-ins (like Flash).
What is socially engineered malware?
According to the NSS report, they defined a socially engineered malware URL as, “a web page link that directly leads to a
‘download’ that delivers a malicious payload whose content type would
lead to execution.”
So for that type of scenario, NSS reported that IE 8 caught 81 percent of all threats. In contrast, Firefox 3 (they did their test prior to the final Firefox 3.5 release) only caught 27 percent while Google Chrome 2 caught 7 percent.
The interesting part of the Firefox 3 to Chrome 2 comparison, in my opinion, is the fact that both Firefox and Chrome use Google’s SafeBrowsing API. Firefox has been using Google’s API since the Firefox 2 release. In 2006, a Mozilla-sponsored study found that Firefox 2 was superior at catching phishing sites. Another 2006 study, sponsored by Microsoft found that IE 7 had the best anti-phishing filter.
So what’s my point?
No doubt Microsoft is investing in improving IE and its security
features. But when it comes to saying which browser is best for
security, it’s a slippery slope.
One particularly interesting
tidbit that I found in the NSS study is a disclaimer found as a
footnote at the bottom of the second page of the report.
Note:This study does not compare browser security related to vulnerabilities in plug-ins or the browsers themselves
That’s kind of a big deal, isn’t it?
Flash
has been a known route to exploitability. Specific browser issues in IE
8 led to an emergency out of band patch earlier this year. As well,
when it comes to the socially engineered malware description, in
Firefox even if the Google SafeBrowsing API didn’t block the download,
the user still has to click on the file to actually execute it. Most
Windows users should have anti-virus protection and that would
(hopefully) protect users.
For Linux users, .exe files don’t run so the risk is non-existent.
I
think the greatest risk continues to be the drive-by issue. Those are cases, where a user
doesn’t have to do anything (i.e click a file) to be at risk. I’d like
to see a non-partisan third party study that gives all the major
browser due diligence on that issue.
Article courtesy of InternetNews.com.