This comes from a recent Network World article: Microsoft IE 8 shines in Web browser security test
Alright, if you even read the first paragraph of the article, you’ll find that MS paid for the test, so right away some folks will discredit the whole thing, although many of those same folks have no problem with tests that other folks pay for – at least it’s done by a 3rd-party research outfit and not by the vendor (in this case us). My main point here, however, isn’t to extol the virtue of IE8 over other browsers, or even to cast aspersions on some of the ones who didn’t do very well, but rather to point out a couple of “read between the lines” thoughts in line with some of the threads that I focus on in this blog – one of the main ones being that Microsoft “gets” security, as well as the underlying value of our focus on security at the platform level, the Secure Development Lifecycle thing. So, please read the last couple of paragraphs even if you choose to skip the next few sections around the specifics of the test.
Before we go on, let’s do a quick review of some of the highlights of the article (titled "Web browser Security: Socially Engineered Malware Protection Comparative Results 2nd Edition").
The tests were done over a two-week period in July at the NSS Labs in Austin. They evaluated what are generally considered the top 5 browsers: Internet Explorer 8, Apple Safari 4, Google Chrome 2, Mozilla Firefox 3, and Opera 10 (beta). The tests were done based on access to live Internet sites and, in theory, could be duplicated elsewhere. In the end, IE 8 was evaluated as the best when it comes to browser protection against phishing and malware, mainly because Microsoft was deemed more speedy and comprehensive in delivering updates about known phishing and malware to the user's desktop browser. This is important because time is of the essence in this area, as a report from the Anti-Phishing Working Group estimates that more than 47,000 unique attacks occurred in the second half of 2008 with an average lifespan of 52 hours.
Here are some more details around the test. It was based on 593 validated URLs. "The average phishing URL catch rate for browsers over the entire 14-day test period ranged from 2% for Safari 4 to 83% for Windows Internet Explorer 8," the test report states. "Internet Explorer 8 and Firefox 3 [80%] were the most consistent in the high level of protection they offered." Opera 10 achieved only 54%, followed by Chrome 2 at 26% and Safari 4 at 2% in terms of mean block rate for phishing. The Network World article even pointed out that the report stated: "We expected better results given the fanfare about Google's SafeBrowsing initiative." Also, IE was found to perform the best in testing for how well each of the five browsers provides protection against socially-engineered malware, defined as a Web page link that leads directly to a ‘download’ that delivers a malicious payload whose content type would lead to execution.
In another test based on 608 potentially malicious URLs, IE 8 achieved an 81% mean block rate for socially-engineered malware, while none of the others even topped 30%, and Chrome and Opera were <10%. On average, 197 new validated URLs were added to the test each day, more or less depending on "criminal activity levels" as malicious URLs quickly rolled in and out of use.
Internet Explorer 8, with its “SmartScreen” protection mechanism, did best at protecting against socially-engineered malware in what was called the "zero hour" timeframe, when a malicious URL was spotted, blocking 51% of the time. And the report goes on to note that “By the fifth day of the known malicious URL, IE 8 was blocking 91% of the time, Firefox 3 24%, Safari 4 22%, Chrome 2 14% and Opera 10 beta 1%”.
So now, for the reason behind why I chose to blog about this. Again, it really wasn’t just to “plug” IE8; I’m sure no one is going to change their default browser based on this one test, especially since they/you can choose to downplay this info given that the test was MS-sponsored. BUT, what I want to point out (the “between the lines” info) is that this represents further evidence of the effectiveness of Microsoft’s focus on security (which has been going on for some years now). I’ve mentioned in previous posts that MS has a world-wide, world-class security (anti-malware) threat research and response system. You can find out more about this at: Microsoft Malware Protection Center Portal – in fact, I highly encourage you to do this if you’re not already familiar with it (please read the “Who we are and what we do” section on the home page if nothing else). This system’s protection capability is shared across all of our platform products. So, what you may not know is that this “ecosystem”, if you will, which is helping to provide you with top-of-the-line anti-phishing in our browser is also the same technology and infrastructure that helps secure and protect your email and data (Forefront as well as the consumer-oriented security technologies). Moreover, you may not have known that our system is easily the equivalent of, and I would make the case even better than, any of the other “major security vendors” out there, and that’s why you should seriously consider using our business as well as consumer-oriented security products. Back to the matter at hand, as far as I know, none of the other browser vendors has this kind of resource going for them, so hopefully you see, and believe, that IE 8 isn’t winning in this area by “smoke and mirrors” (as I’m sure many will claim), but rather by leveraging Microsoft’s huge investment in and focus on security.
As you may recall, I’ve said it before, and I’ll say it again, Microsoft IS a great bet around security these days – heck, even one of the most maligned features of Vista (UAC) actually provided significantly improved security and protection (and indirectly reliability) over its predecessors. And, most of you are aware that our Windows servers are successfully supporting infrastructures, like our very own and much of DoD, that require the highest levels of security and access control possible (and, of course, it’s all the same platform).
Thus, I close by pointing out I hope you found the IE 8 test interesting, not so much from a browser compete perspective (although that would be OK by me), but, as further indication and proof of what I’ve been trying to help you understand and be able to articulate, which is that the Microsoft platform is the one I think you (and your customers) should bet on as we all move into an ever more challenging era of computing on the security front.
See also: IE8 reaches 80 million malware blocks