Defending The Kingdom

According to one study, anyway.

A recently released report claims that Internet Explorer 8 (IE8) is more than twice as effective at blocking malware sites than its nearest rival.

According to NSS Labs, which conducted the Microsoft-sponsored study, IE8 blocked 69% of the 492 malware-distributing Web sites that were included in the survey data. Mozilla’s Firefox, meanwhile, blocked only 30% of those same sites.

That the study was paid for by Microsoft doesn’t help its credibility (check out some of the complaints that are cropping up), but it’s worth considering as a single data point.

I consider browser security to be a crucial pillar of overall system security at this point. Malware infected sites, which can include otherwise trustworthy sites that have been hacked, are becoming fairly common.

Curious about the web’s most dangerous search terms?

The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky.

What makes a webpage dangerous?

• Risky downloads—Downloadable files that contain viruses, spyware, or adware or make unrelated
  changes to the downloading computer
• Browser exploits—Also known as a driveby download, this type of malicious code enables viruses,
  keystroke loggers, or spyware to install on a consumer’s computer without consent and/or knowledge
• Email practices—Registration forms and other sign-ups that result in high volume email, highly
  commercial email or both. We also test for difficultly unsubscribing.
• Phishing—Scam sites that try to trick visitors into believing the site is legitimate
• Excessive popups—Sites that engage in aggressive popup behavior or display large numbers
  of popups
• Linking practices—Sites that aggressively link to other red- or yellow-rated sites

The report, by McAfee, mentions that hacking for profit has overtaken hacking for fame. I suspect that is why we no longer worry about viruses that will wipe our hard drives clean — the tactic is attention-getting, but is unlikely to be profitable to anybody. Today, viruses that collect information about our computing habits and personal lives are the primary threats.

Internet Explorer 8 is now available for download and the first reviews look good. Here’s one:

…both speed and security are seriously better in IE8…The most significant effort involves expanding IE’s detection efforts past its current ability to identify phishing sites. The browser can now also flag suspected or known malware sites, or sites attempting to infect visitors with malware. The need for SmartScreen is great; during development, Barzdukas says, Microsoft found that infectious sites outnumbered phishing sites by a charming 10:1.

And, for this reviewer at least, IE8 passes the very important mom test:

In our tests, the detection was effective, correctly jumping on sites we knew to be infected with various bits of feral code. The warning we received, designed to support that second goal of protecting users from themselves, was perhaps even more effective than a harried tester would have liked — if the browser sees that you’re headed for a site already known to be problematic, it throws up a bright-red page warning you to turn back to your home page or inviting you to get more information. What you can’t do is easily go anywhere else; there’s no “OK” button to click. That design choice may have been a bit unnerving for a reviewer, but I’m personally planning to install the browser on my mother’s machine for that feature alone.

In September 2007, I wrote that “IE7 seems consistently to have more unpatched vulnerabilities than does Firefox”. Worse, Internet Explorer owned the more serious vulnerabilities.

That’s still true. According to Secunia, Internet Explorer 7 has 27 security vulnerabilities, ten of which remain unpatched. Firefox has 23 security vulnerabilities, nearly as many as Internet Explorer, but only three of them are unpatched.

Microsoft has made IE7 far more secure than the previous incarnation of the browser, but it looks like the Firefox can’t be caught.

In a previous post, a friend and reader asked some great questions. I answered about half of them here. Here’s round two:

1) You have mentioned a couple times data about Firefox and IE’s security vulnerabilities and patches. Could you explain what a security vulnerability constitutes in simple to understand terms? What exactly is vulnerable? Are these vulnerabilities constantly changing and being patched? At what rate?

A browser is a piece of software that interprets the languages of the internet and displays them in a way mere humans can understand. Clever coders can sometimes induce browsers to interpret a particular web language in a way that is harmful to you. For example, malicious code on a website may tell a browser to download and install a virus without telling you. Of course, browser companies (like Mozilla and Microsoft) usually try to eliminate these vulnerabilities when they are discovered.

Also, browsers can have important and well-travelled connections to a computer’s vital file systems (Internet Explorer 6 was famous for this). Imagine two paths into a file system, one of which is guarded by stern-looking toughs and another where old friends are waved through. Some badware programs have found that they can sometimes sneak in the second door if they hide under the cloak of an old friend of the guards.

As with all other security threats, browser vulnerabilities are constantly changing as attackers develop new techniques and defenders try to counter them. Each browser manufacturer patches vulnerabilities at different rates, and new threats pop up as the relative success rates of different techniques like phishing, trojans, keyloggers, viruses, and spyware shift.

2) I use Ad-Aware, Spybot, and Avast Anti-virus as you suggest. I was wondering what you recommend to do when problems are caught. There are usually options (though labeled differently) for Doing Nothing, Quarantining, Deleting, and Repairing. Are any of these options better than others, why or why not?

I like to repair infected files when possible and quarantine them when it’s not. Quarantining is, in my view, preferable to deleting for the same reason the death penalty is often eschewed in favour of a lengthy prison sentence: sometimes the prosecutor is wrong. Quarantining, like imprisoning, lets you correct mistakes when they happen, meaning you get back a file that is probably useful rather than dangerous.

3) I thought you might comment on social networking sites (Facebook, Myspace, etc.) security risks. I’ve heard in conversation with friends that quite a bit of private data can be gleaned off of what people decide to post on public sites. Is this true? What should people be able to post without compromising their security but still being able to participate in an online community?

Beyond the obvious (don’t post your SSN, etc.), there isn’t much I can say. Security and convenience almost always have to be traded against each other, and each person has to decide for herself where to start and end. If you really like sharing information on social networking sites, you might be better off protecting yourself by frequently monitoring your credit reports (the topic of an upcoming post), making sure your bank statements don’t have funny charges on them, and changing your passwords frequently.

4) I was specifically wondering about photographs and writing that you post in public spaces on the internet. Is their a security threat in these being stolen and used for monetary gains? Is it legal for people to take such information? When you post writing or photos is their any sort of laws that copyright what you post in your name? Does the website hosting you gain any ownership of the data?

Sure, people can take your photos and words and use them inappropriately, but it is illegal for them to do so in many countries. The US Copyright Office has a FAQ section on copyright that is worth reading. They say, “Copyright exists from the moment the work is created. You will have to register, however, if you wish to bring a lawsuit for infringement of a U.S. work.” I don’t think a web host gains any ownership over the data you store with them, but you may want to research this carefully if it’s important to you.