A recently released report claims that Internet Explorer 8 (IE8) is more than twice as effective at blocking malware sites than its nearest rival.

According to NSS Labs, which conducted the Microsoft-sponsored study, IE8 blocked 69% of the 492 malware-distributing Web sites that were included in the survey data. Mozilla’s Firefox, meanwhile, blocked only 30% of those same sites.

That the study was paid for by Microsoft doesn’t help its credibility (check out some of the complaints that are cropping up), but it’s worth considering as a single data point.

I consider browser security to be a crucial pillar of overall system security at this point. Malware infected sites, which can include otherwise trustworthy sites that have been hacked, are becoming fairly common.

The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky.

What makes a webpage dangerous?

• Risky downloads—Downloadable files that contain viruses, spyware, or adware or make unrelated
  changes to the downloading computer
• Browser exploits—Also known as a driveby download, this type of malicious code enables viruses,
  keystroke loggers, or spyware to install on a consumer’s computer without consent and/or knowledge
• Email practices—Registration forms and other sign-ups that result in high volume email, highly
  commercial email or both. We also test for difficultly unsubscribing.
• Phishing—Scam sites that try to trick visitors into believing the site is legitimate
• Excessive popups—Sites that engage in aggressive popup behavior or display large numbers
  of popups
• Linking practices—Sites that aggressively link to other red- or yellow-rated sites

The report, by McAfee, mentions that hacking for profit has overtaken hacking for fame. I suspect that is why we no longer worry about viruses that will wipe our hard drives clean — the tactic is attention-getting, but is unlikely to be profitable to anybody. Today, viruses that collect information about our computing habits and personal lives are the primary threats.

…both speed and security are seriously better in IE8…The most significant effort involves expanding IE’s detection efforts past its current ability to identify phishing sites. The browser can now also flag suspected or known malware sites, or sites attempting to infect visitors with malware. The need for SmartScreen is great; during development, Barzdukas says, Microsoft found that infectious sites outnumbered phishing sites by a charming 10:1.

And, for this reviewer at least, IE8 passes the very important mom test:

In our tests, the detection was effective, correctly jumping on sites we knew to be infected with various bits of feral code. The warning we received, designed to support that second goal of protecting users from themselves, was perhaps even more effective than a harried tester would have liked — if the browser sees that you’re headed for a site already known to be problematic, it throws up a bright-red page warning you to turn back to your home page or inviting you to get more information. What you can’t do is easily go anywhere else; there’s no “OK” button to click. That design choice may have been a bit unnerving for a reviewer, but I’m personally planning to install the browser on my mother’s machine for that feature alone.

In September 2007, I wrote that “IE7 seems consistently to have more unpatched vulnerabilities than does Firefox”. Worse, Internet Explorer owned the more serious vulnerabilities.

That’s still true. According to Secunia, Internet Explorer 7 has 27 security vulnerabilities, ten of which remain unpatched. Firefox has 23 security vulnerabilities, nearly as many as Internet Explorer, but only three of them are unpatched.

Microsoft has made IE7 far more secure than the previous incarnation of the browser, but it looks like the Firefox can’t be caught.

1) You have mentioned a couple times data about Firefox and IE’s security vulnerabilities and patches. Could you explain what a security vulnerability constitutes in simple to understand terms? What exactly is vulnerable? Are these vulnerabilities constantly changing and being patched? At what rate?

A browser is a piece of software that interprets the languages of the internet and displays them in a way mere humans can understand. Clever coders can sometimes induce browsers to interpret a particular web language in a way that is harmful to you. For example, malicious code on a website may tell a browser to download and install a virus without telling you. Of course, browser companies (like Mozilla and Microsoft) usually try to eliminate these vulnerabilities when they are discovered.

Also, browsers can have important and well-travelled connections to a computer’s vital file systems (Internet Explorer 6 was famous for this). Imagine two paths into a file system, one of which is guarded by stern-looking toughs and another where old friends are waved through. Some badware programs have found that they can sometimes sneak in the second door if they hide under the cloak of an old friend of the guards.

As with all other security threats, browser vulnerabilities are constantly changing as attackers develop new techniques and defenders try to counter them. Each browser manufacturer patches vulnerabilities at different rates, and new threats pop up as the relative success rates of different techniques like phishing, trojans, keyloggers, viruses, and spyware shift.

2) I use Ad-Aware, Spybot, and Avast Anti-virus as you suggest. I was wondering what you recommend to do when problems are caught. There are usually options (though labeled differently) for Doing Nothing, Quarantining, Deleting, and Repairing. Are any of these options better than others, why or why not?

I like to repair infected files when possible and quarantine them when it’s not. Quarantining is, in my view, preferable to deleting for the same reason the death penalty is often eschewed in favour of a lengthy prison sentence: sometimes the prosecutor is wrong. Quarantining, like imprisoning, lets you correct mistakes when they happen, meaning you get back a file that is probably useful rather than dangerous.

3) I thought you might comment on social networking sites (Facebook, Myspace, etc.) security risks. I’ve heard in conversation with friends that quite a bit of private data can be gleaned off of what people decide to post on public sites. Is this true? What should people be able to post without compromising their security but still being able to participate in an online community?

Beyond the obvious (don’t post your SSN, etc.), there isn’t much I can say. Security and convenience almost always have to be traded against each other, and each person has to decide for herself where to start and end. If you really like sharing information on social networking sites, you might be better off protecting yourself by frequently monitoring your credit reports (the topic of an upcoming post), making sure your bank statements don’t have funny charges on them, and changing your passwords frequently.

4) I was specifically wondering about photographs and writing that you post in public spaces on the internet. Is their a security threat in these being stolen and used for monetary gains? Is it legal for people to take such information? When you post writing or photos is their any sort of laws that copyright what you post in your name? Does the website hosting you gain any ownership of the data?

Sure, people can take your photos and words and use them inappropriately, but it is illegal for them to do so in many countries. The US Copyright Office has a FAQ section on copyright that is worth reading. They say, “Copyright exists from the moment the work is created. You will have to register, however, if you wish to bring a lawsuit for infringement of a U.S. work.” I don’t think a web host gains any ownership over the data you store with them, but you may want to research this carefully if it’s important to you.

It’s been about six months since I last posted about browser security. I reported then that Internet Explorer 7 had overcome many of the security vulnerabilities that plagued IE6 for so many years. I even said that IE7 should be considered as secure as Firefox until more data became available. So, what does the data say now?
IE7 is still vastly better than IE6. For those who prefer Internet Explorer, but haven’t yet upgraded to the newest version, wait no longer.

Despite IE7′s advances over it’s predecessor, however, some differences between IE7 and Firefox are beginning obvious. IE7 seems consistently to have more unpatched vulnerabilities than does Firefox. As of today, Secunia, a security consultancy, is reporting that IE7 has 10 unpatched vulnerabilities, almost twice as many as Firefox.

Moreover, IE7′s worst flaw is rated “Highly critical”, while Firefox’s worst is rated “Less critical”. Unfortunately for Internet Explorer, its trouble with more and more severe vulnerabilities is more habit than fluke. Every time I have checked Secunia’s vulnerability reports on the two browsers over the last six months, the general trend has not changed. At this point, it is clear that Firefox typically has fewer security flaws, and the flaws it has are not as serious as those of Internet Explorer.

Unfortunately, the statistics package I use is not sophisticated enough to tell me which version of each browser people are using. So, one of the questions I have is this. How many of you still use Internet Explorer 6? If you use IE6, It’d be great if you’d leave a brief comment on why you use it, and, more specifically, why you use it even though its security is awful.

For those who prefer Internet Explorer over other browsers, try upgrading to IE7. It’s a tremendous security improvement over version 6 and it may be especially important to upgrade as Microsoft puts more of its security efforts toward IE7, leaving IE6 users relatively unsuported and vulnerable.

However, I was (and still am) hesitant to fully endorse Internet Explorer. Fixes for Internet Explorer have traditionally been much slower in coming than they have been for rival browsers, including Firefox. This may be the case, now, too.

Security report today and 19 days ago

Today, Secunia’s website says that Internet Explorer has 8 vulnerabilities, 6 of which remain unpatched. For comparison, Firefox has 6 vulnerabilities, 3 of which remain unpatched.

What does this mean? Well, the figures above need to be contrasted with what I wrote 19 days ago:

Firefox is affected by 5 security vulnerabilities, 4 of which remain unpatched, whereas Internet Explorer is affected by 6 vulnerabilities, 4 of which remain unpatched.

Thus, in the last 19 days, Firefox has gained one vulnerability and fixed two. Over the same period, Internet Explorer has gained two new vulnerabilities and has not fixed these or any of the previously known vulnerabilities.

I don’t want to make too much of this just yet. It could be that we caught Internet Explorer on a bad week or that a bunch of its weaknesses will be patched in the next couple of days, making the difference between Internet Explorer and Firefox, at least in security terms, negligible once again. But we should all realize that if slow patching becomes a pattern with Internet Explorer 7, as it was with Internet Explorer 6, using it should be considered unsafe. I’ll update this topic when more evidence is available, one way or the other.

The security story so far

Firefox is, as ever, quite secure. The surprise is that Internet Explorer is now in the same league. This is a good thing for everyone who uses the internet, no matter what browser you use. This is because those using safer browsers are lower infection risks to others on the internet. Just as you hope that your neighbours and coworkers have enough sense to treat themselves quickly (and make themselves scarce!) when they have an infectious disease, you should hope that your fellow internet users do their best to keep themselves free of viruses, including using a safe browser.

If you’re wondering just how much catching up Internet Explorer 7 has done, consider this: as of 20 February 2007, Secunia, a security consultancy, reports that Firefox is affected by 5 security vulnerabilities, 4 of which remain unpatched, whereas Internet Explorer is affected by 6 vulnerabilities, 4 of which remain unpatched. This is somewhat surprising for those who have become accustomed to reports of Microsoft’s pathetic security efforts, especially browser related ones.

So, which do I recommend?

The data above indicates that Firefox and Internet Explorer are now on equal footing with respect to current security flaws. They both have 4 unfixed vulnerabilities (although there may be some as yet unknown vulnerabilities for either browser). On this criteria, you would be equally safe using IE and Firefox.

In that case, why haven’t I added a link to the Internet Explorer 7 download page on my sidebar, right next to the Firefox link? The answer is this: While I am wildly impressed at IE’s new security status, there is another consideration that prevents me from wholeheartedly endorsing it. This is the speed at which the Firefox and Internet Explorer browsers have historically been repaired when a new vulnerability was discovered. A story from TechWeb illustrates the point:

[Firefox's] open-source browser had a decided advantage over Microsoft’s on a time-to-patch criteria. Firefox rivals such as IE, Safari, and Opera were patched considerably faster in the first half of 2006 than they were in the last half of 2005, but Mozilla’s beat them all. IE, for instance, had an average window of exposure, the time between an exploit appearing and a fix released, of 9 days, while Mozilla patched in 1 day. (Safari’s window was 5 days, Opera’s was 2.)

Even though Internet Explorer 7 is vastly more secure than Internet Explorer 6, there is no indication that Microsoft has become faster at fixing vulnerabilities than previously. Thus, a user running Internet Explorer may be vulnerable for more days during a given year than a similar Firefox user even if the total number of vulnerabilities for each browser is the same. On these grounds, I would still recommend Firefox over Internet Explorer, but the issue isn’t nearly so urgent as it once was.

Bottom line: until evidence surfaces that shows one browser to be definitively more secure than the other, feel free to use whatever browser makes you happy.

According to CNET News:

Microsoft plans to automatically push Internet Explorer 7 to Windows XP users when the browser update is ready later this year.

IE 7 will be delivered in the fourth quarter as a “high priority” update via Automatic Updates in Windows XP…

The jury is still out on this one, but this bit of news is probably a good thing. IE7 should have fewer security flaws than IE6 (currently the most widely used browser), although it is unlikely that it will be as secure as competing browsers like Firefox, Opera, Netscape, or Safari.

This improves everyone’s security

While I don’t recommend Internet Explorer, the fact is that the majority of internet users are still browsing the web with it, and an improvement in this browser’s security will be good for everyone.

We’re all connected to each other on the internet, which means that your neighbour’s level of security affects your level of security. Individuals with weak security help to spread viruses, spam, and other scourges of the internet – a better Internet Explorer can help to minimize these dangers.

As more information becomes available, I will keep you updated on how the latest iteration of Internet Explorer stacks up with the other browsers in terms of security.