Microsoft's Internet Explorer 8 rated tops among five browsers tested by NSS Labs for effectiveness in protecting against malware and phishing attacks—though NSS Labs acknowledges Microsoft paid for the tests.
Nevertheless, the test process, which lasted over a two-week period in July at the NSS Labs in Austin, evaluated the browsers based on access to live Internet sites and in theory could be duplicated elsewhere. Apple Safari 4, Google Chrome 2, Mozilla Firefox 3, and Opera 10 beta were evaluated as being behind Microsoft IE 8 when it comes to browser protection against phishing and malware, mainly because Microsoft was deemed more speedy and comprehensive in delivering updates about known phishing and malware to the user's desktop browser.
Time is of the essence to use the browser as protective cover, one of the two NSS Labs reports issued Thursday notes. The report cites an Anti-Phishing Working Group estimate that more than 47,000 unique attacks occurred in the second half of 2008 with an average lifespan of 52 hours.
The test was based on 593 validated URLs. “The average phishing URL catch rate for browsers over the entire 14-day test period ranged from 2% for Safari 4 to 83% for Windows Internet Explorer 8,” the test report states. “Internet Explorer 8 and Firefox 3 were the most consistent in the high level of protection they offered.”
Firefox 3, which boasted 80% effectiveness in the phishing test, finished just behind IE 8's 83%. Coming in at third was the Opera 10 beta at 54%, followed by Chrome 2 at 26% and Safari 4 at 2 % in terms of mean block rate for phishing.
“Google Chrome's overall catch rate of 26% was below average,” the “Web Browser Security: Phishing Comparison Comparative Results” report concludes. “We expected better results given the fanfare about Google's SafeBrowsing initiative . Additionally, a third-party (Firefox) was able to utilize Google API to achieve significantly better protection than Google's own browser.”
In the testing for how well each of the five browsers provide protection against socially-engineered malware—defined as a Web page link that leads directly to a ‘download' that delivers a malicious payload whose content type would lead to execution—Microsoft was also found to perform the best.
In a test based on 608 potentially malicious URLs, IE 8 achieved an 81% mean block rate for socially-engineered malware, while Firefox 3 logged in at 27%, Safari 4 at 21%, Chrome 2 at 7% and Opera 10 beta at 1%. On average, 197 new validated URLs were added to the test each day, more or less depending on “criminal activity levels” as malicious URLs quickly rolled in and out of use.
IE Explorer 8, which calls its protection mechanism SmartScreen , did best for protecting against socially-engineered malware in what was called the “zero hour” timeframe when a malicious URL was spotted by blocking 51% of the time. By the fifth day of the known malicious URL, IE 8 was blocking 91% of the time, Firefox 3 24%, Safari 4 22% , Chrome 2 14% and Opera 10 beta 1%.
The report titled “Web browser Security: Socially Engineered Malware Protection Comparative Results 2nd Edition,” points out that browser protection relies on two main functional components:
“an in-the-cloud reputation-based system which scours the Internet for malicious websites and categorizes content according” by adding it to a black or white list, or assigning a ‘score,' depending on the vendor's approach, which might be automated or manual or a combination of both.
“The second functional component resides with the Web browser and requests reputation information from in-the-cloud systems about specific URLs and then enforces warning and blocking functions.”
Rick Moy, president of NSS Labs, says IE is continuing to improve its protection against cybercriminals based on a comparison with previous tests. The four other browsers in the tests generally “underperformed,” he notes, with the exception of the Firefox browser phishing scores.
Moy says the Web browser is often viewed in terms of its potential vulnerabilities but it should also be looked at as “a potential layer of security.”