Internet Explorer 9’s dual-pronged approach to blocking access to malicious URLs—SmartScreen Filter to block bad URLs, and Application Reputation to detect untrustworthy executables—provides the best socially engineered malware blocking of any stable browser version, according to NSS Labs’ latest report. Internet Explorer 9 blocked 92 percent of malware with its URL-based filtering, and 100 percent with Application-based filtering enabled. Internet Explorer 8, in second place, blocked 90 percent of malware. Tied for third place were Safari 5, Chrome 10, and Firefox 4, each blocking just 13 percent. Bringing up the rear was Opera 11, blocking just 5 percent of malware.
The study only looked at sites that depended on tricking users into installing malicious software; anything that used browser flaws to run wasn’t included in the test. The focus was also exclusively on malware targeting European users, though Internet Explorer 9 has also scored highly in other tests by the company with a global purview. The URLs visited were harvested from spam e-mails, instant messages, and social network posts.
The essentially identical performance of Firefox, Safari, and Chrome is because they use the same source data for their URL blacklisting: Google’s Safe Browsing system. Some differences in lag were noticed—Firefox appeared to block bad URLs a little quicker than the other browsers—but overall performance was the same. Opera uses a service operated by anti-virus vendor AVG. Though it scored poorly, its 5 percent nonetheless represents an improvement on the zero percent it used to achieve, prior to integration of that feature. Opera was also substantially slower at blocking sites, averaging 48 hours to block, rather than 13 hours for the other browsers.
Internet Explorer’s SmartFilter URL scanner yielded substantially better results than the other browsers tested. The Application Reputation feature then picked up any malicious executables that the URL scanner didn’t trap. This shows the potential value of the Application Reputation feature; applications earn reputation by being downloaded regularly. An executable that nobody else has ever downloaded has no reputation at all, and so Internet Explorer 9 warns about the file. This means that its behavior is the reverse of the other filtering options in both Internet Explorer and other browsers: they default to permitting access to unknown URLs (as to do otherwise would break the majority of the Internet), only blocking locations that appear problematic. Application Reputation defaults to blocking.
Though this clearly bolsters Internet Explorer’s safety, it comes at a cost, in the form of false positives. Unsigned and unusual downloads generate a warning, even for harmless programs. A Microsoft add-on for Visual Studio fell foul of this problem, for example. Even with the false positives, Microsoft’s approach appears to be more secure.