Microsoft's IE 8 Effective at Blocking Phishing, Malware, Report Says

Microsoft's Internet Explorer 8 is more effective at blocking both phishing sites and socially engineered malware than Firefox, Safari and other browsers, say two new reports from NSS Labs. Microsoft is pushing its community to upgrade from Internet Explorer 6 and 7 to the new browser, which it says can offer better security and features, even as users continue to use the older applications. Once the dominant browser, the Internet Explorer franchise has lost ground in recent months to open-source Firefox.

Microsoft's Internet Explorer 8 Web browser is effective at blocking both phishing sites and socially engineered malware, according to two new NSS Labs reports. In turn, this has led Microsoft to push for its users to upgrade to the new browser from IE 6 and IE 7, which a significant portion of the community continues to use.

During a 14-day test period, NSS Labs, an independent online security-testing organization, found that the mean block rate for phishing for Internet Explorer 8 stood at 83 percent, versus 80 percent for Firefox 3, 54 percent for Opera 10, 26 percent for Chrome 2, and 2 percent for Safari 4. In the final report issued by the group, Firefox and Internet Explorer 8 were in a virtual dead heat when it came to blocking phishing URLs, given that NSS Labs' margin of error was 3.96 percent.

It should be noted that the NSS Labs testing was sponsored by Microsoft. In comments posted online, NSS Labs president Rick Moy suggested that Microsoft's security engineering team had originally commissioned the study, whose results were then picked up by Redmond's marketing department for use. However, a number of sources online, including Ars Technica and The Tech Herald, feel that Microsoft's sponsorship could have introduced a biased element into the study.

The testing also found that Internet Explorer 8 needed an average of 4.96 hours to add a requested phishing URL to its block list, while Firefox 3 took 5.24 hours and Opera 10 Beta needed 6.19 hours. The mean time for a browser to block a site was 16.43 hours, a number exceeded in testing only by Safari 4, which needed an average of 54.67 hours to put a site on its block list.

"Since phishing sites have an average lifespan of only 52 hours (just over 2 days) it is essential that the site is discovered, validated, classified and added to the reputation system as quickly as possible," the report noted in its conclusion. "A good reputation system must be both accurate and fast in order to realize high catch rates."

"The developers at both Microsoft and Mozilla clearly understand this relationship and respond quickly to block new phishing sites," the report added.

The other July report issued by NSS Labs, which tested how well a Web browser could protect against socially engineered malware, found that Internet Explorer 8 had somewhat more of a statistical advantage over Firefox and the other browsers.

In testing, which took place over 12 days and involved 69 test runs with fresh new malware URLs, Internet Explorer 8's mean block rate for socially engineered malware was 81 percent, versus Firefox at 27 percent and Safari 4 at 21 percent. Chrome 2 came in at 7 percent, followed by Opera 10 at 1 percent.

According to Amy Barzdukas, general manager of Internet Explorer, the numbers from the NSS Labs testing suggest that, despite support continuing to be offered for older versions of Microsoft's browser, upgrading to Internet Explorer 8 could help end-users combat a variety of security threats.

"Our goal is certainly to move consumers as quickly as possible from IE 6," Barzdukas said in an interview with eWEEK. "The onus is on us to do a better job to make people understand the benefits of being on a modern browser, and specifically IE 8. And the key to that is security."

"With IE 8 we added the blocking capability; we're blocking 20 percent more malware than in the past," Barzdukas added. "That is one thing we want to tell users of IE 6 who might be experiencing a 'good enough' situation, and they're not aware of reasons to upgrade."

Despite growth in the numbers of people using Internet Explorer 8, a number of end-users have continued to utilize the 8-year-old Internet Explorer 6. A survey by Digg, a content-sharing Web site, found that 10 percent of its community continues to use IE 6, either because they have no administrator access to their PCs running Windows XP, or else because "someone at work says I can't."

In an interview, Barzdukas suggested that Microsoft had been paying attention to the landscape, adjusting some features of Internet Explorer 8 accordingly.

"One of the things we were able to put into IE 8 was process isolation with tabs," Barzdukas said. "One of the competitors had the ability to restore your session; another separated tabs; we did both."

"The focus was really on what people actually do in the browser, so we had the advantage of 40-50 million users who entered into the telemetry data," Barzdukas added. "We looked at things like: If someone is doing a copy command in browser, what are they most likely to do next?"

The responsiveness on the features front is perhaps more necessary than ever; the Internet Explorer line has seen its market share erode in the short term, with a July report by StatCounter finding that Internet Explorer 6, 7 and 8 collectively owned 55 percent of the browser market compared to Firefox's 27.73 percent - a noticeable drop for Microsoft from 2008, when Internet Explorer had 78 percent of the browser market and Firefox had 18.2 percent.

While one might assume that falling market share would make Microsoft less leery of a potential antitrust case, Internet Explorer 8 will include an update that makes the choice between the browser and its rivals more explicit for end-users. Rolled out as part of Aug. 11's Patch Tuesday, the update presents users with an upfront choice to either stick with IE 8 or migrate to another browser; however, those with Internet Explorer already set as their default browser will not see this screen.

Microsoft had trouble with the Department of Justice over the integration of Internet Explorer into Windows 98 in the late 1990s, and today still faces issues with the EU's antitrust commission over the addition of the browser to Windows. Earlier this summer, Microsoft proposed issuing a browser-free version of its upcoming Windows 7 to the EU, but has come around to offering the same version of Windows 7 there as the rest of the world.

Editor's Note: This story has been updated with mention of Microsoft's sponsorship of the NSS Labs study.