IE 9 Beats Other Browsers at Blocking Malicious Content 235
Orome1 writes with an article in Net Security. From the article: "Microsoft's Internet Explorer 9 has proved once again to be the best choice when it comes to catching attacks aimed at making the user download Web-based malware. This claim was made by NSS Labs in the recently released results (PDF) of a test conducted globally from May 27 through June 10 of the current year, which saw five of the most popular Web browsers pitted against each other. Windows Internet Explorer 9, Google Chrome 12, Mozilla Firefox 4, Apple Safari 5, and Opera 11 were tested with 1,188 malicious URLs — links that lead to a download that delivers a malicious payload or to a website hosting malware links."
Re:And who paid for this study? (Score:5, Informative)
http://www.thetechherald.com/article.php/200912/3268/Can-you-trust-the-NSS-Labs-report-touting-the-benefits-of-IE8 [thetechherald.com]
So apparently they tested IE8 and thought it was awesomesauce. Uhm, ok... I thought IE8 wasn't completely terrible but I wouldn't say it was good. That link seems to think NSS might be a microsoft shill. But ok, I like to be open minded. Let's keep looking. Going down the first page of my google search:
Firewall Vendors Challenge Findings of NSS Labs Report | PCWorld
Haavard - Malware report from NSS Labs manipulates statistics?
Google Responds to NSS Labs Browser Security Report | News
A recent test by NSS Labs gave a near-perfect score to Internet Explorer 9 beta and very poor marks to Chrome and other browsers.
So uhm... yeah... at first glance, I'd say treating them with some skepticism seems more than warranted here.
Re:If you block everything, your score is 100% (Score:2, Informative)
Finally! A legitimate complaint about the study. I was beginning to doubt we could do anything other than beat our chests and say "MS BAD!" Kudos to you!
Re:Who paid? (Score:5, Informative)
Citation please? Actually don't bother, because the statement is impossible to support with any amount of evidence.
2008: http://www.favbrowser.com/firefox-browser-with-the-most-disclosed-vulnerabilities/ [favbrowser.com]
2009: http://tech.blorge.com/Structure:%20/2009/11/09/firefox-leads-in-browser-vulnerabilities/ [blorge.com]
2009: http://www.computerworld.com/s/article/9140582/Firefox_flaws_account_for_44_of_all_browser_bugs [computerworld.com]
You can also query Secunia for vulnerabilities. With the new version number scheme and ultra-fast previous versions retirement (where you are left vulnerable if you don't upgrade immediately), you'll have to grok the numbers somewhat. Basically count the *unique* CVEs affecting all FF versions since -say FF3.5. Do the same for IE8&9. You will not like the result.
Firefox is the only major browser that openly reports vulnerabilities so of course it is going to have the highest publicly countable number.
BS. All the major vendors are obligated to report vulnerabilities through Mitre. All browser vulnerabilities are assigned unique CVEs.
And even if you had an accurate count of known vulnerabilities from the other vendors, known vulnerabilities hardly equates to total vulnerabilities, even less so when every vulnerability is counted as equal to every other one.
If you consider a set of browsers which must be assumes to receive an equal amount of scrutiny (IE,FF,Chrome), if one browser year after year comes out with most vulnerabilities, surely that does say something about code quality.
Re:Who paid? (Score:4, Informative)
Secunia specifically states [secunia.com] "The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products."
Some companies, especially those with closed-source browsers, may not disclose all vulnerabilities they fix. The number of vulnerabilities fixed also doesn't take into account how severe the vulnerabilities are, or how long it took the vendor to patch them. Which would you rather use, a browser that has ten small vulnerabilities, all patched within days of being discovered, or a browser that has one severe vulnerability that has not been patched in months?