Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Google Microsoft Security Technology

NSS Labs Browser Report Says IE Is the Best, Google Disagrees 205

adeelarshad82 writes "Independent testing company NSS Labs recently published a report on the ability of popular browsers to block socially engineered malware attack URLs. The test, funded by Microsoft, reported a 99 percent detection rate by Internet Explorer 9 beta, 90 percent by Internet Explorer 8, and 3 percent by Google Chrome. However, Google doesn't entirely approve of this report's focus and conclusions. According to Google not only didn't the report use Chrome 6 for the tests, the current version is Chrome 8; it also focused just on socially engineered malware, while excluding vulnerabilities in plug-ins or browsers themselves. Google defended its browser by claiming that it was built with security in mind and emphasized protection of users from drive-by downloads and plug-in vulnerabilities."
This discussion has been archived. No new comments can be posted.

NSS Labs Browser Report Says IE Is the Best, Google Disagrees

Comments Filter:
  • by eldavojohn ( 898314 ) * <eldavojohn@gm a i l . com> on Wednesday December 15, 2010 @03:26PM (#34565440) Journal
    From the response article:

    It's not clear why Microsoft and NSS Labs waited until December to release the results.

    Maybe it's like the last time this happened [microsoft-watch.com]?

    Furthermore, Moy said, the study started as a private test for Microsoft's engineering team, which was seeking to make internal improvements. "They decided to release it based on the positive results. Many of the test reports we write do not get released by vendors, but they do get used to improve products. So what does 'sponsored' mean in this case?"

    So you (internally) strike a deal to test your browser (but also your competitors') with an "independent company" that you pay to perform this service. You get to define the "success parameters" of the test. Then you get the results back and you fix everything. After that time spent fixing has passed, you release the report and add that you have fixed all the problems with your product. Unsurprisingly, you look really really good when this news hits. Since your competitor is not also paying NSS Labs, NSS has no reason to update the report to meet the latest and greatest version of browsers. Meanwhile you can decide if your competitor's browser performed inadequately enough or not for the report -- maybe you even select the success parameters afterward? Heck, you already waited to see if you could release the report.

    Independent? HA!

    • Re: (Score:3, Interesting)

      by Dan East ( 318230 )

      I know this isn't in the spirit of the other posts on this topic today, but I applaud MS for concentrating on security and the best interests of their end users. It's good to see they are taking these matters seriously as part of the product development process.

      That said, I still use Firefox, followed by Chrome, for browsing, but at least they are looking out for those stuck with IE simply because it ships with their OS.

      • by eldavojohn ( 898314 ) * <eldavojohn@gm a i l . com> on Wednesday December 15, 2010 @04:45PM (#34566688) Journal

        I know this isn't in the spirit of the other posts on this topic today, but I applaud MS for concentrating on security and the best interests of their end users. It's good to see they are taking these matters seriously as part of the product development process.

        Don't get me wrong, I'm always happy when security is improved -- even in the most hated of products by the most hated of companies. The problem I have is when marketing gets a hold of this and spins it to attack competitors, thereby improving the public perception of their own product. This could have all been avoided had Microsoft just kept the report internal like most of NSS Labs' customers. And doing so while comparing the latest IE9 to Chrome 6 and releasing that to the public as a 'current' report now ... well, that's what I have a problem with. If a Chrome user read that report as today's news they're going to think that it's been done with today's Chrome.

    • Re: (Score:3, Insightful)

      by WARM3CH ( 662028 )
      You have valid points, still Google didn't deny the results and in a sense, confirmed it. Read Google's response again: NSS says IE is better than Chrome in X, but hey, they didn't say Chrome is better at Y and Z. NSS didn't claim X covers everything related to security so bringing Y and Z to the discussion is just a move to draw attentions from X.
      • by DragonWriter ( 970822 ) on Wednesday December 15, 2010 @04:31PM (#34566496)

        You have valid points, still Google didn't deny the results and in a sense, confirmed it. Read Google's response again: NSS says IE is better than Chrome in X, but hey, they didn't say Chrome is better at Y and Z.

        I think you missed the other important part: "Also, the version of Chrome that NSS says all this about is two major versions behind the current stable release, while the version of IE they say is better is the current beta release."

        A more relevant comparison would be IE 8 to Chrome 8 (current generally release version of both version), or IE 9 to Chrome 9 (current publicly available pre-release version of each browser.)

        Perhaps someone should do a similar comparison, but using Chrome 9 and IE 6, instead...

        • I think you missed the other important part: "Also, the version of Chrome that NSS says all this about is two major versions behind the current stable release, while the version of IE they say is better is the current beta release."

          A more relevant comparison would be IE 8 to Chrome 8 (current generally release version of both version), or IE 9 to Chrome 9 (current publicly available pre-release version of each browser.)

          Perhaps someone should do a similar comparison, but using Chrome 9 and IE 6, instead...

          It's quite clear from the study that Chrome 6 was the most recent full release of the browser when these tests were performed in September. Don't forget that Google Chrome is on a six-week major release schedule. If the argument is that Google has made significant improvements in their defenses against socially-engineered attacks in the last three months, then okay, the study is no longer relevant. But have they done this? I haven't heard anything along those lines.

          • It's quite clear from the study that Chrome 6 was the most recent full release of the browser when these tests were performed in September.

            Which would (considering only the browser versions, and not the scope of the test and other issues that have been raised) have made the test valid, relevant, and meaningful, if the study compared it to the then-current general-release version of IE (IE 8), and was released at a time when that comparison was meaningful to the current market options.

            Don't forget that Goog

            • They did compare it to IE8. IE8 blew everything away except IE9 which did a bit better still. Seriously, it's right there in the summary.

              Microsoft, who was paying for the study and controlled the timing of its release for its own marketing purposes

              Do you honestly think they sat on it until it wasn't true and then released it? What would the point of that be? We'll probably be on a double-digits Chrome version by the time IE9 releases.

              Among other things, this is comparing malware lists that actually updates online in real-time, so strictly speaking it's out of date before the statistical analysis is even finished

    • You missed one other step. When the results DON'T show IE ahead, you just don't release them...

    • by geekoid ( 135745 )

      So they use the test to improve their browser until it's better then the others being test, then say it's the best.

      Well..good.

  • Huh? (Score:2, Insightful)

    by Anonymous Coward

    Google is complaining that a report on socially engineered attacks is only focused on socially engineered attacks? And they're whining that a study done back when Chrome 6 was the most recent release doesn't mention Chrome 8, which is currently the most recent release? Seriously?

  • Bad summary? (Score:3, Informative)

    by Anonymous Coward on Wednesday December 15, 2010 @03:32PM (#34565514)

    According to Google not only didn't the report use Chrome 6 for the tests where as the current version is Chrome 8...

    Should it be:

    According to Google not only did the report use Chrome 6 for the tests, whereas the current version is Chrome 8...

  • by TheL0ser ( 1955440 ) on Wednesday December 15, 2010 @03:35PM (#34565566)
    I'm well aware of what social engineering is, but what are "socially engineered malware attack URLs"? Those things that pop up in my inbox say "check out this picture of us!" with a link that looks like someone smashed their head on the keyboard?
    • Re:Attack urls? (Score:4, Informative)

      by ittybad ( 896498 ) on Wednesday December 15, 2010 @03:53PM (#34565822) Homepage
      Didn't you read the arti.... oh, wait. Slashdot. Right. From the article: "For clarity, the following definition is used for a socially-engineered malware URL: a web page link that directly leads to a download that delivers a malicious payload whose content type would lead to execution, or more generally a website known to host malware links. These downloads appear to be safe, like those for a screen saver application, video codec upgrade, etc., and are designed to fool the user into taking action. Security professionals also refer to these threats as “consensual” or “dangerous” downloads."
      • by tycoex ( 1832784 ) on Wednesday December 15, 2010 @04:40PM (#34566632)

        So basically, IE9 does a good job at protecting morons who download everything they see... from themselves.

        • Don't knock it... the number of scareware / fake virus scanner infections I have been cleaning recently from friends computers would suggest these attacks are becoming more frequent and harder to spot as malicious until it is too late...

          If IE9 is as good as they claim at stopping these then my steady supply of good single malt whisky will dry up, which is bad for me and bad for bot nets but good for everyone else...

  • As independent as a politician that accepts campaign contributions from AT&T or SEIU.

    • by kaizendojo ( 956951 ) on Wednesday December 15, 2010 @04:11PM (#34566110)
      ...Or posts on a site that promotes open source and LAMP stacks and images Bill Gates as a Borg. What I find interesting is how no one questions the monthly posts here about IE losing market share from a site (Net Applications) that only polls their own clients, but no one ever points that out.
      • I must have missed the part where Net Applications is a shill for Mozilla, Google, and/or Apple.

        The credibility issue here is with a Microsoft. A company that has been shown, time and again, that they're not above tweaking the facts (lying) about their products and their competitors' products. That, and the fact that they paid for this supposed bit of research.
  • Wai . . . What? (Score:3, Interesting)

    by rudy_wayne ( 414635 ) on Wednesday December 15, 2010 @03:38PM (#34565596)

    "Independent testing company NSS Labs . . . . . . . . . . The test, funded by Microsoft,"

    An "independent" test that was "funded by Microsoft". WTF? How is that independent?

    • It means they get paid whether they get the results Microsoft wants or not.

      • It means they get paid whether they get the results Microsoft wants or not.

        Which isn't really independent. I mean, if it was blind, such that Microsoft wouldn't know who was performing the test and couldn't retaliate against them by not paying them to do future tests if they didn't like the results of this one, then that would be independent.

        • That rationale is pretty weak.

          You're right that the results are questionable, absolutely 100% no dispute about that, but the nitpickery over the term 'independent' is overzealous, especially in the context that the same summary pointed out it was funded by Microsoft.

      • > It means they get paid whether they get the results Microsoft wants or not.

        Of course, since they are funded by MS, they only get released if MS feels like it.

        • Yep. That is, however, distinctly different from "paying to make the results what we want them to be".

          I'm only nitpicking the semantics here, not the questionable'ness of the data.

    • by geekoid ( 135745 )

      easily.

      If you own a bank and contract a team of professional to test your security. they are an independent company.

      Same thing here.MS paid a company not owned or affiliated with MS to conduct testing. It's a common practice.

  • Great example (Score:2, Insightful)

    by Anonymous Coward

    Looks like the test was a perfect example of social engineering.

  • by gman003 ( 1693318 ) on Wednesday December 15, 2010 @03:51PM (#34565790)
    Seriously. What were they even testing? I was under the impression that social engineering was a security flaw in the user, not in the application. Reading the report, it sounds like they were just testing the browsers' databases of known malware/phishing sites. Which, really, has little to do with the security of the browser itself.
    • by jfengel ( 409917 )

      I was under the impression that social engineering was a security flaw in the user, not in the application.

      It is, but you can't debug the user, so you have to compensate in software. I feel a lot better knowing that J. Random Grandma has something looking over her shoulder to tell her she really shouldn't be going to that site. Cuz once J. Random Grandma's computer is hacked, it starts sending spam to MY computer.

      Heck... I'm a software developer, and I've been known to screw up. Humans are buggy.

      So I really want software that does both. If IE is ahead in that area, good for them. Sending out a press release

    • by takowl ( 905807 )

      Little to do with the *code* security, yes. But it's got a lot to do with real-users-not-getting-viruses security.

      Seriously, everyone. I know it's sponsored by Microsoft, and I wouldn't be surprised if there's some dodgy selection of test URLs behind the scenes. But if these results are even in the right ballpark, then it's something that Google (and Mozilla, and Opera) really need to pay more attention to. Stop finding excuses to ignore it just because we don't like what it says. Go and try to find the met

    • by blueg3 ( 192743 )

      It has little to do with the theoretical security of the browser code, but it has a lot to do with the practical security of using the browser.

  • by GodfatherofSoul ( 174979 ) on Wednesday December 15, 2010 @03:54PM (#34565830)

    ...researchers discovered that hot supermodels would be most fulfilled in a relationship with Slashdot user GodfatherofSoul*.

    * This study funded by GodfatherofSoul

  • Remember when MS would always complain that their software would run better if only every updated. All viruses were the responsibility of the user who not install patches quickly enough. This was especially true for users that refused to upgrade IE. Of course we all wrote websites for specific versions of IE, so it was pretty impossible to upgrade until the web apps were rewrote web apps. Of course this does not hold a candle to the assertion that everyone was required upgrade fees to insure safety.

    So

  • "microsoft funded". Google could by rights fund a test of the current Chrome version against IE7/IE8 version from one or two years ago unpatched.

    They would have had to intentionally install a old version of chrome with a standalone installer, and prevent it from updating by circumventing google updater which silently updates chrome. Talk about stacking a test.
  • The test has an odd kind of validity; The foolish who choose Internet Explorer (instead of Firefox, Chrome, Safari or Opera) would be also the foolish victims of "Socially Engineered Malware". That is, the web browser for dupes protects its users from the same vulnerability which causes them to use it.

  • "The test, funded by Microsoft..."

    That told me everything I needed to know.
  • Running Windows 7 x64 Professional on my HP netbook. Surfing using Chrome with no plugins on reddit.com. Thousands of other people did as well with various other browsers (see reddit announcement [reddit.com]).

    It came in through an ad utilizing a Java exploit. I was only 1 minor release behind on updating my JRE. Since this incident and the 45 minutes it took me to get rid of the stupid thing, I now surf with Firefox + adblock + noscript addons. It's just not worth it. I used to be OK with ads and even clicked o
  • IE comes up on top.

    ......

    i mean, what we are supposed to even start thinking about this ...
  • Google defended its browser by claiming that it was built with security in mind and emphasized protection of users from drive-by downloads and plug-in vulnerabilities.

    I found this line to be quite disgusting. I am very pro google but the chrome team has continually ignored the need for NoScript. A browser without NoScript isn't secure in any way shape or form.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...