Browser malware test shines light on IE8

Internet Explorer 8 has again thumped Firefox, Chrome and Safari in its ability to detect socially-engineered malware and phishing scams, according to research from NSS Labs.

The reports are available for download here and here.

In two weeks of live tests, Microsoft's browser caught socially engineered malware 81 percent of the time.

Firefox 3 and Safari 4 caught 27 and 21 percent of malware respectively, while Chrome 2 blocked seven percent and Opera 10 Beta blocked just one percent.

Firefox performed much better in phishing protection, tying first with IE8 around 80 percent.

Opera 10 averaged at 54 percent phishing protection, Chrome 2 26 percent and Safari 4 just two percent, the research found.

Firefox 3.5 crashing issues prevented it from being tested reliably. "We were able to manually verify that the protection was identical between versions 3.0.11 and 3.5," NSS said.

The results were based on 12 days of 24x7 testing, performed every four hours. There were over 69 discrete test runs, with new malware URLs added in each run to test how the browsers perform against the emergence of threats.

"Every two hours we find another couple of hundred [malicious URLs to potentially add to the tests]," NSS president Rick Moy told iTnews.

"We do this every two hours for a period of 12 days and show the protection level [of each browser] at any two hour period.

"What we're able to see over a period of time is how consistent a vendor's product is."

This round of tests were based on 608 URLs that were known to be malicious.

Moy - a self-confessed user of "multiple browsers" - believed the results should make IT users potentially think twice about their browser choice. Many of the browsers that performed poorly in the tests were favoured by the IT community.

"When we did the first test, there were a few outspoken folks who asked, how could it be that Microsoft is offering better security than Google or Apple?"

"These people were clouded by a ‘religion' of sorts," Moy said.

"I'm not saying everyone go switch to IE8, but consumers and IT Pros should consider the data.

"For quite a while the non-Microsoft vendors have enjoyed a bit of a halo effect. That time is over."

The result is a major win for Microsoft which has been promoting its investment in security in recent months.

"I think for one they [Microsoft] are taking [the threat] quite seriously and spending money and resources," Moy said.

"The other vendors were not interested in discussing their products with us and most of them didn't return calls, or were not very ‘collaborative' shall we say. So that's an indicator.

"It will be hard for vendors to remain competitive if they don't seriously attack the problem."

But NSS was careful not to overstate the role of the browser developer in detecting live malware and phishing threats.

"Browsers give users another free layer of protection against socially engineered malware, in addition to endpoint protection products, and should not be considered a replacement for antivirus programs," the report concluded.

Lack of cooperation among test subjects was an issue, Moy said, because the results had the potential to conflict with their marketing.

This was particularly the case with NSS Labs' tests of antivirus packages, the results of which are due out within weeks.

Vendors that achieved poor results often tried to discredit or undermine the tests or claim they were a result of sub-optimal configuration of their products.

"Basically antivirus vendors' main goal is to discredit tests that make them look bad," Moy said.

"They want to reserve an excuse for the testing, which is their general strategy."

He continued: "Two years ago we had 20 products come into our lab and for about 70 percent of them the reports stayed private because the vendors didn't like the answers.

"What's interesting is 80 percent of those people have continued to work with us on private consulting and testing to make their products better.

"[Our business model] hasn't been the best for us financially. We'd make a lot more money if we had an easier test."

NSS has been criticised in the past for its URL sample size and for its ties with Microsoft, after the first round of browser tests came out within a day of the launch of IE8 - complete with mention in the launch press release.

Not all test subjects had been uncooperative. Moy said Microsoft and IBM were among the companies that had engaged NSS to conduct "internal testing" of their products.