Subject: Editorial, General Tech | May 16, 2013 - 03:45 PM | Scott Michaud
Tagged: web browser, Malware, IE10
If you consider your browser security based solely on whether it will allow you to manually download a malicious executable: IE10 is the best browser ever!
Rod Trent over at Windows IT Pro seems to believe this when NSS labs released their report, "Socially Engineered Malware Blocking". In this report, Internet Explorer blocked the user from downloading nearly all known malware (clarification: all known malware within the test). Google Chrome came in second place with a little less than 17% fail rate and the other browsers were quite far behind with approximately a 90% failure rate.
Based on that one metric alone, Rod Trent used a cutesy chess image to proclaim IE the... king... of the hill. Not only that, he suggests Safari, Opera, and Firefox consider "shuttering their doors." After about a decade of Internet Explorer suffering from countless different and unique vectors of exploitation, now is the time to proclaim a victor for attacks which require explicit user action?
Buckle in, readers, it's a rant.
Firstly, this reminds me a little bit of Microsoft Security Essentials. Personally, I use it, because it provides enough protection for me. Unlike its competitors, MSE has next to no false positives because almost ignores zero-day exploits. The AV package drew criticism from lab tests which test zero-day exploits. Microsoft Security Essentials was ranked second-worst by this metric.
Well, time to shutter your doors Micr... oh wait Rod Trent lauded it as award-winning. Huh...
But while we are on the topic of false positives, how do you weigh those in your grading of a browser? According to the report, and common sense, achieving pure success in this metric is dead simple if you permit your browser to simply block every download, good or bad.
If a 100% false positive acceptance rate is acceptable, it is trivial to protect users from all malicious download. With just a few lines of code, Firefox, Safari, and Opera could displace Internet Explorer and Chrome as the leaders of protection against socially engineered malware. However, describing every download as "malicious" would break the internet. Finding a balance between accuracy and safety is the challenge for browsers at the front of protection technology.
A browser that is capable of blocking malware without blocking legitimate content would certainly be applause-worthy. I guess time will tell whether Internet Explorer 10 is able to walk the balance, or whether it will just be a nuisance like the first implementations of UAC.
OK, Google did actually release exactly one native Windows application at Google I/O: It's called Android Studio, an application that helps developers create apps that run on Android, Google’s answer to Windows. But don’t worry, Microsoft fans: Internet Explorer (IE) flags the Android Studio download as potential malware.
Ah crap... that was quick.
Now to be fair, Internet Explorer 10 and later have been doing things right. I am glad to see Microsoft support standards and push for an open web after so many years. This feature helps protect users from their own complacency.
Still, be careful when you call checkmate: some places may forfeit your credibility.
Subject: General Tech | February 1, 2013 - 01:00 PM | Jeremy Hellstrom
Tagged: irony, microsoft, IE10, blocker toolkit
It could only have been an unintentional slip that the verification that IE10 for Win7 is coming down the piped was that a tool was released to block the installation. The Internet Explorer 10 Blocker Toolkit will prevent Windows Update from installing IE10 automatically, which would signal a change from Microsoft's usual way of introducing a browser. Remember Beauty of the Web, the site used to distribute new Internet Explorer versions before they arrived as an automatic update? The blocker toolkit is nothing new, most versions of IE which did not come with the OS coexisted with a toolkit to allow sysadmins to prevent updates to the new browser before they could test it fully. We've been waiting about 9 months now for IE10 on Win7 and from what The Register and other sites say it will be worth upgrading when it arrives ... someday.
"Microsoft has dropped a strong hint that the long-awaited version of Internet Explorer 10 for Windows 7 might actually ship soon – ironically, by releasing a tool that blocks installation of the browser on users' PCs."
Here is some more Tech News from around the web:
- Liquid Image Torque HD Video Goggles Review @ TechwareLabs
- Netgear WNDR4700 Centria review: multi-functional router with hard disk @ Hardware.info
- Wintek starts trial production on thin-film type touch screen lamination line @ DigiTimes
- 'Silent but deadly' Java security update breaks legacy apps - dev @ The Register
- The Uncertain Age of Steam on Linux @ Linux.com
- An In-depth Look at Steam for Linux @ Techgage
- Rumored Console Specs Comparison – Microsoft Durango vs Sony Orbis @ hardCOREware
Subject: General Tech, Mobile | November 9, 2012 - 12:51 PM | Jeremy Hellstrom
Tagged: win8 mobile, win8, IE10
We already know that Windows 8 essentially has two versions of IE10, the one you launch from Metro and the one you launch from the desktop with the desktop launched version possessing more features. Today Microsoft detailed (to some extent) what IE10 will be like on Win8 powered phones. They told The Register that the mobile version will not support inline video, multi-track HTML5 audio, drag-and-drop APIs, pinned websites and other features available on the full version. However thanks to the presence of hardware acceleration for graphics the majority of the graphical features you want will be supported by the phone OS. Check out more here.
"SOFTWARE HOUSE Microsoft has detailed the differences between its Internet Explorer 10 (IE 10) web browser for Windows 8 and Windows Phone 8 ahead of the release of the mobile operating system (OS) in the US today."
Here is some more Tech News from around the web:
- RIM good for secret jobs: BlackBerry 10 cleared for Restricted data @ The Inquirer
- Intel to slip future Xeon E7s, Itaniums into common socket @ The Register
- Ninjalane Podcast – Enthusiast Gaming Keyboards and Holiday Shopping Season
- Oh dear... I've bought an iPhone 5 @ The Tech Report
- NETGEAR R6300 Gigabit Wi-Fi Router @ Benchmark Reviews
- Adobe Reader 0-day exploit surfaces on underground bazaars @ The Register
- NVIDIA Mirrors Qualcomm's Hot Streak With Earnings Surprise of Its Own @ DailyTech
- TSMC sees orders returning for its 28nm process @ DigiTimes
- Hard drive prices remain high one year after Thailand flooding @ The Tech Report
- Netduino gets a huge upgrade @ Hack a Day
- Linus Torvalds Focuses His Keynote On Community Participation. Literally. @ Linux.com
- Win 16GB ADATA XPG Xtreme Series 2133MHz 16GB Memory @ Kitguru
Subject: General Tech | September 9, 2012 - 04:19 PM | Scott Michaud
Tagged: Malware, IE10, flash
Recent statements from Microsoft show that they are not afraid to wait a little bit before shipping patches with their bundled Flash in Internet Explorer 10. The issue is more contained than is let on by Ars Technica – but also raises a bigger security issue for all of us at all times.
By far the worst enemy for security is complacency.
I often pick on Apple for their security practices. They are perceived as being secure despite their horrendous record of handling security updates – delaying a critical patch for privately disclosed vulnerabilities until after its reveal at Blackhat because Apple could not devote the programmer to the task.
That mentality has been everywhere – from Sony to Microsoft in the Windows XP era to Macromedia & Adobe.
In this case the issue is that Microsoft has been delaying updates to the built in copy of Adobe Flash preinstalled with Internet Explorer 10. Once a patch has been released attackers are able to figure out what the patch fixes and potentially exploit it for those who have yet to update. There are quite a few subtle caveats with this story which need to be discussed before opinions are made.
... Relatively speaking...
First and foremost – Flash support on the Metro-based Internet Explorer 10 is limited to a whitelist. Flash is not exposed to websites which have not been flagged by Microsoft as safe and requiring backwards compatibility with Flash.
Websites become compromised all the time. Should one of the whitelisted websites get attacked it could become forced to serve a Flash applet to its users. The delay between Adobe and Microsoft patching dates gives the attackers a window to exploit all IE10 users until the whitelisted website notices. Attacks like these are very commonplace recently.
As an aside – there is quite a bit of confusion over Internet Explorer 10 on the desktop. According to the RTM evaluation it appears as though the only way to update Flash for Internet Explorer is through Windows Update even when not using the Metro browser. The whitelist is also in effect for Windows on the desktop although it seems like users are able to add their own exemptions. It appears like user-set exemptions is unique to the desktop version of IE.
It is disconcerting to see a platform become complacent to potential security issues intentionally. To be fair it is entirely possible that Google Chrome could have similar issues as they too handle Adobe Flash integration. Unlike IE10, Google Chrome does allow you to disable the built in Flash and manage your updates directly from Adobe although the process is far too complicated for most users.