IE10 is the safest web browser in one way; checkmate!

Subject: Editorial, General Tech | May 16, 2013 - 12:45 PM |
Tagged: web browser, Malware, IE10

If you consider your browser security based solely on whether it will allow you to manually download a malicious executable: IE10 is the best browser ever!

Rod Trent over at Windows IT Pro seemed to believe this when NSS Labs released their report, "Socially Engineered Malware Blocking". In this report, Internet Explorer blocked the user from downloading nearly all known malware (clarification: all known malware within the test). Google Chrome came in second place with a fail rate of a little less than 17%, and the other browsers were quite far behind with approximately a 90% failure rate.


Based on that one metric alone, Rod Trent used a cutesy chess image to proclaim IE the... king... of the hill. Not only that, he suggests Safari, Opera, and Firefox consider "shuttering their doors." After about a decade of Internet Explorer suffering from countless different and unique vectors of exploitation, now is the time to proclaim a victor for attacks which require explicit user action?

Buckle in, readers, it's a rant.

Firstly, this reminds me a little bit of Microsoft Security Essentials. Personally, I use it, because it provides enough protection for me. Unlike its competitors, MSE has next to no false positives because it almost ignores zero-day exploits. The AV package drew criticism from lab tests which test zero-day exploits. Microsoft Security Essentials was ranked second-worst by this metric.

Well, time to shutter your doors Micr... oh wait Rod Trent lauded it as award-winning. Huh...

But while we are on the topic of false positives, how do you weigh those in your grading of a browser? According to the report, and common sense, achieving pure success in this metric is dead simple if you permit your browser to simply block every download, good or bad.

If a 100% false positive acceptance rate is acceptable, it is trivial to protect users from all malicious downloads. With just a few lines of code, Firefox, Safari, and Opera could displace Internet Explorer and Chrome as the leaders of protection against socially engineered malware. However, describing every download as "malicious" would break the internet. Finding a balance between accuracy and safety is the challenge for browsers at the front of protection technology.

-NSS Labs, "Socially Engineered Malware Blocking"

A browser that is capable of blocking malware without blocking legitimate content would certainly be applause-worthy. I guess time will tell whether Internet Explorer 10 is able to walk the balance, or whether it will just be a nuisance like the first implementations of UAC.
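The trade-off in the quoted passage, as an added example (not from the article or the NSS Labs report): three download-blocking policies scored over a constructed sample set, first on malware block rate alone and then with false positives counted. The file names, prevalence counts and the `block_rare` threshold are assumptions for illustration, not how any browser decides.

```python
# Constructed sample downloads (not data from the NSS Labs report).
# Each entry: (file name, is_malicious, prevalence = prior download count).
SAMPLES = [
    ("fake-codec.exe", True, 3),
    ("invoice-viewer.exe", True, 12),
    ("free-screensaver.exe", True, 40),
    ("cracked-game-setup.exe", True, 2500),      # widely spread malware
    ("popular-media-player.exe", False, 900000),
    ("office-suite-setup.exe", False, 450000),
    ("new-ide-installer.exe", False, 25),        # legitimate, just released
    ("indie-tool.exe", False, 8),
]

# Each policy returns True when the download would be blocked.
POLICIES = {
    "allow_all": lambda prevalence: False,
    "block_all": lambda prevalence: True,
    # Hypothetical reputation rule: block anything seen fewer than 1000 times.
    "block_rare": lambda prevalence: prevalence < 1000,
}

def evaluate(policy):
    """Return (block_rate, false_positive_rate) for a policy over SAMPLES."""
    malware = [p for _, bad, p in SAMPLES if bad]
    benign = [p for _, bad, p in SAMPLES if not bad]
    block_rate = sum(policy(p) for p in malware) / len(malware)
    false_positive_rate = sum(policy(p) for p in benign) / len(benign)
    return block_rate, false_positive_rate

def balanced_accuracy(policy):
    """Mean of malware block rate and the rate of legitimate files allowed."""
    block_rate, fpr = evaluate(policy)
    return (block_rate + (1 - fpr)) / 2

def best_policy(score):
    """Name of the policy that maximizes the given scoring function."""
    return max(POLICIES, key=lambda name: score(POLICIES[name]))

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        block_rate, fpr = evaluate(policy)
        print(f"{name:10}  block rate {block_rate:.0%}  "
              f"false positives {fpr:.0%}  "
              f"balanced accuracy {balanced_accuracy(policy):.3f}")
    print("winner on block rate alone:", best_policy(lambda p: evaluate(p)[0]))
    print("winner on balanced accuracy:", best_policy(balanced_accuracy))
```

On block rate alone the block-everything policy wins; once legitimate downloads are counted it scores no better than blocking nothing.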

OK, Google did actually release exactly one native Windows application at Google I/O: It's called Android Studio, an application that helps developers create apps that run on Android, Google’s answer to Windows. But don’t worry, Microsoft fans: Internet Explorer (IE) flags the Android Studio download as potential malware.

-Paul Thurrott, Windows IT Pro

Ah crap... that was quick.

Now to be fair, Internet Explorer 10 and later have been doing things right. I am glad to see Microsoft support standards and push for an open web after so many years. This feature helps protect users from their own complacency.

Still, be careful when you call checkmate: some places may forfeit your credibility.

May 16, 2013 | 01:20 PM - Posted by Victor (not verified)

I like IE10 and I like their default privacy settings. But I hate that it does not remember what web sites I had open when I have to reboot. The reopen last session works about 30% of the time. This and the speed improvements I have seen in Firefox are making me go back to Firefox as my main browser.

May 16, 2013 | 01:47 PM - Posted by Scott Michaud

As for default privacy settings... I am *not* a fan of setting Do Not Track as true by default.

It is not an enforced privacy standard, is it (edit: er, I mean, "it is") a web developer tool. Us web developers now cannot trust it.

Imagine, for example, that I am designing a website like Craig's List where I could sort entries based on geography and past entries viewed. With DNT:

True: Disable this by default.

False: Enable this by default.

Undecided: Ask the user and maybe mention for them to update their DNT settings.

... if IE10 and other browsers send "true" by default, I now need to ask everyone which annoys users... possibly into going elsewhere. I, as a web developer, am hurt. The egregious offenders will just treat everyone like crap regardless of DNT settings anyway.

May 16, 2013 | 04:07 PM - Posted by Victor (not verified)

Valid point Scott.
However, when I add apps to my phone or tablet I have to authorize the app to use my location.

Now, can the web site or app get the information any way without my approval? Apps coming from a store I assume not. Web sites I do not know.

I would prefer to authorize sites like PCPer to have the information they need. And block all the trash sites that I land on when searching for something that have no value but try to catch click revenue.

Thanks for the feedback.

May 16, 2013 | 09:24 PM - Posted by Scott Michaud

Well, it depends. DNT doesn't actually do any of that. It just sends a signal to the website which can do what it wishes with it.

Now, there are many other privacy options which DO have direct impact -- like accessing Geolocation WebAPI, blocking third-party cookies, and so forth. Yes, those have meaningful privacy implications for the user.

The Do Not Track setting, specifically, does nothing except tell the site: "Hey, please do this". It really is just a tool for a web designer to create an experience that different types of users will enjoy. Some people like more relevant content, some people like more anonymity; DNT suggests which is which on a per-user basis.

Unfortunately people don't realize that... especially with Microsoft grandstanding the protocol on completely invalid grounds to look good.

May 16, 2013 | 03:06 PM - Posted by Anonymous (not verified)

I hid the update for IE10 on my computer, I am tired of IE updates breaking my printer add-ons! I have internet security software that is doing this security job! Who knows what metrics M$ is collecting with IE10, or IE9 for that matter, M$'s only interest in protecting my privacy, is shutting out any competition, so M$ can collect and sell all of those juicy metrics themselves! And then M$ rams TIFKAM onto its OS, to force PC owners into a perpetual APP store, and the transition to the walled garden is complete, M$ gets all the juicy metrics and 30% off the top, hell M$ wants more than just the closed ecosystem, M$ wants the whole damn world!

May 16, 2013 | 09:07 PM - Posted by aps (not verified)

Not updating IE10? Not sure how smart that is - even if you don't use it. It's hard to tell how much of it is browser and how much is part of the system.

May 17, 2013 | 05:34 AM - Posted by Anonymous (not verified)

I'll keep IE9, for now, but I do not expect that the printer's OEM will ever bother to update the add-ons that IE10 breaks! I am sure of one thing, I will be dual booting windows 7 and some Linux distro, I just have to do my homework, as to which Linux distro that I choose, I wish that there was a laptop Wiki, with entries for most laptop makes and models, where computer users could post info about their laptops, such as: are there drivers for Linux available for the laptop, are the graphics drivers updateable or do the laptop's OEMs have that locked down, bugs and defects, and the users' satisfaction with the laptop, etc!

May 18, 2013 | 09:24 PM - Posted by praack

never been an ie fan before, use it always for work (no choice), for home usually use chrome, used to use firefox- will keep looking and trying.

though it is nice that microsoft is trying a bit better, i have never been a fan of using one company as author of the full stack of products.

not even sure why - maybe a bit obstinate over the years...

May 18, 2013 | 10:07 PM - Posted by Anonymous (not verified)

i won't IE bash, it's silly.

it's just a web browser, they all have their quirks

May 19, 2013 | 12:31 AM - Posted by db87

Do Not Track is dead. There are some websites that deliberately won't work (at least some functionality) as they are losing financial income by Do Not Track users.

Internet websites are free but Do Not Track is damaging incomes for website owners.

Instead use Ghostery, for the end-user the same effect but this way all websites will work.

May 19, 2013 | 01:05 AM - Posted by Scott Michaud

???

Do Not Track is just an HTTP header flag. The website is free to ignore it, if desired.

It does not cause a loss of "financial income". For properly designed websites, DNT increases revenue because:

  1. The site is more comfortable to implement new tracking features for consenting users
  2. The site will be able to retain more privacy-focused users by tailoring an equivalent experience for them, without (or with less) tracking.

As I've been saying, consider it a web developer tool -- not an end-user privacy control. It is just for websites to automatically survey users and help them balance implementing new features (monetization or even functional) without creeping out and consequentially losing users.

May 20, 2013 | 03:00 PM - Posted by db87

"Do Not Track" has quite some history and controversy.
Do Not Track was invented to protect the end-user privacy but today "Do Not Track" can be bypassed or ignored and the bad start has provoked some websites to take measures against 'do not track' users. Of course proper implementation of the Do Not Track request is possible but damage is already done in the past...

Do Not Track doesn't guarantee the end-user anything and can in some rare cases decrease website compatibility.
