Internet Explorer 10 Provides Safer Browsing

Last month NSS Labs, an independent security research and testing organization, released its Browser Security Comparative Analysis that shows Internet Explorer 10 blocks more socially-engineered malware than any other browser on Windows with its SmartScreen and Application Reputation technologies. But SmartScreen and Application Reputation are only one piece of how Internet Explorer 10 protects Windows customers. Internet Explorer 10 includes significant advancements in security to help keep you safer as you browse the Internet. Backed by third-party evidence, Internet Explorer 10 not only blocks over 99% of malware, but also has fewer software vulnerabilities than other browsers on Windows.

To get this level of protection, IE10 follows multiple security strategies to better protect people on the Web, including:

Protection from socially-engineered attacks

By imitating or compromising trusted web sites, malware authors try to trick users into sharing personal information or downloading and executing malicious software. To help protect users from these socially-engineered attacks, Microsoft uses a combination of URL filtering and application reputation. SmartScreen URL filtering and Application Reputation provide the best protection available against malware attacks.

Protection from attacks on web sites

Even “good” web sites can sometimes have security vulnerabilities that can allow malicious sites to steal your data or perform actions as if they were you. Internet Explorer helps protect you with the XSS Filter, which automatically prevents certain types of attacks, and it makes it easier for web sites to secure themselves with Declarative Security features, like IE10’s support for the HTML5 Sandbox.

Protection against attacks on the browser or operating system

Automatic updating ensures that you have the latest updates installed. This protects you against security issues that have already been fixed. Internet Explorer 9 added significant memory protection features to make it harder to exploit certain types of vulnerabilities, which were enhanced in IE10. We also added a new layer of protection in IE10 called Enhanced Protected Mode.

How secure is Internet Explorer 10? There are various ways of measuring this, but one widely-accepted way is to assess how well browsers perform against real-world attacks. We can also look at the number of software vulnerabilities, as a measure of engineering quality. Let’s look at each briefly.

Real-World Attacks

Last month’s report on socially-engineered malware by NSS Labs used over 96,000 test cases involving live malware across a 28-day period. It showed that Internet Explorer blocks more real-world attacks than other browsers. This is not surprising, as Microsoft originally released SmartScreen five years ago and continues to evolve protections like Application Reputation.

[Chart: Malware Block Rate by Browser, according to NSS Labs (May 2013)]

This chart shows that Chrome, Firefox, and Safari all use Google’s Safe Browsing API to block malicious URLs at about a 10% success rate. Most of Chrome’s protection comes after users have downloaded malicious software, in the form of a warning. By comparison, Internet Explorer 10’s SmartScreen URL filtering alone blocks as much as Chrome—and when Application Reputation is added, IE10 blocked over 99% of malware. For a user, this is very important. It’s safer to block malware before it’s downloaded versus warning someone after the fact.

Put differently, only four pieces of malware out of a thousand bypassed Internet Explorer’s protections. For Chrome, about two out of ten attacks would have relied on other protection like antivirus software. For Firefox and Safari, nine out of ten attacks would need to be stopped elsewhere. This is a great example of why the security principle of "defense in depth" is important. Every system has multiple layers of security—but how much do you trust the other layers to catch what your browser might miss?

Quality of Engineering

The Microsoft Secure Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements, while reducing development cost. Internet Explorer—like other Microsoft products—is developed using SDL best practices to decrease security vulnerabilities. How does Internet Explorer fare, when looking at the quality of security engineering? Analyst reports like the Secunia Vulnerability Review 2013 and Symantec’s 2013 Internet Security Threat Report show that Internet Explorer has far fewer security vulnerabilities than the competition.

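| Web Browser       | Secunia Advisories | Common Vulnerabilities and Exposures (CVEs) | Vulnerabilities |
|-------------------|--------------------|---------------------------------------------|-----------------|
| Internet Explorer | 10                 | 40                                          | 41              |
| Google Chrome     | 28                 | 293                                         | 291             |
| Mozilla Firefox   | 21                 | 164                                         | 257             |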

Software Vulnerabilities, according to the Secunia Vulnerability Review 2013

These results agree with the US NIST National Vulnerability Database, which tracks all software vulnerabilities. Of course not all these vulnerabilities may be prone to attack, but this is a good proof point for the success of the Secure Development Lifecycle process and the high quality of Internet Explorer engineering in protecting people from vulnerabilities.

Safer Browsing

Your browser is the first line of defense in keeping you safe on the Web. Internet Explorer 10 was designed with security in mind, and third-party reports like those from NSS Labs and Secunia show that IE10 provides industry-leading security for Windows customers. If you’re looking for a web experience that is fast, fluid and safer, try Internet Explorer 10 for Windows.

 

--Fred Pullen

Senior Product Marketing Manager, Internet Explorer

2 Comments
  • -- I agree with your observation that fragmentation is an issue. But I would argue that the root problem is Windows fragmentation. It seems perfectly reasonable to only support a browser on OS editions from the past 5-6 years. But, as we all know, many Windows customers continue to cling to older versions (e.g. XP), probably due to a variety of factors (old hardware, distaste for changes in newer Windows versions, cost, disinterest). I think the effort should be towards getting customers onto the latest Windows version, rather than trying to support ancient Windows versions with IE.

    I have a suspicion (ok, maybe paranoid) that IE's competitors (especially Google) go out of their way to support XP because it hurts Microsoft. In doing so, they support the mindset that there's nothing wrong with continuing to use a 12-year-old OS, both depriving Microsoft of an upgrade license sale and contributing to Windows fragmentation.

  • xpclient

    IE's main problem is fragmentation. Each version leaves out one older OS, while other browsers have no problem supporting it.