December 16, 2015 11:30 am

Evolving Microsoft SmartScreen to protect you from drive-by attacks

Microsoft SmartScreen, integrated with Microsoft Edge, Internet Explorer, and the Windows operating system, has helped protect users from socially engineered attacks such as phishing and malware downloads since its initial release in Internet Explorer 7. With URL reputation checks and Application Reputation protection, SmartScreen has protected users from billions of web-based attacks in the last 8 years. Over time, SmartScreen has expanded its scope from phishing attacks and socially engineered malware to also include warnings for deceptive advertisements and support scam sites.

Today, we’re happy to announce that with the latest Windows 10 updates, we’ve extended SmartScreen to include protection from drive-by attacks in Microsoft Edge and Internet Explorer 11.

What is a drive-by attack?

Drive-by attacks are malicious web attacks that tend to start on trusted websites, targeting security vulnerabilities in commonly used software. What’s more, they often don’t require any user interaction – so there’s nothing to click, nothing to download – and infection is usually invisible.

Drive-by attacks make use of services known as exploit kits (EKs) to scale effectively. These are tools that first check your PC for software vulnerabilities (tracked publicly as CVEs) and then try to exploit them. The vulnerabilities can be either newly discovered ones – also known as 0-days – or ones that have already been fixed in popular software. Over the past year, we’ve seen EKs moving faster to target vulnerabilities in apps with available patches, while also exploiting 0-day vulnerabilities more frequently as well.

Graph showing recent time-to-exploit trends: EKs are moving faster to target vulnerabilities in apps with available patches, while also exploiting 0-day vulnerabilities more frequently.

Given this trend, users have less time to update to a secure state and can no longer rely on staying patched as a reliable EK defense. Fortunately, Microsoft has cultivated a broad set of data from sources like Microsoft Edge, Internet Explorer, Bing, Defender and the Enhanced Mitigation Experience Toolkit (EMET) to be able to see these attacks as they emerge, and to turn this information into the intelligence that powers SmartScreen drive-by protection in the browser.

This cross-company data intelligence effort is unique since it brings together information not just about the browsing experience or web infrastructure, but also about behavioral telemetry from across the Windows operating system. This can help us to detect potential attacks in progress and detect emerging threats.

To illustrate how this works, let’s look at a specific case study. Last December, as part of the development of this new SmartScreen capability, multiple Microsoft data sources including Defender and EMET picked up a new set of exploit attacks targeting millions of users through a network of malicious ads displayed on popular sites. The threat, broadly referred to as the HanJuan EK, was detected by SmartScreen’s exploit intelligence systems. As we dug into the data, we discovered the attack was actually leveraging a new 0-day exploit in Adobe Flash Player, meaning that SmartScreen intelligence systems were detecting this attack even before it was identified as a new 0-day exploit. We reported the issue privately to Adobe (CVE-2015-0313) and a patch was developed and shipped.

With SmartScreen drive-by protection, these types of threats may be prevented before a user is infected, even if a patch isn’t yet available.

How has SmartScreen evolved to help me?

Unlike existing SmartScreen protection from socially engineered attacks, drive-by attacks need to be detected and prevented before any web content is parsed and rendered. To avoid impacting browsing performance, SmartScreen helps protect against drive-by attacks by using a small cache file created by the SmartScreen service. This cache file is periodically updated by your browser to help keep you protected and to ensure that calls to the SmartScreen service are only made if we believe there’s a high probability of malicious content on a page.

If SmartScreen determines that a website is potentially malicious, you’ll see a red warning and the content won’t render in either Microsoft Edge or Internet Explorer 11 on Windows 10.

Screen capture: Microsoft SmartScreen "Unsafe website" warning in Microsoft Edge

SmartScreen also has the ability to warn you about potentially malicious frames, such as unsafe ads. In the past, unsafe frames on a page would result in a full-page warning, even if the webpage hosting the content was safe. Now, SmartScreen can show you warnings for only the frames that are found to be malicious, letting you continue to interact with the rest of the page.

Screen capture: Microsoft SmartScreen "Unsafe content" warning on a malicious frame in Microsoft Edge
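The flow described above (consult a small local cache first, call the service only on a cache hit, then block either the whole page or only the flagged frame) can be sketched as follows. This is an added example, not Microsoft's code: the post does not describe the cache's contents, so the hash-prefix format, the class and function names, and the `.example` hosts are assumptions for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # assumed: bytes of SHA-256 kept per cache entry

def host_prefix(url):
    """Short hash prefix of the URL's host (urlsplit lower-cases the hostname)."""
    host = urlsplit(url).hostname or ""
    return hashlib.sha256(host.encode("utf-8")).digest()[:PREFIX_LEN]

class LocalCache:
    """Stand-in for the periodically updated cache file; this format is hypothetical."""
    def __init__(self, suspect_hosts):
        self.prefixes = frozenset(host_prefix("//" + h) for h in suspect_hosts)

    def may_be_malicious(self, url):
        return host_prefix(url) in self.prefixes

class ReputationService:
    """Stand-in for the remote service; records which URLs were sent to it."""
    def __init__(self, malicious_hosts):
        self.malicious_hosts = set(malicious_hosts)
        self.queried = []

    def is_malicious(self, url):
        self.queried.append(url)
        return urlsplit(url).hostname in self.malicious_hosts

def check_url(url, cache, service):
    """True if the URL must not render. A cache hit is only a hint, so the
    service is asked; a cache miss short-circuits and nothing leaves the machine."""
    return cache.may_be_malicious(url) and service.is_malicious(url)

def check_page(top_url, frame_urls, cache, service):
    """Decide before rendering: full-page block, or block only the flagged frames."""
    if check_url(top_url, cache, service):
        return {"page": "blocked", "blocked_frames": []}
    blocked = [f for f in frame_urls if check_url(f, cache, service)]
    return {"page": "rendered", "blocked_frames": blocked}

# Constructed sample data (.example hosts are placeholders, not real indicators).
CACHE = LocalCache(["ads.bad.example", "old-campaign.example"])
SERVICE = ReputationService(["ads.bad.example"])  # old-campaign cache entry is stale
RESULT = check_page(
    "https://news.example/story",
    ["https://ads.bad.example/banner", "https://old-campaign.example/x",
     "https://cdn.news.example/app.js"],
    CACHE, SERVICE)
```

In the sample, only the two frames whose hosts hit the cache are ever sent to the service, and the stale cache entry is cleared by the service verdict rather than blocked.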

You can expand the More Information link on the SmartScreen warning page to report a site as safe to Microsoft or to bypass the warning – though we highly recommend that you don’t bypass it. For warnings shown in frames, you can click the Unsafe Content badge in the address bar for the same options.

Note: All existing SmartScreen settings and controls (including Group Policy) apply to SmartScreen’s new drive-by attack protection.

Is there anything else I can do?

When drive-by attacks target vulnerabilities that have already been fixed in popular software, your browser, or your operating system, it’s vital that you install security updates when they become available.

Additionally, if you find a site that you think is unsafe, you can report it to Microsoft using:

  • Microsoft Edge on Windows 10. Tap or click the More menu, choose Send feedback, and then choose Report unsafe website.
  • Internet Explorer 11 on Windows 10. Tap or click the Tools button, point to Safety, and then choose Report unsafe website.

We’re excited about these improvements and look forward to hearing your feedback! If you have any questions, please don’t hesitate to reach out to us @MSEdgeDev on Twitter or in the comments below.

– Jasika Bawa, Program Manager, OS Security
– Ryan Colvin, Senior Program Manager, SmartScreen

Join the conversation

  1. Thank you!

    But Microsoft, you really, really, REALLY need to get rid of the yellow smiley face for feedback in Internet Explorer 11. It makes the browser seem like it’s infected (my boss asked me this when I was doing a presentation using IE11 on Windows 10).

    Please get rid of the horrendous yellow smiley face on the top right corner of IE11. It’s okay to include a built-in Feedback system, but you should hide it under the “Settings” context menu. Don’t make a dedicated icon for it.

    Thanks.

  2. So, is it only on Windows 10 with the new enhanced SmartScreen abilities?
    And when I update to the latest update of Windows 10, does it pop up with both windows or is this just a feature that will just be seen if it happens? Also, what causes Edge to choose between a full-page block compared to just an iFrame or frame block?

    • I don’t know how many people rely on a browser or other built-in measures for their internet security. I’ve used 3rd party security software for the past few years: AVG, Kaspersky, Bitdefender, etc. and imagine I’m pretty typical in that regard. Great as having a secure browser is, it’s my understanding that using 3rd party software requires disabling any other security software on your computer. Making Edge secure might be great for users who find paying around $60 p.a. too much for security, but for people like me it doesn’t really mean much. I’m just waiting for Edge to start being usable with plug-ins before I consider using it as a daily browser.

  3. Is there a test website to check that SmartScreen is working correctly? I tested downloading the Eicar test file, but SmartScreen didn’t prevent the file from downloading.

  4. While reporting website “as safe”, the directing page at smartscreen feedback doesn’t offer an option to report “as safe”. Only 2 options are provided which are to report “as unsafe”

    Edge Browser
    Windows 10

  5. As a developer, I am hoping to see if there are any tools to help us understand why a webpage might be listed. I currently have a single page on a domain that is being blocked by “SmartScreen”. A visual review doesn’t raise any concerns. Bing’s Webmaster Tools is reporting the page (that specific page) as clean. A scan by Sucuri is showing the page clean. A review of other blacklists using URL Void is not returning any other sites that believe this page is infected. We have submitted the site using the regular web tool, but we have no idea what the turn-around time might be. My client has a large event in just a few days with an increase in their traffic right now. Thanks for your time!

    • Hi Brian – sorry for the delay in replying. If you are getting warnings from SmartScreen, the best thing to do is report them as soon as possible. There’s a link you can use right in the warning message (under more information) or you can click the Unsafe Content badge in the address bar. If you identify yourself as the site owner, you can include your contact information in a message to the SmartScreen team so they can contact you directly as necessary. Most issues don’t take too long to resolve.

  6. This feature also produces FALSE POSITIVES that can injure the traffic to a website. Avast Safe Browser, Securi, Wordfence, Kaspersky, Norton, Chrome, Safari all show a site is clean but your product still shows the site as infected and blocks it in Edge. Weeks after users have reported IT IS SAFE, Edge still shows it as infected.

    • Juile – If you are getting warnings from SmartScreen, the best thing to do is report them as soon as possible. There’s a link you can use right in the warning message (under more information) or you can click the Unsafe Content badge in the address bar. If you identify yourself as the site owner, you can include your contact information in a message to the SmartScreen team so they can contact you directly as necessary.

  7. So how do we turn off SmartScreen? The switch does not seem to work. I have the browser in a sandbox, disconnected from the internet and it takes ages to load each page. There are lots of TCP SYN-requests to websites I never requested, even when I set the start page to about:blank. This is not very useful for Selenium testing. Are you sending my page to a filter so you can also see what I am browsing, even though SmartScreen is turned off?

  8. I also have an issue with SmartScreen Defender: no way to report a downloaded file as safe… Where is the “Report as Safe” option now? When opening “More Information”, there is no such choice.