Chrome 90% Less Secure Than IE Against Malware

NSS Labs, an independent security research and testing organization, has released its 2013 Browser Security Comparative Analysis.  The analysis shows that IE10 blocks more socially-engineered malware than any other browser.  Technologies built into IE10 such as SmartScreen and Application Reputation are partially responsible for IE10’s effectiveness against malware.  Independent research now shows that IE10 blocks 99% of malware and has fewer vulnerabilities than any other browser on Windows.

IE10 uses multiple levels of protection to deliver the most secure browser to users:

Protection from socially-engineered attacks

By imitating or compromising trusted web sites, malware authors try to trick users into sharing personal information or downloading and executing malicious software.  To help protect users from these socially-engineered attacks, Microsoft uses a combination of URL filtering and application reputation.  SmartScreen URL filtering and Application Reputation provide the best protection available against malware attacks.

Protection from attacks on web sites

Even “good” web sites can sometimes have security vulnerabilities that allow malicious sites to steal your data or perform actions as if they were you.  Internet Explorer helps protect you with the XSS Filter, which automatically prevents certain types of these attacks, and makes it easier for web sites to secure themselves with declarative security features, such as IE10’s support for the HTML5 Sandbox.
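As an added illustration of the declarative security mentioned above (example markup written for this article, not code from the original post or from Microsoft; third-party.example and widget-slot are placeholder names), here is what the HTML5 iframe sandbox looks like on a page that embeds third-party content, from the fully open embed through the most restrictive form to a selectively relaxed one:

```html
<!-- Added example: embedding a third-party widget with and without the HTML5 sandbox.
     third-party.example is a placeholder hostname, not a real site. -->

<!-- Without sandbox: the framed document runs with its origin's full privileges.
     It can execute script, submit forms, open pop-ups and navigate the top-level page. -->
<iframe src="https://third-party.example/widget.html"></iframe>

<!-- Bare sandbox attribute: the most restrictive setting. The framed document gets a
     unique (opaque) origin, cannot run script, cannot submit forms, cannot open pop-ups
     and cannot navigate the top-level window. Use this for untrusted content that only
     needs to be displayed. -->
<iframe sandbox src="https://third-party.example/widget.html"></iframe>

<!-- Selective relaxation: re-enable only the capabilities the widget actually needs.
     allow-scripts lets it run JavaScript; allow-forms lets it submit forms. Because
     allow-same-origin is NOT granted, the widget still runs under a unique origin and
     cannot read the embedding page's cookies or DOM, even if served from the same host. -->
<iframe sandbox="allow-scripts allow-forms"
        src="https://third-party.example/widget.html"></iframe>

<!-- Combination to avoid: allow-scripts together with allow-same-origin lets a framed
     document from your own origin reach into the parent and remove its own sandbox
     attribute, which defeats the purpose of sandboxing it. -->

<!-- Feature detection: browsers that predate the attribute (IE9 and earlier) ignore it
     entirely and render the frame unrestricted, so a page that relies on the sandbox
     should check for support before injecting untrusted content. -->
<div id="widget-slot"></div>
<script>
  var supportsSandbox = 'sandbox' in document.createElement('iframe');
  if (supportsSandbox) {
    var frame = document.createElement('iframe');
    frame.setAttribute('sandbox', 'allow-scripts allow-forms');
    frame.src = 'https://third-party.example/widget.html';
    document.getElementById('widget-slot').appendChild(frame);
  } else {
    // Defensive fallback: do not embed the untrusted widget at all rather than
    // embed it without restrictions.
    document.getElementById('widget-slot').textContent =
      'This content is not shown because your browser does not support the HTML5 sandbox.';
  }
</script>
```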

Protection against attacks on the browser or operating system

Automatic updating ensures that you have the latest updates installed.  This protects you against security issues that have already been fixed.  Internet Explorer 9 added significant memory protection features to make it harder to exploit certain types of vulnerabilities, which were enhanced in IE10.  We also added a new layer of protection in IE10 called Enhanced Protected Mode.

 

NSS Labs also showed that IE10 blocks more ‘real-world attacks’ than any other browser. NSS used over 96,000 test cases over a 28-day period to create the following graph:


Malware Block Rate by Browser, according to NSS Labs (May 2013)

The chart shows that Google’s Safe Browsing API for blocking malicious URLs, used by Chrome, Firefox, and Safari, only has a ~10% success rate!  Chrome only protects users after the malicious software is downloaded, and with only a small warning.  In contrast, IE10 blocks the software before it is downloaded. IE10’s SmartScreen URL filtering alone blocks more than Chrome; add in Application Reputation and we’re looking at over a 99% rate of effectiveness.

Only four pieces of all the malware tested were able to bypass IE10’s multiple layers of protection.  On the other hand, 2 out of every 10 attacks could bypass Chrome’s protections, and 9 out of every 10 attacks could bypass Firefox’s and Safari’s protections.

Other analyst reports from the Secunia Vulnerability Review 2013 and Symantec’s 2013 Internet Security Threat Report show that Internet Explorer has far fewer security vulnerabilities than other browsers too:

Web Browser          Secunia Advisories   Common Vulnerabilities and Exposures (CVEs)   Vulnerabilities
Internet Explorer    10                   40                                            41
Google Chrome        28                   293                                           291
Mozilla Firefox      21                   164                                           257

Software Vulnerabilities, according to the Secunia Vulnerability Review 2013

These results are in line with the independent US NIST National Vulnerability Database, which tracks all software vulnerabilities.

Each additional browser you install leaves you open to additional vectors of attack.  I believe IE has come a long way since the IE6 days, and I currently use IE10 as my primary browser.  For those of you still skeptical of IE, I suggest giving it another try.  For those of you that need an ad-blocker try turning on ActiveX filtering in combination with IE10’s built-in tracking protection lists; it blocks most stuff for me.

What are you using as your primary browser? Let us know in the comments below.

Source: NSS

About the author / Suril Amin

Suril is a scientist, journalist and obsessive Microsoft observer. He holds an advanced degree in Biotechnology with minors in Biochemistry, Microbiology, and Molecular Biology. Send him tips on twitter: http://www.twitter.com/surilamin

  • Gustav Christensson

    Here are my statistics:
    IE – 10 seconds to start.
    Chrome – 3 seconds.
    Chrome is 70% faster.

    • LPHeadstrong

      Gotta go with speed logic!

      • Gustav Christensson

        Exactly. I have Antivirus programs for the virus, I don’t need IE.

    • Rikkirik

      Idiocracy from an idiot

    • AK_91

      Not sure which IE you are using but IE 10 on my PC launches under 2 secs. And I get similar launch speed for Firefox and Chrome

      • Gustav Christensson

        I tried again. It took 25 seconds to start and to load the MSN homepage. I had to walk through a ton of pop-ups and there are 5 toolbars above my page. That’s my experience.

        • AK_91

          Are you using IE6 by any chance? And why the hell do you have 5 toolbars above your page? I use IE10 on Win8 and never had any issues; it loads in under 2 secs and runs smooth. That being said, I use Firefox for daily use as IE doesn’t support addons like Adblock Plus, etc.

    • sam

      Faster getting infected you mean?

      • Gustav Christensson

        Not really. Faster to open, Sam.

    • reKitab

      Nice, you get your malware served faster then :(

    • DoctorSnyder

      lol

    • h3man

      In the “tools” menu activate ActiveX filtering and under “manage add-ons” add some tracking protection. I use EasyPrivacy and Fanboy Adblock List.
      Now run your tests again. My IE10 starts in under 2 seconds.

      • freeman

        So what you’re saying is that to get IE to run as fast as Chrome you have to turn off ActiveX plugins/extensions and block half the page.

        • h3man

          ;) at least you are one of the few on the internet who can read and understand postings.
          But what is your solution to Chrome’s RAM problem? When I have 15 tabs open it’s night and day between IE10 and Chrome.

          • freeman

            I don’t have any problems with RAM, but then I have an i7 running off SSDs and 16 GB of RAM, so I wouldn’t.

            As far as memory consumption goes, Firefox is the one to use on machines with low specs. However, the single-threaded nature of Firefox means one bad page and the browser has had it. IE isn’t any better than Chrome when it comes to memory usage. This is the price for multi-process tabs, which give more security and better stability.

            If you must run so many tabs on lower spec machines then you should look into TooManyTabs on the Chrome store. It allows tabs to be suspended etc. I haven’t personally used this extension, I don’t need it, but I know of people who use it.

            My recommendation would be to buy more RAM. It’s one of the most cost-effective ways to improve machine performance. RAM is cheap.

            You also know that Chrome will run faster if you disable extensions and run incognito mode.

    • frankwick

      You’ve got a system issue. Both IE10 and Chrome launch in under two seconds on my i5.

      • Gustav Christensson

        No idea. Might be all the toolbars. Great job that they don’t exist on Google Chrome.

    • DigTheNoise

      IE 10 launches on mine around “thousand and one” … so about a second.

    • techieg

      Well, good for you to base usability on speed alone. But on the other hand, many tests have also shown IE10 to be much faster. I would rather fly from a more secure airport than one that is simply faster but less secure.

      • Gustav Christensson

        Consider this: There are so many toolbars available for IE, toolbars that might be unsafe in their own way. Yes, I know about the Extensions and that they might be unsafe. But here, I download Google Earth and find myself with 20 more toolbars in IE, being “recommended choices”.

        • AK_91

          you can uninstall them?????

          • Gustav Christensson

            Ain’t got no time for that.

    • guest

      Awesome display of faulty logic and generally off topic response.

  • Rikkirik

    Time and time again security research and testing organisations have proved IE10 to be the most secure browser ever, which is understandable, given the fact that they cater to businesses and enterprise. Chrome is trash. In my house, my Kingdom, there will never be a Chrome browser.

  • freeman

    An example of more misleading posts. NSS is an independent research company, that may well be true, but previous versions of this report were sponsored by Microsoft. That’s not independent at all; maybe you should correct that error.

    “The test is conducted independently by NSS; it is commissioned by the product team to independently measure the protection of SmartScreen,” – Microsoft

    The other problem is the tests are very focused, and URL blocking of socially-engineered malware is a very narrow field. This report “does not evaluate browser security related to vulnerabilities in plug-ins or the browsers themselves” -NSS in a previous version of this report.

    Then of course the list of test URLs is unknown, not published as part of the report. So there is no independent verification of the results at all, and it’s impossible to do so.

    Then we should look at http://en.wikipedia.org/wiki/Comparison_of_web_browsers#Vulnerabilities

    Go to the bottom to see unpatched security vulnerabilities and see that every version contains an unpatched security hole. That’s before you visit a page. IE 8 has an unpatched, extremely critical, publicly known security hole.

    Microsoft should stop funding dodgy irrelevant reports and shift it to development teams to build a decent browser.

    • Trolls are tools

      It’s not an error to state they’re an independent research company when they’re in fact an independent research company. And just because someone sponsors a study, doesn’t mean the results aren’t legitimate. Indeed, because they’re independent – see there’s that word again in case you still haven’t figured out what it means – their reputation is their main asset. So there’s good reason to think they wouldn’t jeopardize that by doing a dodgy study just to please a particular customer. If you don’t like their study’s methodology, do your own. Nobody is stopping you. And your strawman argument that money used on studies like these could better be used in the product, like it’s some sort of either or at the scale we’re talking about, is of course patently ridiculous.

      • freeman

        Being paid to do a report by a company whose product is involved in the report means you are not independent. What’s more alarming is that this link has not been published in the latest report. In the same manner, the Accuvant report which concludes Chrome is the most secure is not independent as it’s sponsored by Google.

        While non-independent reports can still be legitimate, this can only be determined by scrutiny and peer review. However, since NSS Labs have yet to publish their test data this is impossible. Pretty much it’s just pseudoscience. They did not show how they can get a test set of 150,000 sites from millions and then further narrowed that down to a tiny test set of less than 500 in earlier tests.

        It’s widely accepted that layered security is the best. Yet this report does not even mention it. Firefox’s NoScript, Chrome’s sandboxing and Safari’s antivirus integration. We don’t know what the state of these was in the test; not mentioned.

        So as for NSS Labs reputation that’s been brought into question by a lot of people so that’s out the window.

        So let’s get to the money on this scale of thing. Since Microsoft can spend a large chunk of money on what’s nothing more than perverted marketing material and ignored the extremely critical hole in IE 8 that has been in the public domain for over 50 days, or a 10 year old non-critical security hole in all versions of IE, clearly it is a choice of either or.

        • Trolls are tools

          No it doesn’t. It simply means they have to be especially diligent to ensure that outside party doesn’t influence their methodology or results. And you’ve shown ZERO evidence they did otherwise. So your assertions of bias are just idle speculation. Further, since you’re a demonstrated troll, there’s good reason to think *you’re* independent or objective in your criticism.

          “However, since NSS Labs have yet to publish their test data this is impossible. Pretty much it’s just pseudoscience.”

          Once again you show your abject lack of logic and objectivity. Since you self-admit to having not seen the data or methodology, you have no basis for concluding it’s “pseudoscience”.

          “So as for NSS Labs reputation that’s been brought into question by a lot of people so that’s out the window.”

          Any idiot can question them w/o offering proof. And you did. That reflects on you, not them.

          “So let’s get to the money on this scale of thing. Since Microsoft can spend a large chunk of money on what’s nothing more than perverted marketing material and ignored the extremely critical hole in IE 8 that has been in the public domain for over 50 days, or a 10 year old non-critical security hole in all versions of IE, clearly it is a choice of either or.”
          How much did they spend commissioning this study? What % did that represent of their overall IE spend? We’ve already established that you have no basis for concluding this study is flawed and therefore the result perverted, yet here you are repeating it as if it were fact. It seems more likely it’s simply the kneejerk conclusion of a demonstrated MS hater. And what you omitted from your stupid comment about one or two specific outstanding bugs being proof it’s an either/or for MS, in addition to having no ability to tell us what % of their overall budget this study represented, is the fact that meantime MS did fix hundreds of others.
          So do us all a favor and stop embarrassing yourself.

          • Trolls are tools

            *you’re* independent > you’re not independent

          • freeman

            You call me a ‘troll’ yet I haven’t resorted to childish name calling. Maybe you should look up ad hominem fallacy.

            Unlike you, I understand the term pseudoscience and I have read the report. How do I know you don’t or haven’t? Well, I have seen the methodology; it’s well documented in the report. You would have known this if you had read it. Only the test data is missing, resulting in a lack of peer review. This is the fact that makes it pseudoscience. Without the ability to peer review, this study is no better than a self-serving press release funded by Microsoft.

            “This is a vendor-funded paper, and in these cases, the vendor is going to drive the methodology [of the testing],”
            -Vikram Phatak, the chief technology officer of NSS Labs

            Then when questioned he claimed “There’s a reason why we don’t do that anymore.”

            Of course, in response to Phatak’s criticism of Accuvant’s equally paid-for (by Google) research, security researcher Chris Valasek was able to respond that they published not only the paper and test tools but also the data for peer review.

            Accuvant concluded “overall browser security needs to be considered when attempting to compare browsers from a security standpoint. Drawing conclusions based solely on one category of protection, such as blacklisted URL statistics, doesn’t give a valid perspective on which browser is most secure”

            Phatak’s quotes alone call into question NSS Labs’ Microsoft-paid research. The burden of proof isn’t on me but on the researchers making the claims, and all research is published so it can be questioned. That’s the point.

            It doesn’t matter what the overall IE spend was compared to paid-for research that cannot be peer reviewed. It’s still money (even if it’s only $1) and resources that would have been better spent on making IE a better product.

            Now the authoritarianism rears its ugly head. Question anything Microsoft do and you’re a hater. Sorry, I question things I intend to use or am using with the hope they improve the product. Dodgy marketing campaigns or paid-for research should be and deserve to be called out for what they are.

  • The Protector

    I use google chrome and I GUARANTEE 100% that it is safer than ie10 from viruses and malware.

    But then again I do run it on Linux Mint.

  • Harry

    Surely this is not the SAME NSS who told us that IE8 was the safest, then IE9, and now IE10……….

    Next they will be telling us the moon is made of cheese

    These “independent” studies always set my BS Alarm off.

  • FateStayNight

    I won’t use chrome to do online banking ever.