Chrome 90% Less Secure Than IE Against Malware

NSS Labs, an independent security research and testing organization, has released its 2013 Browser Security Comparative Analysis.  The analysis shows that IE10 blocks more socially-engineered malware than any other browser.  Technologies built into IE10 such as SmartScreen and Application Reputation are partially responsible for IE10’s effectiveness against malware.  Independent research now shows that IE10 blocks 99% of malware and has fewer vulnerabilities than any other browser on Windows.

IE10 uses multiple levels of protection to deliver the most secure browser to users:

Protection from socially-engineered attacks

By imitating or compromising trusted web sites, malware authors try to trick users into sharing personal information or downloading and executing malicious software.  To help protect users from these socially-engineered attacks, Microsoft uses a combination of URL filtering and application reputation.  SmartScreen URL filtering and Application Reputation provide the best protection available against malware attacks.

Protection from attacks on web sites

Even “good” web sites can sometimes have security vulnerabilities that allow malicious sites to steal your data or perform actions as if they were you.  Internet Explorer helps protect you with the XSS Filter, which automatically prevents certain types of attacks, and it makes it easier for web sites to secure themselves with Declarative Security features, like IE10’s support for the HTML5 Sandbox.

Protection against attacks on the browser or operating system

Automatic updating ensures that you have the latest updates installed.  This protects you against security issues that have already been fixed.  Internet Explorer 9 added significant memory protection features to make it harder to exploit certain types of vulnerabilities, and these were enhanced in IE10.  We also added a new layer of protection in IE10 called Enhanced Protected Mode.

 

NSS Labs also showed that IE10 blocks more ‘real-world attacks’ than any other browser. NSS used over 96,000 test cases over a 28-day period to create the following graph:

Malware Block Rate by Browser, according to NSS Labs (May 2013)

The chart shows that Google’s Safe API to block malicious URLs, used by Chrome, Firefox, & Safari, only has a ~10% success rate!  Chrome only protects users after the malicious software is downloaded, and with only a small warning.  In contrast, IE10 blocks the software before it is downloaded. IE10’s SmartScreen URL filtering alone blocks more than Chrome; if you add in Application Reputation, we’re looking at over a 99% rate of effectiveness.

Only four pieces of all malware were able to bypass IE10’s multiple layers of protection.  On the other hand, 2 out of every 10 attacks could bypass Chrome’s protections and 9 out of every 10 attacks could bypass Firefox and Safari’s protections.

Other analyst reports from the Secunia Vulnerability Review 2013 and Symantec’s 2013 Internet Security Threat Report show that Internet Explorer has far fewer security vulnerabilities than other browsers too:

| Web Browser | Secunia Advisories | Common Vulnerabilities and Exposures (CVEs) | Vulnerabilities |
| --- | --- | --- | --- |
| Internet Explorer | 10 | 40 | 41 |
| Google Chrome | 28 | 293 | 291 |
| Mozilla Firefox | 21 | 164 | 257 |

Software Vulnerabilities, according to the Secunia Vulnerability Review 2013

These results are in line with the independent US NIST National Vulnerability Database, which tracks all software vulnerabilities.

Each additional browser you install leaves you open to additional vectors of attack.  I believe IE has come a long way since the IE6 days, and I currently use IE10 as my primary browser.  For those of you still skeptical of IE, I suggest giving it another try.  For those of you that need an ad-blocker, try turning on ActiveX filtering in combination with IE10’s built-in tracking protection lists; it blocks most stuff for me.

What are you using as your primary browser? Let us know in the comments below.

Source: NSS
