NSS Labs released their Web Browser Security report for Q3 2010 today.  The report is focused on testing the most widely used browsers against socially engineered malware.  It is important to note this test does not focus on vulnerabilities in the browser and attacks against the vulnerabilities.  Socially engineered malware are web links that are sent to users through email, instant messages and online advertisements that appear to be legitimate programs.  But, the actual file or site is a malicious program.  Socially engineered attacks are becoming a more prevalent attack vector with how much social media is evolving to become widely used by individuals and businesses.  Lately, attacks have been in websites such as Facebook, Twitter and various blog sites.

In this report, NSS labs ran the browsers through a gauntlet of malicious web sites to see how effective each browser’s protection fared in regards to end user safe browsing.  All major browsers include some type of protection functionality.  In fact, some of the browsers use the same technology but implement it in different ways.

The major browsers tested by NSS Labs were:

• Apple Safari 5
• Google Chrome 6
• Microsoft Internet Explorer 8
• Microsoft Internet Explorer 9 (beta)
• Mozilla Firefox 3.6
• Opera 10

The results of this test are quite staggering and I am pretty surprised.  Both Microsoft browsers truly surpassed any of the other browsers in the market.  In effectiveness in blocking a malicious site, Microsoft Internet Explorer 8 blocked 90% of the socially engineered malware.  Not to be outdone, Microsoft Internet Explorer 9 blocked 99% of the socially engineered malware.  The remaining browsers tested rated up to 19% effective against socially engineered malware compared to Microsoft’s Internet Explorer.

With Internet Explorer 9, Microsoft still includes the SmartScreen Filter.  The browser now boasts an additional layer of protection with the introduction of SmartScreen Application Reputation.

Microsoft is showing, with their current browser technologies, and their new browser technologies, that security for end user browsing is important to them.  I focus a lot on patching browsers to prevent attacks on user’s computers, but defending against socially engineered malware can be quite futile as the control is in the end user’s hands.

For Firefox, Chrome, Safari and Opera, I will be interested to see how they add functionality to catch up to Microsoft in this category.

The full NSS labs report can be found here.

More information on Microsoft’s SmartScreen features in Internet Explorer 9 can be found here. 

More information on Mozilla Firefox’s Anti-Malware screening can be found here. 

More information on Google Chrome’s Safe Browsing can be found here.

More information on Apple Safari’s Malware Protection can be found here.

More information on Opera’s Malware Protection and Extended Validation can be found here.

- Jason Miller