MS IE8, Google Chrome, Firefox 3.0.9 according to mrizos.

It was interesting to watch the videos of mrizos testing the 3 above mentioned browsers: they were tested on a machine without any AV, against 10 malicious URLs, and surprise IE8 somewhat had the best performance in terms of inbuilt security.
IE8 smart security filter has an inbuilt executable scanner stopping a lot of them (7/10), Chrome had the best performance in notifying you about the malicious sites (10/10) but won't do anything to stop executables (IMO logical as if it tells you that the site is malicious, you should not execute anything). Firefox was disappointing: it notified of malicious sites only on 3 instances out of 10, no warnings about executables.

I personally like Chrome's performance as they seem to index most malicious sites very quickly.

http://www.youtube.com/watch?v=wJBCrXdz4ew&feature=channel

 

I admit not watching the video. I am not convinced this is or should be the role of a browser.

 

Are you referring to stopping malware or notifying about malicious URLs? I think executables is definitively not a browser's job to analyse, but telling you whether it is malicious, why not.

 

Odd that Firefox would report malicious sites worse than Chrome as I would have assumed they should use the same database.

 

Why do you make that assumption?

 

If the assumption is correct, then there's possibly a time lag between the real time indexing from Google and transmitting data to Firefox, although even mrizos seemed surprised at Firefox poor performance in this type of test.

 

I ditched IE8 for Chrome recently, when much to my surprise, while using IE8, I went to a site somewhere and suddenly found the Windows Installer loading/running for no reason.... had to cancel it about 5 or 6 times to avoid whatever was about to happen. That's when I said goodbye to IE8, much as I did like it. Using Chrome now, and am happy.

 

I like Chrome a lot (I use it as my default browser, IE8 (64-bit) for some reasons can't be set as default ) but I was impressed at the addition of an executable scanner in IE8 which as pointed out by mrizos, it is very helpful to the average surfer who doesn't even know of the existence of other browsers. What I don't like in IE8, is the way it alerts you about malicious sites, not so obvious as with Chrome.

 

Regarding first post:
What is the definition of malicious? Besides, why should a browser inform you whether the site is malicious or not. You go there on your own choice, so it's entirely up to you.

Regarding above post:
I agree that the browser's job is not to analyze potentially malicious payload, which directly contradicts your other point - how can you know if a site contains malicious code unless you analyze it? An alternative approach is a database, but this is blacklisting and it's not an efficient way of handling things.

Cheers,
Mrk

 

People use all sort of applications or addons to tell them whether they land somewhere which might have some malicious effects: Webguards, WOT (which happens to be Firefox specific) and others which I can't remember. I don't see what is wrong with the browser warning me about a dangerous site. Now if you want to execute anything it is completely up to the user.

One doesn't always go somewhere by choice, surfing the internet you might start with a website that is clean and end up with another that might have been compromised (it's happening all the time)

I don't think you watched the videos, Chrome indexes malicious sites as they are reported infected, it tells you, whether it is an FP or for real it is up to you to go ahead or close the window. It won't try to stop you running an executable if any. IE8 on the other hand it will also try to analyse the executable (if any) and advise you according to to database presumably from Windows Defender and/ or One Care. I don't see what contradiction is there in all of this.

I know you are A Firefox aficionado, and I have used it for a long time. This is a test that I am reporting from a guy who is addressing average users and not specialists like you. MS has been constantly the target of security criticism especially about its own browser, and again they have done something about it: at the moment it seems to provide more protection to the average user than Firefox.

 

I think information has to be understood correctly before it is used.

You said in point A: browser does not analyze executables.
Point b: browser tells you the site is malicious.

If the browser does not analyze sites in real time, then it relies on an indexed database = blacklist = useless, out of date, pointless given the number of websites and how fast they change, prone to both FP and FN.

So we have three completely different methods of work at hand:

IE analyzes in real time, which is something you said browser should not do, plus it relies on installed anti-virus/anti-spyware on the local machine, which might not be there.
Chrome relies on an indexed database to warn the users.
Firefox also has optional Google database ... but let's argue it does nothing.

How can you compare when the three do different things regarding websites. If all uses method a or b or both, then you could compare the quality of real-time web code analysis or the quality of the database.

All this said, going to a site loaded with malicious code, what happens?

IE executes ActiveX, which makes it far more vulnerable.
Chrome, Firefox do not execute ActiveX.

So passive detection means little. What happens if you actually land on a site with malicious code, undetected by any method discussed?

There's a possibility of remote execution (drive-by), IE leads here due to its implementation and ActiveX usage.
There's a possibility of manual download by the user - nothing to be done here, the threat is equal anywhere everywhere.

So, if you use a non-IE browser, all you have to do is make sure you do not install crap yourself and problem solved, indexed database or not, active detections or not.

The idea of a browser warning you against sites is like anti-virus. A fairly futile model overall. It's up to users to make their choice what they do. No different than any other segment of life.

And to close it up:

IE does not provide more protection to the average user than Firefox. First, Firefox has Noscript, which defeats 100% site issues everywhere. Second, I want the browsers put to actual test. When you land on a site that has malware and is NOT detected, this is where the fun begins.

The problem is not with 100 missiles that never fire. The question is how do you fare against the one that does. Here, non-IE browsers fare much better, due to their implementation in the system, sandbox model, more robust security, and whatnot.

Cheers,
Mrk

 

@ Mrkvonic,

Your argument is more or less based around the outdated supposition that IE automatically executes ActiveX. Even if you're a Firefox aficionado and hate IE with a passion, please do take the time to do a bit of research before making these kind of claims based on knowledge that's 3-4 years old. I daresay you'd sound more credible if you don't argue with horribly outdated facts and uninformed opinions.

Besides, it's inconsequential whether blacklisting is efficient or otherwise. It's whether it succeeds in protecting the user. And at the moment IE and Chrome does that quite well relative to Firefox, which is a fact that you can't change simply by theorycrafting.

 

Interesting thread! Why? I do like this sort of discussions, because then, there I come in to the rescue and say:

Is an operating system suppose to offer security, as in be secure?

Please, do answer. Then, think if a browser should offer security, as well.

 

Its not for the browser to check if a site is safe or not.
nothing should excute without your permission.
if you use a non IE browser such as opera or firefox you pretty much stop all drive by downloads. if you visit a website and you get a prompt asking for admin rights or opening a third party program such as adobe its up to the user wither they allow that or not. if you visit a website that houses a fake antivirus program in IE it can do a drive by download. if you visit the same website in firefox,opera,chrome etc it will show a fake scan window saying you infected and then ask you to download a .exe file. in otherwords drive by downloads only seem to work with IE...

 

If it's not for the browser to check if something is malicious or not, then it is not for the browser to prevent anything. Simple.

A browser is meant for one thing only - allow people to "navigate" the web. Not to secure them.

The same way an operating system is meant to serve as a platform for other applications and to allow other applications to communicate with the hardware. Not to secure them.

An operating system is not meant to be secure. A browser is not meant to be secure.

I also don't understand why so many people, all over this years, have complained that Microsoft never made Windows offer security. They didn't, because its not the task of the O.S. But, if they haven't, they would lose business, I guess.

The same way with browsers.

The same way a browser isn't suppose to offer security. The same way an e-mail client isn't suppose. The same way PDF readers aren't suppose. Etc.

This vendors could say: Hey, we won't fix any "security vulnerabilities" in our applications, because... well... guess what? We don't develop security software!

So, lets all stop complaining about highly critical vulnerabilities, etc. It's useless.

Its up to the user whether or not to allow something to install, to get in the system.

 

For the people that continue to subscribe to this propaganda: evidence, please. I'm begging you.

 

May be go to WOT http://www.mywot.com/ and check out their sources for blacklisting. No reason to limit testing to watching Youtube videos. My favorite is http://hosts-file.net/ notice the warning... not that hard to find downloads not being detected by popular AVs but blocked by browsers and/or WOT. Blacklists are far from dead and they work.

The closest you will come to a drive-by-download in IE8 is crap playing on you going crazy and accepting anything to get rid of out of control browser. Works or such pages would not be there, like spam, phishing attacks - amazing but true. Visit any malware removal forum and take a look. Reason for many disasters is one click too much. First defense is browser so good MS also realized that.

 

Well, I can't compete with you, I'm also quoting somebodyelse's test.

Some websites have executables, others have redirects, different things, all malicious.

You probably under estimate Google's speed in just about anything they do.

I did not say what things should do or not do; there is an old saying that goes like this:the end justifies the means (obviously unacceptable when dealing with people).

I'm concerned about the results for the average user.

With all due respect this has nothing to do with activeX, but just malicious executables, proof is Firefox executed the same things that IE8 blocked.

We are talking about what happened in a test, not what might happen.

I'm glad we agree on something.

Are you talking to a Wilder's member, or to the average user?

I think here you are confusing real life, Wilders members, and average computers users, who don't care about anything pertaining to security.

NoScript serves no purpose at all: you may as well unplug your computer and go to bed. NoScript allows you to see crippled websites, the moment you allow the script it becomes the usual Russian roulette.

I have problems with ballistic metaphors, but let me reiterate that this was a simple test thrown at three browsers in a clean system with no AV.

 

Just to say that Firefox doesn't have NoScript! It's an extension provided by a third party.

Truth is, without that extension, Firefox users would have no XSS protection, for example.

And, as you well said, all users have to do, is to allow scripts to run, because it cripples the web site. I really never understood the hype about this extension, and to be honest, about Firefox.

My family has been running IE since ever, and never had any problems, even before I become computer and security aware.

On the other hand, in one of the computer forums at my country, where I use to hang, I see Firefox users complaining about odd behaviors. It turns out to be malware.

Its not only the browser, but also the user. A security aware Windows user will be safer than a Linux unware security user, won't he/she?

 

All is well ... just one thing, you said Firefox executes the same things IE8 blocks. Executes? What do you mean executes? Prompts for download? Otherwise, there is no execution unless we're talking about a browser vulnerability, unpatched, being exploited.

That's the whole thing. Firefox (and other non-IE browsers) don't get to execute stuff ... that's the beauty and hence the comparison is flawed.

Don't take this too hard. I have no issues with anything except badly designed experiments. If you want to prove the earth is a cube rather than a sphere or such, you need a very good experiment, that's all

Mrk

 

Where is Opera!?

 

They fear the power of Opera. Besides, the less known the better, because less people will use it, and practically there will be no targets for it!

Stay cool... Don't give out our secret!

 

Personally, I find it amazing that even a "Linux systems expert" buys the outdated and unsubstantiated hype that IE8 is the least-secure browser.

Or maybe it's because they're "Linux systems experts", that they're particularly susceptible to all this anti-MS brainwashing?

Hmm...

Seriously, people who promote hype like this almost make me feel ashamed to admit that I'm a Firefox user myself...

 

I have used Opera with great satisfaction, and this isn't like football where the heart might play the main role. We are talking about software which performs in an ever changing internet system, and we might have different results at different times, in different systems. That's why loyalties can be dangerous.