Is IE 8 Truly a Security Improvement over IE 6?
This morning I wrote a story for the eWEEK news site about two NSS Labs reports showing that Microsoft's Internet Explorer 8 Web browser is effective at blocking both phishing sites and socially engineered malware. A few minutes after I posted, a reader helpfully reminded me that the two papers had, in fact, been sponsored by Microsoft (a fact that I added to a revised version of the story).

Does that fact alter the validity of the studies? NSS Labs seems to take pride, at least on its Website, in being an "independent" research company; but as other sites such as Ars Technica have pointed out, any time a corporation sponsors a study that concludes its product either matches or proves superior to others on the market, the suspicion of bias is (perhaps necessarily) raised. So I went and asked NSS Labs some detailed questions about its methodology, particularly with regard to issues such as sample size and the default settings on the browsers being tested, but I haven't heard anything back yet. When originally asked about the whole sponsorship issue by Ars Technica, NSS Labs President Rick Moy said he invited "Google, Mozilla, Apple [and] Opera to participate" and heard nothing from any of them except for Opera Software, which allegedly told him that it didn't "really focus on malware." Take that as you will.

In its phishing site-blocking study, NSS Labs showed that IE 8's mean block rate for phishing stood at 83 percent, versus 80 percent for Firefox 3 -- a statistical dead heat, according to the Labs, which put its margin of error at 3.96 percent. For its socially engineered malware study, NSS Labs found that IE 8's ability to block socially engineered malware stood at 81 percent, versus Firefox at 27 percent. Exact percentages aside, it seems that IE 8 is indeed safer than its previous iterations, something that made eWEEK Labs feel all warm and fuzzy during testing.
Microsoft no doubt hopes that users will migrate en masse to IE 8 in coming months, and acknowledges that much of this movement will come as people adopt the upcoming Windows 7 operating system. A higher adoption rate might help bolster Internet Explorer's market-share numbers, which are dropping in the face of competition from Firefox and other browsers. But Microsoft also finds itself competing against IE 6, which came bundled with Windows XP, the operating system that a certain percentage of the community elected to stick with rather than upgrade to Windows Vista. "Our first competition is our own past versions," Amy Barzdukas, general manager of Internet Explorer, told me in an interview the week of Aug. 10. The key to compelling people to switch, she added, was making the community understand the "security" issues that come with using an older browser. As a result, those using IE 6 might finally want to start relying on a more updated browser, even if they find their current Web experience "good enough." For my own part, I'm looking forward to seeing how other research companies rate the security of IE 8.


Comments (9)
To be really safe, users need to upgrade to Vista or 7, so they can get sandboxed IE, ASLR, and many other protections. Say what you will about Vista, but if everyone had upgraded from XP, there would probably be no real botnets. It's funny, because on one hand I see people complain MS won't break compatibility to improve the OS, and on the other hand when MS does that, people complain that Vista is incompatible and offers 'no real upgrade' - because the only upgrade 99% of people understand are upgrades they can see....
And why do we make a big deal out of who sponsors the study? I mean, are these studies supposed to pay for themselves? And no study is going to be free from suspicions of bias. Everyone in the computer world has a vested interest, so no study can be trusted absolutely. These people assail MS for twisting facts, then go to slashdot and write hundreds of posts about "M$ Windoze" bluescreening every 5 minutes and all windows machines being infested with viruses. If only they could see the hypocrisy. And they think THEY are trustworthy... I'll take MS' word any day over the average slashdotter.
Posted by James G. | August 18, 2009 1:32 AM
> any time a corporation sponsors a study
> that concludes its product either matches
> or proves superior to others on the market,
> the suspicion of bias is (perhaps necessarily)
> raised.
"perhaps necessarily"? You must be kidding; the correct sentence is that a suspicion of bias MUST ALWAYS be raised.
With such mistakes, your whole article sounds like Microsoft PR...
Posted by Dada | August 18, 2009 2:51 AM
Well, anyone who's been following the industry's press etc. knows well that IE 8 is much safer than IE 6, safer than FF and safer than Opera.
It runs in protected mode on Windows Server, Windows Vista and Windows 7 (something none of the competing browsers do); it is coded by a team using safe coding techniques, built by a team very experienced in warding off attacks, and so on.
I understand Microsoft is wary of forcing updates, but there sort of comes a time when companies should make the move, maybe even strongly prompted to do so. IE 6 is very old code from a time *before* 9/11 and the subsequent security initiatives and really should be retired.
I've coded my website with current W3 standards, including standards-based css/html that semi-breaks IE 6 and IE 7 (lol, neither 6 nor 7 support css frames), providing the visitor a link, of course, to where they can download IE 8.
Posted by Clumpy | August 18, 2009 11:31 AM
I've said it about 10 times now and I'll say it a million. If Microsoft wants to stop competing against IE 6, the problem isn't businesses. It's that Windows Update pops up a confirmation prompt and requires the user to click next a bunch of times to install IE 8!
Windows update should never include anything that doesn't just automatically install. IE 8 is a critical update, and it should automatically install it without any prompts at all except for a prompt by windows update at the end of installing updates to restart the computer. I shouldn't even notice that the browser is being updated.
It is specifically because most users are trained (because of spyware) to click cancel or no on these types of prompts that we still have such high rates of usage of IE 6. Less than half of the people using IE 6 are in corporations. The rest are individuals that keep clicking cancel.
And guess what? If that number gets below 30% IE 6, the businesses will be forced to update as well and this issue will go away.
And quite frankly, most people will just use IE 8. The reasons for IT admins and general users to switch to Firefox just aren't there anymore, but if the machine still has IE 6 on it and IE 8 hasn't automatically installed because of the cancel button issue, people will switch to Firefox or something else.
Hence Microsoft, please please please stop Windows Update from prompting with the IE 8 installer and download and install it even if cancel has been chosen in the past. Just do it, and get it over with and voila, no more problem.
Posted by James Hancock | August 18, 2009 1:01 PM
@James Hancock
Yup. Agreed. Microsoft should just push it as a critical update. If someone really doesn't want it, they could set updates to manual then uncheck and hide the update.
Regardless though, if Win7 is a success, a lot of people will be getting it when they move to this new rendition of NT. Since the "upgrade" from XP to Win7 requires a "clean" install, a heck of a lot of malware will hit the bit bucket for good right then and there.
Posted by Clumpy | August 18, 2009 2:44 PM
Nick's article asks the question:
"Is IE 8 Truly a Security Improvement over IE 6?"
Someone has been drinking the koolaid at Redmond again? Using bought and paid for reports by MS is not going to gain this site a reputation for fairness in blogging, that's for sure. I think, Nick, if you carefully read what you have written again, you might see it the same way too. It was over the line in many ways.
First of all, I am just going to completely discount all the reports from the Shill site. Life is too short to listen to those lies.
Yes, IE8 most likely is a security improvement over IE6; at least IE7 was. But neither are enough, even with UAC, Vista or Seven, if one surfs the web with the default administrator account. You know, the way it comes off the Best Buy store room floor. Why hasn't MS fixed this yet? Why are true limited normal accounts not created by default during a setup? Until this happens, Windows will continue to be a malware magnet.
But when your article tries to imply that IE8 is more secure than Firefox, that's where I think you cross the line, and become somewhat of a MS Fanboi here. First I notice you only pick one or two (phishing comes to mind) things that the "bought and paid for report for MS" centers on. A truly fair report would have been one not "sponsored," and one that looks at every piece of malware written that could exploit each browser. That would have been meaningful, but what you wrote was NOT! Not even close, I might add. Advocating Firefox would have actually helped Windows users to be a little bit more malware resistant, which you failed to do.
So IE6 is not going away anytime soon, despite what standards people or even MS does. The simple fact is that every time XP is reinstalled, IE6 is. And the 3 R's of Windows rule cannot be overcome: Repetition, Reformat, and Reinstall. That is what most users who know how do when Windows crashes, becomes too infected, etc. And 22% of them, in the USA (probably 98% in China), may not be using genuine Windows, and it is unlikely they have update turned on. Not to mention all the complaints about IE7 breaking so many things.
Posted by chips b malroy | August 18, 2009 3:59 PM
@chips b malroy
The report comes to conclusions you don't like so you say it is bogus.
But if you wash the 2002 anti-Microsoft anti-IE rhetoric from your eyes, you'd realize that on a system running Windows a surfer's safest browser is IE 8, even more so and especially if it is running in Protected Mode (Windows Vista and Windows 7).
FireFox has a list of holes as long as the arm - and many of those are of the raw, very exploitable type. IE's long been hardened, and when exploits arise they tend to be of the more esoteric type and more difficult to implement. And since FireFox doesn't run in Protected Mode, it shouldn't be used as a web browser on any version of Windows after XP:
[Download IE 8 at Microsoft]
http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx
Posted by Clumpy | August 18, 2009 5:01 PM
Warning! Before downloading IE8, be sure to make a system restore point so it will be easy when (if) you start encountering problems such as: not being able to access certain web sites/pages, and other problems like not being able to keep the google toolbar visible (it will still say it's enabled but it won't be available). Let's just say I spent the better part of a week thinking it was my connection or pc causing problems; also pc techs (over the phone several hours and 3 different ones) couldn't help. Finally I realized the timeline started around the time I downloaded IE8, so I uninstalled IE8 and went back and "what do you know" I was up and running great and my google toolbar is back!
Posted by **star** | August 22, 2009 9:50 AM
I have no problems with IE 8's operation whatsoever. Almost any software package will find it hard to win against neurotic types who accidentally on purpose screw things up. You know the type.
But it is smart to do a system restore before doing anything major, including installing a browser. On most Windows systems, Windows Update does one automatically before installing updates, but one can make sure by doing a manual one beforehand.
BTW, IE 8 has an "IE 7 compatibility mode" button that enables IE 8 to render a website the 'old way' should the html coding be outdated and not up to W3 Consortium standards.
Posted by Clumpy | August 25, 2009 2:07 PM