Teachout Security Solutions


Internet Explorer Aces Security Test as Google Faces Accusations

IE9 proves 96-plus percent effective in blocking malware, while Chrome, Firefox, and Safari all lag

Internet Explorer 9 should be the go-to browser for organizations concerned about protecting machines from malicious downloads, according to a new study from NSS Labs: Microsoft’s browser trounced rivals Chrome, Firefox, and Safari in the security company’s most recent malware-blocking tests, a significant win considering that traditional malware remains among the most prevalent threats to users.

Although that should be the most important take-away for security-minded IT professionals and end-users alike, the report — “Did Google pull a fast one on Firefox and Safari users?” (PDF) — spends considerable time accusing Google of depriving Firefox and Safari users of its latest malware-fighting capabilities, which lifted Chrome far above the other two in the tests.

Did Google hold out? Not really; it seems, rather, that Mozilla has been hesitant to embrace Chrome’s latest Safe Browsing API v2 technology, due to privacy concerns. The API works by sending Google the URLs for suspicious pages or executable downloads that aren’t white-listed, and neither Mozilla nor Safari uses it.

More important, does it matter if Google held out? To a degree, yes, in that Firefox and Safari do rely on Google’s Safe Browsing API for identifying potential malware and warning users against accessing it. Thus, they understandably should want the best protection Google can provide.

But the best protection Google provides apparently ain’t that great, if NSS Labs’ testing is to be believed: Chrome’s malware-blocking rate using Google’s latest and greatest Safe Browsing upgrades is still a lowly 34.1 percent. Yes, that’s better than Firefox 7’s 3.6 percent block rate and Safari 5’s 3.5 percent block rate, but it’s tough to imagine the average IT security professional sleeping easy with machines running browsers that are just 34.1 percent effective at blocking malware.

That’s NSS Labs’ conclusion: “While NSS does not recommend switching browsers based on the results of these tests alone, if you currently have a free choice of browser, then Internet Explorer 9 offers the most comprehensive protection from these particular threats.”

The report also discusses whether Google is somehow to blame for Firefox’s and Safari’s respective low scores. Google rolled out its newest malicious-download protection in December, and it appears to help Chrome block malware downloads. During the tests, NSS Labs observed that Chrome, Firefox, and Safari offer nearly equal protection. However, with the technology implemented, Chrome fared considerably better in blocking malware downloads over the span of the testing.

The question, then, is why don’t Mozilla and Safari use the feature? According to NSS, “It’s an undocumented API call to block malware once download begins. This API is not utilized by Firefox or Safari, apparently due to lack of documentation and a proprietary format.”

That’s not so, according to Google. The company has insisted that it has been open about how the Safe Browsing feature works and has made the technology available to Mozilla. “Our understanding is that Mozilla is still waiting for more data from Google about the effectiveness of our new technology, and is considering those benefits against the limited circumstances when URLs are sent to Google for scanning,” Google Chrome senior product manager Ian Fette wrote on ZDNet.

“Microsoft takes a similar approach in Internet Explorer that involves sending URLs to Microsoft,” he added.

Privacy concerns indeed appear to be playing a role in Mozilla’s hesitancy to adopt Google’s latest security changes. “[Google’s Safe Browsing team] has made phishing and malware detection services available to our users, and these are already implemented in Firefox,” Johnathan Nightingale, Mozilla’s director of Firefox engineering, told InfoWorld. “Their new services communicate more information back to Google about a user’s browsing history, and we are still evaluating the merits of that approach.”

Ed. note: As originally published, this story neglected to mention that Microsoft has funded NSS Labs tests in the past, although NSS Labs claims it did not receive funding for this test. InfoWorld apologizes for the omission.
