Archive for the ‘Security’ Category

According to a recent test, Internet Explorer 8 is the best browser at protecting users from malware. Not so fast…

August 18, 2009 1 comment

According to a recent test by a company called NSS Labs, Internet Explorer 8 beat the competition as far as preventing users from going to websites that distribute malware. By a lot.

IE8 was able to protect users from 80% of sites that attempted to trick users into deliberately downloading malware. Firefox 3 was second with 27% accuracy. Safari 4 scored 21%, Chrome 2 scored 7%, and the Opera 10 Beta scored a mere 1%.

There are a few things I’d like to highlight. First of all, the test only covered sites that try to trick the user into downloading malware, or “trojans.” Sites that distribute programs that don’t, or secretly do more, than the user expects (such as a program that claims to be a game, but is in fact a backdoor that allows a hacker to gain access to your computer).

This was a good category to choose, but it’s only a fraction of what needs to be tested in order to determine the overall security of a browser. The big things, in my opinion? Exploits and drive-by downloads. Rick Moy, the president of NSS labs, said that these were left out because of the risk of infecting test computers (sandboxing and other technologies were utilized to protect computers from malware on the tested sites).

From what I know, I could guess the threat of exploits could be mitigated via methods such as going to flagged websites with a computer running a less used operating system such as Linux or BSD, which is presumably immune to the effects of the vast majority of exploits out there. More so, the computers could easily run a live version of a rare operating system off a CD or external drive. Although less stable, they could avoid installing these softwares thus preserving the native OS and configuration.

There are a few things I noticed when looking through the report:

  • The analysis strictly focused on how effectively browsers were able to warn the user about the site. On page 3, NSS noted that the study did not cover actual vulnerabilities in plugins or the browsers themselves. In other words, the test didn’t cover Internet Explorer’s internal security issues, or, more importantly, it’s highly vulnerable native ActiveX support, which poses the biggest risk for IE users.
  • After testing a number of sites, NSS finally decided to test just over 600 websites that distributed malware in this fashion. I would feel better about the accuracy of the study if that number had been well over 1,000, or beyond.
  • NSS tested Mozilla Firefox 3.0, instead of 3.5, the latest version, which has major improvements in its anti-malware protection. I think it was kind of odd that they decided to test the Opera 10 beta, which is newer than the current stable version of Opera, but not Firefox 3.5, the newest stable release.

I get a Google Alert every day with a harvest of Firefox and Mozilla-related news articles. In the past few days, I’ve been seeing headlines (from lesser-known and presumably less credible sources) such as “Microsoft leads browsers in malware defense.” Saying that, you’d be ignoring the fact that Internet Explorer has been and is considered far less secure by numerous security experts and writers when compared to alternative browsers, Firefox especially.

So in conclusion, IE can not be considered superior security-wise because of one test covering one fraction of what needs to be analyzed in order to determine the overall security of a browser. I hope NSS, or another testing company provide some more tests giving more insight into which browsers are more secure.

Categories: Security, Web Browsers

Why shortened URLs are dangerous

June 27, 2009 Leave a comment

Hundreds of millions of URLs are being shortened using services like TinyURL, Snipurl, and (comparison). (Unrelated, but “.ly” is for sites in Libya, although the server is located in Colorado).

Sure, these short and easy to remember links are convenient, but they do pose a significant security risk.

When you click on a link to one, you don’t know what site that you’ll be taken to. You could be taken to a site like ErrorSafe, which was a distributor of the infamous WinFixer scareware that has since been shut down by the U.S. Federal Trade Commission (I had a close call with it in 2007). There are, however, tools to prevent this. TinyURL offers a preview feature, (but only 1.7% of visitors utilize this feature) and offers a Firefox extension.

ZoneAlarm has gone an extra step to warn users about sites shortened by TinyURL, notifying users that “TinyURL may be unsafe. This website has been known to distribute spyware”. This prompted Gilby Productions, who owns TinyURL, to add the preview feature.

The users probably most vulnerable to insecure shortened addresses are those on Twitter. Twitter shortens longer URLs to shortened ones (to keep tweets shorter). Users who are careless and without an extension could be directed to sites that distribute, viruses, scareware, scams, spam, or exploits.

Categories: Security