The latest website to be hacked is MySQL.com, owned by Oracle Corporation, which was briefly forcing malware downloads onto computers that connected to the site with vulnerable web browsers.
According to recent statistics published at Virus Bulletin by Bruce Hughes of anti-virus company AVG Technologies, Internet users are four times more likely to encounter social engineering as the mechanism used to infect their computers than a technological ‘hack’.
An independent security firm has released its third quarter report on the protection provided by each of the top five web browsers. The test was designed to determine how well each browser protects against malicious URLs, malicious downloads and phishing.
The firm compared the following browser versions:
According to NSS Labs, all of these browsers offer a reputation system to warn the user about malicious URLs and block malicious software downloads from those addresses. Reputation systems give the user additional feedback for deciding whether a site is safe, and recommend blocking the website when it is known to be malicious. However, one of these browsers proved dramatically more effective at blocking socially-engineered malware, that is, malware that users are tricked into downloading simply by visiting a website or clicking a picture or link in a search engine result, e-mail, tweet or SMS text.
Opera, Safari and Firefox caught the least
Google Chrome 12 caught only 13.2%, which is over 400% more effective than the 3% it caught in the same tests in 2010. Google Chrome takes advantage of the Safe Browsing feature, which is enabled by accessing the Wrench icon > Options > Under the hood and checking the Enable phishing and malware protection checkbox.
Internet Explorer caught 99.2% of live malware threats using its built-in SmartScreen Filter which is composed of the URL Reputation filter (new in IE8) and the new Application Reputation function (new in IE9). Internet Explorer 9’s SmartScreen Filter provides anti-phishing protection to prevent the theft of personal information, application reputation checks to prevent the download of malicious software, and URL Reputation checks to warn you about unsafe websites.
But while Internet Explorer 9 trumped the other browsers in the NSS Labs report, that doesn’t mean Internet Explorer is actually safer overall than any other browser. IE9 users can still ignore the warnings and attempt to install the malware anyway.
Microsoft Windows Vista, Windows 7 and Windows Server 2008 include User Account Control (UAC), which slows down malware attempting to access protected areas of the operating system by running most processes. The web browser runs as an ordinary user even when run by accounts with administrator access to the computer (members of the local Administrators group). For any action that requires accessing a sensitive system file or resource, the user’s administrator token is required, and the user is prompted to accept the action. Since most users don’t understand what they are clicking on, they click ‘ok’ or ‘yes’ most of the time, so this really doesn’t do much to block malware, because the user can be tricked into authorizing the activity. While UAC helps isolate an executable from touching sensitive areas of the system, it doesn’t prevent an exploit from crashing a process and gaining administrator access to install more malware on the system.
Internet Explorer is the most common browser on the planet because it is installed on the most common operating system on the planet. Therefore it is the browser most hackers target and if you use it, you run the greatest risk. However, malicious websites now contain multiple exploits and will automatically detect the brand and version of browser you use, and the list of plugins and plugin versions, and will then automatically deliver the necessary exploit to break into your computer via the browser, the plugin or both. Other browsers are equally vulnerable, and that includes the Apple browsers. At the most recent Pwn2Own contest at CanSecWest, Internet Explorer, Firefox and Safari all fell to ‘hacker’ competitors, who won free equipment as prizes for ‘cracking’ the browsers. Only Chrome survived unscathed. Opera wasn’t tested.
By itself, no browser will protect you from Internet threats. Safe browsing habits will protect you better than any browser or technology. Learning to use the security technologies available to you will protect you better still. A complete, up-to-date Internet Protection Suite will help stop access to the computer system and will detect and quarantine questionable files for the most common malware, as well as any malware that accesses sensitive system files or performs suspicious activities. But the newest malware is tested against the top anti-virus products before release into the wild, so it’s no guarantee.
But whichever browser you choose: