Chrome Improves Anti-Malware Blocking Score by 340%

Google's Chrome blocked four times more malicious sites and malware than a year ago, but Firefox 4 was much less effective at warning users of danger than Mozilla's browser last year, according to a report released Monday.

Both were thrashed by Microsoft's Internet Explorer 9 (IE9), however, which easily retained its crown, said NSS Labs in a reprise of a 2010 study of browser anti-malware technologies.

Even with Chrome's improved detection -- it blocked 13.2% of the malware links that NSS threw at it during a 14-day run ending June 10 -- IE9 beat it with a score seven-and-a-half times higher.

According to NSS' test results, IE9 displayed a warning message for 96% of the malicious URLs, with the program's Application Reputation feature stymying an additional 3.2% for a total blocking score of 99.2%. Last year, IE9 posted a 99% score .

Application Reputation, or "App Rep," uses a file's hash -- which identifies the file contents -- and its digital certificate to determine whether it's a known application with an established reputation. For instance, "firefox.exe" would be labeled a legitimate download with a known history and reputation. If App Rep's algorithm ranks the file as unknown -- perhaps because the hash value hasn't been seen before -- IE9 throws up a warning when users try to run or save the file.

App Rep is a part of the overall SmartScreen technology included with IE9, the browser that runs only on Windows 7 and Vista.

NSS did not retest IE8, the newest Microsoft browser that works with Windows XP, still the most widely used edition of the operating system. Last year when it put IE8 through the paces, the 2009 browser blocked 90% of the sites that tried to download attack code.

Hackers spread "social-engineered malware" -- NSS Labs' term -- by enticing users to visit malicious sites that then dupe them into downloading attack code. Such downloads often pose as an update to popular software, an innocuous video codec or a seemingly-useful antivirus program.

The tests did not include sites that attack browsers without any user interaction through drive-by attacks that exploit vulnerabilities in Windows or its applications.

Rick Moy, president of NSS Labs, said that Microsoft's SmartScreen technology remains the browser anti-malware technology to beat, pointing out that it easily trumped Google's rival Safe Browsing API, which is used by Chrome, Firefox and Apple's Safari.

Google maintains a blacklist of suspected or known malicious sites, then serves that list via the Safe Browsing API to its own and other browsers.

The troika that uses the API fared poorly in NSS' tests.

Chrome was the best of the three, blocking 13.2%, up 10.2 percentage points from last year, a 340% improvement. Firefox 4, however, displayed a warning on only 7.6% of the URLs, a drop of 11.4 points from Firefox 3.6. (NSS Labs ran its tests before Mozilla shipped Firefox 5.)

Safari also scored 7.6%, down 3.4 percentage points from last year.

Moy attributed Chrome's improved score to the additional protection Google added to version 12 of the browser in early June. That edition -- and the current "stable" channel build of Chrome 13 -- flags dodgy files when users download some file types on the Safe Browsing blacklist.

IE9 again whipped all comers in a test of browser malware-blocking technologies. (Graphic: NSS Labs.)

NSS Labs was less certain why Firefox's score fell so dramatically.

"The deterioration in protection may be attributed to a more standardized implementation of the new Safe Browsing API v2 or evasion tactics being used by cybercriminals to which Firefox has not yet adapted," the company's report said.

Moy suspects that Chrome's higher score when compared to Firefox and Safari -- which both also rely on Smart Browsing for their malware blocking -- may also be partly due to tweaks Google's made to its implementation of the API, or to the others' slower response to changes.

"The numbers [for all three] are close enough, actually, but Google put a little extra in their product," said Moy in an interview Monday. "And I wouldn't be surprised if Google held some things back [from Mozilla and Firefox]."

The study's margin of error was around 3%, said Moy.

Not surprisingly, Microsoft touted IE9's numbers. In lieu of any real improvement in its overall score, the browser's head of marketing highlighted other aspects of NSS Labs' report.

"The average time taken by SmartScreen filter to block a threat has gotten 28% faster...and if Application Reputation is considered, then the average time has improved by 85%," said Roger Capriotti, the director of IE product marketing, on a company blog yesterday.

Comparisons of IE9's "average time to block" scores in NSS Labs' reports from 2010 and this year confirmed Capriotti's claims.

Moy attributed Microsoft's test dominance to several factors.

"They're using both a blacklist and a whitelist, which is significant," said Moy, referring to SmartScreen Filter and App Rep, respectively. The [antivirus] guys have been talking about this for two years. It doesn't take a rocket scientist to see that maybe we should use both."

And thanks to the telemetric data provided by Windows, Microsoft also has far more information at its fingertips than other browser makers when it comes to direct feedback on sites or files that cause IE or Windows to crash.

"Think how many desktops IE is on," said Moy, talking about the browser's share of the global market. "They get feedback that others don't."

NSS' malware blocking report can be downloaded from the company's website ( download PDF ). Unlike previous reports, which Microsoft sponsored, the newest was not paid for by the Redmond, Wash. developer, Moy said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Subscribe to the Security Watch Newsletter

Comments