IE9 Blocks Malware, But Older Versions Are Vulnerable

IE9 beta offers “vastly” more protection from malware than other browsers, while a vulnerability in IE 6, 7 & 8 could allow malicious remote control

It’s one step forward and one back for security on Microsoft’s Internet Explorer browser.

A new report from a security firm found that IE9 beta offers “vastly” more protection from malware than other browsers, while Microsoft on Wednesday issued a warning that there is a vulnerability in IE 6, 7 and 8 that could allow someone to take remote control of the computer.

The software giant said there is no evidence this vulnerability has actually been used. Dave Forstrom, director of Microsoft’s Trustworthy Computing group, said Microsoft was “currently unaware of any attacks trying to use the claimed vulnerability or of customer impact.”

Cascading Style Sheets

The attack could be hidden as malicious code in a web page, and involves the way computer memory is managed when the browser processes Cascading Style Sheets. CSS is widely utilized to control how a page is presented.

Microsoft has issued updates to fix the memory management problem, but now it appears the updates aren’t completely effective. While it works on a more permanent fix, the company has recommended the use of a free Enhanced Mitigation Experience Toolkit that it offers. But, the company said, “the issue does not currently meet the criteria” for an out-of-cycle fix.

The company said IE Protected Mode on Windows Vista and Windows 7 “helps to limit the impact” of this vulnerability. But according to some security researchers, the vulnerability can still be exploited on up-to-date Windows 7 and Vista computers.

‘Exceptional’ IE9 Beta

Meanwhile, NSS Labs has tested various browsers against live malware threats and found that IE9 beta caught what it called an “exceptional” 99 percent of live threats.

IE9 has both SmartScreen URL filtering and the new SmartScreen Application Regulation service, the combination of which NSS Labs credited for the good performance. The report also found that the presence of SmartScreen URL filtering in IE8 increased that browser’s protection, but not as much as IE9.

The report said IE9 was “by far the best at protecting against socially engineered malware,” in that it had “a far superior malware identification, collection and classification method.”

The next best browser for this protection was Mozilla Firefox 3.6, which captured 19 percent of live threats.

Other browsers tested included Apple’s Safari 5, which caught 11 percent of threats, Google’s Chrome 6 with only three percent, and Opera 10 in last place, catching none at all. In the testing, NSS Labs assessed whether a browser would block potentially malicious URLs in at least one run, with new URLs added each day.

Michael Gartenberg, research director with the Gartner Group, said IE9’s security, as assessed by NSS Labs, “shows how vendors are going to great lengths to differentiate themselves.”

However, he said there is “a certain amount of inertia in browser usage” for consumer and business users, and they are “unlikely to make browser choices based on security.”