So you are drawing NSS Labs' credibility to task?
The Firefox 3.5 vs. IE8 Deathmatch
Yesterday, however, I made up my mind to drop Firefox altogether. I wrote a chapter for my upcoming "Windows 7 Spotlight" book on Internet Explorer 8, and I was so impressed by the features that I decided Firefox was history. Yesterday morning, I found out that Firefox released the 3.5 beta (4), and many features are the same as in IE8. And so the personal war rages on.
http://www.pcworld.com/article/164097/the_firefox_35_vs_ie8_deathmatch.html
Test Center: How secure is Internet Explorer?
http://www.infoworld.com/d/applications/test-center-how-secure-internet-explorer-343?page=0,0
Microsoft have a history of commissioning "independent" research which is nothing of the sort, so yes, their credibility is suspect.
I have a few doubts about the research.
- Were any of the malware URLs supplied by MS? NSS claim to have their own honeypots, but also to get malware samples from "networks". MS must pick up a lot of malware in MSN, Hotmail and now Bing - if they are one of NSS's sources, that would bias the result towards IE.
- What is the result of NSS choosing URLs that used only social engineering techniques? Most malware sites will use social engineering and a smorgasbord of exploits. In wanting to test IE against social engineering alone, they have restricted themselves to a small subset of malware sites whose constituents may have unexpected consequences when it comes to detection. As none of the URLs were disclosed, we can't know the consequences of the selection made.
- Why do NSS claim to have rejected many hundreds of URLs from the test because browsers "Opera (in particular) kept being exploited and crashing"? As an Opera user, I know that an up-to-date version of the browser has never been open to exploits in this way. Do they mean that they eliminated 100s of URLs that were simply crashing browsers? What effect did this have on detection rates? Again, none of the URLs are supplied so we can't know the answer to the question.
http://my.opera.com/haavard/blog/2009/03/26/malware-report-from-nss-labs-manipulates-statistics
http://www.thetechherald.com/article.php/200913/3329/Can-you-trust-the-NSS-Labs-report-touting-the-benefits-of-IE8-Update?page=2
Microsoft has an anti-virus business, a search engine combing the web, major email and IM services - they are going to be picking up and looking at a lot of malicious URLs. It would surprise if IE8's anti-malware blocker was highly effective, but this report just doesn't convince me.
A final point (again), this is not about IE8 being "more secure" - it's about its anti-malware download blocker (allegedly) being more effective - which is only one aspect of security.
As to the slipper analogy, IE6 was a pair of old, worn out and stinky slippers for me - and got thrown in the bin. I haven't touched IE since. IE8 seems to be a great improvement in terms of security and web standards support (from what I hear) - I'd recommend IE8, Firefox and Opera to anybody.
EDIT: Typo.