June 14, 2021

NSS Labs Report Shows That IE Still Best At Blocking Socially Engineered Malware


(LiveHacking.Com) – NSS Labs has released its latest Web Browser Security Comparative Test Reports against Socially-Engineered Malware for the third quarter of 2011. The report examines the ability of the top five web browsers to protect users from websites that look harmless but actually are designed to trick visitors into downloading and installing malware.

According to a recent study by AVG, users are four times more likely to be tricked into downloading malware than be compromised by a vulnerability.

The report found that Windows Internet Explorer 9 (IE9) caught an exceptional 99.2% of live threats (96% with the SmartScreen URL reputation and an additional 3.2% with Application Reputation). Google Chrome 12 caught 13.2% of the live threats, four times more than it managed during the Q3 2010 global test. Apple Safari 5 and Firefox both caught 7.6% of the live threats. Opera 11 caught the lowest number of threats, just 6.1%.

The full report can be downloaded from the NSS Labs website (download PDF) and, unlike previous reports, this latest report was not paid for by Microsoft.

Microsoft Release Temporary Fix to December’s Zero-day Vulnerability in Internet Explorer

Just before the holidays, details of a zero-day vulnerability in Internet Explorer emerged. Now, after nearly three weeks, Microsoft have issued a temporary fix.

The flaw creates a means for hackers to infect PCs with malware when someone visits a booby-trapped web site. The problem lies with the way Internet Explorer handles cascading style sheets, specifically recursive CSS pages which have the same URL as the CSS style sheet from which they are being called. In such circumstances uninitialized memory is created within Internet Explorer, which can be used by a specially crafted web page to execute remote code.

Microsoft’s Fixit solution is not intended to be a replacement for a future security update; it is a temporary workaround, probably until Microsoft’s next Patch Tuesday. According to the Fixit description, “This Fixit solution adds a check to check whether a cascading style sheet is about to be loaded recursively. If this is the case, the Fixit solution cancels the loading of the cascading style sheet.”

The vulnerability affects Internet Explorer 6, 7 and 8 on all Windows platforms.
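The check the Fixit description outlines can be modelled outside the browser, for example to flag stylesheets that import themselves when reviewing captured pages. This is an added example, not Microsoft's code: the function names, the `fetch` callback and the sample sheets are assumptions, and it goes slightly beyond the post by also catching longer import cycles (A imports B, B imports A).

```python
import re
from urllib.parse import urljoin, urldefrag

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Matches @import "x.css", @import url(x.css) and @import url("x.css")
_IMPORT = re.compile(r"""@import\s*(?:url\(\s*)?["']?([^"')\s;]+)""", re.I)

def import_targets(css_text, base_url):
    """Return the absolute URLs named by @import rules, ignoring comments."""
    css_text = _COMMENT.sub("", css_text)
    return [urldefrag(urljoin(base_url, ref)).url
            for ref in _IMPORT.findall(css_text)]

def load_with_recursion_check(url, fetch, ancestors=()):
    """Walk the import tree starting at url.

    Returns (loaded, cancelled). cancelled holds (importer, target) pairs
    where target is already on the current load chain, i.e. the sheet is
    about to be loaded recursively and the load is cancelled instead.
    """
    loaded, cancelled = [url], []
    chain = ancestors + (url,)
    for target in import_targets(fetch(url), url):
        if target in chain:
            cancelled.append((url, target))  # cancel instead of recursing
            continue
        sub_loaded, sub_cancelled = load_with_recursion_check(target, fetch, chain)
        loaded += sub_loaded
        cancelled += sub_cancelled
    return loaded, cancelled

# Constructed sample sheets (hypothetical URLs, not from the advisory).
BASE = "http://example.test/css/"
SHEETS = {
    BASE + "site.css": '@import url("base.css");\n@import "./site.css";\nbody{margin:0}',
    BASE + "base.css": '/* @import "ignored.css"; */\n@import url(theme.css);',
    BASE + "theme.css": '@import "../css/base.css"; p{color:#333}',
}

def demo():
    # Sheets missing from the sample are treated as empty.
    return load_with_recursion_check(BASE + "site.css",
                                     lambda u: SHEETS.get(u, ""))

if __name__ == "__main__":
    loaded, cancelled = demo()
    print("loaded:", loaded)
    for importer, target in cancelled:
        print("cancelled recursive import:", importer, "->", target)
```

URLs are resolved against the importing sheet before comparison, so `./site.css` and `../css/base.css` are recognised as the same resource as their absolute forms.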

Web Browser Tests Show IE Best at Detecting Socially-Engineered Malware

One of the most prevalent forms of malware on the Internet today is what is known as “socially-engineered malware”, meaning malware that uses seemingly benign links and/or trusted social networking sites (like Facebook® etc.) to trick visitors into downloading and executing a piece of software that has malicious intent. Common examples of such seemingly innocent programs are screen savers, video codec upgrades and free games.

Beginning in 2009, NSS Labs have been conducting tests on the leading web browsers to determine which browsers are most susceptible to socially-engineered malware. The Q3 2010 results have recently been published and the results are very interesting.

At the top of the leader board for protection, surprisingly, comes Internet Explorer. With a bad reputation over the years, IE has often been pushed to one side in favor of Firefox, but these test results portray IE in a new light. Internet Explorer 8 managed to block 90% of the malware but even more exceptional is that Internet Explorer 9 managed to catch 99% of the threats. These results are even more remarkable when compared to Firefox 3.6, which caught only 19% of the live threats, which was actually a 10% decrease in protection from the Q1 2010 tests.

As for the rest of the browsers: Safari 5 caught 11% of the threats, down 18% from Q1 2010. Google Chrome 6 caught 3% of the threats, down 14%, and Opera 10 caught nothing!

You can read the introduction to the group test here and you can download the full report (as a PDF) here.

Security Updates for IE and Stuxnet Holes

Microsoft has released 17 security updates to close 40 security holes.

With reference to Microsoft Security Bulletins, this security update resolves four privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Further, this security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory and script during certain processes. This security update also addresses the vulnerability first described in Microsoft Security Advisory 2458511.

More information is available here.

Source: [Microsoft Security Bulletin MS10-090]

Internet Explorer Protected Mode is NOT Protected

Security researchers at Verizon found a way to carry out stealthy drive-by exploits even when victims are using recent versions of Internet Explorer in Protected Mode.

According to a white paper published by Verizon, the attack requires the intruder to have an exploit for a zero-day vulnerability that’s not patched. The attack works only against machines that have the Local Intranet Zone enabled, as is the default for domain-joined workstations.

Protected Mode, which was introduced in version 7 of IE, helps to protect users from attack by running the Internet Explorer process with greatly restricted privileges. According to Microsoft’s website, Protected Mode significantly reduces the ability of an attack to write, alter or destroy data on the user’s machine or to install malicious code.

However, the Verizon researchers are able to bypass the measure in a way that requires no interaction on the part of the victim. “The attack combines the facts that sockets are not subject to Mandatory Integrity Control and that sites in the Local Intranet Zone are rendered with Protected Mode disabled,” the paper states.

“The new malicious web page will be rendered in the Local Intranet Zone and the rendering process will now be executing at medium integrity. By exploiting the same vulnerability a second time, arbitrary code execution can now be achieved as the same user at medium integrity. This provides full access to the user’s account and allows malware to be persisted on the client, something which was not possible from low integrity whilst in Protected Mode.”

Download Verizon white paper here.