IE8 SmartScreen Filter – Protecting Users at Internet Scale


The RSA 2010 Security Conference is just finishing up here in San Francisco, and I’m struck by how many of the conference sessions and keynotes have warned about the threat that socially engineered malware poses to the security of the Internet. Malware has become the scourge of the Internet, and it’s not just the security experts who are worried—the top story in my morning paper yesterday described how a typical malware attack compromised a financial firm’s network. Our data shows that one out of every 250 downloads is the result of a user being tricked into downloading malware to their PC.

We’re proud of the protection SmartScreen® Filter provides IE8 users against such attacks, and I’d like to share some of the latest numbers on our level of protection.

Since we launched IE8 in March 2009, SmartScreen has blocked over 560 million attempts to download malware, recently averaging over 3 million blocks per day! Hosted in datacenters around the world, SmartScreen’s URL Reputation Service (URS) has evaluated over 250 billion URLs to help keep IE8 users safe from malware. Even more impressively, since IE7’s Phishing Filter was introduced in 2005, the URS has processed over 5.7 trillion reputation requests in order to block malicious web sites. Every day, Microsoft receives around 300 million telemetry reports from IE8 users and processes 4.1 billion URLs looking for malicious websites and files. On the back end, our systems and analysts evaluate over 1 terabyte of binaries every day to help identify sites delivering malware.

The Q1 2010 NSS Labs test shows that Microsoft’s continued investment in SmartScreen is paying off. Since launch, IE8’s SmartScreen Filter has continued to improve its protection against Socially Engineered Malware threats.

[Figure: line graph of browsers’ malware block rates.]

IE6 and 7 don’t provide protection against socially-engineered malware. If your family and friends aren’t up-to-date, please encourage them to upgrade to IE 8 for a safer Internet experience.

While IE8 offers the best built-in protection any browser offers against socially engineered malware, you still should follow best practices to stay safe online. For instance:

  • Enable SmartScreen Filter using IE8’s Safety menu.
  • Install antivirus and antispyware software from trusted sources and keep it up-to-date. Microsoft Security Essentials is available for free.
  • Turn on your firewall.
  • Enable Automatic Updates for Windows and other Microsoft software using Microsoft Update.
  • Keep your computer’s other software, including browser add-ons, up-to-date.
  • Before downloading software, consider the risks and be aware of the fine print. For example, make sure the license agreement does not conceal a warning that you are about to install software with unwanted behavior.

You can read more tips and learn about common Internet attacks over on the Security Tips blog.

Stay safe out there!

Eric Lawrence
Program Manager

Comments (66)

  1. Anonymous says:

    What’s amazing is that even though NSS Labs are using MICROSOFT’S malware database, IE doesn’t reach 100%.

    How crappy is it when IE can’t even block the malware pages in its own database?

    Amazing.

  2. Anonymous says:

    Looks like "JamesPr [MSFT]" admitted to NSS Labs cherry-picking data.

    And as the report also admits, mere 12,000 URLs in total were cherry-picked down to less than 2000! And the final test was ONLY A LITTLE OVER 500 URLs!

    Wow.

    And where is this list of URLs? Has NSS Labs published it?

    Or is NSS Labs once again engaging in unreproducible pseudoscience?

  3. Anonymous says:

    And in addition to that, ONE SITE could contain UP TO 10% OF THE URLs! So maybe as little as 50 SITES were included!

  4. Anonymous says:

    When I go to a site that pushes a download on me e.g. download.cnet.com in Firefox a dialog pops up asking me where I want to SAVE the file.

    This is the safe, responsible thing to do with the downloaded file.

  5. Anonymous says:

    next bit…

    However in IE, I get a dialog that offers an insecure option… (Open).  This button is the first button on the dialog and is just asking for a horrible outcome.

    If MSFT really cares about IE users, IE9 will REMOVE this button completely.  In an age where 560 MILLION malware attempts were blocked in IE, one can only imagine how many more files are out there.  Since real-time blocking of files across the entire Internet simply does not scale it is important for IE to take a pro-active step and remove the Run button from user temptation.

  6. Anonymous says:

    third bit…

    Combine this with a file download manager and there will be no issues for end users.  Files are never executed automatically, yet they are easily found in the download manager and further still A/V software will instantly scan the file once it is added to the local file system (if not before).

  7. Anonymous says:

    So Microsoft is censoring comments that expose the cherry-picking and manipulation?

    Amazing.

    Matt, who works for NSS Labs, above claimed that there was no cherry-picking, that the 50 sites comment was false, and that the false positives were not there.

    The evidence, however, shows a clear cherry-picking of URLs, from more than 12K, down to 500.

    And since one site could have up to 10% of the URLs, we are talking maybe as little as 50 or so sites.

    And the false positives were indeed there, but NSS Labs is now trying to paddle their way out of it.

  8. Anonymous says:

    Matt works for NSS Labs too 🙂

    No, the 50 sites thing is not an invention. The report actually admits that one site could make up up to 10% of all URLs, so in theory, they could have tested just 50 something sites.

    You are cherry-picking. The URLs are being cherry-picked. Read some of the comments above for more details.

    You keep making false claims about Opera. It started out with the claim that Opera updated itself automatically when those versions didn’t even support automatic updates.

    LOL.

  9. Anonymous says:

    Apparently "Jack" works for NSS Labs too:

    # People quote HAAVARD as the official Opera
    # dispute of the test, even though according
    # to his website "Even though I work for Opera
    # Software, the opinions stated herein do not
    # necessarily represent those of my
    # employer".

    That’s not the point. The point is that the post exposes the pseudoscientific nonsense that is these NSS Labs reports.

    # Opera, Chrome, Firefox, nor Safari have come
    # out disputing the NSS test results or
    # methodology. Don’t you think if they truly
    # disagreed with the results they would have
    # made an official statement?

    Why would they? It’s futile. The Microsoft propaganda machine is running full steam ahead. Better ignore it and just move on to something else. Else, the Barbra Streisand effect.

    # This is the third time MS has released the
    # study, and all we hear from them is
    # silence.

    Again, because they know it’s futile.

    # Has there been another test from a different
    # independent test org that contradicts the
    # NSS test?

    Irrelevant. First NSS Labs will have to provide something other than pseudoscience and manipulated statistics.

    # If not NSS, what test org is qualified to do
    # an in-the-wild phishing and malware test?

    Irrelevant to the question of whether NSS Labs’ "research" is valid or not.

    # When I search the web looking for NSS’s
    # reputation, I see a lot of positive stuff
    # from people who do not have any skin in the
    # browser game

    They evidently haven’t looked deeply into NSS Labs’ history, then.

    Also, funny how your links are all companies crowing over how NSS Labs’ pseudoscience crowned them the victor in some nonsensical test at some point.

  10. Anonymous says:

    Joe, we know that you work for NSS Labs.

    We also know that NSS Labs will lie.

    Your employer was caught lying repeatedly, even insisting that a version of Opera with no support for automatic updates updated itself.

    You didn’t share the URL list. If you did, people wouldn’t be pointing out that you didn’t.

    Stop being a paid shill. Admit that your company engages in pseudoscientific nonsense.

    Of course you would LOVE other browsers to pay you lots of money to manipulate the pseudoscience to their advantage. Is that what this is about?

    "Pay us, and we’ll manipulate the results so you look better!"

    LOL.

  11. Anonymous says:

    – AntiTroll

    – Jack

    – Joe

    All these are paid shills for NSS Labs. If you read various blogs, you will notice that they are paid by NSS Labs to spread FUD and lies anywhere NSS Labs is being criticized.

    The fact is that NSS Labs has failed to share their data, and there is no way to verify their claims. Combine that with blatant lies, such as Opera updating itself, and you will see that you are dealing with a deeply dishonest company which will gladly take Microsoft’s money, and then launch astroturfing campaigns to harass and silence criticism.

    The funniest part here is when the paid NSS Labs shill says that Trend Micro endorses the methodology. Why would they not? They won the pseudoscientific and unverifiable test by NSS Labs, so they have no reason to question it!

    Here’s another article blowing the lid off NSS Labs:

    http://www.thetechherald.com/article.php/200912/3268/Can-you-trust-the-NSS-Labs-report-touting-the-benefits-of-IE8

    Notice the comments: The paid NSS Labs shills are out in force, spreading lies and attacking people who criticize their pseudoscientific nonsense!

    http://my.opera.com/haavard/blog/show.dml/3092194#comment7307545

    http://my.opera.com/haavard/blog/show.dml/3092194#comment7312183

    http://my.opera.com/haavard/blog/show.dml/3092194#comment7313368

    http://my.opera.com/haavard/blog/show.dml/3092194#comment7353886

    http://www.favbrowser.com/nss-security-test-more-details-emerge/

  12. Jack says:

    These stats are impressive….

  13. g88keeper says:

    I will be re-posting this on Facebook, it’s important for people to know what IE8 has to offer, in comparison with other browsers.

  14. Meph says:

    It amazes me that homes are still using IE6 or 7. Even if they use a different browser, they should still upgrade.

  15. Jesper says:

    Why are you still using NSS Lab as your data source, when it was discovered last time that their methodology was nonsense and their data was completely unreliable?

  16. Frederico says:

    @Jesper, can you please link to a clear explanation of this "discovery" about NSS Labs that you mention.  I read the NSS Labs report and it sounds as good a methodology as any to me.

  17. Paulo says:

    @Frederico NSS Labs tests are paid for by Microsoft… no wonder IE8 looks awesome in their reports lol

  18. Jorge says:

    @Jesper, as Frederico said, I also would like to know about that discovery, I want to believe 🙂

    Anyway, I use IE8 in my machines, in Windows 7 and Windows Vista, and so far I’ve had a great experience, it’s fast, secure… but if we talk about web standards, other browsers are better in that area.

    I look forward to hearing more from IE9! 🙂

    Best regards from Peru!

  19. AntiTroll says:

    @Frederico: Jesper didn’t bother to read the methodology. It’s easier to parrot the talking points of the non-IE fanboys than to actually read the report and decide what he thinks of the methodology himself.

  20. Jack says:

    The methodology is sound. It has been endorsed by Trend Micro http://trendmicro.mediaroom.com/index.php?s=43&item=749, Gartner, and others. None of these are friends of MS. Google fans need to start asking Google why they continue to score poorly and refuse to offer their customers equal levels of protection from drive-by attacks as they do socially engineered attacks (malware & phishing).

  21. active x says:

    So of the sites that host this malware – what percent of it has: Active-x, JScript, VBScript, VML, or CSS expression based attack vectors?

    Keeping in mind that if 75% of these sites use these non-web-standard attack vectors all the other browsers (Firefox, Safari, Opera & Chrome) are all immune to them by design!

    Combine that with the social angle.

    Statistically, IE users are less technical and knowledgeable about the Internet and the dangers that lie within.

    IE users are more likely to click on dialogs and grant permission to infectious files, download shifty codecs/licenses for windows media player because the porn video they downloaded "claims" it needs it.

    An IE user that has not yet learned there are better browsers out there is not likely going to recognize spoofed behavior like a faked yellow security bar that actually initiates the malware download that non-IE users would spot right away as bogus!

    Installing a non-IE browser as the default browser on all my family’s computers was the best thing I ever did. Tech support calls dropped by 90% overnight.

  22. billybob says:

    What do the IE guys think of Google’s Native Client proposal?

  23. jessedee says:

    I find all this to be very interesting

  24. Joe says:

    Activex, you have your stats reversed. 80% of malware attacks are from social engineered attacks that all browsers don’t have any protection against since the attack is against the user, not the pc or browser. http://blog.brickhousesecurity.com/2010/02/19/pdfs-make-up-80-of-all-internet-exploits/.  The only protection is to have a feature like Smartscreen and keep adobe products up to date.

    If you don’t agree with the above article, take a look at blog by Trendmicro from about a year ago, where they determined only 20% of malware is installed through exploits. They said the vast majority of malware installations can be traced back to a socially engineered attack.

    Please don’t throw out SWAG percentages as fact. It does nothing but harm your argument. Also don’t get me wrong, I am not an IE zealot, I just believe in an honest factual discussion.

  25. George Wurst says:

    Does blacklisting really scale?

  26. George Wurst says:

    I thought Firefox uses Google as its blacklist source, shouldn’t they be dead even then?

  27. Gordy says:

    Would users permit a browser to only allow them to go to a whitelist?  I don’t think so, so a black list may be the only option.

    Let alone there was an article a while back stating most malware is hosted on legit sites like blogspace and Google docs so protection must have to be very granular to be effective.

  28. Lucas V. says:

    @George Wurst

    They do, but Firefox’s filter technology works much more consistently than Chrome.

  29. Joe says:

    I just read the post.  Haavard only raised FUD about the test. He did not have proof why Opera should have scored better, especially since opera does not have any data sources for malware anymore.

  30. sfc2000 says:

    I don’t really use phishing filter since usually it’s easy to tell if a website is fake or filled with spyware

    Still it’s impressive to see that IE has the best protection rates, well done and keep up the good work

  31. sawengchuan says:

    Believe me. When Google or Firefox or a non-IE browser scores better than IE, then all the people that are against this report now will embrace it, praise the standard/methodology in this malware test as unbiased, and bash IE for being less secure.

    This is life. All the Microsoft haters sitting out there, waiting for any chances to spread the FUD.

    Linus Torvalds: Microsoft hatred is a disease.

    So, to all Microsoft haters, please quarantine/isolate yourself, stop spreading the disease out.

  32. When people hear IE, they keep thinking IE6…

    That is why IE8 is getting so much negative publicity while being quite good browser overall.

    Also, there doesn’t seem to be an easy way to check a site for blacklist status (without visiting it), like you can with Google, McAfee or Norton services. And without open side-by-side comparison there will always be complaints about biased research, evil Microsoft and insecure IE.

  33. tina says:

    If you plan to publish the full results of the next security tests that are done that are not sponsored by Microsoft then great! Otherwise do not post the results of a sponsored test. It does nothing for your credibility other than undermine it.

  34. AntiTroll says:

    Tina, if you plan to post a comment that adds to the conversation in a meaningful way, then great! Otherwise, please do not post your comment, as it does nothing for the reader other than waste their time.

  35. hAl says:

    I find these tests more useful than JavaScript speed tests that were made by some browser builders themselves to show one aspect of browser speed in one-sided, non-realistic, repetitive tests

  36. hAl says:

    A PCMag tester last year has shown similar results in his Anti Phishing tests even dropping FF and Chrome from the tests because they were not effective.

    http://www.pcmag.com/article2/0,2817,2350317,00.asp

  37. hAl says:

    And another link that confirms much better results for IE8 smartscreen filtering than for instance Firefox or even some third party browser addons

    http://www.brighthub.com/computing/smb-security/articles/56996.aspx

  38. hello says:

    @Joe

    "I just read the post.  Haavard only raised FUD about the test. He did not have proof why Opera should have scored better, especially since opera does not have any data sources for malware anymore."

    You work for NSS Labs, don’t you, Joe? Did you actually read the blog post?

    NSS Labs employees have been actively spreading FUD after being caught red-handed spreading misinformation in various blogs.

    This is from the first report, but it’s equally valid, and NSS Labs has failed to provide others with a full list of URLs or any way to reproduce the results:

    * NSS Labs claims that Opera automatically updated itself even though it did not support automatic updates at the time.

    * The report contradicts itself ("The report says that 7% of the threats were blocked by all browsers, but Opera is claimed to have blocked only 5%").

    * The test started with more than 100K URLs, but the final list was less than 500(!) URLs.

    * Worst case, NSS Labs only tested 10 sites. Yes, 10 sites! According to them, the same site could have up to 10% of the total URLs.

    * "According to the "Malware URL Response" table on page 3, Opera catches 15% on hour 0, and 33% after 5 days. And yet the final rate was set to only 5%"

    * "According to the same table, Chrome consistently catches 25% or more, but the final score is only 16%"

    * "The same table shows that IE8 never reaches 69% even once in the table, and yet its final score is raised to 69%"

  39. hello says:

    @Joe

    Another nice contradiction:

    "Also, the test included Phishing, Clickjacking, and so-called “drive-by downloads” (where the web page contains an exploit against a browser and the payload of that exploit is malware that is automatically installed)."

    Then

    "It did NOT cover Phishing, so-called “drive-by” exploits/downloads, or Clickjacking."

    Wow.

  40. Joe says:

    You speak of what you know not. Have you called NSS and asked for the data?  I know people at Google and Safari were offered the data. According to Opera’s website, the last time I looked, their one published source from Malware is defunct as a data source (Haught Secure).

    Safari, Google, Firefox and OPERA, have never officially disputed the test results or the methodology.   Haavard goes out of his way to say his blog is personal opinion and not an official Opera blog.

    As for funding, according to what I read, all the browsers were offered to split the cost of the test, but they declined and have never done a competitive test to counter the test.

    Now don’t get me wrong.  My browser of choice is FF.  I like its speed, customization, ad blocker, no script, and plug-in model a lot better than any other browser.  But I do wish MS allowed other products to use their protection from socially engineered attacks like Google does.

    I

  41. NSS Labs have taken on board a lot of the community feedback about being more transparent with their methodology and I think the latest report reflects that.

    They start with more than 12,000 suspicious URLs which are gathered from “honey pot” e-mail addresses and scanning sites known to deliver malware.  Many of these URLs are already “down” by the time NSS Labs first hit them.  Others do not pass validation, for example they aren’t providing socially engineered malware which is what this report is testing.

    NSS Labs are producing a unique report which focusses on testing real, live socially engineered malware.  It’s expensive and complex to build the infrastructure to do the testing and I suspect that’s why there aren’t other reports available. Because the test is against live threats, by this point a month later many of the URLs have gone dead reflecting how quickly the landscape changes.  I’m not sure what we’d learn from looking at a list of now defunct URLs.

    I’d welcome a community or competitor driven effort to provide another report that could corroborate – or not – the findings in NSS labs study against live or socially engineered malware.

  42. EricLaw [MSFT] says:

    Folks, just a quick reminder about the blog comment policy: While disagreements and criticism are welcome, personal attacks targeted at other commentators are not. See the full policy here: http://blogs.msdn.com/ie/archive/2004/07/22/191629.aspx

  43. Huri says:

    Looks like "JamesPr [MSFT]" admitted to NSS Labs cherry-picking data.

    And as the report also admits, mere 12,000 URLs in total were cherry-picked down to less than 2000! And the final test was ONLY A LITTLE OVER 500 URLs!

    And in addition to that, ONE SITE could contain UP TO 10% OF THE URLs! So maybe as little as 50 SITES were included!

    Wow!

    And where is this list of URLs? Has NSS Labs published it?

    Or is NSS Labs once again engaging in unreproducible pseudoscience?

  44. EricLaw [MSFT] says:

    @Huri: James correctly notes that NSS removes URLs that don’t deliver socially-engineered malware.

    I’m sure most folks would agree that it doesn’t make sense to try to test a malware filter by testing it against URLs that don’t deliver malware.

  45. Jack says:

    I don’t understand the logic of a lot of these posts.

    People quote HAAVARD as the official Opera dispute of the test, even though according to his website "Even though I work for Opera Software, the opinions stated herein do not necessarily represent those of my employer".  Opera, Chrome, Firefox, nor Safari have come out disputing the NSS test results or methodology. Don’t you think if they truly disagreed with the results they would have made an official statement?  This is the third time MS has released the study, and all we hear from them is silence.

    Has there been another test from a different independent test org that contradicts the NSS test?

    If not NSS, what test org is qualified to do an in-the-wild phishing and malware test?

    When I search the web looking for NSS’s reputation, I see a lot of positive stuff from people who do not have any skin in the browser game

    http://www.forbes.com/2009/11/03/security-nss-labs-technology-cio-network-wildlist.html

    http://www-935.ibm.com/services/us/index.wss/detail/iss/a1028930

    http://www.mcafee.com/us/about/press/corporate/2009/20090121_060000_x.html

  46. Reader says:

    hello>> I don’t know what doc you’re reading, but both of the Q1 2010 PDFs from NSS clearly state that they don’t include "clickjacking" attacks. (The term "clickjacking" is misused here anyway: NSS means "drive-by attacks" where they say clickjacking.)

    The difference between a driveby and a socially-engineered malware attack is covered in an old post on this blog: http://blogs.msdn.com/ie/archive/2009/02/09/ie8-security-part-viii-smartscreen-filter-release-candidate-update.aspx

  47. further analysis says:

    (I’m breaking this into segments as this blog is refusing to accept the entire message without filtering it)

    For the "drive-by-downloads" what are we referring to?

    E.g. what percentage is:

    a.) pages that "push" a file download on the user? e.g.

    header('Content-Disposition: attachment; filename="updatefile.exe"');

    vs.

    b.) pages that take advantage of a browser flaw/security hole to prompt/force the user to download a file?

  48. further analysis says:

    (I’m breaking this into segments as this blog is refusing to accept the entire message without filtering it)

    (con’t)

    …I’m just curious – as the latter (b) URLs should only be held up to testing against the browsers that have said holes/behavior.

    e.g. if Chrome/Firefox do not block page ‘X’ because they do not contain a flaw that would allow the download of malware file ‘Y’ – then that should not count as a strike against Chrome/Firefox as they are already safe from this malware by design.

    Are there any statistics on the urls to indicate how the malware would get downloaded? I think this is a very important piece of the security puzzle that should not be overlooked.

  49. Phil says:

    Ok, so we have IE 8 which is good at blocking bad sites, or every other browser which follows W3C standards.  Hmmm, which browser should I use… I know, I’ll use Opera because it’s fast, follows standards, has a built in mail client, scores 100 on Acid 3, is skinnable and has a download manager.  I’ll use my own common sense to judge the validity of a website.  If I keep my anti-virus up to date, I’m sure I’ll be fine.  Oh, no!  But wait a minute!  My AV isn’t up to date… in fact, I don’t have any installed!  I use Linux 🙂

  50. EricLaw [MSFT] says:

    @further: In the context of this study, "Drive by attack" or "drive by download" means "attempted exploit of a browser vulnerability to get code execution." As you noted, trying to benchmark those would not be reliable because of cross-browser differences.

    The NSS studies, in contrast, measure socially-engineered malware, which is a different class of attack wherein the user is misled into downloading and running a malicious program; no browser exploits are involved – the attacker takes advantage of the user, rather than a technical vulnerability. Such attacks work the same way across all browsers, which is one of the reasons why they are popular.

    @Phil: As noted in the post, SmartScreen has blocked 560 million malware downloads in just one year, suggesting that either social-engineering attacks can defeat "common sense", or that "common sense" is perhaps not as "common" as one might hope.

  51. heh says:

    @EricLaw [MSFT]

    "James correctly notes that NSS removes URLs that don’t deliver socially-engineered malware."

    Yes, that is but one of the examples of cherry-picking. The other one is the reduction from 12K to 500 pages, and something like 50 sites! Wow.

    "The NSS studies, in contrast, measure socially-engineered malware"

    Cherry-picking again.

    Also, NSS Labs does not test whether the browser actually blocks it or not. For example, Opera fetches the requested document while at the same time checking the fraud list. If the document is found to be fraud, it will be blocked, even though a request has already been sent.

    So: False positives.

  52. Matt says:

    "something like 50 sites" — your own invention and not based in fact.

    "Cherry-picking again" — they are measuring exactly what they’re advertising their test to measure. If you have a problem with that, it’s not that they are "cherry picking" it’s "I don’t like the premise behind your test. I don’t believe socially engineered malware is as important as you do."

    "False positives." — wrong again. IE also downloads and performs checks in parallel. NSS says their test measures whether the block occurs, not whether a download occurs. Opera has miserable results because they have no antimalware data. Their phishing data is the weakest of the browsers as well.

  53. Phil says:

    @Eric MSFT – valid point.  However, I was referring to -my own- common sense, not the average user, who generally don’t have any at all.  I know how to check site certs, I know how to validate links etc.  To be honest though my surfing is generally limited to probably less than 30 different websites (although they have very dynamic content) and I trust them enough to NOT be rooted and loaded with malware.  I’d never expect Joe User to be able to test for things like invalid SSL certs – which is one feature I really do like in IE8, it’s very good at getting in your face and telling you the site has issues.

    I was being flippant about the Linux thing – which I do use – that was just me taking a cheap shot about being maybe a little more secure than the average Windows user 😉

  54. Ubuntu says:

    If you really want to protect your users, then quit developing operating systems. If you want to be safe, just install Linux (for example Ubuntu) on your system or buy a Mac.

  55. Paul McKeown says:

    @Ubuntu

    >>>If you really want to protect your users, then quit developing operating systems. If you want to be safe, just install Linux (for example Ubuntu) on your system of buy a Mac.>>>

    Snore.

  56. safer browser says:

    When I go to a site that pushes a download on me e.g. download.cnet.com in Firefox a dialog pops up asking me where I want to SAVE the file.

    This is the safe, responsible thing to do with the downloaded file.

    However in IE, I get a dialog that offers an insecure option… (Open).  This button is the first button on the dialog and is just asking for a horrible outcome.

    If MSFT really cares about IE users, IE9 will REMOVE this button completely.  In an age where 560 M-I-L-L-I-O-N malware attempts were blocked in IE, one can only imagine how many more files are out there.  Since real-time blocking of files across the entire Internet simply does not scale it is important for IE to take a pro-active step and remove the Run button from user temptation.

    Combine this with a file download manager and there will be no issues for end users.  Files are never executed automatically, yet they are easily found in the download manager and further still A/V software will instantly scan the file once it is added to the local file system (if not before).

    thank you

  57. ie blog error says:

    Just an FYI – the IE blog attempts to load a theme file? but gets a 403 forbidden error instead.

  58. Joshbw says:

    @safer browser

    "Since real-time blocking of files across the entire Internet simple does not scale it is important for IE to take a pro-active step and remove the Run button from user temptation"

    I am curious at such assertions – this isn’t a client based signature list but a server based signature list.  Since all you have to compare is a hashed key on the server it scales much better than, say, normal search results (which obviously can scale, i.e. google, bing, etc).  The weakness in the blacklist is that there is a lag time between a new malware signature and an updating of the malware index that MS maintains, but that is a separate problem from the issue of scaling the size of the index.

    Per the "how much of this is an IE specific attack so it doesn’t matter", such arguments are pretty outdated.  IE exploits are worth a lot less than they used to be, as Flash, Quicktime, and Acrobat are the new primary targets of web based exploits (all three have greater market penetration than IE these days, are much more fruitful hunting ground for vulnerabilities, and neither Adobe nor Apple had an equivalent SDL to Microsoft).  Additionally, exploits are not the primary delivery vector on the client – socially engineered trojans are.  Finally, trusting that you can spot a phishing/malware site is not a sound assumption anymore – a good deal of malware is hosted on otherwise legitimate sites thanks to the rise of SQL Injection worms. It isn’t 2001 anymore folks, and operating under the assumptions from 9 years ago is not a sound decision.

  59. SOME RANDOM GUY says:

    So, I’ve been very impressed with IE8’s security. If they maintain this good security (or improve it even better!) with IE9, and also give it good web standards support and overall browsing/page-loading performance, then I may actually use it as my main browser.

  60. JER0EN R0LAND says:

    SmartScreen Filter makes the internet slow.

    Better is a whitelist in register to check site is friendly and keep it up to date.

  61. wechrome says:

    @safer browser,

    I don’t think pressing "Open" will automatically execute the file bypassing other safety measures.

    Actually, when you press "Open", the file is still downloaded to a temporary location on your hard disk, so your AV would still scan it before it has any chance to execute. So there’s really not that much difference in terms of security between selecting "Save" first then manually double-clicking it to open, and just selecting "Open" right away. The only advantage of "Save" is that you can choose a location to permanently store it for later use, instead of just downloading it to a temporary location and just running it once. But it’s not any more or less safe than just "Open".

  62. wechrome says:

    @active x,

    Actually, MOST attacks these days are NOT exploiting browser vulnerabilities, only the most elite attackers have the intelligence and resources to conceive such attacks. The average attackers will just make a page and put a download link that says "download this and run it and your credit card will have 100 more dollars", things like that. And for those common attacks, what kind of browser you use doesn’t matter, since every browser provides the functionality for people to download and run things from the internet.

    As for your second point, it is valid, non-IE users are usually more techie than IE users, I myself use Opera most of the time, and non-IE users are usually more security-aware, I met many IE users who don’t install any AV on their system, while non-IE users all have some kind of AV installed or use Linux/FreeBSD, or both 😉

  63. wechrome says:

    @active x,

    (cont.)

    But then they are testing the browsers, not the browser users, so it’s kinda irrelevant to talk about how techie the users of a certain browser are. And for your last part, I highly doubt installing non-IE browsers on your family computers can magically make your family members more techie unless you educated them about computer security at the same time. After all, it doesn’t matter whether they are using IE or Opera or Firefox or Chrome or Safari to download an executable file that says "click me and you’ll see a nice firework show", so just changing the browser itself doesn’t really stop them from being vulnerable to the vast majority of malware attacks out there.

    The only thing that can protect someone from malware attacks is to educate him/her about internet security, not just changing the browser he/she uses. Opera surely has much better web standards support than IE, that’s for sure, but Opera does NOT have any better protection against malware downloads, and I don’t think people can truly rely on browsers to protect them from malware anyway, what they need is some real AV software and a brain better suited to this internet age.

  64. @Joshbw and wechrome:

    Today most exploits that people should worry about are BOTH social and drive-by. Exploit packs are freely sold, so infesting a user is merely a question of making him click a link.

    And no easy solution exists.