Internet Explorer 9 Security Part 2: Protection from Socially Engineered Attacks


As Eric introduced in his post earlier this week, Internet Explorer offers layered defenses to protect against and mitigate each of three major classes of threats that browser users face when surfing the sometimes-hostile Web:

  1. Technological attacks designed to exploit the browser or operating system
  2. Web attacks designed to exploit vulnerabilities in Web sites
  3. Social engineering attacks against the user’s trust

Today’s post discusses how IE8 and IE9 can help protect users from the third class of attacks: Social Engineering.

Socially-engineered Attacks

Socially engineered attacks take advantage of a user’s trust by convincing the user to take an action that compromises their computer and/or data. This could involve tricking a user into entering their private information into a convincing phishing page or running a program that infects their computer.

In both Internet Explorer 8 and 9, SmartScreen® Filter provides award-winning protection against socially engineered malware and phishing attacks. Since IE8 launched, we have blocked over 1.5 billion malware attacks.

Building on this experience and intelligence, in IE9 we’ve introduced a new approach to socially engineered malware protection and a new layer of safety. That feature is SmartScreen Application Reputation, which is part of the new IE9 download experience. URL Reputation and Application Reputation together provide significantly improved protection against socially engineered attacks.

SmartScreen URL Reputation

We’ve discussed SmartScreen Filter many times in the past – it consistently leads the field in protection from socially engineered malware and phishing attacks.

Chart of Mean Block Rate for Socially Engineered Malware

As mentioned, SmartScreen continues to block millions of malware and phishing attacks by URL each day for IE8 and IE9 users.

However impressive these numbers may be, malware authors have the time and motivation to continuously work around any blocklist-based scheme. With hundreds of millions of downloads, that means attackers will succeed in getting malicious programs past existing solutions and to our users. SmartScreen blocks a large percentage of malicious downloads by URL and antivirus products block their share, but both blocklists and antivirus products suffer from latency. Both are great at blocking what is known to be malicious at the time, but offer little protection for users who find themselves part of the leading wave of new attacks. Application Reputation in IE9 is designed to fill this gap and help protect users from undetected attacks.

Application Reputation (IE9)

For Internet Explorer 9, we took a hard look at the download landscape and found that the download space was fairly well defined for most users. We began researching methods of building intelligence systems that could distinguish between reputable downloads (whether a specific file or digital signature) and those that were more likely to be malicious. The end result was SmartScreen Application Reputation, which is now part of the IE9 download experience.

The goal of Application Reputation is to reduce the number of infections from socially engineered malware. It accomplishes this by greatly reducing the number of unnecessary warning prompts while warning users only when they are about to run a downloaded program that is more likely to be malicious. At this point, the user can either explicitly run the program or delete the download immediately. We found that the warning is working extremely well to help users make better decisions:

  • 90% of IE9 Beta and RC users were never shown a warning because they downloaded only reputable programs.
  • Between 20% and 40% of downloaded files that do not have established reputation are eventually classified as malicious. These are malware downloads that have managed to bypass all existing solutions and would likely be run by users if not warned.
  • 95% of previously undetected malware is deleted by users when presented with the App Rep warning.

The data shows that this feature is a great complement to our existing social-engineering protection and will contribute significantly to the safety of our users over time. In the coming weeks we will continue to post more detailed information and data about SmartScreen Application Reputation and how it helps protect IE9 users from malware downloads.

—Ryan Colvin, Program Manager, SmartScreen Team

Comments (12)

  1. Anonymous says:

    Pwn2Own 2011: Safari, IE hacked first at Pwn2Own

    http://www.computerworld.com/…/Safari_IE_hacked_first_at_Pwn2Own

  2. Anonymous says:

    @IE_hacked

    I wonder what would have happened if the Google Chrome guys actually showed up…

    Also, didn't Google and Mozilla push out a TON of security updates a day or two before pwn2own?  Kind of invalidates the competition, if you ask me.

  3. Anonymous says:

    Come on Microsoft…. Why do you show a grid which compares IE9 against old browsers from the other guys… Let’s compare apples to apples here….

    This would be the same as Google Chrome showing how great Chrome 11 is against IE6… Same thing for FireFox 4 vs IE6, it’s an unfair comparison…. If you're going to compare a Beta/RC, compare it against the other guys' same product…

  4. Anonymous says:

    Well, it was IE8. How is it related to this blog about IE9?

  5. Anonymous says:

    Nice job on blocking 1.5 billion malware attacks.

    @iE_hacked

    That was IE8 and not IE9

    @nathan

    From arstechnica: "The third browser to be tested was scheduled to be Chrome. However, the contestant registered to attempt the attack did not show up, so the browser remains unbeaten. One possible reason for this is that Google published a Chrome update yesterday, closing at least 24 security flaws. The prizes in the Chrome test were different from the others, with worse hardware (a ChromeOS Cr-48 laptop) and more prize money ($20,000 instead of $15,000) available. The would-be Chrome attacker may have been depending on one of the flaws patched this week to attack the browser, and may have lost interest once the money was off the table." (winning the prize for chrome required successful browser hack and a sandbox hack)

  6. Anonymous says:

    How many do IE6 and IE7 block? – both of these browsers are still used fairly heavily.

  7. Anonymous says:

    It displayed me a warning when I tried to download a Firefox nightly, nice!

  8. Anonymous says:

    windowsteamblog.com/…/a-more-beautiful-web-launches-on-march-14th.aspx

    For those who have not heard: IE9 launches next week!

  9. Anonymous says:

    The smart dl block in IE8 did give quite few false positives so will be interesting to see what's the trend with IE9.

  10. Anonymous says:

    I hope IE9 launch would turn out to be a great achievement for MS and whole web-surfers’ community would get used to this nextgen webbrowser in no time. I still hope that the support would be pervasive to XP users. Those who use Mac would be able to use IE9 via winebottler and other emulators.

    @ieblog, would there be "feature" update (other than security ones) after the final release? Or they shall be scheduled for IE10? (so I would use connect website accordingly)

  11. Anonymous says:

    The vulnerability in Internet Explorer 8 that researcher Stephen Fewer exploited at the Pwn2Own hacking contest this week has already been fixed in Internet Explorer (9), according to Microsoft.

  12. Anonymous says:

    you guys are pathetic really pathetic

    you compare IE to dead browsers versions

    don't make me start comparing latest chrome and opera to your crap 5 6 and 7 versions

    you'd be nothing a huge ZERO