IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

Security Intelligence Report Volume 6

IEBlog — Fri, 01 May 2009 20:11:00 GMT

The sixth edition of the Security Intelligence Report (SIR), Microsoft’s semi-annual report on the state

re: IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

EricLaw [MSFT] — Wed, 01 Apr 2009 21:31:41 GMT

@jjb2009: Please feel free to email me any examples; I'm happy to investigate.

re: IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

jjb2009 — Wed, 01 Apr 2009 20:48:30 GMT

I wondered. I found a half dozen of their most dangerous sites (known to download malware, Mcafee said). Entered in IE8 and . . . SmartFilter does nothing! Of course, I wasn't infected with malware either so perhaps Mcafee as a LOT of false positives??

An explanation of the difference or a FAQ might help because I know lots of people who use Mcafee siteadvisor on IE and FF and you can't persuade them SmartFilter takes care of the job -- and I'm still fuzzy on the difference. Mcafee claims it does an actual crawl of sites??

Pat on the back:

I read Paul Thurott's review of IE8 -- it made him switch from FF to IE8, something I have done since you went official. It's like a new Microsoft! Perhaps I won't have to spend all my time having to search for "things MS can't do" -- there is less and less these days. (Total digression: No idea why Apple of MS don't have something like Clipmagic clipboard extender?).

re: IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

EricLaw [MSFT] — Tue, 31 Mar 2009 23:15:18 GMT

@jjb2009: SmartScreen blocks navigation to (and downloads from) known-malicious sites.

Note that McAfee's feature works differently than ours. A key goal for SmartScreen is that false positives must be as low as possible.

re: IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

jjb2009 — Tue, 31 Mar 2009 22:01:42 GMT

I'm confused: I have IE8 _and_ McAfee Siteadvisor. I like that it warns me with a read X that a site has dangerous downloads, or is linked to dangerous sites. Can SmartFilter do this?

Also, a lot of the sites that McAfee reports as downloading "Red" (malware) come up with no peep from SmartFilter. When I "CHeck this website" the SmartFilter says everything is fine?!

So, how do I know SmartFilter is REALLY working? I'd gladly junk McAfee Siteadvisor (yeah, yeah, the more "layers" the better but there is a performance hit).

re: IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

EricLaw [MSFT] — Tue, 31 Mar 2009 18:44:46 GMT

@Vanoie: If you are running the 64bit version of Windows Vista, you must download the 64bit package of IE8. (Note that this will also install the 32bit version as well).

You can determine if you're running the 64bit version by visiting this page in IE: www.enhanceie.com/ua.aspx. If your user-agent string (in red) contains tokens like "Win64" or "WOW64", you need the 64-bit version.

re: IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

Olivier — Tue, 31 Mar 2009 11:35:27 GMT

@Vanoie Ball : do you have Vista 32 or 64 bits ?

Which version of IE8 have you downloaded : 32 or 64 bits ?

You have to download the correct version for your OS.

re: IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

Vanoie Ball — Tue, 31 Mar 2009 06:48:48 GMT

ok I have Vista and downloaded vista version and i guess it. I don't work! Here is the message:

This installation does not support your system architecture (32/64bits).

So what now??????

re: IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

Olivier — Mon, 30 Mar 2009 11:43:35 GMT

@zzz : "For all the browsers on operating systems, the hardest target is Firefox on Windows" : you understand this means that Firefox is a security breach, do you ?

re: IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

Rob — Mon, 30 Mar 2009 03:32:13 GMT

zzz, I'm sure MS has learned that it's pointless to try to correct the inaccuracies in stories that are published in the media when those stories are specifically written with dramatic headlines (rather than correctness) in mind.

Firefox, you might remember, DID fall at the pwn2own contest, but it fell on Mac (which is the real loser at the contest). On Windows, Firefox/Chrome uses dep/NX and ASLR, like IE does. All three browsers help prevent this type of attack from succeeding on Windows. (As hAl points out, the dep bypass that was used at the contest doesn't actually work in the version of ie that was released.)

Even then, the design of the contest is pretty flawed because it treats all potential code execution flaws as equal. Both IE and Chrome run with restricted rights (called "sandboxing" in Chrome and "Protected Mode" in IE.) But Firefox has neither, meaning that if the bad guy DOES manage to bypass dep and ASLR, they get to run with full user permissions and trash the machine.

Chrome's sandbox is somewhat better than IE's (it prevents "read" of the system) but also somewhat worse than IE's (it runs plugins like Flash outside the sandbox with full trust).

While some note that Chrome didn't fall at the contest, it's also worth remembering that no one bothered to try, which does /not/ necessarily mean that it would have been hard to do so but rather that picking on targets like Safari (which got hacked twice) was simply easier.

The story here that zdnet and other should have written is that Windows browsers are simply safer than Mac browsers because they have protections like ASLR and dep.

Having typed all that, the /real/ point of all of this is that these types of "drive by"/"backdoor" attacks are not really very common. Much more common is when users get suckered into downloading malicious "through the front door" because soc. engineering is really effective. And MS' point with this blog post is that social eng. attacks are far less likely to be successful in IE because smartscreen is better than the competition.

But that's not the story you'll read in the media because it's a boring headline, and boring headlines don't sell ads.