Internet Explorer 9 Security Part 2: Protection from Socially Engineered Attacks

As Eric introduced in his post earlier this week, Internet Explorer offers layered defenses to protect against and mitigate each of three major classes of threats that browser users face when surfing the sometimes-hostile Web:

  1. Technological attacks designed to exploit the browser or operating system
  2. Web attacks designed to exploit vulnerabilities in Web sites
  3. Social engineering attacks against the user’s trust

Today’s post discusses how IE8 and IE9 can help protect users from the third class of attacks: Social Engineering.

Socially-engineered Attacks

Socially engineered attacks take advantage of a user’s trust by convincing the user to take an action that compromises their computer and/or data. This could involve tricking a user into entering their private information into a convincing phishing page or running a program that infects their computer.

In both Internet Explorer 8 and 9, SmartScreen® Filter provides award-winning protection against socially engineered malware and phishing attacks. Since IE8 launched we have blocked over 1.5 billion malware attacks.

Building on this experience and intelligence, in IE9 we've introduced a new approach to socially engineered malware protection and a new layer of safety. That feature is SmartScreen Application Reputation, which is part of the new IE9 download experience. URL Reputation and Application Reputation together provide significantly improved protection against socially engineered attacks.

SmartScreen URL Reputation

We’ve discussed SmartScreen Filter many times in the past – it consistently leads the field in protection from socially engineered malware and phishing attacks.

[Figure: Chart of Mean Block Rate for Socially Engineered Malware]

As mentioned, SmartScreen continues to block millions of malware and phishing attacks by URL each day for IE8 and IE9 users.

However impressive these numbers may be, malware authors have the time and motivation to continuously work around any blocklist-based scheme. When talking about hundreds of millions of downloads, that means attackers will succeed in getting malicious programs past existing solutions and to our users. SmartScreen blocks a large percentage of malicious downloads by URL and antivirus products block their share, but both blocklists and antivirus products suffer from latency issues. Both are great at blocking what is known to be malicious at the time, but offer little protection for users who find themselves part of the leading wave of new attacks. Application Reputation in IE9 is designed to fill this gap and help protect users from undetected attacks.

Application Reputation (IE9)

For Internet Explorer 9, we took a hard look at the download landscape and found that the download space was fairly well defined for most users. We began researching methods of building intelligence systems that could distinguish between reputable downloads (whether a specific file or digital signature) and those that were more likely to be malicious. The end result was SmartScreen Application Reputation, which is now part of the IE9 download experience.

The goal of Application Reputation is to reduce the number of infections from socially engineered malware. It accomplishes this by greatly reducing the number of unnecessary warning prompts while warning users only when they are about to run a downloaded program that is more likely to be malicious. At this point, the user can either explicitly run the program or delete the download immediately. We found that the warning is working extremely well to help users make better decisions:

  • 90% of IE9 Beta and RC users were never shown a warning because they downloaded only reputable programs.
  • Between 20% and 40% of downloaded files that do not have established reputation are eventually classified as malicious. These are malware downloads that have managed to bypass all existing solutions and would likely be run by users if not warned.
  • 95% of previously undetected malware is deleted by users when presented with the App Rep warning.

The data shows that this feature is a great complement to our existing social-engineering protection and will contribute significantly to the safety of our users over time. In the coming weeks we will continue to post more detailed information and data about SmartScreen Application Reputation and how it helps protect IE9 users from malware downloads.

—Ryan Colvin, Program Manager, SmartScreen Team