Spyware on the web - some data
Following the recent nonsense over the Firefox Myths web page, it’s interesting to see in Information Week that more data has come to light about spyware and browsers.
Researchers at the University of Washington have been looking at the prevalence of spyware on the web, and in the process they did a side by side comparison of spyware attacks on IE and Firefox. The original paper can be found (956KB PDF) over on co-author Steve Gribble’s web page.
Peripheral
I’ve only briefly skimmed the paper but it appears that comparison of the two browsers was peripheral to their main project, which was “to provide a quantitative analysis of the extent of spyware-laden content in the Web”. However I think they recognised that their study would not have been complete without taking into account the effect of spyware on both Internet Explorer and Firefox (“currently the second-most popular browser in use”).
Summary
On this matter they summarise:
To study drive-by installations of spyware using the Internet Explorer browser on Windows, we performed a crawl of 45,000 URLs in May and two crawls of 45,000 URLs in October 2005 … Once a user browses an infectious domain, they are very likely to be hit with a spyware infection, often whether or not they respond “yes†to a security prompt. Overall, in our most recent crawl, we found drive-by downloads attempted in 0.4% of the URLs we examined and drive-by attacks that exploit browser vulnerabilities in 0.2% of the examined URLs.
We also examined whether the Firefox browser was susceptible to drive-by installations. We found that only 0.08% of examined URLs performed a drive-by download installation, but all of these required user consent in order to succeed. We found no drive-by attacks that exploited vulnerabilities in Firefox.
Conclusion
A good conclusion on this from the Information Week article:
“We can’t say whether Firefox is a safer browser or not,” said Henry Levy, one of the two University of Washington professors who, along with a pair of graduate students, created Web crawlers to scour the Internet for spyware in several 2005 forays. “But we can say that users will have a safer experience [surfing] with Firefox.”
So both browsers on unpatched systems are vulnerable to spyware attacks and users should never assume that they are totally safe with any browser. For whatever reason, Internet Explorer does appear to be more vulnerable to attack than Firefox. Particularly alarming for IE users is the finding that spyware can still install even if the user responds “No” to the security prompt.
At the same time the study doesn’t take into account that IE7 is currently in Beta and for all I know about it many of the vulnerabilities in IE6 may no longer be a concern in the new version.