Earlier this week Microsoft Development blogs posted an update about its SmartScreen Application Reputation ranking software for Internet Explorer. In the post, Microsoft had some statistics about users downloading malicious Web applications and the pop-up warnings that IE delivers to users warning them about potentially harmful downloads.
Chet Wisniewski of Sophos Security is calling shenanigans on Microsoft’s statistics. In a blog post on Sophos’ blog, Naked Security, Wisniewski says, “Microsoft is comparing Apples to…nothing.” Microsoft’s post says that users get two pop-up warnings a year, which Wisniewski says means that IE users make 20 downloads a year. Wisniewski looks at these numbers and thinks something is not quite right in Microsoft land.
“I do not believe most computer users are equipped with the knowledge necessary to make good decisions regarding deeply technical problems,” Wisniewski writes.
“I don’t know anyone who only downloads 20 files per year,” Wisniewski writes. “These numbers just don’t really add up.”
Microsoft concludes that one out of every 14 downloads made by IE users is malicious. It concludes that users are falling prey to phishing and targeted malware attacks much more than drive-by exploits (such as happening to visit an infected site).
Update: Microsoft’s public relations firm got in touch with us to try and add clarification. Here is what they had to say: “Microsoft blog post actually says “1 out of every 14 programs downloaded is later confirmed as malware.” I take this to mean 1 in 14 executable downloads are malicious which would affect the other mathematical statements made in the Sophos blog post.”
“SmartScreen itself is unable to prevent exploits from convincing Adobe Reader, iTunes, Real Player, Adobe Flash, Java and other technologies from downloading malicious content, and Microsoft hasn’t presented any data on how often exploits are actually being used,” Wisnieski writes.
When is a Pop-Up Warning Really Malicious?
Microsoft says that over 90% of user downloads do not trigger a warning and of those warnings, 30% to 75% of the time the warnings are false positives. This begs the questions – if three out of every four times you get the pop-up warning and it there is truly nothing wrong with the file you are downloading, why even bother heeding the warning?
Yet, not all download circumstances are identical. For instance, say you download a particular file from Adobe quite often and know that it is safe. Every so often you get a warning from IE telling you it is not. You know that is not true so you click through anyway. Yet, there may be times that you are on a site you do not know and have little reason to trust. Are you still going to click through a pop-up warning to get at something you think you want?
Microsoft says that the malware it finds with its reputation rankings and the subsequent pop-up warnings lead to users not downloading and running the malicious software 99% of the time.
Wisniewski does not trust the average computer user to know the difference.
“I do not believe most computer users are equipped with the knowledge necessary to make good decisions regarding deeply technical problems,” he writes. “When they are confronted with a question attempting to stop them from making a mistake it is often viewed as an annoying roadblock.”
Microsoft has been running data on malware for the SmartScreen Application Reputation program in its lead up to the release of IE9. It is a community reputation engine where users can submit malicious links to the database to be incorporated into the browsing experience. Reputation ranking is not new to security on the Web. Symantec and other companies run every malware exploit they come across through a reputation database, and community reputation company Web of Trust just teamed with Facebook to protect users.
This post was updated May 25, 2011 at 10:48 EST with information from Microsoft.