Microsoft boosts anti-phishing skills of Chrome
24 April 2018 | 0
Microsoft has ceded a major asset of its Edge browser to rival Google by releasing an add-on that boosts Chrome’s phishing detection skills.
The Redmond company had little choice, according to one analyst. “Phishing is a huge problem, and people are going to use the browser they use,” said Michael Cherry of Directions on Microsoft. “They’re doing this to protect the Windows ecosystem.”
Dubbed Windows Defender Browser Protection (WDBP), the free extension can be added to Chrome on Windows or macOS, and after a post-launch fix, Chrome OS as well. Like the defenses built into Edge, the add-on relies on Microsoft’s SmartScreen technology that warns users of potentially malicious websites that may try to download malware to the machine or of sites linked in e-mail messages that lead to known phishing URLs.
Microsoft keeps a constantly-changing list of these likely bad destinations on its servers, that list generated in part from telemetry sent by SmartScreen users.
At least that’s what it appears WDBP does: Microsoft has not documented the extension’s operation beyond some general information on its site and in the description on the Chrome Web Store. In the latter, Microsoft said: “If you click a malicious link in an e-mail or navigate to a site designed to trick you into disclosing financial, personal or other sensitive information, or a website that hosts malware, Windows Defender Browser Protection will check it against a constantly updated list of malicious URLs known to Microsoft.” That is SmartScreen.
In its online pitch for WDBP, Microsoft cited 2017 research from NSS Labs, which pegged Edge as the browser best able to block phishing and socially-engineered malware attacks, sniffing out 99% of all attempts while Chrome and Mozilla’s Firefox found 87% and 70%, respectively. Those two rivals each relied on Google’s Safe Browsing API.
Which raises an obvious question. Why has Microsoft ceded one of the few advantages of its own Edge to a competitor’s browser?
Cherry believes Microsoft was faced with the devil’s choice: Protect the majority of Windows users or only those running Edge (or the obsolete, legacy Internet Explorer). “Edge has not caught on,” Cherry noted, referring to its low usage statistics on Windows 10. “But if people fall for phishing, they’re not going to point a finger at the browser, which is just an application. They’re going to ask [Microsoft] ‘Why didn’t you protect Windows?’ This is just a self-defense move.”
Edge, which is approaching its third-year launch anniversary, has been unable to attract a sizable audience. The latest data from analytics vendor Net Applications put Edge’s share of all browsers at just 4%, and its share on Windows 10 only at 13%. Meanwhile, Chrome was the preferred choice of 61% of the world’s online population.
There are other reasons for Microsoft’s sharing largess.
With Edge and IE accounting for only a slice of Internet users – Net Applications put it as a combined 18% during March – Microsoft was not getting the amount of telemetric data, crucial to SmartScreen, that it once received. “The simplest explanation of Microsoft’s motivation for offering SmartScreen on Chrome is that it gives the company visibility on the bad stuff encountered by the 60% of the market that uses Chrome,” wrote John Dunn in a post to a blog maintained by security company Sophos. “This, in turn, helps Microsoft’s Office 365 Exchange email service offer better protection to compete with Google’s rival G Suite.”
True. Microsoft has baked SmartScreen into more than just Edge and Internet Explorer. Its Outlook.com webmail service and Outlook e-mail client – the latter an important part of Office 365 – as well as its Exchange e-mail server, all turn to SmartScreen to fight phishing and malware.
With a shrinking share of the browser market – at Edge’s introduction in mid-2015, Internet Explorer owned 53% – Microsoft may have realised it was not getting enough data from browser users to fuel SmartScreen. That rationale plays to Microsoft’s focus, which is on the enterprise; without sufficient data for SmartScreen, business tools such as Outlook and Exchange might lose the ability to correctly detect malicious URLs.
IDG News Service