Microsoft Claims IE9 Stops Most Social Engineering Threats

Application reputation feature in the browser blocks more than 20 million malware infections per month by white-listing applications from approved publishers, the software maker says.

Application reputation warnings introduced in Internet Explorer 9 are leading consumers to not download or run malware 95% of the time, resulting in at least 20 million infections being blocked per month.

Those statistics come by way of a Microsoft blog that reports on the results of new security features introduced in IE9, or improved from previous versions.

In the blog post, Microsoft points to research from Bruce Hughes at antivirus vendor AVG Technologies, who said that "our users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit." Accordingly, while addressing vulnerabilities is important, so is combating social engineering attacks.

To that end, Microsoft added a SmartScreen URL filter to IE7 to block phishing, tweaked it for IE8 to also block malware, and tweaked it again for IE9 to also block known malicious URLs.

IE9 also added SmartScreen Application Reputation, which in Microsoft's words "helps protect users from undetected malware masquerading as legitimate executable downloads." How big of a problem is this? According to Microsoft, one in 14 programs downloaded by Internet Explorer users is later confirmed to be malware.

But thanks to the new feature, "users are choosing to delete or not run malware 95% of the time from the new Application Reputation warnings," resulting in the prevention of an estimated 20 million infections per month, said Microsoft. Interestingly, when users do still choose to use the downloaded software--despite warnings--they face a 25% to 70% risk of malware infection. As that suggests, however, the feature may also create false positives, warning that a legitimate application may be malware, 30% to 75% of the time.

Helping stop users from executing malware, via the browser, can slow mass outbreaks and buy time for antivirus vendors to code fixes. For example, Microsoft points to a Trojan application outbreak that resulted in hundreds of thousands of downloads. It says IE9 flagged the application as suspect the moment it appeared, while it took 11 hours--by which time the brunt of the attack had already passed--for the first antivirus signatures and URL blocks to appear. According to Microsoft, "99% of IE9 users who clicked to download this malicious program chose to delete or not run the program from the Application Reputation unknown program warning."

Based on the comments to Microsoft's blog post, however, some people argue that the IE9 security benefits touted by Microsoft come at the expense of usability. For example, one commenter to Microsoft's Tuesday blog post said that "I am also finding a high number of false positives which is frustrating due to the way IE9 makes it so much more difficult to download and run these legitimate files."

Another commenter said the $400 cost of the digital certificate required for Application Reputation served to punish smaller software developers and generate higher levels of false positives. "If you are so keen on digital signing (which by the way is a good idea), then provide certificates for free," said the commenter.

Finally, security based on digital certificates can be effective, but is not without its own potential flaws. Notably--and as happened recently with certificate-issuing authority Comodo--an attacker can fraudulently obtain a legitimate certificate. But completely blocking those fraudulent Comodo certificates required browser makers to update and release new versions of their applications.

The Comodo incident echoed Stuxnet, which spread using a valid digital signature. Stopping that digital certificate required Microsoft to hard-code an update into its Windows operating system.
