Microsoft Unveils New Internet Explorer Security Features - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Enterprise Architecture
11:58 AM
Connect Directly

Microsoft Unveils New Internet Explorer Security Features

Coming to IE8 is a set of cross-site scripting defenses to defeat hackers looking to steal cookies and browser history, logging keystrokes, stealing credentials, or just evading phishing filters.

Internet Explorer's getting a little bit safer. Microsoft Wednesday unveiled significant new security features that will be in the next version of the company's Web browser, Internet Explorer 8, currently in public beta testing.

From Microsoft's standpoint, any improvement in security is a plus, and the company seems to be taking that to heart with Internet Explorer 8, which includes a slew of new or upgraded security features. In the past, Microsoft has been heavily criticized for its browser security, while its chief competitor, Mozilla Firefox, has been largely lauded.

One of the most important new features in IE8 is a set of cross-site scripting defenses to protect the browser against the most common type of these attacks, known as "reflection" attacks, wherein transmitted data is sent back to the attacker. During these attacks, hackers could be stealing cookies and browser history, logging keystrokes, stealing credentials, or just evading phishing filters.

Internet Explorer 8 will also have what Microsoft's calling the SmartScreen Filter, which has been previously announced, but is more than Microsoft originally let on. It's an upgraded version of the phishing filter found in Internet Explorer 7 with a twist. It now includes malware protection, a feature also found in the latest versions of Mozilla Firefox and Opera.

When users visit a site that's been reported by any one of a number of third-party data providers as a phishing or malware-laden site, they'll be greeted with a big red background and a warning. That's an upgrade over the anti-phishing user interface in Internet Explorer 7, which Microsoft tests found looked too much like a potentially less harmful page that just has security certificate errors.

The warning has options either to go to the user's home page or to "disregard and continue," though the first option is in much bigger text. Businesses will be able to set policy so that "disregard and continue" doesn't show up as an option. The anti-malware protection will also block suspicious downloads.

Several third-party data feeds will provide Internet Explorer with the information needed to block phishing and malware-laden Web sites. Microsoft gets data on reported phishing sites from seven providers, though it's not yet clear where it will get data on sites reported to contain malware.

Microsoft's already announced a number of security features for Internet Explorer 8. For example, the browser has a number of anti social engineering features. It will highlight domain names in the URL bar to help prevent URL spoofing, like when an e-mail tells the recipient to click on a site that's represented as a PayPal site, but is really a malicious one. There's also an additional anti-phishing feature, where a dialogue that catches certain site characteristics sets off a red flag even when the site isn't in IE's anti-phishing data feeds.

There are several new browser-based security features, including improvements to ActiveX dialogues and control. There are now several levels of security for ActiveX controls. With per user control, users can download and install a control and it will run whenever it wants. An opt in level allows users to decide whether the control should run each time it wants to. ActiveX kill bits can stop a control from loading at all, and per site control means a control can only be invoked by one particular Web site.

Data Execution Prevention helps mitigate many memory-related attacks, including buffer overruns, by blocking code execution from running in protected memory. Several other features, including cross domain request and cross domain messaging, are aimed at preventing attacks from taking place in mash-ups or any time two Web sites have to exchange information.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

New Storage Trends Promise to Help Enterprises Handle a Data Avalanche
John Edwards, Technology Journalist & Author,  4/1/2021
11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
How to Submit a Column to InformationWeek
InformationWeek Staff 4/9/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll