Feeds

Microsoft touts trustworthy browsing with IE8

If it asks if you'd like to see some puppies, just say no

Using blade systems to cut costs and sharpen efficiencies

Microsoft has detailed a raft of security improvements due to appear in Internet Explorer 8. The second beta of Redmond's web browser will be packed full of features designed to thwart phishing and drive-by download attacks, Redmond explained on Wednesday.

Users need to be running either Vista or Windows XP SP2 to take advantage of the upgrade. We knew already that IE8 would be promoted on three grounds: improved security, enhanced ease of use and a move towards stricter adherence to web standards. However, the upcoming release will feature a far more extensive set of security enhancements than previously expected, particularly in relation to blocking some classes of cross-site scripting attack.

Internet Explorer 7 introduced a phishing filter, and IE8 Beta 2 goes beyond this with features designed to warn surfers about sites that harbour malware, as well as those designed to trick users into handing over ebanking login credentials and such to crooks. Users who stray onto sites infected with Trojans will be confronted by a full-screen warning. The combined anti-phishing and malware defence will be branded as Microsoft SmartScreen filter.

(The latest updates to Firefox and Opera also include similar anti-malware technology. Apple is yet to introduce equivalent features.)

In addition, IE8 Beta 2 will have a Cross Site Scripting (XSS) filter, designed to help prevent malicious scripts from executing. Cross-site scripting attacks can be used to present content from a third-party site as if it came from a vulnerable site, potentially a bank or ecommerce store. The approach can also be used to steal session cookies, thereby allowing the takeover of webmail accounts, for example.

Microsoft clearly states that its Xss filter technology is no panacea against cross-site scripting flaws. But the promise of technology that automatically blocks malicious script from executing, crucially without presenting a user with a potentially confusing dialogue box, is a step in the right direction.

IE8 Beta 2 will also include features designed to thwart the malicious re-purposing of ActiveX controls and enhancements to the "Protected Mode" introduced in IE7. The software will also prompt users in cases where third-party applications, such as streaming media players or intenet telephony apps, are launched from the browser. Finally, in a nod to Web 2.0 security, there are a number of changes to the browser - such as safe rendering of MIME content - designed to make social networking and mashup sites safer to visit.

Redmond's developers describe IE8 as offering "trustworthy browsing". Similar security claims have been made about Win XP and Vista, of course. Windows XP was prone to worm infection before the release of service pack 2 and Vista, while more secure, has performance and reliability problems.

Even if Microsoft persuades users to upgrade - no mean feat, a survey out this week found that many surfers are still stuck on IE6 - IE8 will only succeed if it gets the tricky balance between usability and security right.

Microsoft's developers are smart and have clearly applied themselves diligently in thinking through IE8's security enhancements, as Wednesday's posts on the IE8 development blog illustrate, but attackers have a far easier job. They only need come up with one workable attack vector, whereas software vendors need to blockade every possible route.

A recent analysis story by El Reg's Dan Goodin explains the limitations of browser security upgrades in far greater depth here.

IE8 beta 2 is due out on 20 August. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.