Feeds

Microsoft touts trustworthy browsing with IE8

If it asks if you'd like to see some puppies, just say no

Choosing a cloud hosting partner with confidence

Microsoft has detailed a raft of security improvements due to appear in Internet Explorer 8. The second beta of Redmond's web browser will be packed full of features designed to thwart phishing and drive-by download attacks, Redmond explained on Wednesday.

Users need to be running either Vista or Windows XP SP2 to take advantage of the upgrade. We knew already that IE8 would be promoted on three grounds: improved security, enhanced ease of use and a move towards stricter adherence to web standards. However, the upcoming release will feature a far more extensive set of security enhancements than previously expected, particularly in relation to blocking some classes of cross-site scripting attack.

Internet Explorer 7 introduced a phishing filter, and IE8 Beta 2 goes beyond this with features designed to warn surfers about sites that harbour malware, as well as those designed to trick users into handing over ebanking login credentials and such to crooks. Users who stray onto sites infected with Trojans will be confronted by a full-screen warning. The combined anti-phishing and malware defence will be branded as Microsoft SmartScreen filter.

(The latest updates to Firefox and Opera also include similar anti-malware technology. Apple is yet to introduce equivalent features.)

In addition, IE8 Beta 2 will have a Cross Site Scripting (XSS) filter, designed to help prevent malicious scripts from executing. Cross-site scripting attacks can be used to present content from a third-party site as if it came from a vulnerable site, potentially a bank or ecommerce store. The approach can also be used to steal session cookies, thereby allowing the takeover of webmail accounts, for example.

Microsoft clearly states that its Xss filter technology is no panacea against cross-site scripting flaws. But the promise of technology that automatically blocks malicious script from executing, crucially without presenting a user with a potentially confusing dialogue box, is a step in the right direction.

IE8 Beta 2 will also include features designed to thwart the malicious re-purposing of ActiveX controls and enhancements to the "Protected Mode" introduced in IE7. The software will also prompt users in cases where third-party applications, such as streaming media players or intenet telephony apps, are launched from the browser. Finally, in a nod to Web 2.0 security, there are a number of changes to the browser - such as safe rendering of MIME content - designed to make social networking and mashup sites safer to visit.

Redmond's developers describe IE8 as offering "trustworthy browsing". Similar security claims have been made about Win XP and Vista, of course. Windows XP was prone to worm infection before the release of service pack 2 and Vista, while more secure, has performance and reliability problems.

Even if Microsoft persuades users to upgrade - no mean feat, a survey out this week found that many surfers are still stuck on IE6 - IE8 will only succeed if it gets the tricky balance between usability and security right.

Microsoft's developers are smart and have clearly applied themselves diligently in thinking through IE8's security enhancements, as Wednesday's posts on the IE8 development blog illustrate, but attackers have a far easier job. They only need come up with one workable attack vector, whereas software vendors need to blockade every possible route.

A recent analysis story by El Reg's Dan Goodin explains the limitations of browser security upgrades in far greater depth here.

IE8 beta 2 is due out on 20 August. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.