Feeds

Microsoft touts trustworthy browsing with IE8

If it asks if you'd like to see some puppies, just say no

The Power of One eBook: Top reasons to choose HP BladeSystem

Microsoft has detailed a raft of security improvements due to appear in Internet Explorer 8. The second beta of Redmond's web browser will be packed full of features designed to thwart phishing and drive-by download attacks, Redmond explained on Wednesday.

Users need to be running either Vista or Windows XP SP2 to take advantage of the upgrade. We knew already that IE8 would be promoted on three grounds: improved security, enhanced ease of use and a move towards stricter adherence to web standards. However, the upcoming release will feature a far more extensive set of security enhancements than previously expected, particularly in relation to blocking some classes of cross-site scripting attack.

Internet Explorer 7 introduced a phishing filter, and IE8 Beta 2 goes beyond this with features designed to warn surfers about sites that harbour malware, as well as those designed to trick users into handing over ebanking login credentials and such to crooks. Users who stray onto sites infected with Trojans will be confronted by a full-screen warning. The combined anti-phishing and malware defence will be branded as Microsoft SmartScreen filter.

(The latest updates to Firefox and Opera also include similar anti-malware technology. Apple is yet to introduce equivalent features.)

In addition, IE8 Beta 2 will have a Cross Site Scripting (XSS) filter, designed to help prevent malicious scripts from executing. Cross-site scripting attacks can be used to present content from a third-party site as if it came from a vulnerable site, potentially a bank or ecommerce store. The approach can also be used to steal session cookies, thereby allowing the takeover of webmail accounts, for example.

Microsoft clearly states that its Xss filter technology is no panacea against cross-site scripting flaws. But the promise of technology that automatically blocks malicious script from executing, crucially without presenting a user with a potentially confusing dialogue box, is a step in the right direction.

IE8 Beta 2 will also include features designed to thwart the malicious re-purposing of ActiveX controls and enhancements to the "Protected Mode" introduced in IE7. The software will also prompt users in cases where third-party applications, such as streaming media players or intenet telephony apps, are launched from the browser. Finally, in a nod to Web 2.0 security, there are a number of changes to the browser - such as safe rendering of MIME content - designed to make social networking and mashup sites safer to visit.

Redmond's developers describe IE8 as offering "trustworthy browsing". Similar security claims have been made about Win XP and Vista, of course. Windows XP was prone to worm infection before the release of service pack 2 and Vista, while more secure, has performance and reliability problems.

Even if Microsoft persuades users to upgrade - no mean feat, a survey out this week found that many surfers are still stuck on IE6 - IE8 will only succeed if it gets the tricky balance between usability and security right.

Microsoft's developers are smart and have clearly applied themselves diligently in thinking through IE8's security enhancements, as Wednesday's posts on the IE8 development blog illustrate, but attackers have a far easier job. They only need come up with one workable attack vector, whereas software vendors need to blockade every possible route.

A recent analysis story by El Reg's Dan Goodin explains the limitations of browser security upgrades in far greater depth here.

IE8 beta 2 is due out on 20 August. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.