Microsoft touts trustworthy browsing with IE8

If it asks if you'd like to see some puppies, just say no

Microsoft has detailed a raft of security improvements due to appear in Internet Explorer 8. The second beta of Redmond's web browser will be packed full of features designed to thwart phishing and drive-by download attacks, Redmond explained on Wednesday.

Users need to be running either Vista or Windows XP SP2 to take advantage of the upgrade. We knew already that IE8 would be promoted on three grounds: improved security, enhanced ease of use and a move towards stricter adherence to web standards. However, the upcoming release will feature a far more extensive set of security enhancements than previously expected, particularly in relation to blocking some classes of cross-site scripting attack.

Internet Explorer 7 introduced a phishing filter, and IE8 Beta 2 goes beyond this with features designed to warn surfers about sites that harbour malware, as well as those designed to trick users into handing over ebanking login credentials and such to crooks. Users who stray onto sites infected with Trojans will be confronted by a full-screen warning. The combined anti-phishing and malware defence will be branded as Microsoft SmartScreen filter.

(The latest updates to Firefox and Opera also include similar anti-malware technology. Apple is yet to introduce equivalent features.)

In addition, IE8 Beta 2 will have a Cross Site Scripting (XSS) filter, designed to help prevent malicious scripts from executing. Cross-site scripting attacks can be used to present content from a third-party site as if it came from a vulnerable site, potentially a bank or ecommerce store. The approach can also be used to steal session cookies, thereby allowing the takeover of webmail accounts, for example.

Microsoft clearly states that its XSS filter technology is no panacea against cross-site scripting flaws. But the promise of technology that automatically blocks malicious script from executing, crucially without presenting a user with a potentially confusing dialogue box, is a step in the right direction.

IE8 Beta 2 will also include features designed to thwart the malicious re-purposing of ActiveX controls and enhancements to the "Protected Mode" introduced in IE7. The software will also prompt users in cases where third-party applications, such as streaming media players or internet telephony apps, are launched from the browser. Finally, in a nod to Web 2.0 security, there are a number of changes to the browser - such as safe rendering of MIME content - designed to make social networking and mashup sites safer to visit.

Redmond's developers describe IE8 as offering "trustworthy browsing". Similar security claims have been made about Win XP and Vista, of course. Windows XP was prone to worm infection before the release of service pack 2 and Vista, while more secure, has performance and reliability problems.

Even if Microsoft persuades users to upgrade - no mean feat, as a survey out this week found that many surfers are still stuck on IE6 - IE8 will only succeed if it gets the tricky balance between usability and security right.

Microsoft's developers are smart and have clearly applied themselves diligently in thinking through IE8's security enhancements, as Wednesday's posts on the IE8 development blog illustrate, but attackers have a far easier job. They only need come up with one workable attack vector, whereas software vendors need to blockade every possible route.

A recent analysis story by El Reg's Dan Goodin explains the limitations of browser security upgrades in far greater depth here.

IE8 beta 2 is due out on 20 August. ®
