Feeds

Microsoft touts trustworthy browsing with IE8

If it asks if you'd like to see some puppies, just say no

Providing a secure and efficient Helpdesk

Microsoft has detailed a raft of security improvements due to appear in Internet Explorer 8. The second beta of Redmond's web browser will be packed full of features designed to thwart phishing and drive-by download attacks, Redmond explained on Wednesday.

Users need to be running either Vista or Windows XP SP2 to take advantage of the upgrade. We knew already that IE8 would be promoted on three grounds: improved security, enhanced ease of use and a move towards stricter adherence to web standards. However, the upcoming release will feature a far more extensive set of security enhancements than previously expected, particularly in relation to blocking some classes of cross-site scripting attack.

Internet Explorer 7 introduced a phishing filter, and IE8 Beta 2 goes beyond this with features designed to warn surfers about sites that harbour malware, as well as those designed to trick users into handing over ebanking login credentials and such to crooks. Users who stray onto sites infected with Trojans will be confronted by a full-screen warning. The combined anti-phishing and malware defence will be branded as Microsoft SmartScreen filter.

(The latest updates to Firefox and Opera also include similar anti-malware technology. Apple is yet to introduce equivalent features.)

In addition, IE8 Beta 2 will have a Cross Site Scripting (XSS) filter, designed to help prevent malicious scripts from executing. Cross-site scripting attacks can be used to present content from a third-party site as if it came from a vulnerable site, potentially a bank or ecommerce store. The approach can also be used to steal session cookies, thereby allowing the takeover of webmail accounts, for example.

Microsoft clearly states that its Xss filter technology is no panacea against cross-site scripting flaws. But the promise of technology that automatically blocks malicious script from executing, crucially without presenting a user with a potentially confusing dialogue box, is a step in the right direction.

IE8 Beta 2 will also include features designed to thwart the malicious re-purposing of ActiveX controls and enhancements to the "Protected Mode" introduced in IE7. The software will also prompt users in cases where third-party applications, such as streaming media players or intenet telephony apps, are launched from the browser. Finally, in a nod to Web 2.0 security, there are a number of changes to the browser - such as safe rendering of MIME content - designed to make social networking and mashup sites safer to visit.

Redmond's developers describe IE8 as offering "trustworthy browsing". Similar security claims have been made about Win XP and Vista, of course. Windows XP was prone to worm infection before the release of service pack 2 and Vista, while more secure, has performance and reliability problems.

Even if Microsoft persuades users to upgrade - no mean feat, a survey out this week found that many surfers are still stuck on IE6 - IE8 will only succeed if it gets the tricky balance between usability and security right.

Microsoft's developers are smart and have clearly applied themselves diligently in thinking through IE8's security enhancements, as Wednesday's posts on the IE8 development blog illustrate, but attackers have a far easier job. They only need come up with one workable attack vector, whereas software vendors need to blockade every possible route.

A recent analysis story by El Reg's Dan Goodin explains the limitations of browser security upgrades in far greater depth here.

IE8 beta 2 is due out on 20 August. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.