
Microsoft Unveils New Internet Explorer Security Features


Coming to IE8 is a set of cross-site scripting defenses to defeat hackers looking to steal cookies and browser history, log keystrokes, steal credentials, or just evade phishing filters.



Internet Explorer's getting a little bit safer. Microsoft Wednesday unveiled significant new security features that will be in the next version of the company's Web browser, Internet Explorer 8, currently in public beta testing.

From Microsoft's standpoint, any improvement in security is a plus, and the company seems to be taking that to heart with Internet Explorer 8, which includes a slew of new or upgraded security features. In the past, Microsoft has been heavily criticized for its browser security, while its chief competitor, Mozilla Firefox, has been largely lauded.


One of the most important new features in IE8 is a set of cross-site scripting defenses to protect the browser against the most common type of these attacks, known as "reflection" attacks, wherein transmitted data is sent back to the attacker. During these attacks, hackers could be stealing cookies and browser history, logging keystrokes, stealing credentials, or just evading phishing filters.
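
As an added illustration (not part of the original article and not Microsoft's implementation), the JavaScript below shows the general idea of a reflection check: it flags a response when a request parameter that looks like script is echoed back into the page unencoded. The heuristics, function names and the `example.test` URL are assumptions made for the example.

```javascript
// Added illustration: a simplified reflection check, not IE8's actual filter.

// Constructed heuristics for "looks like active content" (assumption).
const SUSPICIOUS = [/<script\b/i, /\bon\w+\s*=/i, /javascript:/i];

// Encode the characters that let text break out into HTML markup.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Returns the names of query parameters whose suspicious value
// appears verbatim (unencoded) in the response body.
function findReflections(requestUrl, responseBody) {
  const hits = [];
  for (const [name, value] of new URL(requestUrl).searchParams) {
    if (!SUSPICIOUS.some(re => re.test(value))) continue; // benign value
    if (responseBody.includes(value)) hits.push(name);    // echoed as-is
  }
  return hits;
}

// Two constructed server behaviours for the same search page:
// one echoes the parameter raw, the other encodes it on output.
const renderUnsafe = q => `<p>Results for ${q}</p>`;
const renderSafe = q => `<p>Results for ${htmlEncode(q)}</p>`;

// Constructed request (example.test is a reserved test domain).
const url = 'http://example.test/search?q=' +
  encodeURIComponent('<script>alert(1)</script>') + '&page=2';
const q = new URL(url).searchParams.get('q');

console.log(findReflections(url, renderUnsafe(q))); // [ 'q' ]
console.log(findReflections(url, renderSafe(q)));   // []
```

The second result is empty because output encoding on the server removes the reflection entirely; a browser-side check of this kind only backstops pages that echo input raw.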

Internet Explorer 8 will also have what Microsoft's calling the SmartScreen Filter, which has been previously announced, but is more than Microsoft originally let on. It's an upgraded version of the phishing filter found in Internet Explorer 7 with a twist. It now includes malware protection, a feature also found in the latest versions of Mozilla Firefox and Opera.

When users visit a site that's been reported by any one of a number of third-party data providers as a phishing or malware-laden site, they'll be greeted with a big red background and a warning. That's an upgrade over the anti-phishing user interface in Internet Explorer 7, which Microsoft tests found looked too much like a potentially less harmful page that just has security certificate errors.

The warning has options either to go to the user's home page or to "disregard and continue," though the first option is in much bigger text. Businesses will be able to set policy so that "disregard and continue" doesn't show up as an option. The anti-malware protection will also block suspicious downloads.

Several third-party data feeds will provide Internet Explorer with the information needed to block phishing and malware-laden Web sites. Microsoft gets data on reported phishing sites from seven providers, though it's not yet clear where it will get data on sites reported to contain malware.

Microsoft's already announced a number of security features for Internet Explorer 8. For example, the browser has a number of features to counter social engineering. It will highlight domain names in the URL bar to help prevent URL spoofing, like when an e-mail tells the recipient to click on a site that's represented as a PayPal site, but is really a malicious one. There's also an additional anti-phishing feature, where a dialogue that catches certain site characteristics sets off a red flag even when the site isn't in IE's anti-phishing data feeds.

There are several new browser-based security features, including improvements to ActiveX dialogues and control. There are now several levels of security for ActiveX controls. With per-user control, users can download and install a control and it will run whenever it wants. An opt-in level allows users to decide whether the control should run each time it wants to. ActiveX kill bits can stop a control from loading at all, and per-site control means a control can only be invoked by one particular Web site.

Data Execution Prevention helps mitigate many memory-related attacks, including buffer overruns, by blocking code from executing in protected memory. Several other features, including cross-domain request and cross-domain messaging, are aimed at preventing attacks from taking place in mash-ups or any time two Web sites have to exchange information.

