Microsoft Details Internet Explorer 8 Security

April 9, 2008 – 5:24 PM

At the RSA Security Conference I caught up with Austin Wilson, Microsoft ‘s Director of Windows Product Management and learned a few tidbits about security enhancements coming in Internet Explorer 8. IE8 will address three specific areas where security can be a problem: social engineering, traditional browser vulnerabilities, and attacks on Web servers.

If the bad guys can trick you into giving away your personal information, they’ve won with almost no effort. IE8 builds on the anti-phishing protection that first showed up in IE7 but goes deeper in its analysis of suspicious pages. Wilson noted that Microsoft’s own network shrugs off a million phishing attempts a week–the problem is huge. Also, IE8’s address bar will boldface the actual domain and dim the rest of the address, so you won’t be fooled by something like www.ebay.notreally.com/stealpassword.html.

Data Execution Prevention blocks any attempt by a program to write into executable memory or execute code in an area marked as data, thereby preventing buffer overruns and similar attacks. In Vista DEP is turned on for all essential system components… except the browser. Because of backward-compatibility concerns, DEP isn’t active in IE7. Not only will IE8 have DEP turned on, it will also run each tab in its own separate process. That way, if a badly written add-in or an actual malware attack triggers DEP, it won’t kill the whole browser, just the tab involved. And if IE8 really does crash completely, the new automatic-recovery feature will allow it to reopen all tabs when it restarts.

Wilson noted that most “IE crashes” are actually caused by an add-in rather than the browser itself. Diagnosing the problem is a matter of disabling add-ins to see which is the culprit. IE8 will make this process easier by offering a much richer collection of information in the Manage Add-Ins dialog.

Starting with IE7 users have had to opt in any time a site invokes a new ActiveX control for the first time. IE8 will tighten this feature still further to require opt-in for each site that invokes a control. So, for example, a malicious site couldn’t trigger the diagnostic ActiveX that’s legitimately used by your computer’s OEM. Wilson noted that a small number of ubiquitous controls, like those needed to display Flash animation and PDF pages, will be exempt from this new requirement. ActiveX opt-in in IE8 will also be a per-user affair. Since the individual user isn’t requesting global installation of the control, the installation won’t trigger that annoying User Account Control dialog box.

The last piece, defending against Web server attacks, really isn’t something the average user will see. It’s aimed at Web developers who create mashups of information drawn from different sites. Cross Document Messaging (XDM) builds on XML 5 to create a secure way for sites to exchange information, and the XDomainRequest feature makes it possible for one site to securely invoke a component on another.

IE8 has been out in public beta for about a month, and there will be another, broader beta before the final release. Wilson wouldn’t commit to any specific timeframe; the release date will be driven by beta feedback and won’t be tied to any particular operating system release.

Source: PC Magazine