Microsoft developed a prototype defense tool, BrowserShield, that can defend unpatched browsers by filtering and rewriting incoming Web content at network borders.

In the current prototype BrowserShield is deployed as a plugin for Microsoft Internet Security and Acceleration (ISA) Server 2004 along with a Javscript library that it sent to client browsers. BrowserShield translates HTML into "safe equivalents" and modifies the content to use the BrowserShield JavaScript library.

In a simple example, a Web page that contains the script alert("Hello World"); would be translated to eval(bshield.translate("alert(\"Hello World!\");". Because of the translation BrowserShield's JavaScript library would be called into action (via bshield.translate) instead of the browser's standard JavaScript libraries.

In this way malicious code can be rendered safe before it reaches the browser even if the browser has known but unpatched vulnerabilities, and when new zero-day exploits emerge updates can be made to BrowserShield while a patch is being developed. Because of its design BrowserShield could be implemented on client networks to filtering incoming traffic or on content hosting providers' networks to filter content before it leaves a Web server.

Several Microsoft product groups are reportedly interested in BrowserShield, including the IE and ISA Server teams as well as Live teams and MSN Search. Development of BrowserShield, which began in 2005, was done by Helen Wang and John Dunagan of the Systems and Networking group at Microsoft Research's Redmond lab. Wang and Dunagan were assisted by interns Charlie Reis and Saher Esmeir, as well as ISA Server program manager Opher Dubrovsky.

A more complete description of the technology and its inner workings can be found in Microsoft Research's publication BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML.