Executive Summary:
Microsoft has improved the security of Microsoft Internet Explorer (IE), and in IE 8.0 Beta 2 you can expect to see such new security features as domain highlighting, SmartScreen Filter, and ActiveX security features. Brief descriptions and a recommendation of what to do about IE 8.0 Beta 2 follow.
By the time you read this, Microsoft will have released Microsoft Internet Explorer (IE) 8.0 Beta 2, the second major external prerelease version of its upcoming browser. Beta 2 includes several end-user oriented features, in sharp contrast to the developer-oriented Beta 1. But the big news in this release is that it includes a near-final look at the security advances Microsoft is planning for this product. Here’s what you need to know about IE 8.0 security features.
Microsoft has been improving IE security for some time now. In the Windows XP SP 2 version of IE 6.0, for example, Microsoft added a pop-up ad blocker, drive-by download protection, and Manage Add-on functionality. In IE 7.0, the company added additional security functionality such as Protected Mode in Windows Vista, the Phishing filter, ActiveX Opt-In, and international domain name (IDN) spoofing protection. In IE 8.0, you can expect to see the following new security features:
Domain highlighting. IE 8.0 highlights the domain name of the currently loaded web page. For example, if you’ve navigated to http://www.winsupersite.com/showcase, you will see http://www.winsupersite.com/showcase in the browser’s Address Bar, with the domain portion (winsupersite.com) highlighted and the rest of the URL de-emphasized. This is especially important to prevent malicious sites from trying to redirect you or fool you into believing you’re visiting a legitimate site. If the URL for the current web page navigates to an IP address instead of a domain name, the Address Bar will turn red.
SmartScreen Filter. IE’s Phishing Filter has been renamed as the SmartScreen Filter and updated to protect against web sites that attempt to deliver various forms of malware. Known malicious sites are blocked via a red screen, and malicious software downloads are blocked as well. (You’ll be able to bypass these blocks if you want.) Potentially bad sites will trigger a pop-up warning.
ActiveX security features. Microsoft has built on the ActiveX opt-in functionality from IE 7.0 in several ways. Now, ActiveX controls are installed per user by default and on a per-site basis. (However, popular and trusted controls for Adobe Flash Player, Apple QuickTime, Windows Media Center, and a few others will work on any site.) A feature called ActiveX Killbits helps control makers disable controls when exploits are found, by using Windows Update functionality.
Data Execution Prevention (DEP) support. In the currently shipping versions of Windows XP and Vista, IE isn’t covered by the DEP security feature because of incompatibilities with popular ActiveX controls and other add-ons. This changes in IE 8.0, as long as you’re running XP SP3 or Vista SP1.
Cross-Site Scripting Filter. Similar to a buffer overflow, cross-site scripting occurs as the term suggests—across sites. Microsoft refers to it as a reflection attack, where a malicious web site creates a URL that includes an embedded script. When a user triggers this URL, another trusted web site is loaded into the browser, but the script runs, or reflects, on that site.
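As an added illustration of the reflection attack this paragraph describes (example code written for this edit, not from the article or from Microsoft): a trusted page that echoes a query parameter back raw, the same page hardened by output encoding, and a simple request-to-response comparison in the spirit of the filter. The names escapeHtml, renderSearchPage and reflectsScript, and the trusted.example host, are hypothetical.

```javascript
// Added example, not from the original article. Models reflected cross-site
// scripting on a trusted site and a request/response reflection check.

// Escape the characters HTML treats specially so user input renders as text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// A trusted site's search page that echoes the "q" query parameter.
// escape=false reflects the parameter raw (the defect the filter targets);
// escape=true is the same page hardened by output encoding.
function renderSearchPage(url, escape) {
  const q = new URL(url).searchParams.get('q') || '';
  const shown = escape ? escapeHtml(q) : q;
  return `<html><body><p>Results for: ${shown}</p></body></html>`;
}

// Reflection check in the spirit of the article's description: flag a
// response when script-like content from the request URL reappears in it
// unchanged. A simplified heuristic for illustration, not IE's actual logic.
function reflectsScript(url, responseHtml) {
  const q = new URL(url).searchParams.get('q') || '';
  const scriptLike = /<script|javascript:|on\w+\s*=/i;
  return scriptLike.test(q) && responseHtml.includes(q);
}

// Constructed sample request: the query value carries an inline script tag.
const sampleUrl = 'http://trusted.example/search?q=' +
  encodeURIComponent('<script>probe()</script>');

// Compare the raw and the encoded rendering of the same request.
function demo() {
  const raw = renderSearchPage(sampleUrl, false);
  const safe = renderSearchPage(sampleUrl, true);
  return {
    rawReflected: reflectsScript(sampleUrl, raw),   // true: echoed verbatim
    safeReflected: reflectsScript(sampleUrl, safe), // false: rendered as text
  };
}
```

The hardened page still shows the user's input, but as inert text, which is why the reflection check no longer matches on it.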
Cross-Domain Request and Cross-Document Messaging. These two features are aimed at web developers who want to create mash-ups, blogs, and other types of web applications that rely on cross-domain requests and content fetching, but in a more secure way. Untrusted sites in a page can communicate, and different domains can exchange documents, yet the user is protected from any threats.
Built for Business
IE 8.0 is engineered to support a wide range of customization options via Group Policy Objects (GPOs). For example, administrators can turn off the SmartScreen Filter’s “Disregard and Continue” and “Unlock” download options. If it’s customizable in IE, you can enforce it via Group Policy.
The IE 8.0 value proposition isn’t as clear cut as that of IE 7.0. Given how insecure IE 7.0’s predecessors were, moving to IE 7.0 was of obvious value. Still, you should begin evaluating IE 8.0 Beta 2. Security is probably the best reason: With its proactive security features, IE 8.0 appears poised to protect users against a new generation of electronic attacks. And unlike Mozilla’s otherwise excellent Firefox browser, IE 8.0 is business friendly, using the corporate deployment and customization tools that you’re already familiar with.