Microsoft Unveils New Internet Explorer Security Features

Coming to IE8 is a set of cross-site scripting defenses to defeat hackers looking to steal cookies and browser history, logging keystrokes, stealing credentials, or just evading phishing filters.
Internet Explorer's getting a little bit safer. Microsoft Wednesday unveiled significant new security features that will be in the next version of the company's Web browser, Internet Explorer 8, currently in public beta testing.

From Microsoft's standpoint, any improvement in security is a plus, and the company seems to be taking that to heart with Internet Explorer 8, which includes a slew of new or upgraded security features. In the past, Microsoft has been heavily criticized for its browser security, while its chief competitor, Mozilla Firefox, has been largely lauded.

One of the most important new features in IE8 is a set of cross-site scripting defenses to protect the browser against the most common type of these attacks, known as "reflection" attacks, wherein transmitted data is sent back to the attacker. During these attacks, hackers could be stealing cookies and browser history, logging keystrokes, stealing credentials, or just evading phishing filters.

Internet Explorer 8 will also have what Microsoft's calling the SmartScreen Filter, which has been previously announced, but is more than Microsoft originally let on. It's an upgraded version of the phishing filter found in Internet Explorer 7 with a twist. It now includes malware protection, a feature also found in the latest versions of Mozilla Firefox and Opera.

When users visit a site that's been reported by any one of a number of third-party data providers as a phishing or malware-laden site, they'll be greeted with a big red background and a warning. That's an upgrade over the anti-phishing user interface in Internet Explorer 7, which Microsoft tests found looked too much like a potentially less harmful page that just has security certificate errors.

The warning has options either to go to the user's home page or to "disregard and continue," though the first option is in much bigger text. Businesses will be able to set policy so that "disregard and continue" doesn't show up as an option. The anti-malware protection will also block suspicious downloads.

Several third-party data feeds will provide Internet Explorer with the information needed to block phishing and malware-laden Web sites. Microsoft gets data on reported phishing sites from seven providers, though it's not yet clear where it will get data on sites reported to contain malware.

Microsoft's already announced a number of security features for Internet Explorer 8. For example, the browser has a number of anti social engineering features. It will highlight domain names in the URL bar to help prevent URL spoofing, like when an e-mail tells the recipient to click on a site that's represented as a PayPal site, but is really a malicious one. There's also an additional anti-phishing feature, where a dialogue that catches certain site characteristics sets off a red flag even when the site isn't in IE's anti-phishing data feeds.

There are several new browser-based security features, including improvements to ActiveX dialogues and control. There are now several levels of security for ActiveX controls. With per user control, users can download and install a control and it will run whenever it wants. An opt in level allows users to decide whether the control should run each time it wants to. ActiveX kill bits can stop a control from loading at all, and per site control means a control can only be invoked by one particular Web site.

Data Execution Prevention helps mitigate many memory-related attacks, including buffer overruns, by blocking code execution from running in protected memory. Several other features, including cross domain request and cross domain messaging, are aimed at preventing attacks from taking place in mash-ups or any time two Web sites have to exchange information.

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing