Microsoft Hones IE 7's Drive-by-Download Defenses - InformationWeek

Developers working on Internet Explorer 7 are fortifying the browser against stealth downloads carrying malicious software.

While Microsoft's chairman Bill Gates told security professionals that security is job number one on Tuesday, he's leaving it up to developers like those working up the next version of Internet Explorer to make it happen.

Internet Explorer 7 (IE 7), said Gary Schare, director of product management for IE, will reduce the chance that spyware spreaders can use silent drive-by downloads to infect PCs with malicious software.

"Drive-by download" is the term for the hacker practice of using vulnerabilities, usually those in a browser, but sometimes within Windows, to install software when users simply surf to a malicious Web site.

"There are two primary ways that drive-by downloads are done, either through a vulnerability in IE itself or an add-on, or because the user has the security setting set too low," said Schare.

IE 7, which is currently in beta preview for Windows XP, will cut off some of the first class of attacks and offer a tool to help users avoid the second, Schare promised.

The new browser -- set to release for XP before the end of the year and to be included with the new Windows Vista when it ships around the same time -- further reduces the attack surface area, said Schare, by disabling most ActiveX controls tucked inside Windows.

Called "ActiveX Opt-in," the feature turns off all but a handful of ActiveX controls, and requires explicit user consent for others to run within IE 7. "We're going to disable nearly every control," said Schare, "especially the ones which don't need to be in Internet Explorer."

Although the list hasn't been finalized, Schare said that among the few controls which would be enabled off the bat would be Flash's and Acrobat's, as well as the one used by Windows/Microsoft Update.

"The ones that really matter are those in Windows," Schare said, acknowledging that Microsoft had to repeatedly patch older versions of IE against ActiveX-based flaws during 2005. Those bugs all involved ActiveX controls within Windows itself that were not intended to be used by IE, but could be used to hack into a PC.
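The article describes the opt-in model but not how an administrator would see which controls it affects on a given machine. The following PowerShell audit is an added example, not code from Microsoft or the article: it lists COM controls registered as scriptable from a web page and reports whether each is on IE's pre-approved list or blocked by a kill bit. It assumes the registry locations IE 7 and later use for the pre-approved list and for Compatibility Flags, and only sees controls that register the safe-for-scripting/safe-for-initializing categories (controls that answer IObjectSafety at runtime are not detected).

```powershell
# Added audit example (not from the article). Assumes the IE 7+ registry
# locations below: pre-approved controls live under Ext\PreApproved, and a
# kill bit is bit 0x400 of "Compatibility Flags" under ActiveX Compatibility.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$KillBitFlag      = 0x400                                      # COMPAT_EVIL_DONT_LOAD
$PreApprovedKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved'
$CompatKey        = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ActiveXOptInStatus {
    # Build a lookup of CLSIDs that IE will load without prompting.
    $preApproved = @{}
    if (Test-Path -LiteralPath $PreApprovedKey) {
        Get-ChildItem -LiteralPath $PreApprovedKey |
            ForEach-Object { $preApproved[$_.PSChildName.ToUpper()] = $true }
    }
    Get-ChildItem -LiteralPath 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid = $_.PSChildName
        $cats  = "$($_.PSPath)\Implemented Categories"
        # Only controls that declare themselves scriptable are reachable from a page.
        $scriptable = (Test-Path -LiteralPath "$cats\$SafeForScripting") -or
                      (Test-Path -LiteralPath "$cats\$SafeForInit")
        if (-not $scriptable) { return }

        # Read the kill bit, if any, for this CLSID.
        $flags  = 0
        $compat = Join-Path $CompatKey $clsid
        if (Test-Path -LiteralPath $compat) {
            $v = (Get-ItemProperty -LiteralPath $compat -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $v) { $flags = [int]$v }
        }
        [pscustomobject]@{
            CLSID       = $clsid
            Name        = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            Server      = (Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            KillBit     = (($flags -band $KillBitFlag) -ne 0)
            PreApproved = $preApproved.ContainsKey($clsid.ToUpper())
        }
    }
}

# Scriptable controls that are neither pre-approved nor kill-bitted are the ones
# ActiveX Opt-in will prompt the user about; these deserve review first.
Get-ActiveXOptInStatus | Where-Object { -not $_.KillBit -and -not $_.PreApproved } |
    Sort-Object Name | Format-Table CLSID, Name, Server -AutoSize
```

Run it in an elevated PowerShell session so that every CLSID key is readable; the Server column shows which DLL backs each control, which is what to check against Microsoft's kill-bit advisories.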
