Microsoft to ratchet IE8 security another notch in Beta 2

Summary: Sometime in August, Microsoft plans to release Beta 2 of Internet Explorer 8. Yesterday, I spoke with Austin Wilson, Director of Windows Client Product Management at Microsoft, about some of the security-related changes due in this milestone, and got a preview of the changes announced today. Here are some details about what you can expect IE8 to do to block phishing attacks and minimize the risk from ActiveX controls, among other changes.

Sometime in August, Microsoft plans to release Beta 2 of Internet Explorer 8. Yesterday, I spoke with Austin Wilson, Director of Windows Client Product Management at Microsoft, about some of the security-related changes due in this milestone, and got a preview of the changes announced today.

The most noticeable change is the SmartScreen Filter, which replaces the Phishing Filter found in IE7. It uses the same reputation-based filter as its predecessor, but adds a few tweaks to make it easier to spot social engineering attempts. IE8 adds domain highlighting (as shown below) to frustrate phishing attempts that use long, complex URLs to make a link appear to go to a legitimate domain.

Changes to address bar in Internet Explorer 8
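As an added illustration (my example, not part of the original post and not Microsoft's IE8 code), the JavaScript below models the domain-highlighting idea: it isolates the registrable domain the browser will actually connect to and separates it from the subdomains, userinfo, path and query that surround it, which is what lets a long, decorated URL be read at a glance. The public-suffix table is a constructed stub of a few entries, and the sample URLs are constructed; a real implementation would use the full Public Suffix List.

```javascript
// Added example, not Microsoft's IE8 code: a simplified model of domain
// highlighting. Given a URL, isolate the registrable domain the browser will
// connect to so that a display layer can render it prominently and dim the
// subdomains, userinfo, path and query around it.

// Constructed stub of a public-suffix table; a real implementation uses the
// full Public Suffix List, which has thousands of entries.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "org.uk"]);

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Return the registrable domain for a hostname: the label just before the
// longest matching public suffix, plus that suffix. IP literals are returned
// unchanged since they have no domain hierarchy to highlight.
function registrableDomain(hostname) {
  if (IPV4.test(hostname)) return hostname;
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join(".");
  }
  // Unknown suffix: fall back to the last two labels.
  return labels.slice(-2).join(".");
}

// Split a URL into the part before the registrable domain, the domain itself,
// and the part after it, and note whether the URL carries a userinfo section
// (the "user@" form that makes the text before "@" look like the host).
function highlightAddress(urlString) {
  const url = new URL(urlString);
  const host = url.hostname;
  const domain = registrableDomain(host);
  const userinfo = url.username !== "";
  const credentials = userinfo
    ? url.username + (url.password ? ":" + url.password : "") + "@"
    : "";
  return {
    before: url.protocol + "//" + credentials + host.slice(0, host.length - domain.length),
    domain,
    after: (url.port ? ":" + url.port : "") + url.pathname + url.search + url.hash,
    userinfo,
  };
}

// Render the split as text, marking the domain with brackets; a real address
// bar would use colour instead.
function renderAddress(urlString) {
  const h = highlightAddress(urlString);
  return h.before + "[" + h.domain + "]" + h.after;
}

// Constructed URLs for illustration: a look-alike prefix and a userinfo trick.
console.log(renderAddress("http://www.examplebank.com.example.net/login"));
// → http://www.examplebank.com.[example.net]/login
console.log(renderAddress("http://examplebank.com@example.net/login"));
// → http://examplebank.com@[example.net]/login
```

The `userinfo` flag is worth surfacing separately: a URL that carries credentials before an `@` is rare in legitimate navigation, and the highlighted domain alone does not tell the user that the leading text was never the host.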

Part of the work involves simplifying the interface for displaying potentially dangerous websites. In IE7, for example, the address bar turns yellow when you encounter a suspicious site and red when you attempt to visit a site that is reported as unsafe. In IE8 the yellow bar is gone, replaced by a dialog box. The green address bar for sites that use Extended Validation certificates remains.

When you try to visit a site that is listed in the database of known unsafe sites, the background of the browser window turns blood red and this stern warning appears:

New SmartScreen anti-phishing filter in Internet Explorer 8

The SmartScreen filter in IE8 also extends protection to download attempts, blocking access to servers that are known to be serving up malware.

The concepts behind that work should be familiar to anyone who's used a competing browser, such as the just-released Firefox 3. Corporate customers and security professionals should be more interested in architectural changes designed to block access to vulnerabilities in ActiveX controls and take advantage of Data Execution Prevention features.

The ActiveX changes (some of which were announced in May) allow controls to be locked to a specific site and to be offered on a per-user basis. The former prevents a hostile website from being able to call an existing ActiveX control (such as one installed by the system builder or with another program, or one downloaded from a different, presumably safe web page). The user (or a system administrator, using group policy) has to opt in to those controls and can lock them for use only on a specific site.

ActiveX controls can also be offered on a per-user basis, bypassing the need for UAC prompts and lessening the possibility that one user can install a control that compromises the entire system or other user accounts.

In IE7, Data Execution Prevention (DEP) is disabled for the browser process by default, primarily for compatibility reasons. IE8 enables DEP on Windows Vista SP1, Windows XP SP3, and Windows Server 2008. As a result, any page or add-in that tries to use a buffer overflow or other exploit to place executable code in an area of memory that is reserved for data and run it from there will crash that browser tab (but shouldn't take down other tabs).

Finally, IE8 is designed to protect against some forms of server-based attacks as well. The most noteworthy change is code that blocks common forms of cross-site scripting exploits. According to Wilson, IE8 will detect Type-1 (reflected) attacks and block script from being injected into a web server via the URL.
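As an added example (mine, not Microsoft's implementation, which the post does not describe in detail), the JavaScript below is a deliberately simplified model of a reflected cross-site scripting filter of the kind described above: it flags query-string values in the request URL that look like script, and acts only when the same value is echoed verbatim in the response, which is what "reflected" means. The request URL, the response page, and the pattern list are constructed for illustration.

```javascript
// Added example, not Microsoft's IE8 code: a deliberately simplified model of
// a reflected (Type-1) cross-site scripting filter. Real filters use many more
// heuristics; this one shows the core idea of matching request input against
// response output.

// Constructed patterns that mark a query-string value as script-like.
const SCRIPT_PATTERNS = [
  /<script\b[^>]*>/i,    // opening <script> tag
  /\bon[a-z]+\s*=/i,     // inline event handler attribute such as onerror=
  /javascript\s*:/i,     // javascript: URL scheme
];

// Return the query parameters of a request URL whose values look like script.
function suspiciousQueryValues(urlString) {
  const hits = [];
  for (const [name, value] of new URL(urlString).searchParams) {
    if (SCRIPT_PATTERNS.some((re) => re.test(value))) hits.push({ name, value });
  }
  return hits;
}

// Defang a reflected fragment: escape tag delimiters and break the handler and
// scheme patterns with a '#' so they no longer parse as script.
function neuter(fragment) {
  return fragment
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/(\bon[a-z]+)\s*=/gi, "$1#=")
    .replace(/javascript\s*:/gi, "javascript#:");
}

// Apply the filter: a suspicious value that the server echoes verbatim into
// the response is replaced with its neutered form. Values that are not echoed
// (or are not script-like) leave the response untouched.
function filterReflectedScript(urlString, responseHtml) {
  let body = responseHtml;
  const neutered = [];
  for (const { name, value } of suspiciousQueryValues(urlString)) {
    if (body.includes(value)) {
      body = body.split(value).join(neuter(value));
      neutered.push(name);
    }
  }
  return { body, neutered, blocked: neutered.length > 0 };
}

// Constructed request and response for illustration: the server reflects the
// "q" parameter into the page without encoding it.
const reflectedUrl = "http://example.test/search?q=%3Cscript%3Ex()%3C%2Fscript%3E";
const reflectedPage = "<p>Results for <script>x()</script></p>";
console.log(filterReflectedScript(reflectedUrl, reflectedPage));
// → { body: '<p>Results for &lt;script&gt;x()&lt;/script&gt;</p>', neutered: ['q'], blocked: true }
```

Two things a practitioner should take from the model: the filter only changes anything when the server already reflects the input unencoded, so output encoding on the server remains the actual fix and a client-side filter of this kind is a second line of defence rather than a substitute; and because it rewrites the response, the same mechanism can alter legitimate pages whose content happens to match a request parameter, which is the compatibility cost any such filter has to manage.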

I’ll have a more detailed look at these changes when the beta code is available next month.

Talkback

13 comments
  • Microsoft Press Release

    Only the other week Ed ran a story about how shoddy some people are, running stories based on software companies' press releases/marketing documents. Oh, and that companies selling security software try and scare the market about the need for their products' ability to provide improved security.

    This story seems to fit the same bill?

    Tell us the security has been improved when the product is out on beta in August not when they send out a press release.
    martin23
    • Sheesh, Martin

      Are you deliberately being obtuse?

      I've described changes that Microsoft plans to make in the next version of a piece of software that is the most widely used in the world. I said at the end that I would look in more detail at the specifics when the code is available next month. I went out of my way not to make any claims about how well anything would work, only to describe the design and the plans.

      People do want to know this stuff. It affects their buying plans and their web development plans. That makes it news.
      Ed Bott
      • Some People's Kids

        Yes, I agree, this is very important since I am always wary of the new changes in browsers since I am a web developer and web master for a site that gets over a million visitors a year -- I know, it's not porn, if it were, a million hits a day, and about 200,000 visitors a day -- But I am happy... Keep up the good work and pay no mind to the snivelers and simpletons out there.
        Kromaethius
    • Don't feel that I'm picking on you...

      But I am...

      In a word; Comprehension.

      Might I suggest that you catch your breath and re-read before making an "obtuse" comment?

      The author didn't make any bold claims in anyway of how good the beta is, but simply what the so-called features are in the browser. To see how good something is, yes I agree, let's launch the product to the masses and see how good it all works.

      Microsoft will indeed launch the beta eventually to the public, and I for one will begin my own testing when the final release is out the door.
      Kromaethius
  • RE: Microsoft to ratchet IE8 security another notch in Beta 2

    I think IE security is extremely important. For one thing, it's what most Windows users, especially the most vulnerable will use.
    Having used beta 1 of IE 8 it works very well with Vista but not so hot on XP, at least that was my experience with it. Seems very fast compared to IE7 or FF2. I'm looking forward to the update.
    marks055@...
  • RE: Microsoft to ratchet IE8 security another notch in Beta 2

    I am always stunned by those people who feel the need to rush to Ed's defence and throw insults at anyone who dares question him. ZDNet looks like a Microsoft fanzine web site sometimes. Maybe some people out there feel the need to justify their decisions, web masters with a billion visitors an hour included.

    Now Ed, if you're going to throw out the somewhat puerile accusation "obtuse" and accuse me of not reading what you said, then please have the courtesy of reading what I said, not twisting what you think I meant.

    I fully accept IE8 is important for a number of reasons and in no way dispute that fact. However I do not see why an upcoming beta merits 2 stories on ZDNet based just on their press release without any serious questioning of the content of those press releases.

    It is not acceptable to justify repeating Microsoft's claims without any circumspection simply because you have to wait until the product is released. Are there no characteristics of the beta that concern you, no omissions, no doubts that the product will fulfil the expectations contained in the press release?

    For the towering intellects who wish to repeat Ed's epithets and use words like comprehension: please don't bother; Ed can defend himself. Unlike most I have no vested interest in defending or opposing any product.
    martin23
    • So what you want is ...

      I reported based on the announcement, asked some questions, added some context, and promised to provide more details when the product is actually available for me to look at.

      But that's not good enough for Martin. You write:

      "Are there no characteristics of the beta that concern you, no omissions, no doubts that the product will fulfil the expectations contained in the press release."

      In other words, can I please add some speculation that is not based on fact? Or ask some questions that can't be answered?

      Meanwhile, I see you've dropped your original argument, which is that I'm guilty of the same behavior I accused other people of a few months ago. To refresh everyone else's memory, that was when a company claimed in a press release that Windows Vista was less secure than Windows 2000, and several dozen media outlets repeated that claim (in screaming headlines, even) without bothering to check the facts.

      There's no comparison to this post, which lists the design changes Microsoft has announced for an upcoming beta release of IE8.

      You may now change the subject again.
      Ed Bott
  • RE: Microsoft to ratchet IE8 security another notch in Beta 2

    Ed, I have not dropped my original argument, far from it. If your story had been headed Microsoft "claim" security will be ratcheted up it might seem more circumspect and plausible. Reporting as fact that security will be increased without any regard to those issues which may or may not be addressed or which might remain outstanding is "speculation", but that's surely the point of journalism. Are you saying that from the specification you have seen there are no holes, no issues which concern you? Is IE8 going to be a perfectly secure product?

    If we want to read a Microsoft press release without review or moderation then why not simply post the press release directly. The reality is that neither Microsoft's nor any other company's press releases are totally accurate.

    The analogy with your previous post where you berated others for not critically reviewing another company's press release holds inasmuch as all stories should critically review. Suggesting you are not able to comment on Microsoft's because the product is not released seems a weak justification for raising no issues. This would imply that if you were a political journalist you would take as fact the manifesto of both the prospective Presidential candidates.
    martin23
    • You really need to learn

      How to use the Reply To Message button.

      Meanwhile, I've said my piece and you're simply repeating yourself.
      Ed Bott
      • Ed, you're right - for once

        Ed, you're right. (full stop placed there so you can quote this back to me in the future) I pressed the wrong reply option. Must be getting too old to read the large print.

        On the issue of the content, I'm not repeating myself, just clarifying things for you and correcting your misunderstandings, as you seem to have got a little confused between journalism (which you seemed to deprecate as speculation) and copy typing.
        martin23
        • Announcements and analysis

          Martin, announcements are news. They don't always require a full-blown analysis. In fact, in many cases they can't be analyzed because there's nothing to examine.

          In this case, I reported on some announcements from Microsoft. I tried to state the facts of the announcement and refrain from any opinion on whether they were good, bad, successful, or misguided. I will have all that in a month or so, when the beta code is ready.

          Press releases and company announcements are not inherently evil. They can form the basis of a news story, as in this case. The distinction you still don't understand is that the PC Tools press release contained analysis and conclusions from a company based on facts that they did not make available. When reporters simply cut and pasted that analysis without even bothering to check the facts, they were wrong.
          Ed Bott
    • What a maroon...

      "Are you saying that from the specification you have seen there are no holes no issues which concern you. Is IE8 going to be a perfectly secure product."

      Dude... When will you learn?

      THERE IS NO SUCH THING AS A PERFECTLY SECURE PROGRAM!
      Wolfie2K3
  • About Talkback moderation

    This is reposted from an earlier thread:

    If you've posted a comment here recently and found that it was deleted, this message is for you.

    As I've said repeatedly, I am not a moderator here. I do not have access to the tools that manage TalkBack message boards. I cannot delete a single TalkBack comment, and I can only edit my own posts. If your comment is deleted, that action was taken by a ZDNet moderator.

    Posts get deleted for a variety of reasons. The most common are that they engage in name-calling and abusive behavior. The second most common is that they are off-topic.

    Readers have made it very clear they are tired of off-topic posts and of flame wars, and the moderators are responding to that request. If you want the world to read a news article about something you find interesting, start your own blog and post it there. Or find a blog post or news article that is relevant to that topic and post it in the discussion under that post. But don't post that off-topic link or comment here: The moderators are taking a firmer line on these posts, in the interests of improving the TalkBack section for everyone.

    Comments that are directly relevant to the content of a post are always welcome. Contrary points of view are welcome and even encouraged, as long as they are relevant to the topic of the current post and don't violate other terms of service.

    The full terms of use are here:

    http://www.cnetnetworks.com/editorial/terms.html

    Meanwhile, if you have a problem with this policy, please don't complain about it here. That's not the point of this Talkback thread, and your comment will probably be deleted as off-topic. To contact the editors of ZDNet about this or any other policy, use this form:

    http://zdnet.custhelp.com/cgi-bin/zdnet.cfg/php/enduser/ask.php
    Ed Bott