IE11 shows that browser security tech has peaked


Summary: Every new version of Internet Explorer for a decade has had important new security features. Internet Explorer 11 on Windows 7 has basically none, and that's a good thing.

TOPICS: Security, Microsoft

Security improvements have been a staple feature of Internet Explorer major version upgrades since the Great Security Awakening 10 years ago. Now that Microsoft is getting closer to releasing Internet Explorer 11 for Windows 7, it's clear that the trend has run its course.


Contrary to aged conventional wisdom, recent versions of Internet Explorer are very secure, perhaps the most secure browser available. It's rare for users to get exploited through IE vulnerabilities these days (yesterday's revelations notwithstanding).

There is one interesting new security feature in IE11 on Windows 8.1: support for the WebCryptoAPI, a JavaScript API for performing basic cryptographic functions. I suspect this is less useful for web pages as such and more designed for Windows apps, which are often written in JavaScript. On Windows 7 there will be no WebCryptoAPI.

The closest thing to a new security feature for IE11 on Windows 7 is WebGL, and no, WebGL is not a security feature. But it's security related because Microsoft had previously sworn that WebGL is unsecurable and had no place in Microsoft products.

The problem is that WebGL exposes only a thin interface layer between web pages and graphics drivers, a category of software with a dubious reputation for quality.

It seems they've squared the circle, using a combination of certified drivers and a thicker software layer for safety. So it's not so much a security feature as a security mitigation of a dangerous, new non-security feature.

IE10 was also rather thin for security features. The closest one was the integration of the Adobe Flash Player, which should make it more promptly updated. In fact, more significant in IE10 was the removal of several features, like VML (Vector Markup Language), that never caught on but expanded the attack surface.

Security innovations are not the focus of recent versions of Chrome or Firefox either.

Obviously users still get hacked through browsers, but it's a different sort of problem, usually involving social engineering and no real software error. It's just another way of saying that we've done what we can securing the browser; now we have to secure the user, and that may be impossible.

  • Security

    I doubt any browser has perfect security.

    I do agree however the major browsers are rarely the real security problem. The problems tend to be Flash, Java Applets, and user errors for most "browser issues" not the browsers themselves. The first two attack vectors are inexcusable. Adobe and Oracle need to clean up the products. User errors will be with us because it is impossible for anyone not to make an occasional mistake.
  • There's more ...

    1. Allow the user to put a leash on JavaScript so that it runs only on one's legitimate and frequently-visited websites. A good start would be to make Enhanced Security Configuration for IE, which defaults on Windows Server OSs, **optional** for use on Windows client OSs.

    2. Allow the user to put a leash on Java applets so that they can run only on one's legitimate and frequently-visited websites.

    3. Allow the user to put a leash on WebGL, now that IE 11 supports it. Similar to JavaScript and Java applets, only one's legitimate and frequently-visited websites should have access to WebGL.

    These three items are among the most important features offered by the NoScript add-on for Mozilla Firefox.
    Rabid Howler Monkey
    • One more

      Flashblock. It helps with more than security since you don't run a million Flash-based ads to eat your CPU cycles.
      • Flash is unstable

        Not to mention that Flash crashes frequently and is the cause of a lot of browser instability. And it's a security nightmare.
  • Even better - click to play

    Click to play is better if implemented correctly - it blocks every plugin instance by default and you have to click on an overlaid image to play its content (you also have the option to enable running the plugins if the site has basic functions through plugins).
    Every other major browser has it - Chrome, Opera (the 12 series), Firefox (although 24 has it nerfed for some seemingly downright silly reasons).
  • auto-censor

    zdnet post checker is broken.

    Anyway, totally disagree with the article. IE security is horrible when every app in the world installs toolbars and makes changes to IE with almost no user intervention or approval. It's way too easy for addons to sneak in, like Conduit, coupon bars, Ask, etc. IE should be locked down and addons should not install or run without EXPLICIT user approval. Unknown (non-whitelisted) addons should evoke a big red flashing "potentially dangerous" alert. As there are IE updates monthly, this shouldn't be an issue. We have "smartscreen" yet it doesn't block or alert on any of this nasty stuff.
  • you gotta be kidding me...

    "Every new version of Internet Explorer for a decade has had important new security features. Internet Explorer 11 on Windows 7 has basically none, and that's a good thing."

    So it still sucks and that's a good thing???? Only Microsoft-paid propagandists can stand behind such ridiculous Orwellian claims.