IT Security & Network Security News & Reviews - eWeek


IT Security & Network Security News & Reviews: Seven IE 9 Security Recommendations for Microsoft

By Brian Prince on 2010-04-16


Microsoft in March pulled some of the covers off Internet Explorer 9, the upcoming version of its popular Web browser. At the time, the focus was on enhancements aimed at developers. So far, Microsoft has not talked much about security, but that doesn't mean no one else is thinking about it. Here at eWEEK, we assembled a list of things we would like to see Microsoft do to improve security in IE 9, based on recommendations from security pros. With these seven items in the mix, Microsoft could bolster security protections for its browser, experts said.

Sandboxing Technology

Microsoft could improve things in IE 9 by adopting some of the sandboxing approaches Google uses in its Chrome browser. IE 9 has "Protected Mode," which is similar, though not designed for the same purpose, said Aaron Portnoy, TippingPoint security research team lead.

Plug-ins Out of Process

"I believe it would be beneficial to IE's security posture for it to run as many third-party plug-ins out of process as possible," TippingPoint's Portnoy said. "By running them in-process, an attacker can utilize known or unknown techniques to defeat or weaken exploit mitigations such as DEP [data execution prevention] and ASLR [address space layout randomization]."

Memory Randomization

Randomizing the memory addresses used by popular functions will make it tougher for attackers to identify and repeat exploits against vulnerable code, said Rick Moy, president of NSS Labs.

Redirect Hopping

"Drive-by downloads make use of multiple redirects to confuse reputation systems [such as IE SmartScreen and Google SafeBrowsing] and bring the user to an unwanted page with an exploit," NSS Labs' Moy said. "Disallowing more than one sequential redirect could significantly increase the effectiveness of reputation systems."

Content Security Policy

By implementing content security policy, Microsoft can offer users additional protections against cross-site scripting and click-jacking. Mozilla has already begun work in this direction for its Firefox browser.

Plug-in Registry

Moy said he would like to see users get help differentiating between good and bad plug-ins. "A combination of code hashing/white listing and reputation could help potential users know who made and packaged the application, and what their track record is," he said.

Secure API for Plug-ins

"Browsers should take the lead in protecting plug-ins from memory-based attacks, such as buffer overflows and heap sprays," Moy said. "Providing a secure API instead of direct memory access would go a long way toward reducing the attack surface."
