Microsoft Steps Up IE8 Security
Sticking to this week's hot topic of browser security -- building off an influential new report published on the topic on Tuesday and Mozilla's move yesterday to address a dozen newly discovered flaws in its Firefox browser -- Microsoft has announced a pair of new/retrenched security features that will arrive in the next rebuild of Internet Explorer.
The tools aim to address some of the most significant security issues facing Net users today, including phishing and cross-site scripting attacks. The company specifically said late yesterday that it will offer a new security filtering tool dubbed SmartScreen Filter along with additional cross-site scripting protection in IE8 Beta 2, which is slated to arrive in August 2008.
Previously known as its Phishing Filter and first introduced in late 2006 as part of its initial IE7 browser, and then parceled together with Extended Validation certificate support in the first version of IE8 released in 2007, the SmartScreen Filter promises features improving on the previous tools, including:
- An improved user interface
- Faster performance
- New heuristics and enhanced telemetry
- Anti-malware support
- Improved Group Policy support
... according to the company's official IEBlog, found here.
Perhaps most interesting is the filter's anti-malware support promises to "go beyond anti-phishing to help block sites that are known to distribute malware, malicious software that attempts to attack your computer or steal your personal information," the company said.
The SmartScreen anti-malware feature is going to be "URL-reputation-based, which means that it evaluates the servers hosting downloads to determine if those servers are known to distribute unsafe content."
SmartScreen's reputation-based analysis will work "in concert with other signature-based anti-malware technologies like the Malicious Software Removal Tool, Windows Defender and Windows Live OneCare" to provide more "comprehensive protection against malicious software," the company said.
The "XSS Filter" obviously aims to address the growing problem of hijacked Web sites, which was one of the larger issues highlighted in this week's report from browser researchers at Google, IBM and the CENL.
According to a blog on the feature authored by David Ross, one of Microsoft's security software engineers, the XSS filter will offer "visibility into all [browser] requests / responses flowing through the browser."
"When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server's response. Users are not presented with questions they are unable to answer -- IE simply blocks the malicious script from executing," Ross writes.
While the feature will stop many common XSS attacks, the software giant does clearly harbor some concerns that it could negatively affect the performance of some widely used Web components, so some of its elements won't be turned on by default, which seems a pity, but you have to give the company credit for avoiding a more draconian strategy.
"Ultimately we have taken a very pragmatic approach -- we choose not to build the filter in such a way that we compromise site compatibility. Thus, the XSS Filter defends against the most common XSS attacks but it is not, and will never be, an XSS panacea. This is similar to the pragmatic approach taken by ASP.Net request validation, although the XSS Filter is able to be more aggressive than the ASP.Net feature," Ross said.
Based on the Google/IBM/CENL report it's clear that users of IE -- approximately 577 million of the roughly 640 million people using the world's top four browsers, according to the research -- are in need of the most help.
While an impressive 83.3 percent of Firefox users are typically working with the latest, most updated version of the browser, only 47.6 percent of IE users are typically on the newest iteration, making on-board tools such as these even more important.
Microsoft really began its full frontal assault on browser security with the release of IE7 back in late 2006, when it blended additional ActiveX controls, a security status bar, phishing filters and a handful of other security tools into the browser.
Kudos to the software maker for continuing its efforts to try to address the problem, which has arguably become the biggest issue related to IT security these days, aside perhaps for the need for more software secure coding practices, which it has also worked to institute and advocate.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.