A Security Wish List for Microsoft Internet Explorer 9

Microsoft unveiled some details about Internet Explorer 9 this week at the Professional Developers Conference in Los Angeles. But what does Microsoft have in store for IE users from a security perspective?

Microsoft unveiled an embryonic version of Internet Explorer 9 at its Professional Developers Conference this week, touching off a round of speculation about what the browser will entail feature-wise.

From a security perspective, Microsoft has sought to make strides with each version of Internet Explorer. IE 7, for example, introduced a phishing filter; IE 8 added a cross-site scripting filter and InPrivate browsing.

Just what is in store for Internet Explorer 9 from a security perspective remains unknown. But in light of Microsoft's announcement, some security pros shared their thoughts with eWEEK about what they would like to see in the upcoming version of the Web browser.

For Jeremiah Grossman, CTO of WhiteHat Security, the first item on the list is for Microsoft to implement a content security policy, like Mozilla is doing with Firefox. Second is ensuring that publicly available Websites cannot initiate RFC 1918 connections by default. Third, he said, is that Microsoft offer more centralized user control over localStore, sessionStorage, Flash cookies and "all those other things like browser cookies hidden around the place."

The final item on Grossman's wish list is a solution to clickjacking and DNS-pinning-something he admits no one really has.

Gartner analyst John Pescatore said he would like to see Microsoft extend some of its malware detection in IE 9. In addition, all the browser vendors should make better use of Extended Validation certificates to make it harder for SSL (Secure Sockets Layer) certificates to be used in spoofing.

But others suggested even more extensive changes for Microsoft. Scott Crawford, an analyst with Enterprise Management Associates, told eWEEK he would like to see IE take a more proactive approach to stopping attempts to compromise the browser.

"This is in view with respect to the OS itself in Microsoft's vision of Trusted Computing, where (to summarize) only trusted functionality would be permitted to execute," he said in an e-mail. "A whitelisting approach such as a Bit9 or the type of change control acquired by McAfee with Solidcore would be another preventive approach. Endpoint application virtualization would also enable a browser compromised in runtime to be reinstantiated from a known good version."

The latter model has been implemented in a partnership between Mozilla, Symantec (Altiris) and Hewlett-Packard in which Firefox is locally virtualized by Altiris Workspace Virtualization on selected HP enterprise desktop PC models, he continued.

"Microsoft could package this concept in concert with, e.g., Virtual PC and System Restore capabilities," Crawford said. "One of IE's challenges in isolating browser functionality has been its depth of integration with a broadly functional and (at least prior to capabilities such as Windows File Protection) a readily modified OS. A more thorough approach would take advantage of hardware assisted virtualization and capabilities such as Intel VT-d on enabled hardware to isolate I/O for virtualized environments.

"Local execution, scripting and 'AJAX' capabilities generally have also been problematic," he added. "For Firefox, tools such as NoScript can be helpful here, but they can also be a real inhibitor to the browsing experience, and may have too much reliance on a user's ability to discern appropriate actions."

Even when a user is knowledgeable, page or site functionality may be seriously inhibited with scripting or client-side functionality is hampered for security reasons, he said.

"IE could, however, enable even greater control over scripting or client-side execution than it currently does, but to be more successful than approaches such as NoScript, some level of informed, automated control would be necessary. ... A lighter approach would be, for example, to expand client-side validation of browser-server interactions to increase controls over issues as cross-site scripting," he said.

For its part, Microsoft did not say much about security, but it did talk a lot about performance and the work it is doing around Web standards. Microsoft has not yet offered any timeline as to when IE 9 would be ready.