Microsoft Internet Explorer Security Strikes Back

Microsoft Internet Explorer 8 Beta 2 security builds on the Phishing Filter of IE 7 and thwarts cross-site scripting.

Microsoft Internet Explorer 8 Beta 2 will put a bull's-eye on malicious sites courtesy of the new SmartScreen Filter.

The feature, revealed July 2, is an answer to the blacklisting features built into Firefox 3 and Opera 9.5, and builds on the Phishing Filter introduced in IE 7 with, among other things, anti-malware support and new heuristic detection capabilities to block known bad sites. Security has been a key battleground between Microsoft's Internet Explorer, Mozilla's Firefox and other browsers. In addition to blocking bad sites, the filter also protects users who click on a link leading to a download on a rogue site by interrupting the download with a warning, according to Microsoft.

When it comes to thwarting XSS (cross-site scripting), Microsoft has added a filter that uses a heuristics-based approach to sanitize injected scripts.

"The XSS Filter operates as an IE 8 component with visibility into all requests [and] responses flowing through the browser," David Ross, a security software engineer at Microsoft, said in a blog post. "When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server's response. Users are not presented with questions they are unable to answer - IE simply blocks the malicious script from executing."
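The request/response check Ross describes can be sketched as a simplified model. This is an added example, not code from the article or from Microsoft: the suspicious-pattern list, the HTML-escaping used to neuter a reflection, the treatment of a missing referrer and the `.example` hosts are all assumptions made for illustration.

```javascript
// Simplified model of a reflected-XSS filter. The patterns and the neutering
// step are assumptions made for this example, not IE 8's real heuristics.
const SUSPICIOUS = [/<script\b/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Inspect one request/response pair as the browser would see it.
// Returns the (possibly rewritten) body and the names of neutered parameters.
function filterResponse(requestUrl, referrerUrl, responseBody) {
  const target = new URL(requestUrl);
  // Only cross-site navigations are examined; a missing referrer is treated
  // as cross-site (assumption).
  const crossSite = !referrerUrl || new URL(referrerUrl).origin !== target.origin;
  const blocked = [];
  let body = responseBody;
  if (!crossSite) return { body, blocked };

  for (const [name, value] of target.searchParams) {
    const looksLikeScript = SUSPICIOUS.some((re) => re.test(value));
    // Act only when the suspicious value is replayed verbatim by the server.
    if (looksLikeScript && body.includes(value)) {
      body = body.split(value).join(escapeHtml(value));
      blocked.push(name);
    }
  }
  return { body, blocked };
}

// Constructed sample data (hypothetical hosts).
const SAMPLE_PAYLOAD = '<script>alert(1)</script>';
const SAMPLE_URL = 'https://shop.example/search?q=' + encodeURIComponent(SAMPLE_PAYLOAD);
const SAMPLE_BODY = '<p>Results for ' + SAMPLE_PAYLOAD + '</p>';

const result = filterResponse(SAMPLE_URL, 'https://other.example/page', SAMPLE_BODY);
console.log(result.blocked, result.body);
```

A client-side check of this kind only backs up the site itself; output encoding on the server remains the primary defence against reflected XSS.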

The new version of the browser also includes DEP/NX Memory Protection, turned on by default in IE 8 for users of Windows Server 2008, Windows Vista Service Pack 1 and Windows XP SP3, as well as a feature called Per-Site ActiveX, which serves as a defense mechanism to help prevent malicious repurposing of ActiveX controls.

Other features have been added to help developers build safer mashups for IE 8, such as support for HTML5 cross-document messaging. IE 8 Beta 2 is slated to be released in August.