Where Are the IE 8 Security Goodies?

There's a conspicuous absence of information about whether IE8 will include anti-malware blockers, anti-virus integration or changes to dangerous ActiveX-related defaults.

The first beta of Microsoft's new Internet Explorer 8 browser looks surprisingly sparse on security-related features and improvements.
The browser makeover, expected to be unveiled at the MIX08 conference in Las Vegas this week, will feature several nifty productivity features but there's a conspicuous absence of information about whether IE8 will include anti-malware blockers, anti-virus integration or changes to dangerous ActiveX-related defaults.
According to an IE8 Beta 1 welcome page published Mar. 4, the only security-related enhancement is a "Safety Filter" that is built to work as a warning mechanism when Web surfers land on identity-theft phishing sites.
The Safety Filter, which appears to be an enhancement to the Phishing Filter in IE 7, is now offering what Microsoft calls "improved protection" from malicious Web sites but it's not clear if this will actually do proactive blocking of drive-by malware downloads.
"The Safety Filter continues to block known Phishing sites and now blocks sites known to contain malicious software that could harm users' computer or steal their information. Beyond this improved protection, the Safety Filter operates quicker than ever before to ensure that users can browse both safely and quickly," Microsoft said.
For IT administrators, IE8 will also come with new Group Policy options to remove the user-override option and fully block access to known unsafe sites, Microsoft said.
Major weakness

The absence of built-in, on-by-default blockers for drive-by malware downloads is seen as a major weakness in previous versions of Internet Explorer. Several third-party companies-including anti-virus players Trend Micro, AVG Technologies and McAfee-have already pounced on this perceived need, shipping browser add-ons that provide color-coded warnings and proactive protection from browser-based exploits.
A quartet of former Microsoft employees have also latched on to the idea of making a business out of securing Internet Explorer users, launching a venture-backed company called Haute Secure with a promise to use browser plug-ins as an answer to the threat from drive-by exploits.
Haute Secure uses behavior-based profiling algorithms to identify and intercept malicious files in real time.
Google's recent purchase of GreenBorder Technologies, a company that sells browser virtualization software, is a strong hint that the search giant will also be a player in this space-most likely via the Google Toolbar in Internet Explorer.
Microsoft's biggest rival in the browser space-Mozilla Firefox-is also readying a major makeover with security as the main theme. Among other security goodies, Firefox 3 will include a Google-powered Web forgery protection page that blocks the display of suspected phishing sites; a similar feature that blocks sites rigged with malicious executables; and a one-click site info feature that lets Firefox users click on the favicon in the location bar to see who owns the site and to check if the connection is protected from eavesdropping.
Security professionals are also clamoring for Microsoft to change the way the browser is configured to handle ActiveX controls. High-risk vulnerabilities in ActiveX controls used by major software vendors have put IE users at risk of code execution attacks, prompting a suggestion from the U.S. CERT (Computer Emergency Readiness Team) for Redmond to change the browser defaults around scripting.
"We're telling IE users that they should, from a security perspective, disable ActiveX controls from running by default. It would be nice if this is something Microsoft did with the next version of the browser," says Will Dormann, vulnerability analyst at the Carnegie Mellon Software Engineering Institute CERT/CC.