Thursday, July 3rd, 2008

IE8 showing how serious it is about security

Category: IE, Security

The IE8 team has created a blitz on its blog with a slew of posts on security. There is a ton of great stuff here, and is well worth going into detail on each post:

IE8 and Trustworthy Browsing

At first they set the scene:

This blog post frames our approach in IE8 for delivering trustworthy browsing. The topic is complicated enough that some context and even history (before we go into any particular feature) is important, and so some readers may find this post a bit basic as it’s written for a wide audience. In previous posts here, we’ve written about IE8 for developers: the work in standards support, developer tools, script performance, and more. In future posts, we’ll write about IE8 for end-users (beyond the benefits of improved performance, activities, and Web Slices). This post starts a series about trustworthy browsing, a topic important for developers and end-users and everyone on the web. By setting the context and motivation with this post, the next posts that dive into the details of IE8 will build on this foundation.

Trustworthy refers to one of our overall goals: provide the most secure and most reliable browser that respects user choice and keeps users in control of their machine and their information. For reference, Microsoft’s framework for Trustworthy Computing in general spans four areas: security, privacy, reliability, and business practices.

IE8 Security Part III: SmartScreen® Filter

For Internet Explorer 8, we’ve built upon the success of the Phishing Filter feature (which blocks over a million phishing attacks weekly) to develop the SmartScreen® Filter, a replacement that improves upon the Phishing Filter in a number of important ways:

  • Improved user interface
  • Faster performance
  • New heuristics & enhanced telemetry
  • Anti-Malware support
  • Improved Group Policy support

IE8 Security Part IV: The XSS Filter

The XSS Filter operates as an IE8 component with visibility into all requests / responses flowing through the browser. When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server’s response. Users are not presented with questions they are unable to answer – IE simply blocks the malicious script from executing.

With the new XSS Filter, IE8 Beta 2 users encountering a Type-1 XSS attack will see a notification.

IE8 Security Part V: Comprehensive Protection

As we were planning Internet Explorer 8, our security teams looked closely at the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. While we were building new Security features, we also worked hard to ensure that powerful new features (like Activities and Web Slices) minimize attack surface and don’t provide attackers with new targets. Out of our planning work, we classified threats into three major categories: Web Application Vulnerabilities, Browser & Add-on Vulnerabilities, and Social Engineering Threats. For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits.

Posted by Dion Almaer at 10:58 am

3.6 rating from 39 votes


Comments feed TrackBack URI

I’ve been reading their blog, and I love that they are serious about security, but it’s really hard for me to take IE8 seriously unless it improves substantially off the first beta. I actually had to REMOVE my DocType for IE8 to get google’s canvas emulator library working.

Where is the native Canvas support? Every other major browser has that. Doesn’t Microsoft have thousands of developers? If I were king of Microsoft, I’d decree that if there’s a feature in all 3 of the other major browsers, it should be mandatory for IE8.

IE doesn’t even have to run in multiple OS’s like the other browsers do. How is it possible that Opera kicking its ass?

The security stuff is great. The built-in debugger is nice. But IE8 still feels like a browser that is trying to catch up and doesn’t make the grade yet.

Opera, FF, and especially Safari now all seem to be dictating the terms of the competition. Safari has extraa clout since it is innovating with CSS so quickly and since it’s the browser that drives AIR and iPhone.

Comment by Nosredna — July 3, 2008

I can’t take IE seriously *at all*, in any incarnation. They’ve so consistently been behind the times and missed the point that it’s basically an ongoing joke. After I finish a web application in Firefox, I check the other browsers. It almost always looks/works great in Opera and Safari, and is completely destroyed in IE6/7. Boo!

Comment by richtaur — July 4, 2008

I’d prefer the IE8 team to be less “serious” about security and more focused on full CSS/CSS3 support for god’s sake!

Comment by zeno — July 5, 2008

Security is the #1 priority for most IE users as paranoia runs deep (it should) and they’ve never even heard of canvas. An active XSS filter is a good baby step even if it’s only somewhat effective because someone needs to take steps to protect users from these attacks. I also won’t be surprised if they start tightening up the markup they accept, particularly regarding event hooks and script elements.

Comment by mrclay — July 14, 2008

Leave a comment

You must be logged in to post a comment.