In August, Microsoft will ship Internet Explorer 8 Beta 2, the second major milestone of its upcoming Web browser. Whereas Beta 1, released in March, focused primarily on developer features, Beta 2 will be about end users. And while I wish I had some new UI bits to show you today, that will have to wait. Instead, this week, Microsoft is talking about the new and improved security features that it will debut in IE 8 Beta 2. These features constitute the bulk of the work Microsoft is doing around security in IE 8, so this overview will provide an interesting snapshot of what we can expect.
To put the security functionality of IE 8 in perspective, let's first look back at some of the security features Microsoft introduced in IE 7 (see my review) and in IE 8 Beta 1 (see my review). As a major release of the browser, IE 7 included a number of security advances, such as Protected Mode (Vista only), ActiveX Opt-In, international domain spoofing protection, and more. There were also related advances around the Manage Add-ons UI.
In IE 8 Beta 1, Microsoft added a few security enhancements as well. The most obvious was domain highlighting. But as it turns out, Microsoft in IE 7 Beta 1 also at least partially implemented a few of the other security advances I'll describe below. But they're only now discussing these changes, and of course IE8 Beta 2 will complete the picture. Let's see what's going on with IE 8 security.
From a security perspective, IE 7 is already an excellent product, especially on Windows Vista, where you can take advantage of Protected Mode. But with online threats evolving, Microsoft is taking steps to address new types of attacks in IE 8. Here's what they're doing.
In order to protect users, IE 8 highlights the relevant part of the loaded URL in the Address Bar so that you can see which site you're really visiting. This is particularly important for sites that have incredibly long URLs, as is often the case with malicious sites that attempt to fool you into believing you're at another, trusted, site. And when a site uses a raw IP address instead of a domain name, the Address Bar will turn red, alerting you to the potential threat. (Legitimate Web sites do not use raw IP addresses.)
Where IE 7 had the phishing filter, IE 8 adopts a new and improved version, which has been renamed to the SmartScreen Filter. As with its predecessor, the IE 8 SmartScreen Filter provides anti-phishing functionality. But it also helps protects against other classes of malicious Web sites, including those that have been set up specifically to deliver malware to users. Similar in functionality to the malware protection in Firefox 3 (see my review), the SmartScreen Filter consults with a blacklist to prevent known-malicious sites from delivering malware. To warn the end user, the browser window is colored red in a very obvious way and the user is given the choice to return to their home page or disregard the warning and continue. And because this is IE, administrators can use Group Policy (GP) to turn off that disregard option.
If the SmartScreen Filter discovers a site that isn't on the blacklist but trips certain heuristics--like an IP-based site that's asking for your credit card number--it will display a different pop-down dialog alerting you to the potential issue. Like most other IE-based warnings, this dialog originates from the Information Bar and appears over the browser window.
The SmartScreen Filter also pops up during downloads. In the case of a normal download, a new bit of SmartScreen Filter text will appear at the bottom of the download window, noting that the originating site "has not been reported as a source of unsafe downloads." However, for malicious sites, you'll get an "Unsafe Download Blocked" dialog. You can, of course, unblock the download if you'd like. (Unless, of course, a system administrator has turned off this functionality via GP.)
Microsoft added ActiveX Opt-In functionality in IE 7, which prevents malicious ActiveX controls from infecting your system, so that even if you attempt to install one, the installation will fail. IE 8 adds a wide range of related functionality.
First, ActiveX controls are now installed on a per-user basis. So on PCs with multiple users, ActiveX controls will only be activated by default for the user that installed them. This removes the User Account Control (UAC) requirement for ActiveX installation, and it limits the scope of both malicious controls and unstable or poorly-written controls.
ActiveX controls in IE 8 can now be installed on a per-site basis only. This means that an individual control will only run on the site from which it was downloaded. In previous versions of IE (6 and 7), developers could write controls in such a way that would lock them to an individual site, but few did so. Naturally, there are exceptions for popular known-good controls from trusted sources: Adobe Flash, Apple QuickTime, and Windows Media Player are among the exceptions. And when you go to install a control, the Information Bar will let you choose between Run add-on and Run add-on on all web sites.
A feature called ActiveX Killbits helps control makers disable controls when exploits are found. This feature has actually been around for a while, but now it's integrated with Windows Update: If an exploit is found, the control maker can request that a Killbit be sent to users via Windows Update. Microsoft will package it up and deliver it to users automatically, preventing out of date or exploited controls from loading in IE.
Data Execution Prevention (DEP) is one of the major security advances in recent versions of Windows, including Windows Vista: It prevents a common type of exploit in which a hacker forces a buffer overflow and then essentially infects other areas of memory with their code. But DEP has one minor flaw under Windows XP and Vista: It isn't enabled in IE because of compatibility issues with certain ActiveX controls. Now, in IE 8, DEP is enabled by default, though this feature requires XP with Service Pack 3 or Vista with Service Pack 1. (The change required some OS updates which were delivered in those respective service packs.)
What's interesting about the DEP implementation in IE 8 is that it works on a tab-by-tab basis. If an ActiveX control or other IE add-on somehow triggers a DEP error, the Web page will be closed and replaced with a warning message. But other open IE windows and tabs are unaffected, and you can just continue browsing.
Microsoft refers to XSS as "the new buffer overflow." It's essentially a reflection attack, where a malicious Web site creates a URL that includes an embedded script. When a user triggers this URL, another trusted Web site is loaded into the browser, but the script runs, or reflects, on that site. Malicious scripts can then perform such actions as stealing cookies, logging keystrokes, defacing Web sites, steal certain credentials, and so on. And this isn't just theoretical: Microsoft has already identified at least one major news Web site that can easily be exploited using this type of attack. (It wouldn't reveal the identity of the site for obvious reasons.) What's nefarious of course is that while this is happening, the URL never changes: You're actually at the known, trusted Web site.
These two features are aimed at Web developers who wish to create "mash-ups," blogs, and other emerging sites that rely on cross-domain requests and content fetching, but in a more secure way. Basically, Microsoft is trying to formalize the ways in which Web sites can share information, but do so in a way that minimizes risk.
I'm eager to get my hands on Internet Explorer 8 Beta 2 so I can check out these features first-hand, but this first peek behind the scenes of IE 8 security is encouraging. Expect a lot more information from the IE team in the coming days and, of course, Beta 2, which is due in August.