What's New in Internet Explorer 8 (IE8) Security

Security Viewpoint – June 2009

By Gina Narkunas, Director – IE8 Product Marketing, Microsoft Corporation

Rapid Evolution of Web-Based Threats Requires Modern Tools

The Internet is constantly evolving, creating new ways for users to perform tasks or reach audiences.  This drives great change, but it can also make the Web a dangerous place for unsuspecting users.  With Web-based applications and interfaces regularly under attack, users need modern tools that are up to the task of defending against modern threats.

For Microsoft, the foundations of the ‘modern’ browser security environment began with Microsoft Internet Explorer 6 for Windows XP Service Pack 2.  The security mechanisms in that release helped combat the style of threats being used at the time; those threats focused on the application surface area — the actual code and design of the browser — and finding ways to compromise the application just by getting a user to visit a Web site.  Internet Explorer 6 XP SP2 focused on core security enhancements and introduced new features such as the Information Bar, Local Machine Zone Lockdown, and Pop-Up Window controls.

Internet Explorer 6 XP SP2 Architected for the Past

Of course, the Internet of the past has changed many times over, and the current types of threats were not envisioned many years ago.  Internet Explorer 6 XP SP2 was never designed for the issues and technologies needed for the Web today and is not able to meet the challenges.  During the period after the release of Internet Explorer 6 XP SP2, Internet threats evolved in new directions as the Internet user base rapidly expanded.  More users went online, the use of Web-based e-mail accounts soared, and online commerce took hold.  Suddenly the threats became ‘social’, preying on average users who couldn’t easily tell good sites from bad and who didn’t know the harm in opening attachments from unknown senders. 

Threats became more complicated as sites began to ‘mash-up’ data from multiple sites, pulling in dynamic content from any number of sources.  Today, applications use AJAX to create highly interactive experiences for users, without needing to browse from link to link around Web sites.  And, technologies such as Microsoft Silverlight and Adobe Flash have provided developers with even more powerful building blocks for Web-based applications, with high-quality graphics and video available to users in just a few clicks.  Internet Explorer 6 XP SP2 was designed in the days of dial-up and simply can’t offer the protection needed in the broadband age.

Windows Internet Explorer 8: Addressing Modern Social Engineering and Malware Attack Vectors

Increasingly, sophisticated phishing and malware attacks trick users through ‘social engineering’: convincing them to download malware payloads or to reveal passwords and other confidential information.  There has been a rapid rise in the number and sophistication of look-alike sites designed to harvest personal and company information from unsuspecting users.

Windows Internet Explorer 7 responded to this new class of ‘social-engineering’ attacks by introducing features like the Phishing Filter, which gave users a new level of protection from known phishing Web sites.  The Phishing Filter also introduced a new model for security features: rather than building a fixed answer to phishing into the browser, it was backed by an online service that could be updated to block new sites as they appeared.  Internet Explorer 7 also included the ActiveX Opt-In feature, which protected users from ‘drive-by’ attacks in which software was installed without the user’s consent or input.

Internet Explorer 8 continues to build on all of these areas and includes many new security features to address Web 2.0 security issues.  The new SmartScreen Filter builds on the Phishing Filter from Internet Explorer 7 to provide protection against the latest types of attacks.  The SmartScreen Filter provides more granular protection, blocking specific malware downloads in addition to entire sites.  Along with the technical enhancements, the user warning and instructional messages have been redesigned to be clearer and more pronounced.  Lastly, enterprise administrators can now use Group Policy to prevent users from bypassing the SmartScreen Filter protections by removing the ‘click to continue’ link from the warning dialogs.

Adding to the SmartScreen Filter protections is a new set of visual cues in the Address Bar, designed to help users quickly identify fake, or ‘copy-cat’, Web sites.  This new Domain Highlighting feature displays the domain name in bold, while turning the rest of the URL grey. 

[Image: IE8 Domain Highlighting sample]

A common technique used by malicious sites is to create a visual copy of a well-known brand Web site (e.g. Microsoft) and create a long, confusing URL so users think they are on one site when they are really at another.  For example, a malicious Web site may try to confuse users by getting them to click on a link taking them to www.microsoft.com.fakesite.com.  Domain Highlighting will help users quickly realize they are at fakesite.com since it will appear in bold.

To learn more about other Address Bar protections in Internet Explorer 8, and the benefits of offering Extended Validation (EV) certificates to help users identify your business, please download The Business Value of Extended Validation SSL Certificates whitepaper. 

Newer threat types, such as Clickjacking and Cross-Site Scripting (XSS), are growing in severity and in number of attacks.  These attacks against Web applications exploit the trend toward content aggregation: a page that embeds, or is embedded in, content from other sites gives an attacker a foothold for stealing important information.  To help prevent Clickjacking, Internet Explorer 8 offers content owners a mechanism, the X-Frame-Options response header, to declare that their pages must not be framed by other documents.  The XSS Filter in Internet Explorer 8 works in real time as users navigate from page to page, monitoring the data flow and analyzing scripts for reflection patterns: script-like content in a request that is echoed back in the response.  When the XSS Filter is triggered, users see a simple Information Bar message at the top of the screen, and the script is neutered so it becomes harmless.

The XSS Filter operates as an Internet Explorer 8 component with visibility into all requests and responses flowing through the browser.  When the filter discovers a likely XSS payload in a request, it blocks the attack only if that payload is replayed in the server’s response, so that requests which merely look suspicious but are not echoed back are left alone.  The result is protection against Web site vulnerabilities without asking users questions they cannot answer and without breaking functionality on the Web site.

Mitigating Risks and Costs for Your Organization

The extent to which third party sites can gather information from overall browsing patterns has increased, reducing privacy for individuals and companies.  Successful attacks against an organization can be very costly not only in lost productivity and increased help desk calls, but also in the loss of valuable or proprietary company information.

To learn more about how these new security and privacy protections in Internet Explorer 8 can benefit your organization, please download and read the Increasing Your Organization’s Security and Privacy with Internet Explorer 8 document.

As perhaps the most used application on a user’s machine—for daily work and non-work tasks— the browser must be included among the tools that provide protection from external threats.  While a business’s internal applications must be secured, the browser is the main link to the many line-of-business applications run from the Web, as well as a key connection to external information sources on the Internet.  Internet Explorer 8 brings significant new protections for companies and their users to help counter new and emerging threats.  In addition, no other modern browser offers the level of policy configuration and provides the centralized management tools IT professionals need to manage the browser as an enterprise-level application.

Many organizations will be safe and secure using the default security settings included with Internet Explorer 8.  For those organizations looking for an even more secure settings configuration, the new Internet Explorer 8 Desktop Security Guide is an invaluable resource that explains additional Group Policy settings and their potential impact on applications in your organization.

Browser security is a key element of an organization’s overall security protection, and Internet Explorer 8 provides the security features and protections needed for the modern Web.  Visit www.microsoft.com/IE8/enterprise today to download Internet Explorer 8 and experience these new features for yourself.