Introducing Internet Explorer 8.0 Security

Applies To: Windows 7

This product evaluation topic for the IT professional describes security enhancements in Windows Internet Explorer 8 that help defend against:

  • Browser-based exploits

  • Web server vulnerabilities

  • Social engineering attacks

The Enhanced Security Configuration option is also improved for Internet Explorer 8 on server operating systems.

  • Changes in Internet Explorer 8 security

  • Changes to Enhanced Security Configuration in Internet Explorer 8 for server operating systems

Changes in Internet Explorer 8 security

Browser and add-on vulnerabilities

  • DEP/NX memory protection. Data Execution Prevention (DEP) or No-Execute (NX) helps to thwart attacks by preventing code from running in memory that is marked as non-executable. DEP/NX, combined with other technologies such as Address Space Layout Randomization (ASLR), make it more difficult for attackers to exploit certain types of memory-related vulnerabilities such as buffer overruns. The protection applies to both Internet Explorer 8 and the add-ons it loads. No additional user interaction is required to provide this protection, and no new prompts are introduced.

  • ActiveX. Two changes were made in how Internet Explorer 8 handles ActiveX controls:

    • Per-site ActiveX. Per-site ActiveX is a defense mechanism to help prevent malicious repurposing of controls. When a user navigates to a Web site containing an ActiveX control, Internet Explorer 8 performs a number of checks, including determining where a control is permitted to run. If a control is installed but is not permitted to run on a specific Web site, a message appears on the Information bar, asking the user whether or not the control should be permitted to run on the current Web site. IT professionals administering client computers running Internet Explorer 8 may choose to set allowed controls and their associated domains. Such settings can be configured by using Group Policy.

    • Per-user ActiveX. Standard users can install ActiveX controls in their own user profile without requiring administrative privileges. This improvement allows standard users to install ActiveX controls used in their day-to-day browsing. In addition, if a user installs a malicious ActiveX control, the overall system is not affected because the control was installed only under the user's account. IT professionals administering client computers running Internet Explorer 8 can use Group Policy to enable or disable this functionality.

  • Protected Mode. Protected Mode, first introduced in Internet Explorer 7, helps reduce the severity of threats to both Internet Explorer and extensions running in Internet Explorer by helping to prevent installation of malicious code. Unlike Internet Explorer 7, Internet Explorer 8 can host both Protected Mode and non-Protected Mode tabs within the same browser window. For improved performance and application compatibility, Internet Explorer 8 disables Protected Mode in the Local intranet zone. Internet Explorer 8 users and domain administrators can enable Protected Mode for the Local intranet zone.

  • Application protocol prompt. Application protocol handlers enable non-Microsoft applications, such as streaming media players and internet telephony applications, to start within the browser. This can increase exposure to attacks. To help ensure that users remain in control of their browsing experience, Internet Explorer 8 now prompts before starting application protocols.

  • File upload control. To block attacks that rely on stealing keystrokes to trick the user into typing a local file path into the control, the File Path dialog box is now read-only. The user must explicitly select a file for upload by using the File Browse dialog box and then Internet Explorer 8 submits only the file name, not the full path. The Include local directory path when uploading files security setting is disabled by default for the Internet zone.

Web application security improvements

  • Cross-site scripting. Internet Explorer 8 introduces a cross-site scripting filter that makes Type-1 cross-site scripting flaws, also referred to as non-persistent or reflected vulnerabilities, more difficult to exploit. Type-1 cross-site scripting flaws represent a growing proportion of overall reported vulnerabilities and are being exploited at an increasing rate. The cross-site scripting filter can identify a potentially malicious cross-site script and neutralize the attack by blocking the execution of the script from being reflected to the server and stopping the attack at the client computer. A notification message is displayed to the user on the Information bar.

  • Cross-site data aggregation. The XDomainRequest (XDR) object in Internet Explorer 8 makes a cross-domain data request within the browser instead of a server-to-server request. Cross-domain requests require mutual consent between the Web page and the server and require that the Web site support XDR and make the data available across domains. The XDR object integrates with the World Wide Web Consortium (W3C)'s Web Application Working Group's draft framework on client-side cross-domain communication.

    Internet Explorer 8 also introduces support for cross-document messaging (also known as postMessage), which enables IFRAME elements to communicate more securely while maintaining Document Object Model (DOM) isolation.

  • MIME-handling changes. The following changes are made to the Internet Explorer 8 Multipurpose Internet Mail Extensions (MIME)-type detection algorithms:

    • Restrict MIME-type detection. Internet Explorer 8 prevents the detection, or data sniffing, of files with image/* MIME content types into HTML or script. If a file contains script and the server declares that it is an image file, Internet Explorer 8 does not run the embedded script.

    • Prevent MIME-type detection. Web applications now can prevent MIME-type detection. Sending the new X-Content-Type-Options: nosniff header prevents Internet Explorer from using MIME-type detection to change the server-declared content type.

    • Force save. For Web applications that need to serve untrusted HTML files, Internet Explorer 8 contains a mechanism that forces users to save untrusted HTML files locally before opening to help prevent the untrusted content from compromising site security.

  • Defense against types of CSRF attacks. Internet Explorer 8 helps protect against types of cross-site request forgery (CSRF) attacks in which an attacker's Web page entices the user to click an object, such as a Next button, containing underlying code that performs a task that the user is not aware of, such as sending personal information to another Web site or e-mail address. These attacks render most anti-CSRF mitigations defenseless and can be used to reconfigure certain browser add-ons in unsafe ways.

Social engineering and privacy

  • Address bar domain highlighting. Internet Explorer 8 highlights the domain name of a site to help the user interpret Web addresses (URLs) and avoid deceptive or phishing sites. In the Address bar, the domain name is displayed in black characters and the remainder of the URL string is in gray. The user can more easily identify the true identity of the site. When coupled with other technologies such as Extended Validation SSL certificates, the improved Address bar in Internet Explorer 8 helps users more easily ensure that they provide personal information only to sites they trust.

  • SmartScreen Filter. The malware protection in the SmartScreen Filter focuses on identifying and blocking Web sites that are distributing malicious software. As a reputation-based feature, the SmartScreen Filter can block new threats from existing malicious sites, even if those threats are not yet blocked by traditional antivirus or anti-malware signatures. The SmartScreen Filter can block navigation or file downloads. This level of control allows Internet Explorer 8 to block entirely malicious sites, portions of sites, or a single malicious download (for example, on a social networking or file-sharing site). If a user attempts to download potentially unsafe software when the SmartScreen Filter is active, the user receives a prompt that lists alternate actions to take. IT administrators can administer the SmartScreen Filter by using Group Policy, including which alternate action users may choose from when they receive a warning prompt.

  • Privacy features. Internet Explorer 8 introduces several new or enhanced privacy features to give users more control over their personal information, all of which can be managed by using Group Policy.

    • Favorites and deleting browsing history. Internet Explorer 8 allows users to retain information associated with their Favorites menu when deleting their browsing history. This enables users to have more control over what is deleted from their browser history, such as cookies, saved passwords, and Web form information.

    • InPrivate Browsing. In situations where users are sharing a workstation, portable computer, or public kiosk, leaving a browser history trail behind for the next user can compromise privacy and security. InPrivate Browsing in Internet Explorer 8 eliminates this browser history trail by not storing history, cookies, temporary Internet files, or other data.

    • InPrivate Filtering. Over time, users' history and profiles can be unknowingly aggregated and tracked by malicious scripts or tracking cookies. InPrivate Filtering tracks these scripts and cookies that are encountered when visiting various Web sites and then automatically blocks them when they are encountered more than 10 times. InPrivate Filtering also allows users and IT administrators to manually choose sites to allow or block.

Changes to Enhanced Security Configuration in Internet Explorer 8 for server operating systems

In Internet Explorer, users can configure security settings for the Local intranet zone and the Trusted sites zone. By default, they cannot change the security setting for the Internet zone and the Restricted sites zone. Internet Explorer Enhanced Security Configuration assigns security levels to these zones as follows:

  • For the Internet zone, the security level is set to High.

  • For the Trusted sites zone, the security level is set to Medium, which allows browsing of many Internet sites.

  • For the Local intranet zone, the security level is set to Medium-low, which allows your user credentials (user name and password) to be sent automatically to sites and applications that need them.

  • For the Restricted sites zone, the security level is set to High.

Note

All Internet and intranet sites are assigned to the Internet zone by default. Intranet sites are not part of the Local intranet zone unless you explicitly add them to this zone.

Additional resources