Home : Networking : News

IE8 to get security boost

Microsoft looks to improve Internet Explorer's security in its next browser beta release.

By Barry Collins, 4 Jul 2008 at 11:15

Microsoft is looking to shed Internet Explorer's reputation for slipshod security in its latest edition of the browser.

Firefox has long been regarded as the browser of choice for the security-conscious - not least because it's far less widespread than Internet Explorer - but Microsoft seems keen to redress the balance.

The company has announced a number of new security measures for Internet Explorer 8, which is due to hit its second beta phase next month.

One new measure includes protection against cross-site scripting (XXS) attacks. "Over the past few years, cross-site scripting (XSS) attacks have surpassed buffer overflows to become the most common class of software vulnerability," Microsoft claimed on the Internet Explorer blog. "XSS attacks exploit vulnerabilities in web applications in order to steal cookies or other data, deface pages, steal credentials, or launch more exotic attacks."

IE8 will automatically block "the most common form" of XSS attack, using an heurisitc filter to identify and prevent the malicious code from running.

Another newcomer is the so-called SmartScreen Filter. This builds on the phishing filter introduced in IE7 to include sites known to be distributing malware or stealing personal data.

"The SmartScreen anti-malware feature is URL-reputation-based, which means that it evaluates the servers hosting downloads to determine if those servers are known to distribute unsafe content," Microsoft claimed. A new group policy setting will allow system administrators to prevent users from overriding SmartScreen warnings, potentially preventing employees from inadvertently, or even deliberately, infecting the network.

Microsoft claimed malware writers are increasingly targeting add-ons, rather than the core browser. As a result, it's beefing up its add-on protection, by turning DEP/NX memory protection on by default in IE8. "DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable," Microsoft said, although the technology will only work on systems running XP SP3, Vista SP1 or Windows Server 2008.

Other improvements include a revamp of the Protected Mode introduced in IE7, measures to guard against exploits in web mashups and a new prompt to stop applications such as VoIP software running automatically from the browser.

Many of the new features will be implemented in the Beta 2 release at the end of August.