Internet Explorer 8 Beta 2 will be with us soon…

Whilst the IE software team at Microsoft are building powerful new features like “Activities” and “Web Slices” into the browser, new security features are coming too!

Out of all their planning work, they have classified threats into three major categories:

1. Web Application Vulnerabilities
2. Browser & Add-on Vulnerabilities
3. Social Engineering Threats

For each class of threat, they have developed a set of “layered” mitigations to provide defense-in-depth protection against these exploits. (In plain English: new security features to keep you safe online.)

…here are some of them.

Cross-Site-Scripting Defenses:

Over the past few years, cross-site scripting (XSS) attacks have surpassed buffer overflows to become the most common class of software vulnerability. XSS attacks exploit vulnerabilities in web applications in order to steal cookies or other data, deface pages, steal credentials, or launch more exotic attacks.

IE8 helps to mitigate the threat of XSS attacks by blocking the most common form of XSS attack (called “reflection” attacks).

Safer Mashups:

While the XSS Filter helps mitigate reflected scripting attacks when navigating between two servers, in the Web 2.0 world, web applications are increasingly built using client-side mashup techniques. Many mashups are built unsafely!

The IE team have introduced two security methods, “Cross-Document-Messaging” and “XDomainRequest”, to help secure client-side mashup techniques. However, a critical threat still remains, and that is why they are introducing:

HTML Sanitization (helps prevent potentially executable scripts from running) and JSON Sanitization (used to prevent script injections).
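As an added example (not code from the original post or from the IE team), here is how a receiving page in a client-side mashup can apply these ideas: accept cross-document messages only from an allow-listed origin, treat the payload as JSON data rather than script, and render it as text. The origin “https://widgets.example”, the message format and the status element are assumptions.

```javascript
// Added example, not from the original post: a mashup page receiving
// cross-document messages from a widget frame. The trusted origin and the
// message format below are assumptions made for this illustration.
const TRUSTED_ORIGINS = new Set(["https://widgets.example"]);

// Exact-string comparison of the sender's origin against the allow-list.
// A substring check such as origin.indexOf("widgets.example") !== -1 would
// also accept "https://widgets.example.attacker.net", so avoid it.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Parse the message with JSON.parse rather than eval(): a payload such as
// '{"a":1};alert(1)' is a parse error here, not executed code. Only a plain
// object with the expected fields is accepted; anything else is dropped.
function parseMessage(data) {
  let msg;
  try {
    msg = JSON.parse(data);
  } catch (e) {
    return null;
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  if (msg.type !== "update" || typeof msg.text !== "string") return null;
  return { type: "update", text: msg.text };
}

// Apply the message to the page via textContent, so markup in the text is
// displayed literally instead of being parsed as HTML. Returns the displayed
// text, or null when the message was rejected. `node` is any object with a
// textContent property (a DOM element in the browser, a plain object here).
function handleMessage(event, node) {
  if (!isTrustedOrigin(event.origin)) return null;
  const msg = parseMessage(event.data);
  if (msg === null) return null;
  node.textContent = msg.text;
  return msg.text;
}

// In a browser this is wired up to the "message" event, for example:
//   window.addEventListener("message", function (e) {
//     handleMessage(e, document.getElementById("status"));
//   });
```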

MIME-Handling Changes:

Each type of file delivered from a web server has an associated MIME type (also called a “content-type”) that describes the nature of the content (e.g. image, text, application, etc). For compatibility reasons, Internet Explorer has a MIME-sniffing feature that will attempt to determine the content-type for each downloaded resource.

The team have made a number of changes to Internet Explorer 8’s MIME-type determination code to prevent malicious file downloads and script injections, all to help make surfing the web safer.

Local Browser Defenses:

While Web Application attacks are becoming more common, attackers are always interested in compromising ordinary users’ local computers. In order to allow the browser to effectively enforce security policy to protect web applications, personal information, and local resources, attacks against the browser must be prevented. Internet Explorer 7 made major investments in this space, including Protected Mode, ActiveX Opt-in, and Zone Lockdowns. In response to the hardening of the browser itself, attackers are increasingly focusing on compromising vulnerable browser add-ons!

For Internet Explorer 8, they have made a number of investments to improve add-on security, reduce attack surface, and improve the developer and user experience. The BIG 4 improvements are:

Add-on Security, Protected Mode, Application Protocol Prompt and File Upload Control.

Social Engineering Defenses:

As browser defenses have been improved over the last few years, web criminals are increasingly relying on social engineering attacks to victimize users. Rather than attacking the ever-stronger castle walls, attackers increasingly visit the front gate and simply request that the user trust them.

For Internet Explorer 8, Microsoft have invested in features that help the user make safe trust decisions based on clearly-presented information gathered from the site and trustworthy authorities.

So IE8 will have Address Bar Improvements and the new SmartScreen Filter!

In Closing:

Security is a core characteristic of safer browsing online, and Internet Explorer 8 includes major improvements to address the evolving web security landscape. While the bad guys are unlikely to ever just “throw in the towel,” the IE team is working to help protect users and provide new ways to enhance web application security.

You can read the IE Security blog here.

Marc Liron


Kind Regards

Marc Liron
Microsoft MVP
www.marcliron.com
