Microsoft boosts IE8 security
By Barry Collins
Posted on 4 Jul 2008 at 08:03
Microsoft is making strenuous efforts to shed Internet Explorer's reputation for slipshod security in its latest browser.
Firefox has long been regarded as the browser of choice for the security-conscious - not least because it's far less widespread than Internet Explorer - but Microsoft seems keen to redress the balance.
The company has announced a number of new security measures for Internet Explorer 8, which is due to hit its second beta phase next month.
One new measure includes protection against cross-site scripting (XSS) attacks. "Over the past few years, cross-site scripting (XSS) attacks have surpassed buffer overflows to become the most common class of software vulnerability," Microsoft claims on the Internet Explorer blog. "XSS attacks exploit vulnerabilities in web applications in order to steal cookies or other data, deface pages, steal credentials, or launch more exotic attacks."
IE8 will automatically block "the most common form" of XSS attack, using a heuristic filter to identify and prevent the malicious code from running.
Another newcomer is the so-called SmartScreen Filter. This builds on the phishing filter introduced in IE7 to include sites known to be distributing malware or stealing personal data.
"The SmartScreen anti-malware feature is URL-reputation-based, which means that it evaluates the servers hosting downloads to determine if those servers are known to distribute unsafe content," Microsoft claims. A new group policy setting will allow system administrators to prevent users from overriding SmartScreen warnings, potentially preventing employees from inadvertently, or even deliberately, infecting the network.
Add-on protection
Microsoft claims malware writers are increasingly targeting add-ons, rather than the core browser. As a result, it's beefing up its add-on protection, by turning DEP/NX memory protection on by default in IE8. "DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable," Microsoft claims, although the technology will only work on systems running XP SP3, Vista SP1 or Windows Server 2008.
Other improvements include a revamp of the Protected Mode introduced in IE7, measures to guard against exploits in web mashups and a new prompt to stop applications such as VoIP software running automatically from the browser.
Many of the new features will be implemented in the Beta 2 release at the end of August.
