Microsoft IE8 to have more defenses

For the upcoming version of Internet Explorer 8.0 (IE8), Microsoft has hinted at a number of security improvements.

According to a Microsoft spokesperson, the company's security teams investigated common attacks and potential trends for future attacks.  Microsoft classified the threats into three major categories: web application vulnerabilities, browser and add-on vulnerabilities and social engineering threats.

“For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits,” the spokesperson said.

Some of the changes in IE8 include the following:

A SmartScreen Filter, which will protect against a broader set of phishing threats.  In defending against an attack, a full URL string will be analyzed, providing detection that is more granular and improving IE8's ability to protect against more targeted and sophisticated attacks.  The SmartScreen Filter will also alert users when they attempt to download software that has been classified as malware.

To help prevent cross-site scripting (XSS) attacks, IE8 will include a new XSS Filter, a browser component capable of blocking common cases of reflected attacks. This feature will be available in IE8 Beta 2, and the XSS Filter will improve security by preventing unwanted disclosure of personal information to a malicious attacker.

IE8 also exposes a new method on the window object named toStaticHTML. When a string of HTML is passed to this function, any potentially executable script constructs are removed.

For web applications that need to serve untrusted HTML files, the new X-Download-Options header prevents the user from opening a file download directly; instead, he or she must first save the file locally. When the locally saved file is later opened, it no longer executes in the security context of the serving site, helping to prevent script injection.
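As an added illustration (not code from Microsoft or from the original article), a Node.js-style handler could serve an untrusted HTML upload as a save-only download. The `noopen` value and the pairing with `Content-Disposition: attachment` are how the header is used in practice; `safeFilename`, `untrustedDownloadHeaders`, `handler` and the sample upload are hypothetical names and constructed data.

```javascript
// Added example: response headers for serving untrusted HTML as a download
// that IE8 will only offer to save, never open in the site's context.

// Hypothetical helper: reduce a user-supplied name to a safe ASCII token so
// it cannot inject CR/LF or quotes into the Content-Disposition header.
function safeFilename(name) {
  const base = String(name).split(/[\\/]/).pop();        // drop any path part
  const cleaned = base
    .replace(/[^A-Za-z0-9._-]/g, '_')                    // CR, LF, quotes, spaces -> "_"
    .replace(/^\.+/, '');                                // no leading dots
  return cleaned.slice(0, 100) || 'download';
}

// Hypothetical helper: the header set for one untrusted file.
function untrustedDownloadHeaders(name) {
  return {
    // Generic type so the browser does not render the body as HTML.
    'Content-Type': 'application/octet-stream',
    // Marks the response as a file download.
    'Content-Disposition': `attachment; filename="${safeFilename(name)}"`,
    // IE8: remove the "Open" choice from the download dialog.
    'X-Download-Options': 'noopen',
  };
}

// Constructed sample of user-uploaded HTML containing script.
const SAMPLE_UPLOAD = '<html><script>/* untrusted script */</script></html>';

// Request handler in the shape Node's http.createServer() expects, e.g.
//   require('http').createServer(handler).listen(8080, '127.0.0.1');
function handler(req, res) {
  const url = new URL(req.url, 'http://localhost');
  const name = url.searchParams.get('name') || '';
  res.writeHead(200, untrustedDownloadHeaders(name));
  res.end(SAMPLE_UPLOAD);
}
```
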

Despite these and other security changes in IE8, there is some skepticism outside Microsoft.

Yuval Ben-Itzhak, chief technology officer of web security firm Finjan, told SCMagazineUS.com on Monday that Windows XP Service Pack 2 and Vista were released with a lot of hype but included a lot of vulnerabilities, and the same may happen with IE8.

“Yes, security techniques are always improving,” he said, “and IE8 has added some additional security improvements. But it is impossible to completely eliminate the bugs that will stop hackers.”
