In many ways, IE8 contains functionality similar to Firefox 3, except for one feature: anti-clickjacking, which, in terms of security, could turn out to be one of its most influential innovations. The feature lets sites put a tag on a page to detect attempted clickjacking.
“Clickjacking is one of those extremely difficult security problems to tackle because solving it would likely negatively impact the way the web works,” said WhiteHat Security founder and CTO Jeremiah Grossman, who last year was among the first researchers to present findings on clickjacking, which involves placing an invisible button under an internet user’s mouse pointer just above the viewable content of the web page.
He added: “It’s commendable that Microsoft is being proactive in trying to address wide-reaching security problems before they are maliciously exploited on a wide scale.”
According to Microsoft, other security features that will be in IE8 include:
InPrivate Filtering. This gives users control over a number of third-party tracking mechanisms — not just cookies. It works in any browser session so that users do not have to enter a special mode. Another feature, InPrivate Browsing, lets users browse the web anonymously.
DEP/NX Memory Protection. This enables memory protection (also known as data execution prevention, or DEP) to help mitigate online attacks.
ActiveX improvements. A user will be able to install ActiveX controls in their own user profile without requiring administrative privileges. And if a user happens to install a malicious ActiveX control, the overall system will be unaffected, as the control affects only the user’s account.
The XSS (cross-site scripting) Filter. This operates as an IE8 component that has visibility into all requests/responses in the browser. The browser can block certain malicious scripts from executing.
Comprehensive protection. Web application, local browser, and social engineering defenses are built into IE8 to provide protection from malicious sites. For example, when a string of HTML is passed to a new function, any potentially executable script constructs are removed before the string is returned.
The SmartScreen Filter. This is a feature that replaces IE7’s Phishing Filter. The new capability offers faster performance, new heuristics and anti-malware support.
In an earlier blog post, Eric Lawrence, program manager for Internet Explorer Security, said: “The IE8 SmartScreen Filter is designed to combat both phishing and malware sites while protecting your privacy and enabling high-performance browsing.”
Microsoft said the current Phishing Filter blocks more than a million phishing attacks weekly.