Microsoft officially released Internet Explorer 8 today with a number of new security features to improve privacy and protect against phishing and cross-site scripting (XSS) attacks.
Microsoft and other browser makers have been deploying additional security features to address a growing number of attacks being carried out through the browser. IE 8 and its bolstered security defenses have been in beta testing for about a year.
But attackers have managed to stay a step ahead of browser makers: a pre-release build of IE 8 was exploited this week at the CanSecWest security conference. Still, Microsoft is showcasing how the browser's security features mitigate many serious threats and keep users from missteps that could lead to malicious code execution.
Security experts praised the security improvements, but said attackers will continue to own the browser as an attack vector. Mozilla will continue to struggle with Firefox, researchers continue to find holes to exploit in Apple Safari and Google continues to plug holes in its new Chrome browser. Attackers also continue to take advantage of flaws in Flash and Java-based Web applications, making browser security even more difficult to address.
"All the protections being architected are wonderful and great, but they're three years behind the curve," said John Strand, a senior security researcher with Black Hills Information Security. "Basically if you allow your users to touch the dangerous frying pan we call the Internet, they're going to get burned."
Browser makers will also never be able to eliminate the human factor, which is used by attackers to gain access to known browser flaws, said Matt Watchinski, director of vulnerability research at Sourcefire Inc.
"With these browsers the best thing [you] can say to new security features is 'welcome,' but it won't be long until hackers actually test them," Watchinski said. "People will still click on just about anything [you] send them."
Microsoft is trying to mitigate some of the most common attacks with an XSS filter that targets Type-1 (reflected) XSS. The filter in IE 8 inspects outbound requests for script-like input and, when that input is echoed back verbatim in the server's response, rewrites the reflected copy so that it cannot execute. When an attack is blocked, the user sees a modified version of the requested page with the injected script neutralized and a notification that the page was changed. The filter is a heuristic: it catches reflection only, not stored or DOM-based XSS, and it is no substitute for output encoding on the server. The browser also highlights the registered domain name in the address bar and greys out the rest of the URL, so that a spoofed URL that buries the real domain among look-alike subdomains and paths is easier to spot.
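To make the filtering step concrete, here is an added example (not Microsoft's code and not the IE 8 filter's actual rules) of a toy reflected-XSS filter that works the way the paragraph describes: it looks at what the browser sent in the query string and, when a script-like value comes straight back in the response, neuters that copy. The script-like patterns and the choice of `#` as the neutering character are assumptions modelled on the filter's published behaviour; the request URLs and response bodies in the comments are constructed for the example.

```javascript
// Added example, not Microsoft's or IE 8's code: a toy reflected-XSS filter.
// Patterns and the '#' neutering character are assumptions, not IE 8's rules.
const SCRIPT_LIKE = [
  /<script\b/i,
  /<\/?(iframe|object|embed)\b/i,
  /javascript:/i,
  /\bon(load|error|click|mouseover|focus|blur)\s*=/i,
];

// Decoded values of every query-string parameter in the request.
function queryValues(requestUrl) {
  return [...new URL(requestUrl).searchParams.values()];
}

function isScriptLike(value) {
  return SCRIPT_LIKE.some((re) => re.test(value));
}

// Break the reflected fragment so it no longer parses as a tag, a
// javascript: URL or an event handler, leaving the rest of the page intact.
function neuter(fragment) {
  return fragment
    .replace(/<(?=[a-z\/!])/gi, '<#')
    .replace(/javascript:/gi, 'javascr#ipt:')
    .replace(/\bon(load|error|click|mouseover|focus|blur)(\s*=)/gi, 'on#$1$2');
}

// Returns the (possibly rewritten) response body and whether anything was
// neutered. A script-like request value that is NOT reflected is left alone:
// the filter acts on reflection, not on the request by itself.
function filterReflectedXss(requestUrl, responseBody) {
  let body = responseBody;
  let blocked = false;
  for (const value of queryValues(requestUrl)) {
    if (value.length < 4 || !isScriptLike(value)) continue;
    if (!body.includes(value)) continue;
    // Plain-string split/join avoids regex-escaping the attacker's input.
    body = body.split(value).join(neuter(value));
    blocked = true;
  }
  return { body, blocked };
}

// Constructed sample: a search page that echoes ?q= unencoded.
// filterReflectedXss('https://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
//                    '<p>Results for <script>alert(1)</script></p>')
// returns { body: '<p>Results for <#script>alert(1)<#/script></p>', blocked: true }.
```

Two caveats a practitioner would want: a filter of this kind has false positives (a legitimate page that echoes the text `onclick=` from a help query gets rewritten), and because it rewrites responses based on the URL, anyone who controls the URL can influence what the filter does to a page. Server-side output encoding remains the real fix; the filter is a safety net.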
The SmartScreen filter, the successor to IE 7's Phishing Filter, was redesigned to make it more difficult for users to click through to a page flagged as malicious, and it now blocks known malware downloads as well as phishing sites. The warning page shown when a flagged site or download is detected has also been redesigned with a red banner and a one-line summary so that the danger is easy to understand at a glance, Microsoft said.
"At the end of the day for all these browsers, it's about stopping Joe user from being phished and preventing malware from getting on his system," said Jason Miller, security data team manager at Shavlik Technologies LLC. "From what we've seen, it's been a big challenge and a challenge that so far hasn't been met."
Microsoft also addressed the growing demand for privacy when browsing certain websites. A new mode called InPrivate Browsing lets users decide whether IE keeps a record of a browsing session. Similar to Incognito mode in Google's Chrome browser, InPrivate in IE 8 discards the session's cookies, browsing history, form data, passwords and temporary Internet files instead of storing them on the machine. The protection is local only: the sites visited, the network operator and any proxy still see the traffic as usual, so InPrivate hides a session from other users of the same computer, not from the Internet.
IE 8 also includes a defense against clickjacking, in which a user is tricked into clicking an obscured or hidden Web element on a framed page. A site declares, in the X-Frame-Options response header, whether a sensitive page may be rendered inside a frame at all (DENY) or only by pages from the same origin (SAMEORIGIN), and IE 8 refuses to render the page in a frame that violates that declaration. Microsoft says the technique is not perfect, since it protects only pages whose developers send the header and only in browsers that honor it, but it substantially mitigates clickjacking on the sensitive sites that adopt it.
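The decision the browser makes, and the one line a server needs to opt a page in, as an added example (not Microsoft's or IE 8's code). The `mayRenderInFrame` function models the check for the DENY and SAMEORIGIN values; how an unrecognised header value is handled (ignored here) is an assumption of this example, not something the article states, and the bank/evil hostnames and the transfer-confirmation page are made up.

```javascript
// Added example, not Microsoft's or IE 8's code: a model of the
// X-Frame-Options check a browser applies when a document loads in a frame.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;   // scheme + host + port
}

// frameUrl: URL of the document being loaded into a frame.
// topUrl:   URL of the top-level page doing the framing, or null when the
//           document is itself the top-level page.
// headers:  response headers for frameUrl (object with lower-case names).
// Returns true if the browser should render the document, false if it should
// refuse and show its "cannot be displayed in a frame" page instead.
function mayRenderInFrame(frameUrl, topUrl, headers) {
  if (topUrl === null) return true;               // not framed: header is moot
  const raw = headers['x-frame-options'];
  if (raw === undefined) return true;             // page declares no policy
  const policy = raw.trim().toUpperCase();
  if (policy === 'DENY') return false;
  if (policy === 'SAMEORIGIN') return originOf(frameUrl) === originOf(topUrl);
  return true;   // unknown value ignored: an assumption of this example
}

// Server side (Node http request handler): the hypothetical
// transfer-confirmation page refuses to be framed by anyone.
function confirmTransferHandler(req, res) {
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<form method="POST" action="/transfer"><button>Confirm transfer</button></form>');
}
```

Pass `confirmTransferHandler` to `http.createServer` to serve it. Note that the origin comparison includes the scheme: an `http://bank.example` page framing the `https://bank.example` form fails the SAMEORIGIN check. Browsers have also differed on whether SAMEORIGIN compares against the top-level page (as modelled here) or the immediate parent frame, which matters when a same-origin page is itself framed by a third party.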
ActiveX controls have also been tweaked. With per-site ActiveX, a control that the user allows is approved only for the site that asked for it; when another site tries to instantiate the same control, IE 8 blocks it and prompts through the information bar. The browser also retains the kill bit mechanism: setting a control's kill bit (the Compatibility Flags value for the control's CLSID under the Internet Explorer ActiveX Compatibility registry key) stops IE from loading that control even while it remains installed, and Microsoft and control vendors ship kill bits when a control is found to be vulnerable or under attack.
A number of memory corruption exploits are also addressed in IE 8. The browser carries over the data execution prevention (DEP/NX) support introduced with IE 7, but now enables it by default on systems that support it. DEP marks the stack and heap as non-executable, so shellcode an attacker writes into those regions cannot simply be jumped to; attackers answer with return-oriented techniques that reuse code already marked executable, which is why DEP is most effective combined with address space layout randomization on Windows Vista and later.
Support for AJAX applications has also been improved. A cross-document messaging feature (the HTML5 postMessage API) gives AJAX developers a sanctioned way for scripts from different origins, such as a page and a widget embedded in an iframe, to exchange messages without weakening the same-origin policy. The sender names the origin the message is intended for, and IE 8 delivers it only if the receiving window is currently at that origin, so a confidential message is not handed to a page that has navigated elsewhere; the receiver, in turn, should check the origin of each message before acting on it.
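The exchange described above, as an added example that is not Microsoft's or IE 8's code: a self-contained model of cross-document messaging that exercises both checks, the sender's `targetOrigin` and the receiver's origin test. In a real page the sender calls `targetWindow.postMessage(data, targetOrigin)` on an iframe's `contentWindow` or on `window.parent` and the receiver listens for `message` events; the `FakeWindow` class and the `deliver` function are stand-ins assumed here so the scenario runs offline in Node, and the bank, widget and evil origins are made up.

```javascript
// Added example, not Microsoft's or IE 8's code: a model of postMessage
// delivery. FakeWindow and deliver() stand in for the browser; the origins
// are constructed for the example.
const BANK_ORIGIN = 'https://bank.example';
const WIDGET_ORIGIN = 'https://widget.example';
const EVIL_ORIGIN = 'https://evil.example';

class FakeWindow {
  constructor(origin) {
    this.origin = origin;        // origin of the document currently loaded
    this.listeners = [];
  }
  addEventListener(type, fn) {
    if (type === 'message') this.listeners.push(fn);
  }
  navigate(newOrigin) {         // the frame is navigated to another site
    this.origin = newOrigin;
    this.listeners = [];         // the old document's listeners are gone
  }
}

// The browser's delivery rule for postMessage(data, targetOrigin): the message
// reaches the target document only if targetOrigin is '*' or matches the
// target window's current origin. Returns true if delivered, false if dropped.
function deliver(sender, target, data, targetOrigin) {
  if (targetOrigin !== '*' && targetOrigin !== target.origin) return false;
  const event = { data: String(data), origin: sender.origin, source: sender };
  for (const fn of target.listeners) fn(event);
  return true;
}

// Receiver side: accept only messages from the origin we expect, and treat
// the payload as untrusted input (parse it, never eval it).
function installReceiver(win, trustedOrigin) {
  const inbox = [];
  win.addEventListener('message', (event) => {
    if (event.origin !== trustedOrigin) {
      inbox.push({ rejected: true, from: event.origin });
      return;
    }
    let msg;
    try {
      msg = JSON.parse(event.data);
    } catch (e) {
      inbox.push({ rejected: true, reason: 'malformed' });
      return;
    }
    inbox.push({ rejected: false, msg });
  });
  return inbox;
}

// Walk through the three cases that matter.
function runScenario() {
  const bank = new FakeWindow(BANK_ORIGIN);
  const frame = new FakeWindow(WIDGET_ORIGIN);   // iframe the bank page embeds
  const inbox = installReceiver(frame, BANK_ORIGIN);
  const evil = new FakeWindow(EVIL_ORIGIN);
  const out = {};
  const secret = JSON.stringify({ balance: 1234 });

  // 1. Correct use: explicit targetOrigin, delivered to the widget.
  out.explicit = deliver(bank, frame, secret, WIDGET_ORIGIN);
  // 2. The attacker's page posts into the widget: rejected by the origin check.
  deliver(evil, frame, JSON.stringify({ balance: 0 }), WIDGET_ORIGIN);
  out.evilRejected = inbox[1].rejected;
  // 3. The frame has since been navigated to the attacker's site. With an
  //    explicit targetOrigin the browser drops the message; with '*' it
  //    hands the secret to whatever page now occupies the frame.
  frame.navigate(EVIL_ORIGIN);
  const leak = [];
  frame.addEventListener('message', (e) => leak.push(e.data));
  out.afterNavExplicit = deliver(bank, frame, secret, WIDGET_ORIGIN);
  out.afterNavWildcard = deliver(bank, frame, secret, '*');
  out.leaked = leak.length;
  return { out, inbox };
}
```

Case 3 is the one that bites in practice: a frame's content can change after the parent obtained its window reference, so `'*'` as the target origin is only acceptable for data the sender would happily publish.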
Finally, IE 8 also includes automatic crash recovery, which restores the tabs that were open at the point of failure. Tabs now run in separate processes, so a crash is isolated to the affected tab rather than bringing down the whole browser, Microsoft said.