A history of Internet Explorer security
It has to be said that Internet Explorer is still battling to overcome the poor reputation its early versions had for security, and Microsoft's poor track record of providing fixes for even quite serious vulnerabilities. During the last five years, Microsoft has tightened its focus on software security and watched as Firefox's popularity grew among IT professionals. As a result, the release of IE 7 definitely represented a change in the approach to make the browser more secure.
The launch of IE 7 and Firefox 2 both trumpeted new or improved security features, and IE 7, which launched in October 2006, was certainly a huge improvement over its much-attacked predecessor, IE 6. Internet Explorer 7 boasted several antiphishing features, including Web address, page content and page structure analysis. Some other initiatives included better intervention to control downloads, as well as color-coded warnings on whether a site is trusted.
IE 7 was launched at a time when hackers really started to up their game, often driven by profit and backed by organized crime. Hackers receive the best ROI when they concentrate efforts on IE, the most popular browser. Adding to that, one valid criticism that IE 7's detractors certainly have forwarded is that the browser is directly tied to the operating system; an attack on IE means an attack on Windows itself.
The resulting number of exposed vulnerabilities helped to exacerbate the impression of IE as a poor second choice to Firefox. Mozilla has been lauded for handling new security issues quickly, and some users prefer its approach of pushing an updated version of the browser to users when a security fix is made, as opposed to an add-on patch download process used by Microsoft, which many deplore.
Moving on to IE 8
So how has Microsoft tackled these issues? Feature-wise, it has enhanced protection from malicious sites and malware. IE 8's new security features target three major sources of security exploits: social engineering and Web server and browser-based vulnerabilities. The browser's SmartScreen filter, for example, can detect more sophisticated attacks and block sites by analyzing full URL strings, while the Domain Highlighting function ensures the top-level domain in the address bar is clearly highlighted so users can easily confirm they are, in fact, at the site they intended to visit.
This approach of making security easier for the user is also reflected in the improved user interface. When active, the SmartScreen filter warns the user prior to a software download or a visit to a potentially unsafe website. Two privacy features that I like are InPrivate, which suspends caching functions while surfing at, say, an Internet kiosk, and InPrivate Blocking, which blocks content coming from third parties that can track and aggregate a user's online behavior.
In the battle to reduce the threats from browser-based vulnerabilities, Data Execution Prevention (DEP), which was turned off by default in IE 7, is now automatically activated when running on Windows Vista and Windows Server 2008. DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running from a non-executable memory region, the primary benefit being to prevent code execution from data pages. It applies to all add-ons loaded by a browser as well.
It should be noted that research recently presented by Mark Dowd and Alexander Sotirov demonstrated a technique that can bypass these memory protection safeguards in the Windows Vista operating system. Running Vista in "protected mode," however, isolates IE from the operating system and other applications in order to protect against an attack that tries to overwrite files.
One feature of IE 8 that hackers will certainly be picking over is cross-domain requests. Cross-domain communication and the ability for websites to call services from one another is an integral part of Web 2.0 applications. Other browsers, including Firefox, have recognized the benefit of direct communication and are also implementing cross-domain request capabilities. The feature, however, provides benefits not only for developers, but also for attackers in potentially helping them compromise Web 2.0 services in ways that remain to be seen. IE 8 allows cross-domain requests (XDR) with support for XDomainRequest objects. These are, in fact, a more secure method for requesting public resources from another domain's server.
I think Microsoft turned the security corner with the release of IE 7, and IE 8 shows its continued commitment to security, particularly the problems resulting from actions initiated by naive users. For various types of threats, Microsoft is developing a set of layered mitigations to provide defense-in-depth protection against known and future exploits. It no doubt isn't perfect, but neither is Firefox. Vulnerability clearinghouse Secunia has collected multiple vulnerability reports for Firefox 3 already which can be used to bypass certain security restrictions.
About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in October 2008