Microsoft is planning to add a series of new security features to the next version of its Internet Explorer browser, including protection against cross-site scripting attacks.
A beta version of IE 8 is due out in August, and along with the XSS filter, it will include a filter designed to provide better protection against phishing attacks, features that make it easier for developers to request resources and share information across domains, and some changes to the way that ActiveX controls are handled by the browser. Specifically, developers will be able to write controls that are only available for the individual user who downloads them.
The announcement of the new security features in IE 8 came just a week after the release of Firefox 3, the latest version of IE's main competition in the browser world. Firefox 3 also includes updated antimalware and antiphishing capabilities and several other security updates. Microsoft has been fighting to repair the security reputation of IE for several years, since the initial release of Firefox, which the Mozilla Foundation has positioned as a more secure alternative to IE.
But Microsoft has been making steady progress on the security of its ubiquitous browser in recent versions, and IE 8 serves to further that cause. The most intriguing and potentially most useful feature in the new browser is the XSS filter, which is built to protect against Type-1 XSS attacks. These attacks are among the more common ones online right now, and many non-technical users have little idea that they even exist, let alone what to do about them. The XSS filter in IE 8 monitors all of the requests and responses made by the browser and automatically disables XSS attacks when they're detected. Users will see a modified version of the requested page, showing them that the attack was blocked.
"Ultimately we have taken a very pragmatic approach -- we choose to not to build the filter in such a way that we compromise site compatibility. Thus, the XSS Filter defends against the most common XSS attacks, but it is not, and will never be, an XSS panacea. This is similar to the pragmatic approach taken by ASP.NET request validation, although the XSS Filter is able to be more aggressive than the ASP.NET feature," David Ross, a security software engineer at Microsoft wrote in an announcement of the new features.
Also, in the new version of IE, the Data Execution Protection (DEP) feature will be enabled by default on machines running either Vista SP1 or XP SP3. DEP is designed to prevent malicious code from writing to addressable memory space. The feature has been in previous versions of IE, but was disabled by default because of compatibility issues and other considerations.