Anti-malware: Top of the list for Internet Explorer 8

Attack against drive-by downloads

On Wednesday, Microsoft announced new security features within the upcoming release of Internet Explorer 8 Beta 2.

The features are designed to combat the rising tide of drive-by downloads - software downloaded on a computer without the user's knowledge or intervention - and malicious scripts contained within carefully crafted links embedded in email and web pages. Most of the new features require systems to be running Windows Vista SP1 or Windows XP SP3.

Perhaps the most anticipated addition is Internet Explorer's new anti-malware protection. Opera 9.5 and Firefox 3 both recently added anti-malware protection. Safari has so far not announced plans for similar protection. Using mostly its own anti-malware technology, Microsoft will block emerging threats by masking the entire IE 8 browser screen with a warning to users. The addition of malware protection to the existing anti-phishing protection will be rebranded as the Microsoft SmartScreen filter.

IE 8 Beta 2 will have a Cross Site Scripting filter, preventing scripts within a link from executing on the browser.
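
A simplified illustration of the idea behind such a filter, added here as an example and not Microsoft's implementation: it flags a query parameter when its decoded value looks like script and is echoed unescaped in the response. The function name, the patterns and the sample URL and pages are assumptions constructed for this example.

```javascript
// Added illustration: a simplified reflected-script check.
// This is NOT IE 8's filter logic; names and patterns are hypothetical.

// Patterns that indicate active content in a request parameter.
const SCRIPT_PATTERNS = [
  /<\s*script\b/i,     // inline <script> element
  /\bon\w+\s*=/i,      // event-handler attribute such as onerror=
  /javascript\s*:/i,   // javascript: URL scheme
];

// Return the names of query parameters whose decoded value looks like
// script and appears verbatim (unescaped) in the response body.
function findReflectedScript(requestUrl, responseBody) {
  const flagged = [];
  // searchParams yields percent-decoded values.
  const params = new URL(requestUrl).searchParams;
  for (const [name, value] of params) {
    const looksActive = SCRIPT_PATTERNS.some((re) => re.test(value));
    if (looksActive && responseBody.includes(value)) {
      flagged.push(name);
    }
  }
  return flagged;
}

// Constructed sample data (hypothetical site and pages).
const sampleUrl =
  "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=2";
// Page that echoes the parameter without encoding it.
const echoedRaw = "<p>Results for <script>alert(1)</script></p>";
// Page that HTML-encodes the parameter before echoing it.
const echoedEscaped =
  "<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>";

console.log(findReflectedScript(sampleUrl, echoedRaw));
console.log(findReflectedScript(sampleUrl, echoedEscaped));
```

The second page is not flagged because the server encoded the value on output, which is the server-side fix a client-side filter only backs up.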

Previously announced features include highlighting the domain name so that it stands out from the rest of the URL (so you can visually see that you are on eBay.com, for example, not some other site), and extended validation SSL.

IE 8 Beta 1 has already introduced several changes to the handling of ActiveX components. Components will be installed per user, which eliminates the need for everyone to have administrator privileges. In addition, you must acknowledge or opt in for the component to run, eliminating drive-by downloads. Components will be per site and will only be available from the site of origin. Finally, site developers can request killbits from Microsoft, which can be sent via Windows Update to terminate risky or outdated components.

For developers, Microsoft is including improvements for better communication between the client browser and web server. Cross Domain Requests is a more secure way for the browser to pull data from other domains, and Cross Domain Messaging is a more secure means for a browser to send a message across a domain. Microsoft says it is working with other browser vendors to standardise these.

The public Beta 2 for Internet Explorer is expected sometime in August this year.

Comments

There is 1 comment.

  1. Nick Cole

    Acknowledging and then permitting a download, or script/ActiveX execution is much of the problem. The difficulty is that dialogue only asks "Do you want to run it?" The absence of diagnostic information or explanation of what it is going to do means that we cannot make an informed decision. In common with the arcane and meaningless error codes and fault boxes that Microsoft are so fond of.

    Critically the problem is caused by the ability for applications to run code. If this was removed then the ability to do anything malicious would be almost eliminated. It is all very well having fancy facilities and complex processes but they all demand the ability to run some form of programming language which interacts with the desktop OS. As long as this persists then malware can never be prevented.

    Ultimately we have never been given enough detailed information at the time of being asked the question to allow us to confidently say yes. And if we ask for prompts the number of times we get asked to authorise them is ridiculous. When did anybody in Microsoft count the number of prompts for script through its own download/update or technet websites? 40 or 50 is not unusual. And apart from when data needs to be carried forward through a cookie, these scripts do nothing other than provide fancy graphics.

    • 4 July 2008 12:12