IE8: what’s up with security?

Microsoft just recently released Beta 2 of Internet Explorer v8, the latest incarnation of the most used web browser. There’s a lot to like about IE 8, and I covered the new features that affect the user experience in this week’s VistaNews editorial (www.vistanews.com, #35).

One thing that I didn’t address in detail in that article is the unseen but important "feature": security. The guys who post to the MSDN IE Blog did an excellent multi-part examination of IE 8 security issues. Here’s a brief summary of some of the security improvements:

DEP/NX memory protection helps prevent code from running in memory that is marked non-executable, making it more difficult to exploit buffer overruns and other memory-related vulnerabilities:
http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx

Changes to ActiveX isolate controls installed by a user from the overall system (called per-user ActiveX), so that if one user installs a malicious control, the whole system won’t be affected. The feature can be disabled via Group Policy if desired. Per-site ActiveX determines whether installed controls are allowed to run on particular web sites.  Allowed controls can be configured via Group Policy.
http://blogs.msdn.com/ie/archive/2008/05/07/ie8-security-part-ii-activex-improvements.aspx 

The SmartScreen filter replaces the IE 7 phishing filter and is faster, has a better UI, better Group Policy support, anti-malware support and new heuristics.
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iii-smartscreen-filter.aspx 

The XSS filter makes it harder for attackers to exploit cross-site scripting vulnerabilities in web sites, which have the potential to allow an attacker to control what a user does on a web site, steal cookies and even monitor keystrokes.
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx 

Part V summarizes the security mechanisms designed to protect against three categories of threats: web application vulnerabilities, browser and add-on vulnerabilities, and social engineering exploits.
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx 


deb@shinder.net
