Risk
7/3/2008
05:48 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Microsoft Readies Most Secure IE To Date

Next month, should Microsoft make good on its promises, Internet Explorer 8 will pack some considerable security enhancements. Could Microsoft deliver not only the most widely used Web browser, but also the most secure?

Next month, should Microsoft make good on its promises, Internet Explorer 8 will pack some considerable security enhancements. Could Microsoft deliver not only the most widely used Web browser, but also the most secure?In the fourth quarter of 2006, Microsoft released what was then a long-overdue update to IE6. It was IE7 that finally brought tabbed browsing to IE, which previously had only been available for Firefox users, as well as native RSS feeds. While I welcomed those usability enhancements, as a security guy, it was the security improvements that caught my attention. When it comes to sheer performance, Firefox 3 (at least on my Mac Pro) screams.

The security enhancements in IE7 included the ability to better spot phishing Web sites and a reduction in the attack surface of ActiveX. But it was "protected mode," a sort of wall setup between the browser and the underlying OS, that really sent IE7 security to an entirely new level. In protected mode, the browser is largely prevented from changing system settings and installing apps without user knowledge and approval. Unfortunately, protected mode was only made available to Vista users.

Next month, according to this story by J. Nicholas Hoover, IE8 will improve security against cross-site scripting attacks, which have been growing in popularity and make it possible for attackers to steal cookies, passwords, and just about anything the user types into the browser.

Internet Explorer 8 also will have what Microsoft is calling the SmartScreen Filter, an update to the phishing filter already available in IE7, which will include malware defenses. Both Firefox and Opera have similar features.

The Data Execution Prevention enhancements will help mitigate many memory-related attacks, including buffer overflows (the engine of many memory resident worms). This is very welcome protection against one of the most prevalent exploit vectors.

In all, the security enhancements in IE8 appear, at first blush, to be an improvement over the already tremendous improvements found in IE7 running on Vista in protected mode.

They also leapfrog over Mozilla's security enhancements in Firefox 3. For starters, the anti-phishing technology in Firefox 3, as pointed out earlier by Mitch Wagner, is woefully inadequate. The feature failed more than half the time in testing and could lull more neophyte users into a false sense of security.

We'll see how well Microsoft executes on its promises, hopefully, soon.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.