The new Tracking Protection feature, which will be available in the upcoming IE 9 release candidate, comes on the heels of an FTC report calling for a possible "do not track" option for consumers. Microsoft officials say the privacy enhancements in IE 9 are an evolution of an existing feature and are in sync with the FTC's guidelines for privacy. "This puts users in control of what sites can get their [activity] data," says Dean Hachamovitch, corporate vice president and head of IE development.
Meanwhile, Microsoft's Protected Mode feature in IE 7 and IE 8 also was under fire this week; Verizon Business researcher Tom Keetch published methods he discovered for bypassing the security control. Keetch was able to cheat Protected Mode via remote IE Zone escalation and by escalating privileges in the browser from low to medium integrity.
When asked whether Microsoft would issue a fix for the issue in the upcoming IE 9 browser, Microsoft's Jerry Bryant, group manager of response communications, said the method in the Verizon report isn't a vulnerability. "Microsoft is aware of a report describing how Protected Mode in Internet Explorer can be bypassed. The issue discussed in the report is not a vulnerability. It is a method for bypassing a security mitigation," Bryant says. "In order to use this method, an attacker would first need to be able to exploit an unpatched vulnerability on the target computer."
Bryant says Protected Mode is for defending against elevation of privilege attacks as well as protection from malicious downloads by restricting where files can be saved without the user's permission. "Protected Mode is not a security boundary -- it does not provide direct protection, only a chance for a user to verify an action before it happens," he says. "Microsoft continues to encourage customers to upgrade to the latest version of Internet Explorer as it provides enhanced security mitigations to help protect customers from criminal activity."
Microsoft's new Tracking Protection feature in IE 9 is turned off by default, so users have to opt into it. It also includes an open platform for creating so-called tracking protection lists for IE, the equivalent of a "Do Not Call" list for sites users don't want tracking them. There's also an "OK to call" option for online shopping sites where customers want the vendor to keep tabs on their buying patterns for rewards programs or customization, for instance. Tracking Protection can be turned on and off by the user, and it stays active for an entire Web session, according to Microsoft.
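To make the "Do Not Call" / "OK to call" idea concrete, here is an added example (not Microsoft's code and not from the original article) that parses a small tracking protection list and decides whether a third-party request host should be blocked. The list itself is constructed for illustration; the line syntax (an `msFilterList` header, `-d host` to block a domain and its subdomains, `+d host` to allow one, `#` comments) follows the published IE 9 TPL format as I recall it, and the allow-over-block precedence is likewise an assumption drawn from that format rather than from the article.

```python
"""Evaluate a constructed Tracking Protection List (TPL) against request hosts.

Assumptions (not from the article): the TPL line syntax below and the rule
that allow entries take precedence over block entries follow the IE 9 TPL
format as published by Microsoft. The sample list is made up.
"""
from dataclasses import dataclass, field

# Constructed sample list: two blocked tracker domains, one shop the user
# has explicitly allowed ("OK to call"), and a conflicting block rule for
# that same shop to show that the allow entry wins.
SAMPLE_TPL = """msFilterList
: Expires=5
# block known trackers
-d tracker.example
-d ads.example
# user wants the shop to keep tabs on purchases for its rewards programme
+d shop.example
# a block rule for the same host (e.g. from a merged list) is overridden
-d shop.example
"""


@dataclass
class TrackingProtectionList:
    blocked: set = field(default_factory=set)
    allowed: set = field(default_factory=set)


def parse_tpl(text):
    """Parse the domain rules of a TPL; substring rules are ignored here."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "msFilterList":
        raise ValueError("not a TPL: missing msFilterList header")
    tpl = TrackingProtectionList()
    for line in lines[1:]:
        line = line.strip()
        # blank lines, comments and directives such as ": Expires=5"
        if not line or line.startswith("#") or line.startswith(":"):
            continue
        if line.startswith("-d "):
            tpl.blocked.add(line[3:].strip().lower())
        elif line.startswith("+d "):
            tpl.allowed.add(line[3:].strip().lower())
        # the real format also has "-"/"+" substring rules; this example
        # only demonstrates domain rules and skips anything else
    return tpl


def _matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(tpl, host):
    """Return 'allow' or 'block' for a third-party request to host.

    Allow rules win over block rules, so a user's "OK to call" entry
    overrides a blocking entry for the same domain.
    """
    if _matches(host, tpl.allowed):
        return "allow"
    if _matches(host, tpl.blocked):
        return "block"
    return "allow"


if __name__ == "__main__":
    tpl = parse_tpl(SAMPLE_TPL)
    for h in ["tracker.example", "cdn.tracker.example",
              "shop.example", "news.example"]:
        print(h, "->", decide(tpl, h))
```

The subdomain check is the part worth noticing: a list entry for `tracker.example` also covers `cdn.tracker.example`, but not an unrelated host such as `nottracker.example`, which is why the match requires either equality or a leading dot.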
"This is a great, pro-privacy and strategically savvy move on Microsoft's part. I am delighted to see companies competing on privacy, and building better features into their products. This announcement will likely have a significant impact on the current Do Not Track debate, and it will be interesting to see how the ad industry, the other browser vendors, and government regulators respond," wrote security expert Christopher Soghoian in a blog post today.
Meanwhile, the beta version of IE 9 released by Microsoft in September included the new Download Manager feature, which scans files for malware and issues warnings when it detects malicious code.
In the IE 9 beta, Microsoft integrated the Download Manager with its SmartScreen URL filter, a feature that debuted in IE 8. SmartScreen is an anti-phishing and anti-malware filter that blocks badware in real time, based on Microsoft's application reputation database. In IE 9, the browser's Download Manager now also blocks downloads from known malicious URLs: It flashes a warning in the browser's new notification bar as well as in Download Manager. The user then decides whether to download the file.