The security enhancements in IE7 included the ability to better spot phishing Web sites and a reduction in the attack surface of ActiveX. But it was "protected mode," a sort of wall setup between the browser and the underlying OS, that really sent IE7 security to an entirely new level. In protected mode, the browser is largely prevented from changing system settings and installing apps without user knowledge and approval. Unfortunately, protected mode was only made available to Vista users.
Next month, according to this story by J. Nicholas Hoover, IE8 will improve security against cross-site scripting attacks, which have been growing in popularity and make it possible for attackers to steal cookies, passwords, and just about anything the user types into the browser.
Internet Explorer 8 also will have what Microsoft is calling the SmartScreen Filter, an update to the phishing filter already available in IE7, which will include malware defenses. Both Firefox and Opera have similar features.
The Data Execution Prevention enhancements will help mitigate many memory-related attacks, including buffer overflows (the engine of many memory resident worms). This is very welcome protection against one of the most prevalent exploit vectors.
In all, the security enhancements in IE8 appear, at first blush, to be an improvement over the already tremendous improvements found in IE7 running on Vista in protected mode.
They also leapfrog over Mozilla's security enhancements in Firefox 3. For starters, the anti-phishing technology in Firefox 3, as pointed out earlier by Mitch Wagner, is woefully inadequate. The feature failed more than half the time in testing and could lull more neophyte users into a false sense of security.
We'll see how well Microsoft executes on its promises, hopefully, soon.
