Internet Explorer 8: Security Features for Enterprise Users

Over the past year, Internet Explorer has lost market share while browsers such as Mozilla's Firefox, Apple's Safari and even the nascent Google browser Chrome have made incremental gains.

Microsoft hopes to return IE to its past glory with Internet Explorer 8, which has been in release candidate since late January and has received praise for its security as well as criticism for being a memory hog.

Microsoft is not saying when it will call the IE8 code done and release IE8 to manufacturing. But TechARP.com, a Web site that correctly named the RTM dates for Windows editions in the past, is predicting it will happen this month.

New security and privacy features in Internet Explorer 8.

As more business applications go online, the security of browsers has become a top priority for IT managers and the debate lingers on about which browser is safer: IE or Firefox.

Mike Nash, VP of Windows product management, recently discussed the new security and privacy features in IE8 that Microsoft hopes will keep business users productive and safe from hackers.

Automatic Crash Recovery

Everybody has had to deal with a crashing browser, resulting in lost data and a reboot.

Microsoft promises that Internet Explorer 8 has been architected so that crashes will be limited. If a Web site does crash in one tab then only that tab is affected, while the browser itself and other open tabs carry on as if nothing has happened.

"In the past, if there was a bug in a Web page and it crashed it would cause the entire browser or even the operating system to crash," says Nash.

He adds that IE8 will automatically restore a tab that has crashed once it has identified the problem and then return you to the site you were on before the crash.

SmartScreen Filter

The SmartScreen Filter has been reinforced in IE8 to combat the increasingly complex ways that hackers and malicious sites send viruses and steal personal information.

The SmartScreen Filter blocks imposter sites that may download malicious software. The user has the choice to enable or disable SmartScreen, though Nash highly recommends it be enabled.

When it is enabled and you try to visit a site that is considered unsafe, a Web page with a red screen appears recommending you do not continue to the Web site. It does give the option "Disregard and continue (not recommended)" but IT managers can remove this option to "keep users from having to make a decision of trust without the knowledge to make a decision of trust," says Nash.

One of the major threats to users, adds Nash, are bad sites disguised as good sites.

"A lot of Web sites try to make themselves look like anti-spyware sites when in fact they are downloading spyware," Nash says. "The SmartScreen Filter will recognize them as a hoax and alert users that they should not go there."

Cross-Site Scripting Filter

Cross-site scripting (XSS) attacks are some of the leading exploits against Web users. XSS allows malicious code to be injected into Web pages that can lead to information disclosure and identity theft.

What's most unsettling about XSS: everything looks normal to the user while unauthorized access is being given to a hacker and sensitive data is being stolen.

The XSS Filter, new in IE8, can monitor all requests and responses flowing through a browser. When it recognizes an XSS in a request, IE8 blocks the malicious script from executing.

"It recognizes that a Web site is doing something that looks inappropriate and simply blocks it without giving the user a whole lot of notice," says Nash.

Clickjack Prevention

New in the IE8 release candidate, Clickjack Prevention allows Web content owners to put a tag in the page header that will block clickjacking, a type of cross-site scripting that uses embedded code to tricks users into clicking on a link that appears to perform another function.

With clickjacking, the user thinks he or she is clicking the visible buttons, while actually performing actions on a hidden page. The danger of clickjacking is that clicking on a hidden Web element can result in a transaction that you didn't want. IE8 will detect this and show an error screen saying that the content from a certain host is being used by somebody else.

Adds Nash: "For example, if someone tries to embed your bank's Web site into another Web page, IE8 will recognize that your bank's Web content is part of a clickjacked page and shut it down."

Domain Highlighting

This is the most visible new feature in IE8, but could be the best for keeping users on their toes.

Using domain highlighting, IE8 automatically blackens the domain of a URL in the address bar while the rest of the address is grayed out. If the blackened domain is the true domain, such as bankofamerica.com, users will know that the site is legitimate and not a phishing site.

For example, in the IE8 address bar, this site would be trustworthy:

http://www. cio.com/article/482306/Windows_The_Six_Versions_Explained

And this one would not be trustworthy:

http://www. fakeciosite.com/article/482306/Windows_The_Six_Versions_Explained

Nash said this feature is an easy way for both business and home users to avoid having their personal information compromised by a fake site.

"We've all seen those long URLs where it's hard to tell what site it's going to," Nash says. "Here the real domain name stands out. It's a cool feature that's also about safety."

Source: CIO