Security Advisor

A Better Internet Explorer

IE8 won't break new ground, but it will feature some notable security improvements.

It seems like an eternity since Microsoft last updated Internet Explorer, but version 8 is just around the corner. As you would expect, it contains a number of security enhancements. This month's column will prepare you for what's in store.

The browser wars have slowed down. When Microsoft was fighting Netscape for browser market share, changes to Internet Explorer were frequent and dramatic. Today, IE's main competition is Firefox. Browser market shares are fairly stable, and changes to browsers tend to be evolutionary, rather than monumental.

Not surprisingly, IE8 is not a groundbreaking update, and that's a good thing. Microsoft has taken the time to refine a number of features and make IE more compatible with emerging Web standards, but users and administrators won't have to learn new ways to perform common tasks. IE6 and IE7 had to be rushed to market because they were designed to address some major security issues. This time around, the IE team at Microsoft has more time to better test its browser in a longer, more thorough beta program. Many of the new features in IE are related to usability and standards support, but it also contains a number of security issues that are significant.

Private Browsing
One problem with browsing the Internet on a shared or public computer is that it leaves a trail behind from temporary files to the browsing history. That's not a problem when you're perusing a news site, but it can lead to the disclosure of confidential information when you're checking your Web mail. Manually deleting all traces of your browser session can be tedious. To address this, IE8 adds a private browsing mode.

When opening a site in in Private Browsing mode, the browser won't save any data from that session. But even if you're browsing in the regular mode, you want to occasionally delete temporary Internet content. In older versions of IE this was an all-or-nothing procedure. With IE7, you can at least selectively delete temporary files, your browsing history and other content. All too often, however, you still end up losing data-such as cookies from trusted sites-that you want to keep. IE8 gives you even more control over what to delete and what to keep. The main benefit of this is that you won't have to set up preferences for your favorite Web sites again after cleaning up.

Confidentiality is further enhanced by better blocking of methods that companies use to track user behavior across multiple sites. Older versions of IE already contain options to let you block third-party cookies, which are the most common method for tracking users, but this feature was not very reliable and allowed only for minimal configuration. The new inPrivate Blocking feature makes the blocking more robust and is easier to configure than the old cookie blocking.

That Isolated Feeling
IE7 added browser tabs, which let you open multiple Web pages in the same window. An annoying and problematic side effect of this was that a misbehaving Web site in one tab could affect other tabs and crash the entire browser session. Even worse, I experienced many cases in which IE had to be restarted altogether, including other browser windows. IE8 offers tab isolation, which is designed to isolate a misbehaving Web site or add-on from affecting other tabs and windows, letting you close just the affected tab. While running the IE8 beta for the last two months, this feature worked most of the time, but the behavior was not entirely reliable. Hopefully, Microsoft will have this fixed by the time the product is released.

One of the main reasons for the success of Firefox is IE's reputation for being vulnerable to a wide range of exploits. Many of the fixes that Microsoft has made over the last few years have improved IE's resiliency to security threats, and by most measures IE today is no more vulnerable than other browsers. This means that today the most vulnerable component is the user who does the browsing.

Despite education of corporate and home users, too many people blindly click dangerous links, unknowingly download malicious software and respond to phishing scams. IE7 tried to address this issue by presenting warnings to users when a potentially unsafe operation was performed or when users visited suspected phishing sites. Unfortunately, these warnings were still not obvious enough, so IE8 attempts to make the warnings even more difficult to ignore. Microsoft uses the label SmartScreen Filter for all these settings.

For example, when visiting an unsafe Web site, IE not only changes the address bar to red but also displays a stark warning on a red background in the browser window. Also, for all Web sites, the site name in the URL is highlighted in the address bar so you can easily confirm which Web site you are viewing, even if the URL is long and convoluted. Unfortunately, most users will pay little or no attention to the address bar, and many will continue to visit an unsafe Web site, no matter how obvious the warnings are. Still, the new behavior is an improvement and, when combined with user education, will result in fewer user actions that jeopardize network security.

One problem with this protection is that it's only completely effective if you let IE check Web sites you visit against a list of known dangerous sites. This raises some privacy questions. Theoretically, Microsoft could get a history of your browsing behavior, and despite Microsoft's strict policies on keeping this information confidential, some people might still be concerned about the privacy implication.

Unsafe ActiveX controls and other browser add-ons are a major source of attacks against IE. Version 8 adds more control over which add-ons can be installed and lets admins configure how much control users get over what they can install. Additionally, a number of architectural enhancements are designed to prevent malicious software from performing its dirty deeds.

While moving to IE8 won't require a lot of user training, there are many more settings that can be configured. This may lead to some confusion for end users and administrators alike. After all, you don't want an adventurous employee to disable the security settings you configured. Traditionally, the IE Administration Kit (IEAK) was the best tool for locking down browser settings. Group Policy, which is much easier to use, was only available to enforce a subset of the browser settings. With IE8, you can lock down almost all browser settings using Group Policy. You'll need to download and install an ADM template to configure all these settings.

IE8 is not a groundbreaking release, but it introduces a number of important changes that make it appealing to organizations and individuals alike. To prepare for it, you should start testing the beta 2 release. While it's not yet stable enough to use for all your Web activities, it's usable for most. Also, you should download the documentation for the new Group Policy settings and start planning for implementing IE8 in your organization so that you're ready for deployment when Microsoft releases the final version in the coming months.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.


comments powered by Disqus