Security Advisor

Putting a Positive Spin on Microsoft's IE Zero-Day Flaw

The IE vulnerability incident presents Microsoft with a perfect occasion to brag about the new security features hitting Windows 8 and Internet Explorer 10.

While news that a flaw in Internet Explorer is being actively exploited against Windows users isn't something the Redmond execs really want to brag about, there's at least one positive nugget Microsoft can take away from this whole incident: Windows 8 and Internet Explorer 10 are safe from the flaw.

This is good news, as Microsoft has somewhat of an uphill battle trying to convince tech-savvy consumers that IE is worth trying again, and Windows 8 has more going for it than a strange, new interface.  

And nothing lights a fire under consumers' butts to upgrade like the promise of safer, more secure software.

So what makes Internet Explorer 10 more secure than 9? Microsoft claims that the shift to HTML5 will come with new security features, namely the HTML5 sandbox attribute.

"The sandbox attribute enables security restrictions for iframe elements that contain untrusted content. These restrictions enhance security by preventing untrusted content from performing potentially malicious actions," Microsoft wrote in a FAQ.

Simply put, when iframe elements are placed in the sandbox, pop-up windows are disabled, links can't be opened in new windows and automatic navigation to Web sites can't happen -- all tools attackers use to hijack your machine.
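To see which of those restrictions a given iframe actually keeps, here is an added example (not from Microsoft's FAQ or the original article) that audits a sandbox attribute value. The token names (allow-popups, allow-top-navigation and so on) come from the HTML standard and are an assumption here, since the article does not list them; the sample values are constructed.

```javascript
// Added example (not from the article): audit an iframe sandbox attribute value.
// Token names follow the HTML standard and are an assumption; the article lists none.
const LIFTED_BY = {
  popupsAndNewWindowsBlocked: "allow-popups",
  topNavigationBlocked: "allow-top-navigation",
  scriptsBlocked: "allow-scripts",
  uniqueOriginForced: "allow-same-origin",
  formSubmissionBlocked: "allow-forms",
};

// attrValue: null/undefined when the attribute is absent, "" for a bare `sandbox`.
function auditSandbox(attrValue) {
  const sandboxed = attrValue !== null && attrValue !== undefined;
  // Tokens are whitespace-separated and matched case-insensitively.
  const tokens = new Set(
    sandboxed ? attrValue.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean) : []
  );
  const report = { sandboxed, warnings: [] };
  for (const [restriction, token] of Object.entries(LIFTED_BY)) {
    report[restriction] = sandboxed && !tokens.has(token);
  }
  if (!sandboxed) {
    report.warnings.push("no sandbox attribute: framed content runs unrestricted");
  }
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    report.warnings.push(
      "allow-scripts plus allow-same-origin: same-origin framed content can remove its own sandbox"
    );
  }
  return report;
}

// Constructed sample values, as they would appear in markup.
const samples = {
  'sandbox': "",
  'sandbox="allow-scripts allow-forms"': "allow-scripts allow-forms",
  'sandbox="Allow-Scripts allow-same-origin allow-popups"':
    "Allow-Scripts allow-same-origin allow-popups",
  "(no attribute)": null,
};
for (const [label, value] of Object.entries(samples)) {
  console.log(label, JSON.stringify(auditSandbox(value)));
}
```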

IE 10 will also come with a feature called Enhanced Protected Mode. This is an additional new layer of Web security that basically separates the Web browser from the rest of your system by locking down its access to parts of the computer that it has no reason to have access to (like system settings). It'll be a bit difficult for hackers to load up a system with harmful malware when there's nowhere to put it.

Something else noteworthy that Enhanced Protected Mode does is protect your data from those who may be actively mining for it. Say you have your name, address, social security number and U.S. nuclear codes all located in a Word document that you want to e-mail. Internet Explorer will first ask your permission before gaining access to the part of your hard drive that is storing the Word document, and then cut the connection once the action is done.

As for Windows 8, here are some of the new features that Microsoft's new OS will be packing in the way of protection:

  • Secure Boot -- Just like IE's Enhanced Protected Mode, this will separate Windows from the parts of the computer it has no need to have access to, like the BIOS menu. This should stop attackers from trying to hide those nasty Trojans where antivirus software has trouble finding them.
  • A full-blown antimalware feature built right into its surprisingly effective Windows Defender.
  • SmartScreen filter -- Uses an online reputation to rate a new program file. And if it doesn't make the grade, look for the flashing lights and warning windows to alert you of a potential problem.

While these features do sound like a huge step in the right direction toward an incredibly secure system, it'll only be a matter of time until attackers start chipping away at IE 10's and Windows 8's armor. However, it does sound like attackers will have to jump through a ton more hoops (and may have a lower success rate) than they are used to.

What do you think? Been testing out Windows 8 or Internet Explorer 10? What security grade would you give them? Share below or send comments to [email protected].

Oh, and by the way, those concerned about Microsoft's current IE hole, just use a different browser until a fix is available. Easy enough.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

