Security Advisor

Putting a Positive Spin on Microsoft's IE Zero-Day Flaw

The IE vulnerability incident presents Microsoft with a perfect occasion to brag about the new security features hitting Windows 8 and Internet Explorer 10.

While noise about an actively exploited flaw affecting Windows users running Internet Explorer isn't something the Redmond execs really want to brag about, there's at least one positive nugget Microsoft can take away from this whole incident: Windows 8 and Internet Explorer 10 are safe from the flaw.

This is good news, as Microsoft has something of an uphill battle trying to convince tech-savvy consumers that IE is worth trying again, and that Windows 8 has more going for it than a strange, new interface.

And nothing lights a fire under consumers' butts to upgrade like the promise of safer, more secure software.

So what makes Internet Explorer 10 more secure than 9? Microsoft claims that the shift to HTML5 will come with new security features, including the HTML5 sandbox attribute.

"The sandbox attribute enables security restrictions for iframe elements that contain untrusted content. These restrictions enhance security by preventing untrusted content from performing potentially malicious actions," Microsoft wrote in a FAQ.

Simply put, when iframe elements are placed in the sandbox, pop-up windows are disabled, links can't be opened in new windows and automatic navigation to Web sites can't happen -- all tools attackers use to hijack your machine.
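To make the restrictions above concrete, here is an added example (not code from Microsoft or from this article) that audits a page's iframe tags and reports where the sandbox is missing or loosened. It assumes the standard HTML5 sandbox keywords; the mapping of the restrictions named above onto `allow-popups` and `allow-top-navigation`, the function names, and the sample markup and hostnames are all constructed for illustration.

```javascript
// Standard HTML5 sandbox keywords that lift the restrictions described above.
const RISKY_TOKENS = {
  'allow-popups': 'pop-ups and links opening new windows are permitted',
  'allow-top-navigation': 'framed content may navigate the top-level page',
};

// Constructed sample markup (hypothetical hosts), one iframe per case.
const SAMPLE_HTML = `
  <iframe src="https://ads.example/banner" sandbox></iframe>
  <iframe src="https://widgets.example/w" sandbox="allow-scripts allow-popups"></iframe>
  <iframe src="https://cdn.example/x"></iframe>
  <iframe sandbox="allow-scripts allow-same-origin allow-top-navigation" src="/comments"></iframe>`;

// Parse the attributes of one <iframe ...> start tag into a lowercase-keyed map.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<iframe/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per missing or weakened sandbox restriction.
function auditIframes(html) {
  const findings = [];
  for (const match of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttributes(match[0]);
    const src = attrs.src || '(no src)';
    if (!('sandbox' in attrs)) {
      findings.push({ src, issue: 'no sandbox attribute: no restrictions apply' });
      continue;
    }
    // An empty sandbox value applies every restriction; each token lifts one.
    const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
    for (const [token, why] of Object.entries(RISKY_TOKENS)) {
      if (tokens.has(token)) findings.push({ src, issue: `${token}: ${why}` });
    }
    if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
      findings.push({ src, issue: 'allow-scripts + allow-same-origin: same-origin content can remove its own sandbox' });
    }
  }
  return findings;
}

for (const f of auditIframes(SAMPLE_HTML)) console.log(`${f.src} -> ${f.issue}`);
```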

IE 10 will also come with a feature called Enhanced Protected Mode. This is an additional new layer of Web security that basically separates the Web browser from the rest of your system by locking down its access to parts of the computer that it has no reason to have access to (like system settings). It'll be a bit difficult for hackers to load up a system with harmful malware when there's nowhere to put it.

Another noteworthy thing Enhanced Protected Mode does is protect your data from those who may be actively mining for it. Say you have your name, address, social security number and U.S. nuclear codes all located in a Word document that you want to e-mail. Internet Explorer will first ask your permission before gaining access to the part of your hard drive that is storing the Word document, and then cut the connection once the action is done.

As for Windows 8, here are some of the new features that Microsoft's new OS will be packing in the way of protection:

  • Secure Boot -- Just like IE's Enhanced Protected Mode, this will separate Windows from the parts of the computer it has no need to access, like the BIOS menu. This should stop attackers from trying to hide those nasty Trojans where antivirus software has trouble finding them.
  • A full-blown antimalware feature built right into its surprisingly effective Windows Defender.
  • SmartScreen filter -- Uses an online reputation to rate a new program file. And if it doesn't make the grade, look for the flashing lights and warning windows to alert you to a potential problem.

While these features do sound like a huge step in the right direction toward an incredibly secure system, it'll only be a matter of time until attackers start chipping away at IE 10's and Windows 8's armor. However, it does sound like attackers will have to jump through a ton more hoops (and may have a lower success rate) than they are used to.

What do you think? Been testing out Windows 8 or Internet Explorer 10? What security grade would you give them? Share below or send comments to

Oh, and by the way, those concerned about Microsoft's current IE hole, just use a different browser until a fix is available. Easy enough.

About the Author

Chris Paoli is the site producer for and

