MI-80

Since Firefox restarted the browser wars innovations have been pouring in, and it appears the next generation or browsers will be no exception. While most of the new features in Microsoft’s upcoming Internet Explorer 8 focus on usability and performance, a couple of security enhancements have leaked into the limelight. The major announcement so far is IE8’s “Safety Filter” which builds upon the existing Phishing Filter. To recap the Phishing Filter uses a local white list and a server-side blacklist to check websites in real-time for the possibility that they’re trying to defraud the user. In IE8 this is being expanded to look for malicious code attempting to take control of the users’ computer. Microsoft explains “The Safety Filter continues to block known Phishing sites and now blocks sites known to contain malicious software that could harm users’ computer[s] or steal their information.” The user functionality appears to remain untouched, with no apparent additions or subtractions from the current Phishing Filter. Exactly how this security check is performed remains unclear. Some reports are saying it runs a more granular examination of the URL itself. It could also be another blacklist based system, possibly even using something comparable to signatures used in Intrusion Prevention Systems. However it works it’s a welcome change no matter how it gets the job done. The other major security highlight of IE8 seems underwhelming at first but makes great sense, especially when viewed from the “keep it simple stupid” philosophy. “Domain highlight” does just that – it highlights the top level domain in the address bar in black and dims the rest of the address in gray. This simple change makes it much easier to view the site you’re visiting at a glance to ensure it’s where you really intend to be. Beyond those two changes IE8 isn’t focusing on security. New rendering modes, better standards support, and an overhauled user interface are some of the biggest selling points. Regardless anything Microsoft can do to lock down the browser is welcome, even if it’s just evolutionary. Viewed against the bigger picture IE8’s lack of security enhancement does leave some wanting. The Mozilla Firefox team, currently beta testing Firefox 3, has a slew of security improvements in the pipeline. These range from simplifying security warnings to anti-malware blockers (similar to IE8’s Safety Filter) and anti-virus integration. Firefox also continues to have an architectural advantage with its lack of ActiveX integration, which continues to be a thorn in Internet Explorer’s side. With major security vendors already pushing their own browser add-ons to perform many of these tasks I’m at a loss why Microsoft doesn’t plan to integrate them into IE8. Perhaps Microsoft will compromise with the security crowd and change IE8’s ActiveX defaults to behave more securely?