MICROSOFT has added several new security features to Internet Explorer 8 (IE 8) to improve privacy and protect against phishing and cross-site-scripting attacks.
While IE 8 and its added security defenses have been in beta testing for about a year, attackers have still managed to stay a step ahead: a flaw in a beta version of IE 8 was exploited this week at the CanSecWest security conference.
But Microsoft is showcasing the browser's new security features which help successfully mitigate many serious threats and help prevent users from making missteps that could lead to malicious code execution.
Security experts praised the security improvements, but said attackers will continue to own the browser as an attack vector.
Microsoft is trying to mitigate some of the common issues with a cross-site-scripting (XSS) filter, which protects against Type-1 XSS attacks.
The filter in IE 8 monitors all of the requests and responses made by the browser and automatically disables XSS attacks when they are detected. When an attack is blocked, users will be alerted with a modified version of the requested page.
The browser also has a built-in feature that analyses URL strings and highlights the top-level domain in the address bar, so that users are less likely to be victimized by website spoofing.
The SmartScreen filter was redesigned to make it more difficult for users to click through to a malicious Web page. A dialogue box that opens if malicious code is detected has also been redesigned with a red banner and one-line summary to make the danger easy to understand at a glance, Microsoft said.
IE 8 also includes a feature to block clickjacking attacks, preventing users from clicking an obscured or hidden Web element.
The feature recognises a header that Web developers can set on a website to declare how many frames a sensitive Web page may contain. Microsoft says the technique is not perfect, but will substantially mitigate the threat of clickjacking on sensitive websites.
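The header the article refers to is the `X-Frame-Options` response header (the article does not name it). The following is an added example, not Microsoft's or IE 8's code: it emulates the decision a browser makes from that header when a page is loaded inside a frame, and shows a WSGI middleware that sets the header on every response. The URLs, the `frame_allowed` and `add_frame_options` names, and the choice to refuse framing on an unrecognised header value are assumptions of this example.

```python
"""Added example: emulate the X-Frame-Options framing check and attach the
header server-side. Not code from IE 8 or Microsoft; names are hypothetical."""
from typing import Optional
from urllib.parse import urlsplit


def _origin(url: str) -> tuple:
    """Reduce a URL to its (scheme, host, port) origin, filling default ports."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)


def frame_allowed(response_headers: dict, page_url: str, top_url: Optional[str]) -> bool:
    """Return True if the page fetched from page_url may be rendered inside a
    frame whose top-level document is top_url (None means a top-level load)."""
    if top_url is None:
        return True  # a top-level navigation is never blocked by this header
    value = None
    for name, v in response_headers.items():  # header names are case-insensitive
        if name.lower() == "x-frame-options":
            value = v.strip().upper()
    if value is None:
        return True  # no header: legacy behaviour, framing is permitted
    if value == "DENY":
        return False  # never allow this page to be framed
    if value == "SAMEORIGIN":
        return _origin(page_url) == _origin(top_url)
    # Assumption of this example: an unrecognised value is treated like DENY.
    return False


def add_frame_options(app, policy: str = "DENY"):
    """WSGI middleware that sets X-Frame-Options on every response, replacing
    any value the wrapped application already set."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", policy))
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped


if __name__ == "__main__":
    # Constructed sample: a sensitive page framed by an unrelated site.
    hdrs = {"X-Frame-Options": "SAMEORIGIN"}
    print(frame_allowed(hdrs, "https://bank.example/acct", "https://evil.example/"))
```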
A number of memory-type exploits are also addressed in IE 8. The browser carries over the data execution prevention feature from IE 7, but now enables it by default. Data execution prevention blocks code from running in memory that is marked non-executable.
IE 8 also includes an automatic crash recovery feature, which will bring users back to the point of the failure.