Security strategy for IE7: Beta 1 overview, Beta 2 preview

IEBlog

Internet Explorer Team Blog

Security strategy for IE7: Beta 1 overview, Beta 2 preview

  • Comments 65

Security as a feature can be hard to measure. I want to provide some insight into our security strategy so our customers and partners can understand the direction we’re heading with Beta 1 and beyond to Beta 2. All of the work the IE security team has done for IE7 is designed to make you safer while you browse. While some of our work is front and center like the Phishing Filter, a lot of the features are “under the hood” like Low-rights IE and we hope you will never see them, just know that they are there protecting you.

We started out designing the new security changes for IE7 by understanding the risks or the "threats" that browsers face from a malicious web site.  “Threat modeling” as we call it, is one part of the Security Development Lifecycle and is really like performing a risk evaluation to find, and then eliminate or mitigate, security threats in software.

We found places where we can enhance security by changing parts of IE’s architecture. Beta 1 includes powerful but mostly invisible changes to how IE handles URLs and script in sensitive functions. Those changes will continue forward in Beta 2 but we have established a major beachhead in Beta 1 against these classes of vulnerabilities. You’ll be hearing about these in posts coming soon from Eric and myself (Marc would post but he’s on his honeymoon somewhere in the Caribbean). You may have already read some about how Internet Explorer for Windows Vista will run in a new “Protected Mode” (formerly known as Low-rights IE) to help prevent malware from installing on a user’s system through a vulnerability.

Powerful add-ons like ActiveX controls are part of what make browsing such a rich experience but any extensibility can also introduce threats to browser security. In IE7 Beta 1, you’ll be able to use IE in “No Add-ons” mode. In Beta 2 we’ll continue to enhance the user interface for “Manage Add-ons” to make it easy for users to be in control of Add-ons. We know that our user base depends on the rich scenarios that they get with Add-ons. Our goal is to help users take control of important decisions while maintaining a rich, consistent, easy-to-use experience.

There’s also a threat that a malicious web site will try to trick you into letting it do something dangerous. The most upsetting example of this is the recent epidemic scam-tactic known as “phishing”. The scam usually starts with a bogus email that urges the victim to visit to a fake banking site. After the victim visits the site and enters their password, the site uses it to steal money from the victim account. Tariq from my team will be telling you about how we built a Phishing Filter to fight back against this threat. The Phishing Filter will be able to take you away from a reported phishing site but, even if a site hasn’t been reported yet, Internet Explorer will warn you about sites that might look a “little bit phishy” because they use some features commonly used on phishing sites. We want your feedback on how the Phishing Filter performs and Tariq will tell you how to submit feedback directly through the UI. We’ve also made it easier to check the lock icon for legitimate banking and secure sites. Eric will tell you more about that. We’ll continue to improve the user interface in Beta 2 with additional features to make security decisions easier.

We believe that security is never done but that we can make a huge difference in this release. We’re proud that we get to tackle these threats head-on in IE7. We’re hoping for lots of feedback from the security and developer communities - we want to make sure IE7 is rock solid. As always, if you find a vulnerability, please report it responsibly, this helps protect the other people like you working with us on this beta.

- Rob Franco

  • Loading...