Security

How Secure Is Internet Explorer?

Security spec sheet

IE has all the usual security features: anti-phishing, pop-up blocking, private browsing sessions (called Inprivate Browsing), cookie security, MIME content-type sniffing, anti-XSS (cross-site scripting), and so forth. IE won't allow files to be automatically downloaded or helper programs to be automatically launched, and it can globally prevent images, sound files, animated images, and other objects from downloading. Only Opera can compete with IE on content blocking.

IE 8's updated anti-phishing filter, called SmartScreen, now also blocks sites confirmed by Microsoft host malware, regardless of whether phishing is involved. Like the anti-phishing features in Firefox and Opera, SmartScreen is not yet accurate enough to be completely relied upon. You'll still need anti-malware software and common sense.

One of the smallest, but best security improvements is IE 8's highlighting of the true domain name in the address bar when the name is embedded in a much longer URL. Phishers often embed the spoofed target's domain name inside a much longer fake domain name string. This one small change makes it significantly easier to recognize phishing sites Microsoft has not yet confirmed. Chrome has this feature, but in addition to the domain name, it highlights the Web server name, which is often spoofed by phishers as well. Microsoft's choice is more discriminating.

IE has always had good protections around privacy and cookie handling. By default, all first-party cookies are allowed, as are third-party cookies if the originating site has an explicit and available privacy policy (many don't). Either way, IE restricts personal information gathered by both first- and third-party cookies. Cookie policies are applied on a per-security-zone basis, and they can be set on individual sites as well.

IE 8's new Inprivate Blocking feature attempts to prevent other types of third-party tracking besides the normal cookie tracking techniques. If IE 8 notices a single third party tracking you over 10 Web sites, it will give the user a chance to block the tracking. You can also enable Inprivate Subscriptions, which implements Inprivate Blocking lists updated by Microsoft.

Add-ons and ActiveX

Only IE and Firefox have an add-on manager, and IE's is easily the best. As in Firefox, add-ons can be globally enabled or disabled by clicking a single button. But IE 8 allows add-ons to be restricted to running on a single site or be used by any Web sites. The initial decision is made during the add-on's first download, but can also be modified later. IE's add-on manager will show which add-ons are currently loaded, which have been used, and which have not been used.

IE users have always been able to disable ActiveX controls or allow only signed ActiveX controls to launch. (Java and JavaScript can also be enabled or disabled on a per-zone basis.) Microsoft now allows vendors to restrict the use of their ActiveX controls to certain Web sites via a feature called SiteLock ATL. Thus, even if a third-party vendor unknowingly creates a control found to be vulnerable to malicious exploitation in the future, it would only be usable from the vendor's Web site, which could be trusted not to contain malicious commands.

A new feature that has sparked great controversy is IE 8's support for per-user ActiveX controls. Formerly, most ActiveX controls require that the end-user be logged on as Administrator to install them. Now, vendors can repackage their existing ActiveX controls (or code new ones) to allow installation into the current user's profile without needing elevated permissions. Microsoft is attempting to promote more software products that can be installed without admin rights, which in turn means the underlying OS kernel will be harder for rogue applications and malware to modify. This type of system access control has been available on other browsers (such as in Firefox extensions) and operating systems (Linux, BSD, and so on) for many years, but is now being promoted in the Windows world as well. Many security admins see per-user ActiveX controls as an additional security and management headache. In any case, Microsoft allows per-user ActiveX controls to be disabled using the normal methods, and it's hard to argue with flexibility.

IE is one of the few browsers to have built-in Parental Controls, which block objectionable content as defined by a rating system. The settings are password protected and apply to all users, although a master password can be entered to temporarily bypass the default settings. There are several different categories of potentially objectionable content, and the administrator can choose whether to block all related content (for example, all nudity) or to allow exceptions (such as educational and art-related nudity). You can choose from various rating systems, and you can whitelist specific Web sites.

Subscribe to the Security Watch Newsletter

Comments