Is IE8 Actually Safer?

Internet Explorer 8 hits the wires today with a bevy of new security features, including more protection against hacked sites, ActiveX lockdowns, and a private browsing mode. And if you're wondering whether you should get it, then here's your short answer: Yes.

IE8's new security features aren't earth-shattering, and it's a safe bet that crooks will continue to find successful attacks against the browser. Case in point: The new browser was already hacked by a security expert at the ongoing CanSecWest conference, along with Safari and Firefox.

But while IE8 won't stop malware and computer hacks, its additional protections should help. The new features include malware site blocking (SmartScreen), protections against site hacks that use cross-site scripting (XSS) or 'click-jacking' to steal your passwords or other data, and a simple but nice domain highlighting feature that can help you identify a phishing site. It also offers ActiveX control lockdowns, and a private browsing mode.

Microsoft says its SmartScreen filtering expands on IE7's anti-phishing filter to also block sites that are known to spread malware. I wrote about the feature, along with similar ones in Firefox and Opera, last summer. The feature uses a blacklist compiled from third-party partners, along with user submissions. No blacklist can block every bad site, since sites have to first be discovered and added to the list before they're blocked. But every additional opportunity to block a bad site helps.

The protection against 'click-jacking,' which could allow an attacker to trick you into executing some command of the attacker's choosing when you think you're clicking on a regular site button, requires that Web site operators add a special tag to their sites, and was panned by one of the researchers who originally reported the risk. As with the additional basic protection against data-stealing XSS attacks, it won't be a cure-all, but it may help. The same goes for the ActiveX options that allow a given control to run only for a particular user or a particular site; buggy ActiveX controls have been a long-standing plague for IE security.

More clear-cut is the simple but welcome domain-name highlighting. IE8 will lighten some of the text in a URL so that it's easy to immediately pick out the real domain name, which can help foil a common phishing tactic of using long URLs that start with something that looks like a real bank site, for instance. Firefox users can (and should) get the same functionality with the Locationbar2 addon.

And finally, there's the InPrivate browsing, aka 'porn mode.' The feature allows you to surf sites in a new browser window without leaving a record of your surfing in the browser's history or cookie cache, and also turns off toolbars and extensions by default. I wrote about the feature, along with the related InPrivate filtering that can allow you to stop sites you visit from sharing information about your visit with third parties. I covered both features, along with private browsing features in Firefox, Safari and Google's Chrome, last fall.

If you currently use IE 7, then as my colleague Preston Gralla writes in his nice review of IE 8, upgrading is a no-brainer, both for the additional security and other features. And if you're still using IE 6, then first re-install Windows, because you're probably already infected six ways from Sunday. Then install IE 8 on your clean install of Windows.

As to whether it will prove more secure than competing browsers such as Firefox, the jury's still out. For one thing, if it wants to wear the secure browsing crown, then Microsoft needs to improve the time it takes to close discovered holes. New risks constantly pop up for all browsers, but Mozilla tends to close those holes much more quickly than Microsoft.

But even if you use Firefox, Opera or something else as your primary browser, odds are you still have to fire up IE on occasion, maybe for an old company Web site that uses IE-specific code. So head to Microsoft's download site for the new browser.
