Internet Explorer 8 beefed up against hackers and phishers

Posted by Humphrey Cheung

Redmond (WA) – Microsoft is beefing up its upcoming Internet Explorer 8 browser with several security improvements against hackers and phishers.  Eric Lawrence, Microsoft’s program manager of Internet Explorer security, says IE 8 Beta 1 will have more defenses against cross-site scripting, malware protection and URL highlighting.  File upload paths will also be changed to read only.  This will prevent hackers from reading direct paths to important files.

Perhaps the most important addition will be the cross-site scripting or XSS Filter that will provide defense against exploits that can steal cookies, credentials and even keystrokes.  Despite this protection, Lawrence warns that web developers shouldn’t get too complacent about letting IE take care of security.  He adds, “because this feature is only available in IE8, it’s important that web developers provide additional defense-in-depth and work to eliminate XSS vulnerabilities in their sites. Preventing XSS on the server-side is much easier that catching it at the browser”

IE 8 will also include beefed up malware protection thanks to third-party reporting sites.  When you visit a site, the url will be checked against a database of websites known to contain malware.  Suspicious sites will come up with a red background and a very large and noticeable warning box.  This is designed to replace the rather innocuous warning box we currently see in IE 7 – the one that most people just ignore.  URL highlighting will further protect users by highlighting good web addresses in black, while suspicious ones will be in gray.

You’ve probably had to upload files from your browser at some point in your life and usually a nice dialog box or window pops up asking for the path to the file.  Lawrence says skillful hackers could trick users into sending the complete file path to valuable documents and files.  In order to counteract this threat, IE 8 now has file upload control.  When uploading a file, you can type/select the file name, but the directory path will now be read-only.  Lawrence adds that IE 8 will now only submit the filename and not the full file-path.

You can download IE 8 Beta version one on Microsoft’s website here.   The download weighs in at approximately 14.5 megabytes.  Lawrence promises version two should be available sometime in August.