The newest edition of the IE8 browser "includes new security features and concerns that require some attention," Joren McReynolds, a security researcher at vendor Websense, said in a blog posting.
One of IE8's security enhancements Microsoft has highlighted is an improved "phishing filter" that offers a feature called the "Safety Filter." According to the company, this protects users against phishing attacks as well as malware. The Safety Filter, Microsoft said, warns users when they visit a website infected with malicious software.
In his blog posting, Websense's McReynolds expressed concern that IE8 allows cross-domain requests. IE8's support for cross-domain requests means "malicious attackers can use content injection holes in websites a lot more efficiently," McReynolds said.
"Typically, when a site is vulnerable to XSS (cross-site scripting), an attacker will inject content to steal user information and relay it back [to the attacker]," he said.
"The attacker can simply insert script code that communicates directly to a malicious server," he added. "With direct communication, it is foreseeable that injection payloads will evolve in complexity and features."
According to McReynolds, this will allow attackers to build what he termed "malicious frameworks" that put the client device in constant communication with the malicious server to determine what actions to take next.
"Stealing user information is just the start of what can be achieved with new emerging technologies such as these," he said.
This concept of direct, external communication in Internet Explorer 8 is "nothing new," McReynolds noted. Similar forms of this are found in iFRAMES and Flash files, he said.
"It is also important to note that IE8's external communication policy is not unique and actually resembles Flash's – both retrieve policy information on the request host," he added. "The benefit of direct communication is so large in terms of product development and interactivity that other browsers, such as Firefox, are also implementing cross-domain request capabilities into their product."
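The policy model McReynolds describes (the browser asks the request host whether another origin may read the response) puts the decision on the server side. The following is an added example, not code from the article, Websense or Microsoft, showing how a site would make that decision defensively: only an exact, allowlisted origin is granted, prefix and substring look-alikes are refused, and no wildcard is ever emitted. The article names no header; the `Access-Control-Allow-Origin` header used here is the standardized one that shipping browsers settled on, and the allowlist and request samples are constructed.

```python
"""Server-side cross-domain policy decision (added example, not from the article).

Assumptions: the grant is expressed with the Access-Control-Allow-Origin
response header (the article names no header), and ALLOWED_ORIGINS is a
constructed allowlist of sites permitted to read our responses.
"""
from urllib.parse import urlsplit

# Constructed allowlist: origins that may read cross-domain responses.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://partner.example.org",
})


def normalize_origin(origin):
    """Return an origin as canonical 'scheme://host[:port]', or None if unusable.

    A missing Origin, the literal 'null' origin, a non-http(s) scheme, an
    embedded path/query/userinfo or an unparsable port all yield None, so the
    caller treats them as 'no grant'.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def cross_domain_policy(request_headers, allowed=ALLOWED_ORIGINS):
    """Decide whether the requesting origin may read this response.

    Returns (granted, extra_response_headers). Only an exact allowlist match
    is echoed back; a wildcard is never emitted, so a response that carries
    the user's session can't be read by an arbitrary third-party page.
    """
    origin = normalize_origin(request_headers.get("Origin"))
    if origin is None or origin not in allowed:
        # Same-origin, non-browser, or untrusted caller: no cross-domain grant.
        return False, {}
    return True, {
        "Access-Control-Allow-Origin": origin,
        # The response differs per Origin; stop caches replaying one site's grant to another.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample requests, including a look-alike host that must be refused.
    for hdrs in ({"Origin": "https://app.example.com"},
                 {"Origin": "https://app.example.com.evil.net"},
                 {"Origin": "https://APP.example.com:443/"},
                 {}):
        print(hdrs.get("Origin"), "->", cross_domain_policy(hdrs))
```

Comparing on the normalized origin rather than with `startswith` or `in` is the whole point: `https://app.example.com.evil.net` and `https://app.example.com/anything` both fail the exact match, which is where ad-hoc policy checks usually go wrong.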
IE8 also includes a number of non-security features intended to enhance end-user browsing. Among these are functions Microsoft calls WebSlices and Activities, and the Links bar has been merged into the Favorites bar with new features added.
WebSlices allow websites to connect to users by subscribing to content directly within a webpage, similar to an RSS feed. WebSlices, Microsoft said, act just like feeds in that users can subscribe to get updates and change notifications. Users can find WebSlices within a webpage, then add them to their Favorites bar, which is a row below the Address bar.
Activities, which require website operators' cooperation to access and use, deliver functionality via IE8's right-click menu. They can present information to users from a website or let the user interact with another website or service.
Users access Activities by placing their cursor over an area of a webpage, then right-clicking to display a list of activities offered by the website. These could include defining a term on the page or offering a translation.
Several website operators, including Microsoft, Facebook, Digg, StumbleUpon and Yahoo, have already built Activities.
Internet Explorer 8 also catches up with Firefox in another way: It now gives users the option of recovering from crashes and then restoring the session or tab that crashed.
Microsoft releases Beta 1 version of IE 8, with new security features
By Jim Carr on Mar 13, 2008 9:45AM