Internet Explorer (IE) has certainly had its share of flaws and vulnerabilities. Many of the most effective viruses and worms in the past couple of years owe their success to exploiting holes in Internet Explorer. A number of vulnerabilities have been reported to Microsoft that have yet to be patched, so the clock is ticking to see if hackers can exploit the flaws before Microsoft can fix them.
The security risks inherent in using IE have led many to migrate to new Web browser platforms, mainly Mozilla's Firefox. Of course, Firefox has its own share of highly critical flaws, so users shouldn't let down their guard just because they've made the switch. Users who migrate often think they are safe simply because they are using a different browser. That mentality puts them at greater risk than using Internet Explorer and being aware of its weaknesses.
Microsoft Internet Explorer is a more prestigious target for hackers, and it has a much larger population of users, so it is heavily targeted. To combat criticism of IE's security and stem the tide of users switching away from IE, Microsoft moved the release of Internet Explorer 7 (IE7) up to the end of this year; it was originally scheduled to ship as part of Windows Vista, due in late 2006.
Internet Explorer 7, currently available as a beta test version, offers a variety of new features and components, most of which have been "borrowed" from competing products such as Firefox. However, one of the central reasons for releasing IE7 is to improve security so that the product, and the user experience with it, is safer. Below are a few of the key security updates included in IE7:
- Phishing filter: IE7 compares Web sites against a Microsoft-maintained database of known phishing sites and looks for clues that a domain name may be spoofed or otherwise illegitimate. It gives the user a warning or alert that the site they are on may be a phishing site.
- Cross-domain scripting: IE7 will append the originating domain name before running scripts and restrict the ability of the browser to interact with outside content or domains. These features will help protect against Web site and domain spoofing.
- Restricted privileges: The version of IE7 that will come bundled in Windows Vista incorporates the LUA (least-privilege user account) feature to ensure that the browser is unable to modify or execute files it should not. This feature is not available in the standalone, or Windows XP, version of IE7 though.
- More efficient history deletion: In IE6, erasing the browser history, which contains information about sites the browser has previously accessed, required delving down a few levels through the Internet Explorer menus. IE7 includes a button for one-click deletion of browser history to erase personal data and passwords and more easily protect the user.
Internet Explorer 7 is still in beta testing. Microsoft is planning a refreshed release of Beta 1 before it even moves on to releasing Beta 2. As for Beta 1, there are still a number of features that have not even been incorporated yet, and a few of the existing features are a little buggy. Microsoft will continue to work out the kinks until the final production release toward the end of this year.
This first beta of IE7 shows a lot of promise. Microsoft will still not commit to making IE7 conform to some Web industry standards in terms of functionality, but in terms of security, the company seems to be moving in the right direction. I'd like to see the phishing alert displayed more prominently if Microsoft wants to get the user's attention, and there are a few other cosmetic changes I would like to see in Beta 2, but we'll just have to wait and see.
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Bradley contributes frequently to other industry publications. For a complete list of his freelance contributions, visit Essential Computer Security (http://www.tonybradley.com).