New security features in IE8
Microsoft has announced interesting new security features that will be in Internet Explorer 8 Beta 2. They are following other browsers such as Firefox on some issues, and taking bold new steps on others.
- IE8 Security Part I: DEP/NX Memory Protection
- IE8 Security Part II: ActiveX Improvements
- IE8 Security Part III: SmartScreen® Filter
- IE8 Security Part IV: The XSS Filter
- IE8 Security Part V: Comprehensive Protection
Firefox users are already filing bugs asking for us to match some of these features.
July 4th, 2008 at 3:16 pm
“IE8 prevents ‘upsniff’ of files served with image/* content types into HTML/Script. Even if a file contains script, if the server declares that it is an image, IE will not run the embedded script.”
“We were able to make this change by default with minimal compatibility impact because servers rarely knowingly send HTML or script with an image/* content type.”
So much for them working towards natively supporting image/svg+xml, which allows JavaScript in SVG files (does this also break Adobe’s SVG viewer?)
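The “upsniff” rule quoted in the comment above, as an added example that is not from the original post or from Microsoft’s IE8 writeups: a small Node.js model of a legacy content sniffer beside the IE8 rule, plus the server-side check an upload handler should do regardless of which browser fetches the file. The byte heuristics, the sample polyglot and the helper names are assumptions for illustration, not IE’s actual sniffing algorithm; the `X-Content-Type-Options: nosniff` header is real (IE8 introduced it) but is not discussed on this page.

```javascript
// Added example, not code from the Mozilla post or from Microsoft's IE8 writeups.
// Models the quoted "upsniff" rule: a legacy sniffer promotes any response whose
// first bytes look like HTML into text/html, whereas the IE8 rule never promotes
// a response the server declared as image/* into HTML/script. The byte heuristics
// below are a deliberate simplification, not IE's real algorithm.

const HTML_MARKERS = ['<!doctype html', '<html', '<head', '<body', '<script', '<iframe'];

// Does the start of the body look like an HTML document? (simplified heuristic)
function looksLikeHtml(bytes) {
  const head = Buffer.from(bytes).subarray(0, 256).toString('latin1').trimStart().toLowerCase();
  return HTML_MARKERS.some((m) => head.startsWith(m));
}

// Real image containers start with a fixed signature; an HTML document does not.
const IMAGE_SIGNATURES = [
  { type: 'image/png',  sig: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/gif',  sig: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
  { type: 'image/jpeg', sig: [0xff, 0xd8, 0xff] },
];

function imageTypeFromMagic(bytes) {
  for (const { type, sig } of IMAGE_SIGNATURES) {
    if (sig.every((b, i) => bytes[i] === b)) return type;
  }
  return null;
}

// "image/png; charset=utf-8" -> "image/png"
function mediaType(contentType) {
  return contentType.split(';')[0].trim().toLowerCase();
}

// Type the browser will actually render the response as.
// policy: 'legacy' = sniff freely; 'ie8' = the quoted rule (no image/* -> HTML promotion).
function effectiveType(declaredContentType, bytes, policy) {
  const declared = mediaType(declaredContentType);
  if (policy === 'ie8' && declared.startsWith('image/')) {
    return declared; // server said image: embedded <script> is never run
  }
  return looksLikeHtml(bytes) ? 'text/html' : declared; // the "upsniff"
}

// Server side: what an upload handler should do before relying on any browser.
// Accept only bodies whose signature matches the declared image type, and
// answer with headers that forbid sniffing.
function validateImageUpload(bytes, claimedContentType) {
  const actual = imageTypeFromMagic(bytes);
  if (actual === null) {
    return { ok: false, reason: 'no recognised image signature' };
  }
  if (claimedContentType && mediaType(claimedContentType) !== actual) {
    return { ok: false, reason: `claimed ${mediaType(claimedContentType)}, bytes say ${actual}` };
  }
  return {
    ok: true,
    headers: {
      'Content-Type': actual,              // derived from the bytes, never from the client
      'X-Content-Type-Options': 'nosniff', // header IE8 introduced; assumed here as the second control
    },
  };
}

// Constructed sample inputs (not real uploads).
const POLYGLOT = Buffer.from('<script>alert(document.cookie)</script>', 'latin1'); // "avatar.png" that is really HTML
const REAL_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13, 0x49, 0x48, 0x44, 0x52]);

function demo() {
  return {
    legacyRendersAs: effectiveType('image/png', POLYGLOT, 'legacy'), // 'text/html'  (script runs)
    ie8RendersAs: effectiveType('image/png', POLYGLOT, 'ie8'),       // 'image/png'  (broken image, no script)
    upload: validateImageUpload(POLYGLOT, 'image/png'),             // rejected before it is ever served
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Run it with `node` to see the same polyglot rendered as `text/html` under the legacy policy and kept as `image/png` under the IE8 rule. The declared type is matched by its `image/` prefix only, so an `image/svg+xml` response also keeps its declared type in this model; the model says nothing about how a browser’s SVG handler treats script inside an SVG document, which is the separate question the comment raises.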
July 4th, 2008 at 3:24 pm
I see their address bar now highlights the domain, making the rest of the URL grey. I seem to recall reading that this was removed from firefox nightlies because people found it annoying/harder to read, so I’m interested to see what happens with it in IE.
I do quite like the idea of isolated mode, though – it’s nice that different tabs can be loaded with different privileges according to the native OS, and that crashes are less of an annoyance. Conceivably this could help with reclaiming lost memory, such as when a plugin leaks memory, too.
July 4th, 2008 at 4:38 pm
The XSS thing is something NoScript already protects against.
I’d expect such a simple thing (whitelist JS execution) to be built into the browser by now since it’s been getting requested for X years, but as usual developer politics seem to be killing progress…
July 7th, 2008 at 1:35 am
From a usability point of view, lack of whitelisting JS execution is not about “developer politics”, it’s about the fact that websites stop working by default, and people don’t like that.