Security and Internet Explorer

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say, an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the SmartScreen Filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the chart below, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

[Chart: protection against socially-engineered malware by browser, as reported by NSS Labs]

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010, broken down by browser, according to the National Vulnerability Database.


[Chart: publicly known vulnerabilities in 2010 by browser, National Vulnerability Database]

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which include the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8 and in the soon-to-be-released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code in your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has a built-in Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer, such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

4 Comments
  • Gisabun
    5 Posts

    OK. I've seen just too many people getting that fake anti-virus software on their systems. Some are nastier than others. So far all I've seen are Windows XP users. What is out there that can properly detect and clean them?

  • Tommyinoz
    46 Posts

    The big issue with IE is that it is the most targeted browser by malware developers in the world. This is because IE is integrated into the Windows OS and cannot be uninstalled. IE does not provide me with good control of the content that I download from web pages. It also does not have a good add-on culture the way Firefox does. I don't feel safe using it.

    The performance of SmartScreen is disappointing when I compared it to Firefox with Ad Blocker and NoScript add-ons. SmartScreen blocked an entire page because the page contained an advert which contained malicious code. There was nothing wrong with the page itself; it was only the advert that was the issue. Despite this fact, IE with SmartScreen blocked the entire page. Firefox, on the other hand, showed the entire page minus the malicious advert.

    The other annoying thing with IE is that when you receive a Security Update for it and you choose to install it, Windows wants to reboot your machine for the update to take effect.  How annoying!  Every other browser you just restart the browser for the updates to take effect.  Why on Earth do I need to restart the entire OS just because I installed updates to a web browser?  I can understand why an OS needs to be rebooted for the updates to take effect, but why a web browser?  I hope you didn't do something stupid like integrate a web browser into the OS?

  • Ali8
    3 Posts

    IE is not the most secure browser.

  • abm
    268 Posts

    No doubt IE is the most secure browser. Thanks for the nitty-gritty of the security measures taken.

    Incidentally, before we get the final release, is there any chance that this old ticket (connect.microsoft.com/.../create-download-in-ie9-download-manager) gets addressed in IE9?

    Also, there is a shortcoming (of very trivial nature, I guess, as compared to the features you guys have implemented over the past few months) in the F12 developer tools' HTML view. When we try to edit some tag by selecting the tag and pressing the edit button, it shows the innerHTML of the entire body rather than the innerHTML of the selected tag. Another one is, from the same HTML view of F12 dev tools, at the right side where the styles applied to the selected tags are shown, adding a new property is a little unfriendly (as compared to FF's Firebug... jmho; it would be a treat for web designers to adjust the pixels, adding-new-property/defining-new-rule etc. in IE as fluidly as they do in fb… and viewing the image preview on hovering the background-image both in separate and inline styling … would be awesome too!)

    Thanks and keep the great work coming IE-team !!