
IE 8 To Include New Security Tools

Trailrunner7 writes "Internet Explorer has been a security punching bag for years, and rightfully so. IE 6 was arguably the least secure browser of all time. But Microsoft has been trying to get their act together on security, and the new beta of IE 8, due in August, will have a slew of new security features, including protection against Type-1 cross-site scripting attacks, a better phishing filter and better security for ActiveX controls."

  • By Neruos (Score:1, Informative)

    by Anonymous Coward on Friday July 04, 2008 @07:32PM (#24062849)

    I've used IE6.x for over 4 years with no ill issues. Though I know how to set security and options and I know when to scan and what websites are allowed to run things (cookies, ActiveX, etc.) and which shouldn't.

    Not once has my computer been compromised due to IE.

  • by MichaelTheDrummer ( 1130657 ) on Friday July 04, 2008 @08:56PM (#24063243)
    Typing &gt; will give you >
    Typing &lt; will give you <

    You have to escape the special HTML characters. Man, I had to preview that 3 times to make sure I had the tags right!
  • by jfim ( 1167051 ) on Friday July 04, 2008 @09:18PM (#24063333)

    No, that's because they batch them in some gigantic 100MB+ update, instead of doing small updates for several applications, which is what Microsoft does.

    Seriously, there's no reason why a security update should take several dozens of megabytes [apple.com]. This only ensures that dial-up users will not install them and that people are more likely to delay installing patches due to the download time.

    Also, most patches on Windows are released every month, on what is called patch Tuesday [wikipedia.org], which is the second Tuesday of every month. I'm not sure I fully agree with the idea of a fixed patch schedule as it gives the malware authors a one-month window to exploit, although it does give corporate deployments a chance to test patches prior to deployment on a sane schedule.

  • by pdusen ( 1146399 ) on Friday July 04, 2008 @09:20PM (#24063345) Journal
    Actually, MS hires some of the best coders in the world. You're just an idiot.
  • by IntlHarvester ( 11985 ) * on Friday July 04, 2008 @09:55PM (#24063467) Journal

    Neither are sandboxed and both run with the same privs as the browser AFAIK.

    The only real difference is that Firefox comes with a whitelist which prevents random sites from installing add-ons.

  • by IntlHarvester ( 11985 ) * on Friday July 04, 2008 @10:00PM (#24063489) Journal

    There is an ActiveX plugin for Firefox: http://www.iol.ie/~locka/mozilla/plugin.htm [www.iol.ie]

    Either browser could easily support ActiveX on Windows if they wanted to. The main reason they don't is for marketing reasons (because it's perceived to be insecure).

    Aside from that, ActiveX is actually a documented Open Group standard, and there are (were) 3rd party implementations.

  • by Z34107 ( 925136 ) on Friday July 04, 2008 @10:06PM (#24063519)

    In IE7 on Vista, those bits (and everything you do, actually) are sandboxed. It's called protected mode [microsoft.com] and like everything well-written and intelligible in life, there's an MSDN article. ~~

    If you can get to a Vista machine, boot up Internet Explorer 7. In the bottom-right hand corner, you'll see an "Internet|Protected Mode: On." Internet Explorer, and everything launched in/from IE, run under a low "Integrity Level", which means they only have access to the "Temporary Internet Files\Low" folder and "HKEY_CURRENT_USER\Software\LowRegistry" key.

    Any file access is transparently redirected from these points: An ActiveX control trying to create "virus.dll" in "c:\windows\system32" will have it actually created in "Temporary Internet Files\Low\C\Windows\System32". (Nothing in this folder is executable.)

    Open up task manager. (CTRL+SHIFT+ESC) You'll notice an "ieuser.exe" process - should something need more privileges, like you saving a file to your downloads directory, this process will grant that one action regular, non-admin user privileges. Anything system changing has to pass through an "IEinstal.exe" process, which will trigger a UAC prompt.

    My understanding is limited to some Vista beta-era documentation and the MSDN article I linked, but they pretty much sandboxed the entire browser with sub-guest-account privileges. It relies on some new parts of the Vista kernel (you won't see the same sandboxing on IE7 in XP) but it's still pretty nifty, I think.
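
Added example (not part of the comment above, and not Microsoft's code): a small Python model of the integrity-level write check that Protected Mode relies on. It reads the mandatory-label SID from `whoami /groups` text and applies the default no-write-up rule; the sample output and the object labels are constructed for illustration.

```python
import re

# Well-known mandatory-label RIDs (SID form S-1-16-<RID>) used by
# Windows integrity control since Vista.
LEVELS = {0: "Untrusted", 4096: "Low", 8192: "Medium",
          12288: "High", 16384: "System"}
DEFAULT_OBJECT_RID = 8192  # an object with no explicit label counts as Medium

LABEL_SID = re.compile(r"\bS-1-16-(\d+)\b")

# Constructed sample of `whoami /groups` output for a Protected Mode process.
SAMPLE_LOW = r"""
Everyone                             Well-known group  S-1-1-0
Mandatory Label\Low Mandatory Level  Label             S-1-16-4096
"""
# Constructed sample for an ordinary, non-elevated user process.
SAMPLE_MEDIUM = SAMPLE_LOW.replace("Low Mandatory", "Medium Mandatory") \
                          .replace("S-1-16-4096", "S-1-16-8192")

def process_integrity(whoami_groups_output):
    """Return the integrity RID found in `whoami /groups` text, or None."""
    m = LABEL_SID.search(whoami_groups_output)
    return int(m.group(1)) if m else None

def write_allowed(process_rid, object_rid=None):
    """No-write-up: the writer must be at or above the object's level.
    This is necessary, not sufficient; the object's ACL is checked too."""
    if object_rid is None:
        object_rid = DEFAULT_OBJECT_RID
    return process_rid >= object_rid

def audit(whoami_groups_output, objects):
    """Map each object name to whether the integrity check permits a write."""
    rid = process_integrity(whoami_groups_output)
    if rid is None:
        raise ValueError("no mandatory label in input")
    return {name: write_allowed(rid, label) for name, label in objects.items()}

# Object labels assumed for illustration: the Low folder carries a Low
# label, the system directory carries none (so it is treated as Medium).
OBJECTS = {r"Temporary Internet Files\Low": 4096,
           r"c:\windows\system32": None}

if __name__ == "__main__":
    for sample in (SAMPLE_LOW, SAMPLE_MEDIUM):
        level = LEVELS[process_integrity(sample)]
        print(level, audit(sample, OBJECTS))
```

On a live Vista-or-later system, feeding the real `whoami /groups` output of a process into `process_integrity` shows which level it actually runs at.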

  • by Anonymous Coward on Friday July 04, 2008 @10:20PM (#24063575)

    You're absolutely right, it's the testers' fault that these [microsoft.com] things [googlepages.com] happen [xbox-linux.org] so [wikipedia.org] often [microsoft.com].

    Yes, they're old. But the best testers in the world would have noticed the mistakes (?) the best coders in the world made.

    In more modern operating systems, it's become well known that MSFT hid the facts [wikipedia.org] about how incredible their coders really are.

  • Re:Please say.. (Score:5, Informative)

    by Rutulian ( 171771 ) on Friday July 04, 2008 @11:03PM (#24063757)

    Actually, you can't with Firefox 3. It will detect a looping script and give you the option of stopping it. If you use NoScript, you can block it entirely.

  • You *can* set up browsers under Linux to have the same types of permissions, using AppArmor or SELinux. It's not OOTB though, and not as easy to approve outside-the-sandbox actions (like saving a downloaded file to a non-temp folder).

    It's also worth noting that this feature, called Protected Mode, is not available if UAC is disabled. If you honestly can't stand privilege escalation requests (for things that damn well should have them) then open the Local Security Policy management console (use the Start search, or look under Administrative Tools), find the UAC policy options, and set it to enable automatic escalation for Administrators. You're still sort of protected, in that any app that was started as a non-admin will stay non-admin until it requests privilege escalation, but you won't be given a chance to deny that escalation.

  • by Anonymous Coward on Saturday July 05, 2008 @05:42AM (#24064855)

    Firefox extensions are decidedly NOT the same.

    Imagine that every single website you're doing business with - banks, online shops, ... - wanted you to install their own Firefox extension. If THAT was true, you'd have a case, since that's what it's like with ActiveX; but of course, it isn't like that, and I'm surprised you can't see the difference.
