Matt Heller

Matt Heller
Internet Explorer Product Management
Microsoft Corp

IE 8 is feature complete.

Evolution and Change

Web has envolved a lot the last 2-3 years. Things change, Web 2.0, privacy … Mashups are getting common. Users use frameworks for that. This creates new vulnarabilities.

Users need to get control over things, especially this goes for privacy. User Preferences/Control. EU is coming with law/rules giving consumers privacy rights.

Growth in ecommerce depends on consumer trust. Consumers need to trust the sites they are visiting, but also the browser they use.

Shifting Threats and Exploits

Social Engineering

Phising Filters

Email Authentication

Browser Vulnerabilities

Web Server & Applications

The world beyond the browser.

Malvertising

More leveraged and efficient target

Reducing limitations with spam traps or phising filters

Threat Trends and Diversification

Attacks Getting More Sophisticated

  • Spyware
  • Rootkits
  • Application attacks
  • Phising (Smart Screen filtering) / Social engineering

 

Vulnerability Class

70 % of the vulnerabilities out there (XSS), are things that trad. browsers could not do anything about. MS tries to do things against them in IE 8.

XSS Exploits

XSS are the most prevalent vulnerability (41%)

XSS exploits are the new buffer overflow

Internet Explorer 8

Freedom from intrusion

  • Social engineering and exploits: Emerging threat vectors, attacking multiple targets (users, businesses, brands and site owners), devirsification of attacks
  • Reduce unwanted communications

Protection from harm

  • Browser and web server exploits
  • Deceptive websites, malicious code, fraud, identity theft

Control of information

  • Choice and control
  • Clear notice of information use
  • InPrivate Browsing
  • Deleting Cache

 

ActiveX Enhancements

Security, compatibility and functionality

Who? Per User. Doesn’t require elevating admin privileges. No longer installed per machine, but per user. Therefor admin acceptance is no longer needed. Installs to current user.

Can it be used? Opt-in. Before it can be used

Where? Per site. Developers can restrict to their site

Exploit Controls. ActiveX Killits. Pre IE 8. Can be requested by control publisher.

The Acitive X Enhancements can be configured via Group Policy.

IE 8 XSS Filter

Cross-site scripting attack

MS is only identifying the scripts. Known XSS scripts get changed to the point that it doesn’t run.

The domain name is in IE8 highlighted.

XSS Decision Process Flow – Photo made, available later.

More Secure Mashups

Typical for mashups is that the communication is cross domain.

  • Cross Domain Request (XDR)
  • Cross Document Messaging (XDM) – Part of the new HTML 5 draft

 

Third Party Content Serving

Over time, users’ history and profiles can unknowingly be aggregated:

  • Any 3rd party contect can be used like a tracking cookie
  • Unclear accountability with 3rd party security and privacy policies

 

User control

  • InPrivate Browsing
  • InPrivate Blocking
  • InPrivate Subscription

 

Resources

Check out http://www.ie8demos.com

http://www.microsoft.com/ie8

http://blogs.msdn.com/ie