Internet Explorer 10 Brings New Security Features to Windows
With each new upgrade of its Internet Explorer Web browser, Microsoft has brought in improved security features.
That pattern continues with Internet Explorer 10, which promises a number of new enhancements when it's released along with Windows 8 at the end of October. (The browser will also run in Windows 7.)
Internet Explorer hasn't always had the best reputation when it comes to security, although that's partly because many computer users still use out-of-date versions such as IE 6. Today, Internet Explorer also has to compete with Google Chrome and Mozilla Firefox, which are considered to be more secure.
However, having an up-to-date browser is far more important than which flavor of browser you use. Each new iteration of browser technology is always more secure than the previous version.
Under the hood
Michael Sutton, vice president of security research for Zscaler ThreatLabZ in San Jose, Calif., said many of IE 10's new security features are enhancements of what older versions offered. They include:
Enhanced Protected Mode: "Protected Mode" was first introduced with Internet Explorer 7 in 2006 and ensured that Internet Explorer ran with restricted privileges that limited its effect on other applications or on Windows.
Enhanced Protected Mode, introduced in IE 10, extends this further by ensuring that the browser has read/write access only when absolutely necessary.
One complication of this extended feature is that most browser add-ons are not yet compatible with Enhanced Protected Mode and will be disabled until they are updated.
InPrivate browsing: First introduced with Internet Explorer 8 in 2009 and designed to prevent storing a user's browser history, InPrivate Browsing — sometimes known as "porn mode" — will now be per-tab rather than per-session.
ForceASLR: Microsoft has enhanced memory-bed controls with each successive iteration of IE to prevent code injected into a running application from executing.
Address space layout randomization (ASLR) was introduced in IE 7 and randomized the locations in memory of various modules. That way, it's more challenging for malicious code to call various functions.
ForceASLR extends this concept by randomizing the location of all modules loaded into memory by the browser.
Yanking out the plug-ins
Internet Explorer 10 also addresses chronic security problems with two common browser plug-ins: Java and Adobe Flash Player.
In the old Web, Flash and Java enabled the first rich, cross-browser application experiences, far beyond what browsers alone could offer. Many games, video clips, remote desktop interfaces and browser utilities ran in Flash or Java.
"In the new Web, the emerging standards-based technologies, like those in HTML5, will offer capabilities similar to those plug-ins, natively in the browser," said Chris Weber, co-founder of Casaba, a software-security company in Redmond, Wash.
"The new Web will run cross-browser without the need for plug-ins, making for a reduced attack surface and more secure browsing experience," Weber said. "The emerging standards we call HTML5 are providing specifications for rich features previously only found in third-party plug-ins (e.g. Java, Flash, Silverlight). HTML5 is paving the way to a browser experience that doesn't require plug-ins."
Weber pointed out that Internet Explorer 10 has an integrated Flash player, similar to what Chrome has had for years.
However, IE10 comes in two variants — a "desktop" version that's not very different from IE 9, and a new "Modern" interface that's built for tablets and touch screens running Windows RT, a mobile version of Windows 8.
The Modern interface will permit only preapproved, "whitelisted" websites to run Flash.
"The simplest way to put this is that Flash will work in some sites, and not in others," Weber said. "Developers should be making efforts to move away from it, and move toward HTML5 standards which provide similar functionality."
Does that mean HTML5 is the answer to the security problems that seem to accompany some browser plug-ins? Perhaps it will be in the future, but not yet.
"HTML5 will try to replace all proprietary plug-ins eventually; however, Internet Explorer 10 will have to support Java and Flash because the majority of Internet users want to be able to use applications that rely on these plug-ins," said Marcus Carey, a security researcher at Boston-based vulnerability-management company Rapid7.
"Microsoft needs to recognize this and support both plug-ins for the foreseeable future if they want to maintain any kind of viable market share in the browser market," Carey said. "This is particularly true for business environments that rely on Java for productivity. … If IE10 can't support their needs, they will use alternative browsers such as Firefox or Chrome."
Tight race against Chrome
So how do the new security features in Internet Explorer 10 compare with those in other browsers? According to Weber, Chrome and IE run pretty closely together when it comes to security features; however, IE is pushing a few extra points when it comes to memory protection.
Firefox is lagging behind by not building in such major features as process isolation, or "sandboxing," which IE and Chrome have both featured for a while now.
The security experts agree on one thing: Only time will tell how well the security features and enhancements in IE10 work, and where IE10 fits into the crowded browser market.