Wednesday, July 2, 2008

Thoughts on IE8

I read quite a bit of stuff on the IE8Blog today. Most interesting to me are the improvements surrounding ActiveX controls. Among the big changes here are Per-User (non-Admin) controls and Per-Site Controls.

Per-User Controls can be installed by standard users without elevating privileges. Administrative rights are no longer required because the control will only exist within the profile of the user who installs it, so a vulnerable or malicious control cannot be used to attack other accounts on the same machine.

More importantly, Per-Site Controls allow users to whitelist the sites that may use a given control. This is a real breakthrough in the fight against ActiveX re-purposing attacks, in which a malicious web site abuses functionality in a legitimate control. Where security-conscious developers once had to maintain their own whitelisting code within the control (checking the hosting page's URL before doing anything sensitive), IE8 will enforce the site restriction for them by default.

This is great for complex web applications (like SSL VPNs) that use ActiveX controls to perform sensitive or dangerous actions on the client. Unfortunately, many organizations still haven't even embraced IE7, so these defenses may not reach the users who need them most for quite some time.
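To show what the "whitelisting code within the control" actually has to get right, here is an added example, not code from the original post and not from any real control or from IE8: a site-lock check that parses the hosting page's URL with a real URL parser, requires TLS, and matches the hostname against a constructed allow-list (`ALLOWED_SITES` is an assumption; a plain entry must match exactly, a leading-dot entry also accepts subdomains). A substring check is included only to show the URLs it wrongly accepts.

```javascript
// Added example (not from the post or from any real control): the kind of
// site-lock check a re-purposing-resistant control used to carry itself.
// ALLOWED_SITES is a constructed allow-list: a plain entry must match the
// page host exactly; an entry with a leading dot also accepts subdomains.
const ALLOWED_SITES = ['vpn.example.com', '.intranet.example.com'];

function hostMatches(host, entry) {
  if (entry.startsWith('.')) {
    const base = entry.slice(1);
    return host === base || host.endsWith(entry);   // label-wise suffix, never a bare substring
  }
  return host === entry;
}

// Parse the hosting page's URL with a real URL parser, require TLS (a
// plaintext page could be rewritten in transit to embed the control), and
// compare the hostname against the allow-list.
function siteAllowed(pageUrl, allowList = ALLOWED_SITES) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch {
    return false;                                  // unparseable: fail closed
  }
  if (u.protocol !== 'https:') return false;
  const host = u.hostname.toLowerCase().replace(/\.$/, '');   // drop a trailing dot
  return allowList.some((entry) => hostMatches(host, entry.toLowerCase()));
}

// The check a hurried developer might write instead: a substring search over
// the raw URL. Kept here only to show what it lets through.
function naiveSubstringCheck(pageUrl, allowList = ALLOWED_SITES) {
  return allowList.some((entry) => pageUrl.includes(entry.replace(/^\./, '')));
}

// Constructed URLs a hostile page might present to the control.
const SAMPLES = [
  'https://vpn.example.com/start',
  'http://vpn.example.com/start',
  'https://vpn.example.com.evil.test/',
  'https://evilvpn.example.com/',
  'https://vpn.example.com@evil.test/',
  'https://portal.intranet.example.com/x',
];
for (const s of SAMPLES) {
  console.log(`${s.padEnd(42)} strict=${siteAllowed(s)}  naive=${naiveSubstringCheck(s)}`);
}
```

The three tricks worth remembering are the userinfo trick (`https://vpn.example.com@evil.test/`, where the trusted name is only the username), the suffix trick (`vpn.example.com.evil.test`) and the prefix trick (`evilvpn.example.com`); the substring check passes all of them, the strict check passes none. In a real control the page URL would come from the browser's host interfaces rather than a string argument, but the comparison logic is the same.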

On the XSS front, IE8 will also have a few new tricks. One is a client-side, blacklist-based XSS filter (like a wimpy NoScript) that blocks reflected attacks, where the payload travels in the request and is echoed back in the response, and notifies the user. Unfortunately, to avoid "breaking the web", it appears from that post that the filter will only block the most obvious SCRIPT tag injections.

Another new feature is the toStaticHTML() JavaScript method. This looks like another blacklist, but is intended to let a web site render third-party Web 2.0 content safely in the browser by stripping script-capable constructs from a string of HTML before it is inserted into the page. Hopefully it uses a robust blacklist!
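To make the blacklist-versus-allow-list point behind both features concrete, here is an added example that is not IE8's XSS Filter, not its toStaticHTML(), and not code from the original post: a blacklist filter of the kind described above (strip SCRIPT tags and the javascript: scheme) beside a small allow-list sanitizer, both run over constructed payloads. The tag list, the payloads and the function names are all assumptions made for the example.

```javascript
// Added example (not IE8's filter or toStaticHTML): a blacklist filter next
// to an allow-list sanitizer, run over constructed payloads. Neither matches
// IE8's real rules.

// Blacklist: strip <script> blocks and the javascript: scheme, pass the rest.
function blacklistFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/javascript:/gi, '');
}

// Allow-list: only these tags survive; every other '<' becomes literal text.
// All attributes are dropped except an http(s) href on <a>.
const ALLOWED_TAGS = new Set(['b', 'i', 'p', 'br', 'a']);

function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function allowlistSanitize(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));   // text between tags
    last = tagRe.lastIndex;
    const [whole, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeText(whole);                      // unknown tag: render as text
      continue;
    }
    if (slash) {
      out += `</${name}>`;
      continue;
    }
    let attrs = '';
    if (name === 'a') {
      const href = rawAttrs.match(/\bhref\s*=\s*"([^"]*)"/i);
      if (href && /^https?:\/\//i.test(href[1].trim())) {
        attrs = ` href="${escapeAttr(href[1].trim())}"`;
      }
    }
    out += `<${name}${attrs}>`;                      // canonical form, no stray attributes
  }
  out += escapeText(html.slice(last));               // trailing text (including a dangling '<')
  return out;
}

// Constructed third-party content: one obvious payload and three that carry
// no <script> tag and no literal "javascript:" at all.
const PAYLOADS = [
  '<b>hello</b><script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<svg onload=alert(1)>',
  '<a href="jav&#x61;script:alert(1)" onclick="steal()">click</a>',
];
for (const p of PAYLOADS) {
  console.log('blacklist : ' + blacklistFilter(p));
  console.log('allow-list: ' + allowlistSanitize(p));
}
```

The blacklist stops only the first payload; the event-handler and entity-encoded variants sail through untouched, which is exactly the "most obvious SCRIPT tag injections" limitation. The allow-list version survives them because it never has to recognise an attack, only the handful of things it is willing to emit. Two caveats: splitting tags with a regex is itself fragile (a `>` inside a quoted attribute confuses it), so a browser-side sanitizer should walk a real DOM tree instead; and the allow-list here is deliberately tiny, which is the price of that safety.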

Another new feature that I'm really excited about is domain highlighting. To counter phishing and other social-engineering attacks, IE8 will highlight what it determines to be the owning (registered) domain name in the address bar. Everything the site controls, like sub-domains, the path and the query string, will be grayed out, so the user can more easily key in on the important parts: the protocol and the domain name. Simple, but effective.
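The hard part of domain highlighting is deciding where the "owning" domain starts, which needs a public-suffix list (so that `example.co.uk`, not `co.uk`, gets highlighted). Here is an added example, not IE8's implementation and not code from the original post, that splits a URL into a gray prefix, the owning domain and a gray suffix; `PUBLIC_SUFFIXES` is a constructed stand-in for the real Public Suffix List (https://publicsuffix.org/) and the sample URLs are made up.

```javascript
// Added example (not IE8's implementation): split a URL into the part to gray
// out, the owning domain to highlight, and the rest. The owning domain is the
// longest matching public suffix plus one more label. PUBLIC_SUFFIXES is a
// constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = ['com', 'net', 'org', 'test', 'co.uk', 'org.uk'];

function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  let suffix = '';
  for (const s of PUBLIC_SUFFIXES) {                 // longest match wins (co.uk over uk)
    if ((host === s || host.endsWith('.' + s)) && s.length > suffix.length) suffix = s;
  }
  if (!suffix || host === suffix) return null;       // IP literal, bare suffix, unknown TLD
  const rest = host.slice(0, host.length - suffix.length - 1);
  return rest.split('.').pop() + '.' + suffix;
}

function highlightUrl(urlString) {
  const u = new URL(urlString);
  const trailingDot = u.hostname.endsWith('.') ? '.' : '';
  const host = u.hostname.slice(0, u.hostname.length - trailingDot.length);
  const domain = registrableDomain(host);
  if (domain === null) {
    return { before: u.href, domain: '', after: '' }; // nothing trustworthy to highlight
  }
  // Userinfo is part of the gray prefix: "vpn.example.com@" is attacker text.
  const userinfo = u.username ? `${u.username}${u.password ? ':' + u.password : ''}@` : '';
  const subdomains = host.slice(0, host.length - domain.length); // keeps its trailing dot
  return {
    before: `${u.protocol}//${userinfo}${subdomains}`,
    domain,
    after: `${trailingDot}${u.port ? ':' + u.port : ''}${u.pathname}${u.search}${u.hash}`,
  };
}

// Constructed URLs: two lookalikes, one real multi-label suffix, one IP literal.
const SAMPLES = [
  'https://www.paypal.com.evil.test/login',
  'https://vpn.example.com@evil.test/',
  'https://login.example.co.uk:8443/a?b=1#c',
  'https://203.0.113.5/login',
];
for (const s of SAMPLES) {
  const h = highlightUrl(s);
  console.log(`${h.before}[${h.domain.toUpperCase()}]${h.after}`);   // brackets stand in for bold
}
```

Run it and the first two lines show why the feature matters: all of `www.paypal.com.` and `vpn.example.com@` lands in the gray prefix and only `evil.test` is highlighted. A raw IP address gets no highlight at all, which is the right signal to give a user. Note that the trustworthiness of the result is only as good as the suffix list: a stale list will highlight `co.uk`-style suffixes as if they were owning domains.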