IE8 - information posted to the IE blog
The Internet Explorer team have published three new articles about IE8 security that are well worth a read.
First, the SmartScreen filter:
IE8 Security Part III- SmartScreen® Filter
The feature I want to call out about the SmartScreen filter is the antimalware support. SmartScreen not only blocks navigation to known phishing and malware sites, it also blocks downloads from known malicious sites, so victims are protected even when they never visit the malicious page directly. For example, if a victim is tricked into clicking a link in an email or instant message that downloads malware, SmartScreen will block the download, provided the link opens in IE (that is, IE is the default browser; the check is an IE feature, so a link opened in another browser does not get it). I can think of a whole slew of fake security software, also known as fraudware or betrayware, that I believe should be blocked by the SmartScreen filter.
Of course, such blocking can be overridden if need be (for example, because of a false positive). Those of you responsible for network management and security will be pleased to know that Group Policy can stop users from overriding the SmartScreen Filter: the setting is Prevent bypassing SmartScreen Filter warnings, under Administrative Templates > Windows Components > Internet Explorer. The usual caveat applies: enforce it only once you have a process for reporting and clearing false positives, because users will then have no way past a bad block.
The SmartScreen user interface has also been improved.
Second, cross-site scripting (XSS) vulnerabilities - the XSS filter
IE8 Security Part IV- The XSS Filter
"When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server’s response. Users are not presented with questions they are unable to answer – IE simply blocks the malicious script from executing."
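To make the quoted mechanism concrete, here is a simplified model of a reflected-XSS filter of this kind. It is an added example written for this post, not code from the IE team, and its signatures, its neutering rule (replacing `<` and `=` in the replayed payload with `#`) and the helper names (`suspiciousValues`, `filterResponse`) are my own simplifications rather than IE8's actual heuristics. The three properties it demonstrates are the ones the quote implies: only cross-site requests are inspected, the payload is neutered only when the server reflects it back, and a site can opt out of the filter per response with the `X-XSS-Protection: 0` header that IE8 introduced.

```javascript
// Simplified model of a reflected-XSS filter (added example, not IE8's code).
// Assumption: a real filter has far more signatures and tolerates obfuscation.
const XSS_SIGNATURES = [
  /<\s*script/i,          // inline script tag
  /javascript\s*:/i,      // javascript: URL
  /\bon\w+\s*=/i,         // inline event handler, e.g. onload=
  /<\s*(iframe|object|embed)/i,
];

function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Query-string values in the request that look like an XSS attempt.
function suspiciousValues(requestUrl) {
  const found = [];
  for (const [, value] of new URL(requestUrl).searchParams) {
    if (XSS_SIGNATURES.some((re) => re.test(value))) found.push(value);
  }
  return found;
}

// "Neuter" a replayed payload so it can no longer execute. The choice of
// characters to break is this model's assumption, not IE8's actual rule.
function neuter(payload) {
  return payload.replace(/[<=]/g, '#');
}

// Inspect one response. referrer: page that issued the request (null if none);
// requestUrl: the URL requested; headers: lower-cased response headers;
// body: the HTML the server returned.
function filterResponse({ referrer, requestUrl, headers, body }) {
  // Site opt-out: X-XSS-Protection: 0 turns the filter off for this response.
  const xxp = (headers['x-xss-protection'] || '').trim();
  if (xxp.startsWith('0')) return { body, blocked: false, reason: 'opt-out' };

  // Only cross-site requests are examined; a missing referrer is treated as
  // cross-site because the filter cannot prove otherwise.
  if (referrer && sameOrigin(referrer, requestUrl)) {
    return { body, blocked: false, reason: 'same-origin' };
  }

  // Neuter each suspicious request value only if the server replayed it.
  let filtered = body;
  let blocked = false;
  for (const payload of suspiciousValues(requestUrl)) {
    if (filtered.includes(payload)) {
      filtered = filtered.split(payload).join(neuter(payload));
      blocked = true;
    }
  }
  return { body: filtered, blocked, reason: blocked ? 'neutered' : 'clean' };
}

// Constructed sample: a link on attacker.example points at victim.example's
// search page, which echoes the query back into the results unescaped.
const sample = filterResponse({
  referrer: 'https://attacker.example/lure',
  requestUrl: 'https://victim.example/search?q=<script>alert(1)</script>',
  headers: {},
  body: '<p>Results for <script>alert(1)</script></p>',
});
console.log(sample.reason, sample.body);
```

Note that the filter acts on what the server echoes, not on the request alone: the same suspicious query sent to a page that encodes its output correctly yields `reason: 'clean'` and an untouched body, which is exactly why the filter is a mitigation for vulnerable sites rather than a replacement for output encoding.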
Third, security improvements:
IE8 Security Part V- Comprehensive Protection
"As we were planning Internet Explorer 8, our security teams looked closely at the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. While we were building new Security features, we also worked hard to ensure that powerful new features (like Activities and Web Slices) minimize attack surface and don’t provide attackers with new targets. Out of our planning work, we classified threats into three major categories: Web Application Vulnerabilities, Browser & Add-on Vulnerabilities, and Social Engineering Threats. For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits."