CouponDeals.tv


Tuesday, January 27, 2009

Microsoft Internet Explorer 8 RC1 Improves Security



By Thomas Claburn



Updates include architectural changes that mirror features found in Google's Chrome, Apple's Safari, and Mozilla's Firefox.

Microsoft has released Microsoft Internet Explorer 8 RC1, a near-final version of its new Web browser that's stable enough for widespread public testing.

Assuming that no show-stopping bugs or significant vulnerabilities are identified between now and whenever Microsoft is planning to offer the official release of Internet Explorer 8, RC1 represents the final form of Microsoft's browser, at least until the next revision.

Internet Explorer 8 has some catching up to do. Its global market share, according to Net Applications, is just 0.82%, compared with Google Chrome (all versions) at 1.04%, Mozilla Firefox (all versions) 21.34%, and Apple Safari (all versions) 7.93%.

The various versions of Microsoft Internet Explorer have 68.15% of the global browser market, down from 91.27% in 2004.

Among IE8's selling points are various safety and security improvements. These include architectural changes that put Web pages in separate processes, privacy enhancements, and online safety measures.

Microsoft has referred to IE8's architectural changes using the term "Loosely-Coupled IE," or "LCIE." In Internet Explorer 7, with a few exceptions, each browser window had its own process. But tabs, toolbar extensions, browser helper objects, and ActiveX controls also were managed by the same process. Thus, a crash in any part of this system could crash the browser.

In a move away from monolithic browser architecture, IE8's loosely coupled system puts tabs in separate processes, which in theory leads to better browser stability and less susceptibility to potential exploits. Google's Chrome browser also takes this approach, though in addition to running tabs in separate processes, it also gives plug-ins separate processes.

IE8 supports Data Execution Prevention, a technology that aims to reduce the exploitability of buffer overflows, which are commonly exploited for injecting malicious code. If programmers write their code with DEP in mind, many potential vulnerabilities could be eliminated.

IE8 also offers a private browsing mode called InPrivate, which allows the user to "launch a new browser session that won't record any information, including searches or Web page visits," as Microsoft puts it. This means that during InPrivate browsing sessions, which must be initiated by the user, cookies, searches, Web history, and other information aren't stored where they usually are on the user's computer. Apple's Safari and Google's Chrome both offer similar technology, as does the current Mozilla Firefox 3.1 Beta 2.

Local privacy settings like this may be useful for hiding online activities from members of one's household, but they don't prevent one's ISP or visited Web sites from recording the IP address or other transactional information.

InPrivate Browsing protections are disabled if Parental Controls are used.

IE8 also includes malware protection in the form of the SmartScreen Filter, the Cross Site Scripting (XSS) Filter, and Domain Highlighting. The SmartScreen Filter is a warning page that loads when the browser detects an attempt to visit an unsafe site. The XSS Filter attempts to detect malicious code on compromised Web sites. And Domain Highlighting highlights the domain name of a URL in black to reduce the effectiveness of deceptive URLs, which are often used for phishing.

In all, IE8 delivers significant security improvements over its predecessors. But given the extent to which cybercrime relies on social engineering, users of IE8, like users of other modern browsers, would be well advised to remain cautious about the sites that they visit and the information that they disclose online. It's only a matter of time before someone figures out a way around IE8's new defenses.
