February 09, 2006

Review: Microsoft Internet Explorer 7, Firefox, And Other Browsers In Four-Way Shootout

IE7: Security And Privacy

Courtesy of InternetWeek




Security And Privacy
The biggest rap against Internet Explorer is its reputation as a vector for viruses and spyware. That's the argument you're most likely to get (usually accompanied by some serious table-pounding) when someone tries to convince you to quit using IE and adopt another browser instead.

If you're still running a version of Windows from the last millennium, that advice is right on the money. But if you're using Windows XP with Service Pack 2, the criticism that IE is a Petri dish for malware is a bum rap. Improvements to Internet Explorer 6 in SP2 effectively eliminated the most serious security problems by fundamentally changing the way IE handles ActiveX controls and downloads.

When you use an up-to-date version of Windows XP, site designers can't confuse you by repeatedly popping up inscrutable dialog boxes that entice you to download and install a piece of unwanted software; instead, you see an unobtrusive notification in the InfoBar at the top of the browser pane, and you get to decide whether to allow the software or to ignore it. That same version of IE6 also blocks pop-ups and provides an add-on manager, so you can get rid of unwanted toolbars and ActiveX controls that you decide you really don't want after all.

Still not feeling secure enough? You might feel a little better when you take a look at IE7. The update includes a long list of security enhancements that should make life miserable for malware.

  • A new URL parser is designed to foil common exploits that use a "carefully crafted" URL to create a buffer overflow. It also restricts scripts from interacting between sites or across domains. This type of organic approach is the right way to think about security, because it tackles the root of the problem instead of reacting to exploits that have already been released.

  • Most ActiveX controls are disabled by default. You have to specifically approve the use of any ActiveX control, even if it's part of the operating system. That simple precaution goes a long way toward blocking a common path for browser-based attacks.

  • Instead of being buried at the bottom of the browser window, security information shows up alongside the Address bar. That's where you'll find the padlock icon, which indicates that you've connected to a secure site; if the site is using a High Assurance certificate, which indicates that the certificate owner has undergone an extensive identity check, the Address bar glows green. If the certificate doesn't match the current Web site address or has another flaw, the Address bar turns red.



    If a site doesn't have Microsoft's High Assurance certificate, the Address bar turns red.

  • A new anti-phishing module promises some protection – it's too early to say how well it will work in practice – against sites that try to steal personal information. You can configure IE7 to check every Web site, or you can disable automatic checking and just submit individual pages that don't look right. In our tests, checking a site took up to 20 seconds. For a suspicious site, the Address bar turned yellow and displayed a warning label but still allowed data entry. For a site that had been flagged as a known phishing site, the Address bar turned red – well, pink, to be accurate – and replaced the contents of the page with a stern "don't go there" warning.



    Among IE7's security enhancements is a warning when you've hit a phishing site.

All of those security enhancements are available for free when you upgrade to IE7 on a computer using Windows XP SP2. Toward the end of this year, when Windows Vista finally hits the streets, upgraders will get some additional goodies not found in the XP version.

For starters, IE7 for Vista will work by default in Protected Mode, where it's isolated from the rest of the operating system. That means malicious Web sites won't be able to install software, muck about in the Registry, or change browser settings without explicit permission from an Administrator. By setting up Limited accounts for kids and technically naïve users, you can effectively limit their ability to install spyware, viruses, Trojan horses, and other malware. In addition, you'll have access to a full set of parental controls that you can use to restrict browser access and monitor which sites your kids are visiting.



