Microsoft has outlined new security features it will add to Internet Explorer (IE) next month, including anti-malware protection to block most cross-site scripting attacks.
Internet Explorer 8 Beta 2, which Microsoft has slated for release sometime in August, will include two new security tools, said Austin Wilson, the director of Windows client product management.
One, dubbed "SmartScreen Filter" by Microsoft, adds malware blocking to the anti-phishing protection already embedded in IE7. The new feature, which will resemble the defences already used by rival browsers Firefox 3.0 and Opera 9.5, will warn users when they're about to visit a site known or suspected of spreading malicious code and then block any download from that site.
Unlike Mozilla's Firefox, however, which retrieves a blacklist several times daily, then stores it locally to compare against URLs, IE8 will dynamically determine whether the site is potentially dangerous by pinging remote servers each time a user tries to reach a page.
Microsoft will use multiple third-party sources to compose the blacklists for both phishing and malware-hosting sites, said Wilson, and will also draw on data gathered by Windows Defender, the company's free anti-spyware tool. Wilson would not disclose the third-party information providers, however.
"We get the data feeds, and update our lists multiple times a day," he said. "And IE8 makes the call to the URL reputation service servers, and if it's a phishing or malware site, the browser navigates away from the page and displays a warning."
He denied that the process would have a noticeable impact on IE8's performance. "Our choice was to make sure that the user has the most recent data possible," he said. "We do an asynchronous call, so the page rendering takes place while the call is made to the reputation servers."
Also to debut next month in IE8 Beta 2 is an integrated filter that Microsoft said would prevent most cross-site scripting attacks.
"Today, the end user can be doing all the right things, checking the URL to make sure it's legitimate, only going to trusted sites, but because of vulnerabilities on the web server side, they can still be compromised," said Wilson, referring to cross-site scripting attacks, which are most commonly used by identity thieves and have been on the upswing.
"When IE8 sees a cross-site scripting attack, it stops that script from being reflected to the server, and stops the attack at the client," Wilson added.
IE8 will have the cross-site scripting filter enabled by default, and will not need to deal with pop-up warnings or other dialogs, added David Ross, a security software engineer at Microsoft.
"When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server's response," said Ross in a technical posting to the IE team's blog today.
Ross, however, acknowledged that IE8's cross-site scripting filter won't completely protect users. "The XSS [cross-site scripting] Filter defends against the most common XSS attacks but it is not, and will never be, an XSS panacea," Ross said.
IE8 Beta 2 will ship next month, Microsoft's Wilson confirmed, although he declined to set a more specific date.