Internet Explorer 7 Security Features Steve Lamb Technical Security Evangelist @ Microsoft Ltd [email protected] http://blogs.technet.com/steve_lamb Agenda Lessons learned from IE in Windows XP SP2 Overview of Internet Explorer 7 Detailed features and demo Timeline More information First, Let me ask… How many of you are using IE7 now? What build? How can we help you? Post Windows XP SP2 Strengths Big security investments were worthwhile Right balance of application compatibility and security Opportunities to improve Social attacks (phishing) as important as code execution Bad trust decisions don’t have an “undo” option Make life better for Web developers Everyone wants new features Internet Explorer 7 Major innovations in IE7 for Windows XP SP2 Enhanced functionality in IE7 in Windows Vista includes: Protected Mode Parental Controls integration Key areas of focus: Makes everyday tasks easier Dynamic security protection Improved platform and manageability IE7 – New Look Tabbed Browsing Quick Tabs Page Zoom Before After Shrink-To-Fit Printing Web Pages Automatically Formatted To Print Properly Inline Search RSS Feed Reader Enhanced Validation Certificates Clearer information about trusted sites Trust Badge rotates to show Certificate Authority Dynamic Security Protection Internet Explorer 7 Technology to protect against technology attacks Limit programmatic access Reduce attack surface Warn if settings insecure Simplified architecture Technology to protect against social attacks Anti-phishing service Secure site visuals and info Address bar anti-spoofing “One-click cleanup” Security Features Protecting the machine from technology attacks Unified URL parsing Cross-domain security enhancements Code quality improvements to reduce buffer overruns ActiveX Opt-in Protected Mode (Microsoft Windows Vista only) Protecting the user from social attacks Download scanning with Windows Defender Phishing Filter High-assurance SSL and address bar Dangerous settings notification Secure defaults for International Domain Names Parental controls (Windows Vista only) ActiveX Opt-in & Protected Mode Defending systems from malicious attack ActiveX Opt-in: puts users in control Disabled User Controls Enabled Controls Action Most controls disabled Windows Reduces attack surface ActiveX Opt-in Retain ActiveX benefits, increase user security Protected Mode*: reduces severity of threats IE process ‘sandboxed’ to protect OS Eliminates silent malware install Designed for security and compatibility Low Rights User Action IE Cache Broker Process My Computer (C:) Protected Mode * Windows Vista only Internet Explorer Running with Full Privileges Admin Rights Access Install an ActiveX control Exploit can install MALWARE IExplore.exe HKLM Program Files User Rights Access Change Settings, HKCU Download a Picture Exploit can install MALWARE My Documents Startup Folder Temp Internet Files Cache Web content Untrusted files and settings Broker Process Broker Process Integrity Control Protected Mode Internet Explorer Compat Redirector Protected Mode Runs with Lowest Privilege Admin Rights Access Install an ActiveX control HKLM HKCR Program Files Change settings, User Rights Access HKCU My Documents Save a picture Cache Web content Startup Folder Temp Internet Files Untrusted files and settings Redirected settings and files Security Status Bar Makes users aware of online security and privacy Enhanced Validation Trusted party has provided extensive verification for the authenticity of certificate holder Standard Security Website provided a certificate matching the server and appears trustworthy Incorrect Data There are errors in the certificate provided and the website should not be trusted Phishing Filter (Warn) The website contains characteristics found in phishing websites … proceed cautiously Phishing Filter (Block) A warning is displayed and users are navigated away from the website Phishing Filter Client-side heuristics, allow-list, and Web service URL Reputation Service URL Reputation Service https://urs.microsoft.com Known Good URLs IEAPFLTR.DAT Phishing Filter Populating the URL reputation service URL Reputation Service URL Reputation Service Grader Confirmed Sites Cyota Graders Mark Monitor Internet Identity Third Party Phishing databases End User Report Site Owner Report https://urs.microsoft.com Address Bar Everywhere Fix My Settings IDN Display Phishing Filter – Suspicious Site Phishing Filter - Blocked Site Fix My Settings Customer Call To Action Read the technology overview Upgrade to IE7 RTM Test LOB applications and public websites Provide feedback to Microsoft (mailto:[email protected]) More IE7 Information Download the IE7 RC1 at http://www.microsoft.com/ie Technical docs on IE Developer Center http://msdn.microsoft.com/ie IT Administrator information on Technet http://www.microsoft.com/technet/prodtechno l/IE/ieak7 More technical information on TechNet http://www.microsoft.com/technet/prodtechno l/IE Follow the IE Team Blog at http://blogs.msdn.com/ie Resources 1 Internet Explorer Blog http://blogs.msdn.com/ie/ Internet Explorer Feedback Alias [email protected] Internet Explorer Developer Center http://msdn.microsoft.com/ie/ Internet Explorer 7 Readiness Toolkit http://go.microsoft.com/fwlink/?LinkId=64421 Internet Explorer 7 App Compat Toolkit http://blogs.technet.com/all_things_appcompat/default.aspx Internet Explorer 7 External Bug Database https://connect.microsoft.com/site/sitehome.aspx?SiteID=136 Internet Explorer Administration Kit (IEAK) 7 Beta 2 http://www.microsoft.com/technet/prodtechnol/ie/ieak7/default.mspx Resources 2 Technical Chats and Webcasts http://www.microsoft.com/communities/chats/default.mspx http://www.microsoft.com/usa/webcasts/default.asp Microsoft Learning and Certification http://www.microsoft.com/learning/default.mspx MSDN & TechNet http://microsoft.com/msdn http://microsoft.com/technet Virtual Labs http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx Newsgroups http://communities2.microsoft.com/ communities/newsgroups/en-us/default.aspx Technical Community Sites http://www.microsoft.com/communities/default.mspx User Groups http://www.microsoft.com/communities/usergroups/default.mspx Steve Lamb Technical Security Evangelist @ Microsoft Ltd [email protected] http://blogs.technet.com/steve_lamb © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.