
Windows Internet Explorer 8 Security, Inside and Out

Matt Heller, Internet Explorer, Microsoft (session SIA315)

Overview

Security (15 min)

Privacy (45 min)

Q&A (15 min)

Security

Threat Vectors: Increasing Severity & Ways of Risk

2003: Browser exploits in the wild
2005: Social engineering
2006: Malware; IE 7 & Phishing Protection
2008+: Blended threats, Web 2.0 site exploits

- Blended threats shifting from the browser to sites
- Impact to data governance & regulations
- Rapid pace of threat innovation
- Consumer & employee data at risk

Web 2.0 - Challenge or Opportunity?
- Efficiency, economics and expectations
- Syndicated content and ad business model enables sites and business
- Growth in ecommerce depends on consumer trust

Trust may be undermined by less than transparent collection of data and inadequate protection of privacy

Unknown accountability: 1st party and 3rd parties

Potential backlash & heightened consumer concerns

Internet Explorer 8: Trustworthy Browsing

Confidently bank, communicate & shop
- Extended Validation (EV) SSL Certificates
- SmartScreen® Filter - blocks phishing & malware
- Domain Highlighting
- Enhanced Delete Browsing History
- InPrivate™ Browsing & Filtering

Build on a secure foundation
- Security Development Lifecycle (SDL)
- Protected Mode
- ActiveX Controls
- DEP - Data Execution Prevention

Extends browser protection to the web server
- HttpOnly cookies
- Group Policies
- XDomainRequest - Cross Domain Requests
- XDM - Cross Domain Messaging
- XSS Filter - Cross Site Scripting
- Anti-ClickJacking

(Slide diagram: threat layers Web Server & Applications, Browser Vulnerabilities, and Social Engineering & Privacy, mapped against IE 7 and IE 8.)

Domain Highlighting: more accurately ascertain the domain of the site being visited. The domain is shown in black while the other characters of the URL are gray.

EV SSL Certificates: "Look for the Green"
- Provides consumers added confidence and brands enhanced protection
- Implemented by over 10,000 leading commerce, banking and transactional sites

Social Engineering

- Emerging threat vector and diversification
- Address concerns of users and site owners

SmartScreen® Filter

- Integrated phishing & malware download protection
- Examines URL string, preempting evolving threats
- Blocks 1 million+ weekly attempts to visit phish sites
- Significant malware site detection volumes: ~10x the traffic compared to phishing (IE8 beta users)
- Group Policy support - key IT requirement
- 24x7 support processes and feedback mechanisms

SmartScreen Filter (demo)

IE 8 XSS Filter
- Identifies and neuters the attack
- Blocks the malicious script from executing

Cross Site Scripting Filter (demo)

ClickJacking

- Entices users to click on content from another domain without the user realizing it
- Evolving server exploit, mitigated by the SmartScreen Filter

Impacts all browsers, only IE 8 has integrated protection capabilities

- Add an X-FRAME-OPTIONS tag in either the HTTP header or an HTTP-EQUIV meta tag on the page
- Deny all, or allow from same-origin hosts
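As an added example (not code from the deck), the following Node-style JavaScript emits the header for the two policies the slide names and models how a frame-aware browser applies it to a framed page; the function names and the .example hosts are ours.

```javascript
// Added example: emit the anti-ClickJacking header the slide recommends and
// model how a frame-aware browser applies it. Names and hosts are ours.
const POLICIES = { deny: 'DENY', sameorigin: 'SAMEORIGIN' };

// 'deny' refuses all framing; 'sameorigin' allows frames only from pages of
// the same origin as the framed document.
function xFrameOptionsHeader(policy) {
  const value = POLICIES[policy];
  if (!value) throw new Error(`unknown X-Frame-Options policy: ${policy}`);
  return { 'X-Frame-Options': value };
}

// Attach the header to anything with a Node-style setHeader(), such as
// http.ServerResponse. Call it for every sensitive page before writing the body.
function protectFromFraming(res, policy = 'deny') {
  for (const [name, value] of Object.entries(xFrameOptionsHeader(policy))) {
    res.setHeader(name, value);
  }
  return res;
}

// SAMEORIGIN compares scheme + host + port, nothing else.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Browser-side decision: may the document served with headerValue render
// inside a frame whose top-level page is topUrl? A missing or unrecognised
// header means "yes", the pre-IE8 default that ClickJacking relies on.
function framingAllowed(headerValue, framedUrl, topUrl) {
  if (headerValue == null) return true;
  const v = String(headerValue).trim().toUpperCase();
  if (v === 'DENY') return false;
  if (v === 'SAMEORIGIN') return originOf(framedUrl) === originOf(topUrl);
  return true;
}

// Constructed scenario: a bank serves its transfer page with SAMEORIGIN; an
// unrelated site tries to frame it, and the bank's own help page also does.
const sampleRes = { headers: {}, setHeader(n, v) { this.headers[n] = v; } };
protectFromFraming(sampleRes, 'sameorigin');
const sampleHeader = sampleRes.headers['X-Frame-Options'];
const framedByOther = framingAllowed(sampleHeader,
  'https://bank.example/transfer', 'https://other-site.example/');  // false
const framedBySelf = framingAllowed(sampleHeader,
  'https://bank.example/transfer', 'https://bank.example/help');    // true
```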

ClickJacking (demo)

Privacy

Some Things that are "Creepy"

Smile to the cameras – you’re on them about 200 times/day

"We're steadily marching to a society where every moment that you leave your home will be monitored and videotaped. And that's creepy.”

(Kevin Keenan, ACLU)

Government online records: mortgage documents, public state records, etc.

(Computerworld, Jan 29)

Why are they so Creepy?

Having records online or using surveillance cameras is not necessarily illegal. It is creepy because "contextual integrity" is violated.

- Information is transferred in context
- A context has a set of norms
- When information is transferred from one context to another without notice and consent, contextual integrity is violated

Privacy is all about being in control

Control == Notice + Consent

Security vs. Privacy

Security
- Core engineering issues
- Protection from harm
- Protection from fraud

Privacy
- Control over preferences
- Control over how information is shared

Phishing?

Web Privacy Issues Today – Some Examples

(Slide diagram: the IE8 user, the ISP, the website, and 3rd parties.)

- Privacy on a shared PC
- Anonymization (or IP obfuscation?)
- Third-party content providers
- ISP monitoring
- Server-side data sharing

IE8 Privacy Goals

- Put the user in control of the web browser
  - Shared PC: Delete Browsing History, InPrivate™ Browsing
  - On the Web: InPrivate™ Filtering
- Build useful, convenient features to make it easy to stay in control
- Leap ahead of the competition: InPrivate Filtering, preserve Favorites data

Delete Browsing History

- Preserve data from Favorites sites
- Keep the useful stuff, delete the not-so-useful stuff
- Convenient

Checkboxes!Delete browsing history on exit!Group policy!

Delete Browsing History (demo)

InPrivate Browsing

Creates a new browsing window that does not record browsing history

Some things that are turned off:
- History
- Cookies (accepted, but downgraded to session-only)
- Suggested Sites
- Form data saving

Things that are deleted when you exit:
- Temporary Internet Files
- Compatibility View list
- ActiveX Opt-In list

InPrivate™ Browsing (demo)

InPrivate Browsing FAQ

Parental Controls: disables InPrivate Browsing

IT scenarios: InPrivate Browsing can be disabled via GP; does not interfere with proxy servers

Proxy servers will record sites browsed

Does not provide anonymization

Add-ons:

- UI toolbars, BHOs: not loaded by default
- APIs are available for ActiveX Controls

Suggested sites feature is turned off

Third Party Content Serving: over time, users' history and profiles can unknowingly be aggregated

- Any third-party content can be used like a tracking cookie
- There is little end-user notification or control today
- Syndicated photos, weather, stocks, news articles, local analytics, etc.

Unclear accountability with third party security & privacy policies

(Slide diagram: a user visits unique sites - msn.com, ebay.com, amazon.com, cnn.com, cnet.com, about.com, msnbc.com, nytimes.com - each of which embeds content from the same 3rd-party syndicator web server, Prosware-sol.com.)

Some Analogies

Creepiest: surveillance camera scenario

Less creepy: shopping mall scenario

Facts

- Information exchange is good
- Both parties get value from behavior data

- The online economy is fueled by high-tech advertising
- We also believe in Trustworthy Browsing

The user is always in control

InPrivate Filtering

Helps give you control over which 3rd-party content providers have a line of sight into your web browsing

- Keeps a table of 3rd-party content and the first-party sites the content was loaded from
- Allows you to block content that passes a configurable threshold (10 1st-party sites by default)
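The table-and-threshold logic described above, as an added JavaScript model (not Internet Explorer's code): a map from third-party content URL to the distinct first-party sites it was loaded from, with a block decision once that count reaches the threshold. Class and function names, the hostname-as-site simplification, and the .example hosts are ours.

```javascript
// Added example modelling the InPrivate Filtering bookkeeping the slide
// describes: a table keyed by third-party content URL holding the distinct
// first-party sites it was loaded from, and a block decision once that count
// reaches a threshold (10 by default). Not Internet Explorer's code.
// Hostname stands in for "site"; a real implementation would compare
// registrable domains so that news.example and www.news.example are one site.
function siteOf(url) {
  return new URL(url).hostname.toLowerCase();
}

class InPrivateFilter {
  constructor(threshold = 10) {
    this.threshold = threshold;
    this.table = new Map(); // content URL -> Set of first-party hostnames
  }

  // Called for each sub-resource request made while the user is on pageUrl.
  // The visit is recorded first; the request is blocked if the content now has
  // a line of sight into `threshold` or more distinct sites.
  observe(pageUrl, contentUrl) {
    const firstParty = siteOf(pageUrl);
    if (firstParty === siteOf(contentUrl)) return false; // first-party content
    if (!this.table.has(contentUrl)) this.table.set(contentUrl, new Set());
    const sites = this.table.get(contentUrl);
    sites.add(firstParty);
    return sites.size >= this.threshold;
  }

  // The table a user would review: providers that can correlate visits, most widely embedded first.
  report() {
    return [...this.table.entries()]
      .map(([content, s]) => ({ content, sites: s.size, blocked: s.size >= this.threshold }))
      .sort((a, b) => b.sites - a.sites);
  }
}

// Constructed browsing session (all hosts invented): one syndicated script is
// embedded by three unrelated sites, a weather widget by only one. A low
// threshold keeps the example short; IE8's default is 10.
function demoSession(threshold = 3) {
  const f = new InPrivateFilter(threshold);
  const tracker = 'https://syndicator.example/metrics.js';
  const decisions = [
    f.observe('https://news.example/story', tracker),
    f.observe('https://shop.example/cart', tracker),
    f.observe('https://news.example/other', tracker), // same site again
    f.observe('https://mail.example/inbox', tracker),  // third site: blocked
    f.observe('https://news.example/story', 'https://weather.example/w.js'),
  ];
  return { decisions, report: f.report() };
}
```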

InPrivate Filtering (demo)

InPrivate Filtering FAQ (Short List)

If I have a website, what do I do? Will my website break?

IE8 includes a JavaScript-accessible API (bool InPrivateFilteringEnabled()) that lets website owners detect when InPrivate Filtering is enabled
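As an added example (not from the deck), here is a defensive way for a site to probe that API: it accepts a window-like object so it can be exercised outside a browser, and the function names, the fallback decision and the stand-in browser objects are ours.

```javascript
// Added example: probe IE8's window.external.InPrivateFilteringEnabled()
// without breaking in browsers that lack it. Function names are ours.
function inPrivateFilteringStatus(win) {
  const ext = win && win.external;
  if (!ext) return { supported: false, enabled: false };
  try {
    // Call rather than typeof-check: IE reports COM methods as typeof
    // 'unknown', and browsers without the API throw a TypeError here.
    const enabled = ext.InPrivateFilteringEnabled();
    return { supported: true, enabled: Boolean(enabled) };
  } catch (e) {
    return { supported: false, enabled: false };
  }
}

// A content provider's use of the status: when the user has InPrivate
// Filtering on, serve a self-hosted widget instead of the cross-site one,
// so the page keeps working if the third-party request is blocked.
function chooseWidgetSource(win, thirdPartyUrl, fallbackUrl) {
  return inPrivateFilteringStatus(win).enabled ? fallbackUrl : thirdPartyUrl;
}

// Constructed stand-ins for three browsers (not real window objects).
const ie8Filtering = { external: { InPrivateFilteringEnabled: () => true } };
const ie8Normal = { external: { InPrivateFilteringEnabled: () => false } };
const otherBrowser = { external: {} };
```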

- Not an ad blocker; some advertisements may be blocked
- InPrivate Filtering is a privacy tool: it can only block content that has a "line of sight" into your browsing history

3rdParty.html
- Points to the same directory as the third party object
- Up to the content provider to create

What to include*

- Who is the third party
- Why allowed
- Consumer value & purpose
- Point to the privacy policy
- Data collection and data sharing practices
- Contact info
- ...

Preparing for Rollout (Deployment)

Optimize Enterprise Deployment: preparing for launch

1. Optimize using the IE Desktop Security Guide
2. Turn on SmartScreen Filter by default
3. Disable the ability to click through phishing / malware warnings
4. Prevent additions to or deletion of sites from Security Zones
5. Do not allow users to change policies from Security Zones
6. Do not allow users the ability to turn off Protected Mode
7. Enable Prevent Ignoring Certificate Errors
8. Test compatibility with intranet and internet sites
9. Consider implementing group policies to disable InPrivate Browsing

For Publishers and Content Providers
- Publish "thirdparty.html" page
- Test all 3rd party code for XSS
- Add no-frame tag for CSRF sensitive pages
- SiteLock your ActiveX controls
- Leverage InPrivate Filtering session status through the window.external DOM object
- Implement EV SSL certificates for ecommerce and transaction related sites
- Learn more about compatibility, accelerators and Web Slices

Internet Explorer Resources
- Feature Overview - www.microsoft.com/ie8
- Engineering Blog - http://blogs.msdn.com/ie
- IE 8 Desktop Security Guide - http://sharepoint/sites/IE/Teams/mktg/security/default.aspx
- Safety & Privacy Features - www.microsoft.com/windows/internet-explorer/beta/features/browse-privately.aspx
- Business Value of IE 8 & EV SSL Certificates - www.microsoft.com/ie/ev
- User Control & Privacy Feature Guide - www.microsoft.com/ie/privacy
- Toolkit - www.microsoft.com/windows/internet-explorer/beta/tech-resources.aspx
- Internet Explorer Administration Kit (IEAK) - http://technet.microsoft.com/en-us/ie/bb219517.aspx
- IE Compatibility Center - http://msdn.com/iecompat

Conclusion

- Privacy and Security are essential components of Trustworthy Browsing
- IE continues to lead the way in Security with innovative new features, such as the XSS filter and ClickJacking protections
- The IE team has made a significant competitive investment in privacy tools
- IE8 is the most trustworthy browser to date

Internet Explorer 8 Feedback

"Microsoft's announcement is significant not because it's a major technological breakthrough, but because it's a breakthrough into making it easier for users to have real control over their privacy." (Ari Schwartz, Center for Democracy and Technology)

CDT Report: www.cdt.org/privacy/20081022_browser_priv.pdf

"...Microsoft's next Web browser will be a major update with new usability, security, and developer-oriented features. Unlike the competition, IE 8 is enterprise-friendly... This is an important browser, and one that all businesses, technical enthusiasts, and other power users should begin evaluating immediately..." (Paul Thurrott)

Question & Answer

Resources
- www.microsoft.com/teched - Sessions On-Demand & Community
- http://microsoft.com/technet - Resources for IT Professionals
- http://microsoft.com/msdn - Resources for Developers
- www.microsoft.com/learning - Microsoft Certification & Training Resources

Related Content

WUX 301 - Advanced Cross Browser AJAX Applications with Windows Internet Explorer 8


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.