May 8th, 2008
Microsoft shares more IE8 security details
When Microsoft officials released a first test build of Internet Explorer (IE) 8 back in March, they said they were intentionally refraining from talking specifics about new security features and functionality that would be part of the next browser release.
In the past few weeks, however, Microsoft has started providing more IE 8 security information via postings to the IE Blog.
This week, Internet Explorer Program Manager Matthew David Crowley blogged about the changes Microsoft is making around ActiveX controls with the next release of its browser. Specifically, IE 8 users running on Vista will allow “standard” users to install ActiveX controls in their own user profile without requiring administrative privileges. Crowley explained:
“This improvement makes it easier for an organization to realize the full benefit of User Account Control by enabling standard users to install ActiveX controls used in their day-to-day browsing.
“If a user happens to install a malicious ActiveX control, the overall system will be unaffected, as the control was installed only under the user’s account. Since installations can be restricted to a user profile, the risk and cost of compromise (and, in turn, the total cost of administering users on a machine) will be lowered significantly.”
In April, IE team members blogged about another security change Microsoft is instituting with IE 8. Microsoft will enable DEP/NX (Data Execution Prevention/No Execute) by default in IE 8 on Vista and Windows Server 2008. In IE7, DEP/NX is off by default — in order to avoid compatibility issues. But by turning on DEP/NX, Microsoft is expecting it will lessen the number of browser-based security hacks.
Microsoft released a public Beta 1 of IE 8 on March 5. Beta 2 is due out this summer. Microsoft still has yet to say when the final IE 8 release will be out.
