IE Overhaul Part of Windows XP SP2

Microsoft’s soon-to-be-released service pack for Windows XP will come with a major security-centric overhaul to the company’s flagship Internet Explorer browser, including a new add-on management and crash detection tool and several modifications to the browser’s default security settings.

According to a document spelling out the implications of the XP changes for developers, Microsoft said the browser will be updated dramatically in order to thwart malicious hacking attempts and to offer a more secure browsing experience.

First up is a major change to the way security policies are applied to deal with ActiveX Controls, the technology that is automatically downloaded and executed by the browser. ActiveX vulnerabilities are often found in IE; Microsoft said XP SP2 will apply security policies consistently at the source of the URL binding: URLMON.

“In the case of ActiveX controls, the ActiveX security model allows controls
to be marked as ‘safe for scripting’ or ‘safe for initialization’ and
provides users with the ability to block or allow ActiveX controls by zone,
based on those settings,” Microsoft explained. In earlier Windows versions, the software giant said the security framework was not applied in all cases where URL binding took place.

“Instead the calling code was responsible for assuring the integrity and security of the control, which could often result in security vulnerabilities. There are now a number of public exploit variations that exploit this exact issue by going through Internet Explorer to compromise vulnerabilities in the calling code,” the company warned.

Once XP Service Pack 2 is released (expected in the second quarter next year), Microsoft said IE will be tweaked to follow stricter rules to reduce the risk of attacks via MIME (Multipurpose Internet Mail Extensions) handling. In the modified browser, IE will require that all file-type information provided by Web servers be consistent to avoid spoofing of the MIME-handling logic.

“If the MIME type of a file is ‘text/plain’ but the MIME sniff indicates
that the file is really an executable file, Internet Explorer (will) rename
the file by saving the file in the (IE cache) and change its extension,” the
company said.
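
As an added illustration (not Microsoft's code and not Internet Explorer's actual sniffing rules), the consistency check described above can be sketched as a comparison between the server-declared Content-Type and what the leading bytes of the body indicate. The signature table, the function names and the policy of renaming to the sniffed type's extension are assumptions made for this example.

```python
# Constructed illustration: compare a server-declared Content-Type with what
# the first bytes of the body indicate. Not Internet Explorer's actual rules.

MAGIC = [  # (leading bytes, sniffed type, extension): small assumed table
    (b"%PDF-", "application/pdf", ".pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png", ".png"),
    (b"GIF89a", "image/gif", ".gif"),
]
EXECUTABLE = "application/x-msdownload"

def is_pe(body: bytes) -> bool:
    """True for a Windows PE image: an 'MZ' header whose e_lfanew field
    (offset 0x3C) points at the PE signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(body[0x3C:0x40], "little")
    return body[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def sniff(body: bytes):
    """Return (type, extension) judged from content alone."""
    if is_pe(body):
        return EXECUTABLE, ".exe"
    for magic, mime, ext in MAGIC:
        if body.startswith(magic):
            return mime, ext
    head = body[:512]
    if head and all(b in (9, 10, 13) or 32 <= b < 127 for b in head):
        return "text/plain", ".txt"
    return "application/octet-stream", ".bin"

def evaluate(content_type: str, filename: str, body: bytes) -> dict:
    declared = content_type.split(";", 1)[0].strip().lower()
    sniffed, ext = sniff(body)
    if declared == sniffed:
        return {"verdict": "consistent", "save_as": filename}
    # Assumed policy: store the file under the extension of the sniffed type.
    stem = filename.rsplit(".", 1)[0]
    verdict = "mismatch-executable" if sniffed == EXECUTABLE else "mismatch"
    return {"verdict": verdict, "declared": declared,
            "sniffed": sniffed, "save_as": stem + ext}

# Constructed sample: minimal MZ/PE header stub, not a runnable program.
PE_STUB = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

if __name__ == "__main__":
    print(evaluate("text/plain; charset=utf-8", "readme.txt", PE_STUB))
    print(evaluate("text/plain", "notes.txt", b"MZ is only text here\n"))
```

Checking the PE signature at `e_lfanew` rather than the two `MZ` bytes alone keeps ordinary text that happens to start with "MZ" from being flagged.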

Microsoft also plans to modify the browser in Windows XP Service Pack 2 so that all local files and content processed by IE have the security of the Local Machine zone applied to them. This is a significant difference from earlier IE versions, in which local content was said to be secure but had no zone-based security placed on it.

The updated IE will also block access to objects cached from Web sites. Script-initiated windows with the title bar and status bar would be constrained in scripted movement to ensure that “important and informative bars” remain visible after the operation completes. Microsoft has made this change to block scripts from positioning Web windows so that the title bar or address bar is above the visible top of the display.

A brand-new feature in Windows XP SP2 is an Internet Explorer Add-on Management tool that lets users view and control the list of add-ons that can be loaded by the browser. The add-on management feature also shows the presence of some add-ons that were previously not shown and could be very difficult to detect.

The company has also integrated an add-on crash detection feature in IE to detect browser crashes that are related to an add-on. When the add-on is successfully identified, IE will then present the information and give the user the option of disabling add-ons in order to diagnose frequent crashes and improve the overall stability of the browser.

The IE tweaks also include a Pop-Up Manager that blocks unwanted pop-up windows from launching. As previously reported, Microsoft will make the move to block the ad format and also tweak the browser to allow end users and IT admins to let specific domains launch programmatic pop-up windows.

Internet Explorer will also be fitted with a new Authenticode feature that lets surfers block content from a specific publisher from installing or running. A ‘Never Trust Content’ check box will be included in the Authenticode
dialog box to let a user decide whether to block code that is identified with the
publisher’s digital signature.

The IE security makeover comes as part of a major overhaul to the Windows XP operating system, which will include the ability to monitor browsing, e-mail and instant messaging for malicious attachments or code.

Microsoft confirmed the XP update will disable unnecessary services that open ports to potential hacks by worms or spam and include protection against the ubiquitous buffer overflows, the most common software security flaw. New compiler technology will be added to XP to detect buffer overruns and stop malicious code from running on the computer.
