Recently, Microsoft engineers detailed changes to Microsoft Internet Explorer (IE) 7's security model, which will include new security zone settings not found in IE 6. IE 7 is currently on track for a wide release in 2006, and an even more secure version will be included with Windows Vista.
According to a blog posting about IE by Microsoft's Vishu Gupta, Rob Franco, and Venkat Kudulur on IEBlog, IE 7 will increase its protection of security zones to prevent "zone spoofing" attacks, in which Internet-based code attempts to run under the lowered security rules of a different security zone.
"The Internet zone, where most users browse, will be tightened down with two very notable changes," the post reads. "The Internet zone will run in Protected Mode on Windows Vista, which helps provide defense-in-depth against some of the attacks IE has faced in the past. ActiveX Opt-In will also help reduce the attack surface of ActiveX controls in the Internet zone ... IE 7 introduces a new security level for these additional protections, Medium-high." Meanwhile, the default setting for trusted sites will be changed to Medium, the same level as the Internet zone in IE 6.
During a briefing last week, Microsoft Director of Windows Product Management Gary Schare explained how IE 7 would also help protect users who tried to lower the security settings in the upcoming browser. "One of the biggest problems we have today is that users often wind up with an insecure configuration because of drive-by downloads," Schare said. "Quite often, it's because someone gave them bad advice, they made a mistake, or they went to a Web site that needed lowered security settings in order for an application to run. Instead of adding that site to Trusted Sites, the user lowers the settings and then forgets to change it back, and they get spyware from a drive-by download. So what we've done in IE 7, on both Windows Vista and XP, is we've changed the way the browser reacts when you lower security settings."
Here's what will happen. When you change security settings in IE 7, a red warning immediately appears, along with a dialog box asking whether you're sure you want to make the change. Then, a gold information bar appears along the top of the IE window, warning you that you're running IE 7 with security settings that are lower than those Microsoft recommends. This information bar won't go away until the settings are returned to the recommended levels. In Vista, an additional warning appears: The integrated Security Center bubbles up a balloon window, and a General Security section details the problem. Users will be able to fix the problem either through IE or in the Security Center, Schare said.
These and other new IE 7 features will first appear in the December Community Technology Preview (CTP) release of Windows Vista, which is due in several days. Windows XP users will have to wait for the public beta version of IE 7, which will ship in the first quarter of 2006.