Quick update from Microsoft’s Financial Analyst Meeting (FAM): Microsoft Senior Vice President of Online Services and Windows, Bill Veghte, just told attendees that Microsoft will release the final version of Internet Explorer (IE) 8 to the Web “later this year.”
Microsoft has tried its best not to provide a ship target for IE 8 — like most of its Windows client family of products. Company officials did acknowledge last month that a second public beta of IE 8 is due out in August.
Source- ZDNet
One of the AJAX improvements we adopted in IE8 from HTML5 is AJAX page navigations. In IE8 mode, we provide support for script to update the travel log components (e.g. back/forward buttons, address bar) to reflect client-side updates to documents. This allows a better user experience where users can navigate back and forth without messing up the AJAX application state.
For more information regarding the feature and sample code, refer to the Internet Explorer MIX08 Hands-on Labs for AJAX and IE8 Beta 1 for Developers. For an example of how this can be used to hook navigation in Silverlight (with sample code!), see Michael Scherotter’s blog posts titled How IE8 Enables Silverlight Deep Linking and Browser Back/Forward Navigation and IE8 Forward/Back in a Silverlight 2 (Beta 2) Application for further details.
Source- IE Blog
I’m excited to share with you details on the significant investments we’ve made in Security for Internet Explorer 8. As you might guess from the length of this post, we’ve done a lot of security work for this release. As an end-user, simply upgrade to IE8 to benefit from these security improvements. As a domain administrator, you can use Group Policy and the IEAK to set secure defaults for your network. As a web developer, you can build upon some of these new features to help protect your users and web applications.
As we were planning Internet Explorer 8, our security teams looked closely at the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. While we were building new Security features, we also worked hard to ensure that powerful new features (like Activities and Web Slices) minimize attack surface and don’t provide attackers with new targets. Out of our planning work, we classified threats into three major categories: Web Application Vulnerabilities, Browser & Add-on Vulnerabilities, and Social Engineering Threats. For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits.
Source- IE Blog
Today we are releasing some details on a new IE8 feature that makes reflected / “Type-1” Cross-Site Scripting (XSS) vulnerabilities much more difficult to exploit from within Internet Explorer 8. Type-1 XSS flaws represent a growing portion of overall reported vulnerabilities and are increasingly being exploited “for fun and profit.”
The number of reported XSS flaws in popular web sites has skyrocketed recently – MITRE has reported that XSS vulnerabilities are now the most frequently reported class of vulnerability. More recently, sites such as XSSed.com have begun to collect and publish tens of thousands of Type-1 XSS vulnerabilities present in sites across the web.
XSS vulnerabilities enable an attacker to control the relationship between a user and a web site or web application that they trust. Cross-site scripting can enable attacks such as:
- Cookie theft, including the theft of session cookies that can lead to account hijacking
- Monitoring keystrokes input to the victim web site / application
- Performing actions on the victim web site on behalf of the victim user. For example, an XSS attack on Windows Live Mail might enable an attacker to read and forward e-mail messages, set new calendar appointments, etc.
While many great tools exist for developers to mitigate XSS in their sites / applications, these tools do not satisfy the need for average users to protect themselves from XSS attacks as they browse the web.
Source- IE Blog
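To make the reflected ("Type-1") XSS excerpt above concrete from the site developer's side, here is an added example, not taken from the IE Blog post: a handler that echoes a query parameter unchanged, next to the same handler with HTML output encoding, plus an HttpOnly session cookie that addresses the cookie-theft item. The function names, the `q` parameter, the `sid` cookie and the `example.test` host are all hypothetical.

```javascript
// Added illustration; all names and the sample request are constructed.

// Before: the query value is copied into the HTML response unchanged,
// so markup supplied in the URL becomes part of the page.
function renderSearchVulnerable(query) {
  return '<p>Results for: ' + query + '</p>';
}

// After: encode the five HTML-significant characters before output.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderSearchEncoded(query) {
  return '<p>Results for: ' + escapeHtml(query) + '</p>';
}

// Defense in depth for the cookie-theft case: HttpOnly keeps the session
// cookie out of reach of page script; Secure restricts it to HTTPS.
function sessionCookieHeader(sessionId) {
  return 'sid=' + encodeURIComponent(sessionId) + '; HttpOnly; Secure; Path=/';
}

// Decode the request URL the way a server would, then render the page body.
function handleRequest(rawUrl, render) {
  const url = new URL(rawUrl, 'http://example.test');
  return render(url.searchParams.get('q') || '');
}

// Check whether a response body contains a real (unencoded) script tag.
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample request carrying markup in the reflected parameter.
const SAMPLE_URL = '/search?q=' + encodeURIComponent('<script>alert(1)</script>');

console.log(handleRequest(SAMPLE_URL, renderSearchVulnerable));
console.log(handleRequest(SAMPLE_URL, renderSearchEncoded));
console.log(sessionCookieHeader('constructed-session-id'));
```

The encoding shown is for HTML element content only; values placed in attributes, URLs or script blocks need the encoding for that context.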
As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs, I get a lot of spam. Of the spam I receive, a significant number of messages represent phishing attacks. Most of these lures aren’t very clever or convincing, but phishing has become a simple numbers game—hosting phishing sites is cheap, and even if only a few users fall for any given phishing attack, attackers will profit by increasing the volume of phishing campaigns.
In Internet Explorer 7, we introduced the Phishing Filter, a dynamic security feature designed to warn users when they attempt to visit known-phishing sites, and worked with partners to introduce Extended Validation certificates that light up the address bar when users visit sites with verified identity information. Beyond the Phishing Filter, Microsoft has also published educational materials on identifying phishing scams, and developed a strategy to attack phishing at multiple levels.
For Internet Explorer 8, we’ve built upon the success of the Phishing Filter feature (which blocks over a million phishing attacks weekly) to develop the SmartScreen® Filter, a replacement that improves upon the Phishing Filter in a number of important ways:
- Improved user interface
- Faster performance
- New heuristics & enhanced telemetry
- Anti-Malware support
- Improved Group Policy support
Source- IE Blog
The flaw focuses on IE’s inline frames, often used for serving ads, which typically come from a different domain than content that appears on the same Web page. Microsoft’s Internet Explorer 6, 7, and 8 beta 1 appear to contain a security flaw that could subject users who visit a malicious Web site or open a malicious e-mail message to arbitrary code. U.S. CERT has published a vulnerability note indicating Internet Explorer doesn’t handle document frames securely.
Document frames can be used to subdivide Web pages such that the content associated with each division comes from a different server or domain. These "iframes," or inline frames, often are used for serving ads, which typically come from a different domain than content that appears on the same Web page.
The problem, as U.S. CERT describes it, is that "Microsoft Internet Explorer fails to properly restrict access to a document’s frames, which may allow an attacker to modify the contents of frames in a different domain."
Source: InformationWeek
Today the IE team released the IE June Cumulative Security Update for Internet Explorer 8 Beta 1 for Developers on Windows Update. For detailed information on the contents of this update, please see the following documentation:
If you are using IE8 Beta 1 for Developers, we encourage you to download this security update through Windows Update or the Microsoft Download Center today.
Source- IE Blog
In what has now become a tradition, the Internet Explorer team sent a "Congratulations on Shipping!" cake to the Mozilla Foundation headquarters for shipping Mozilla Firefox 3.0. As you might be able to see in the picture, the ring around the Internet Explorer "e" is actually three-dimensional and it’s certainly more fancy than the cake they previously sent Mozilla for shipping Firefox 2.
Source: Ryan Paul at Ars Technica