What You Need to Know About IE 7.0 Security Features

By the time you read this, Microsoft presumably will have released a public beta version of Internet Explorer (IE) 7.0, its upcoming Web browser. IE 7.0 offers a number of improvements over today's IE 6.x versions, including a tabbed browsing interface, better management of browser plug-ins, and improved support for Web standards. But the big news this time around is security: IE 7.0 builds on the more secure version of IE that Microsoft shipped with Windows XP Service Pack 2 (SP2) last year. Here's what you need to know about IE 7.0 security features.

Two IE Versions
First, it's important to understand that there will be two completely different versions of IE 7.0. The first, which you can think of as the standalone version, will be available as a free upgrade to IE 6.0 on systems running Windows XP SP2, Windows XP Professional x64 Edition, or Windows Server 2003 with SP1. The second version, IE 7.0 Vista, will ship only with Windows Vista (formerly code-named Longhorn) in late 2006. Put simply, IE 7.0 Vista will be a true superset of standalone IE 7.0—it will contain all the features and functionality of the standalone version but will also include some unique features that rely on Vista's underlying security architecture.

Some of the new features that will be in both versions are tabbed browsing, improved Web standards support (including better support for Cascading Style Sheets—CSS—2.0 and transparent Portable Networks Graphics—PNG—files), integrated Web search that works with third-party search engines (including Google), integrated support for Really Simple Syndication (RSS) feeds, International Domain Name (IDN) support, and "shrink to fit" printing.

Antiphishing
One key security feature in IE 7.0 that applies to both the standalone and Vista versions is integrated antiphishing functionality. You're probably familiar with phishing attacks—spam email messages purporting to be from a major financial institution, such as Citibank, or a frequently visited e-commerce site, such as eBay or PayPal. When users click links in those messages, their Web browser delivers them to a malicious Web site that looks legitimate but that secretly tries to steal private information, such as credit card numbers.

To prevent such attacks, Microsoft has developed antiphishing technology for its email products, such as Exchange and Hotmail. But the company is also working to ensure that IE 7.0 can intelligently recognize these malicious sites and warn the user not to use them—or even block the user from visiting them under certain conditions. Like its antispyware technology, the Microsoft Phishing Filter in IE 7.0 uses a database back-end on Microsoft's Web farm that's stocked with community feedback to help determine which sites are legitimate and which are not.

IE 7.0's antiphishing technology issues two levels of warnings. The first, yellow, appears when a Web site behaves like a malicious Web site. The second, red, blocks a user from visiting a site that's known to be a phishing site. Users can opt out of this functionality, and it can be controlled through Group Policy in managed organizations.

Protected Mode
IE 7.0 Vista includes an important security feature that won't be available to users of the standalone version. Dubbed Protected Mode (formerly called Low Rights IE), this feature lets users run IE 7.0 with even fewer privileges than are typically available to a process running with Limited user account privileges. Furthermore, because Protected Mode IE runs without any plug-ins (which Microsoft calls add-ins) loaded, you can use Protected Mode even when the OS has been compromised, so you can safely download security fixes even at times of heightened security concerns. You can also run this version of IE to fix problems with malicious add-ins.

What's especially interesting about Protected Mode is that it will be enabled by default whenever the browser is in the Internet security zone. Users can opt to run Protected Mode IE manually using a shortcut in the Start menu as well.

Recommendations
Although I still feel that most XP users would be safer not using IE and choosing an alternative browser such as Mozilla Firefox instead, that's not always a realistic option, especially in corporate settings. For XP users who simply must use IE, version 7.0 will be a safer and more full-featured browser than IE 6.x, and management should evaluate and deploy IE 7.0 as soon as possible. IE 7.0 Vista, however, is another story altogether. Thanks to the underlying security improvements in Vista, IE Vista should be dramatically safer than virtually any browser on the platform. If security is any concern at all, you should start evaluating a migration to Vista. IE 7.0 Vista is only one good reason to do so.