Back at the beginning of March, Microsoft released the first public Beta of its next iteration of Internet Explorer, namely IE8 Beta 1
. Designed to deliver an evolution in comparison with IE7, Internet Explorer 8 Beta 1 brings to the table a range of
improvements, including security enhancements. In this regard, some of the modifications introduced into Internet Explorer 8 impact directly the way that the browser handles one of the most common avenues for web-based attacks: ActiveX add-ons. This is why IE8 Beta 1 features such improvements as Per-User (Non-Admin) ActiveX, ActiveX Opt-In and Per-Site ActiveX.
Per-User (Non-Admin) ActiveX means that "running IE8 in Windows Vista, a standard user may install ActiveX controls in their own user profile without requiring administrative privileges. This improvement makes it easier for an organization to realize the full benefit of User Account Control by enabling standard users to install ActiveX controls used in their day-to-day browsing. If a user happens to install a malicious ActiveX control, the overall system will be unaffected, as the control was installed only under the user's account. Since installations can be restricted to a user profile, the risk and cost of compromise," explained Matt Crowley
, Program Manager for Extensibility with Internet Explorer.
ActiveX Opt-In is not new to Internet Explorer 8, it has only been perfected as Microsoft introduced the security mitigation in IE7. Crowley justified the need for an ActiveX Opt-In as the best way to decrease the attack surface created by all binary extensibility mechanisms. As a direct consequence, the vast majority of controls on a user's machine are disabled by default by the ActiveX control. It is the end user of IE7 and IE8 that will have the final say in what ActiveX controls are enabled as soon as certain websites require them.
Via Per-Site ActiveX, "when a user navigates to a Web site containing an ActiveX control, IE8 performs a number of checks, including a determination of where a control is permitted to run. This check is referred to as Per-Site ActiveX, a defense mechanism to help prevent malicious repurposing of controls. If a control is installed, but is not permitted to run on a specific website, an Information Bar appears asking the user whether or not the control should be permitted to run on the current website," Crowley added.
Internet Explorer 8 Beta 1 is available for download here
Internet Explorer 7 is available for download here