Hi, I’m Tony Chor, the Group Program Manager for the Internet Explorer team. As you may know, we’ve been working hard on IE for Windows XP Service Pack 2, and we signed off on it last week. You can get a very detailed description of the changes on MSDN. (This is lovingly referred to internally as the Book of Springboard – Springboard was the codename for XP SP2.) However, I thought I’d give a high level description of the kinds of changes we made and why.
First, as with any project, we set our goals and scoped the project; we couldn’t possibly do everything we wanted to in this timeframe. Therefore, across Windows, we focused on security, specifically in preventing users from having their machines taken over by malicious code. There were a bunch of other good things that happened, but security was clearly the focus.
Specifically for IE, we had two big buckets. The first were architectural changes to help prevent attackers from getting through the barriers that protect users and their computers. The second were a set of changes to help users make better decisions about what sites and downloads to trust.
To understand the architectural changes, let me first describe the security model for IE (parts of which apply to all browsers). First, IE permits web pages to do different things depending on how much you trust them, and it bases that trust decision on where the page came from. Files from the Internet, for instance, cannot directly access files on your hard drive; files that are already on your hard drive, by comparison, can. IE divides the world into five zones (shown from least privileged to most privileged): Restricted, Internet, Intranet, Trusted, and Local Machine Zone (LMZ). Attacks that let a malicious site get its content treated as if it came from a more privileged zone are known as zone elevation attacks.
Second, IE puts up walls between domains (like microsoft.com) so that the script and controls from one site cannot access the information on another site. This matters because, for instance, script on evil.com must not be able to read your username and password from mybank.com. Attacks that break through this barrier are known as cross-domain attacks.
In XP SP2, we strengthened the barriers between zones and between domains. This makes it much harder for hackers to get access to your computer. Perhaps more significantly, even if an attacker gets through the new barriers and gets into the LMZ, s/he will encounter yet another barrier: we block active behaviors (script and controls) in the LMZ, which gives the user an opportunity to stop the attack and keeps the attacker from really using the capabilities of the LMZ.
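To make the two barriers above concrete, here is an added example in JavaScript; it is not IE's code and not from this post. It is a simplified model that assigns a URL to one of the five zones, flags an attempt to reach a more privileged zone as a zone elevation, and applies a scheme/host/port origin comparison as the cross-domain barrier. The site lists, hostnames and zone-assignment rules are constructed assumptions for illustration, not how IE actually classifies sites.

```javascript
// Added example (not IE code): a simplified model of zone-based trust and the
// cross-domain barrier. Zone assignment rules and the site lists below are
// assumptions for illustration only.

// Zones ordered from least to most privileged (the order given in the post).
const ZONES = ["Restricted", "Internet", "Intranet", "Trusted", "LocalMachine"];
const rank = (zone) => ZONES.indexOf(zone);

// Hypothetical per-user site lists (constructed sample data).
const SITE_LISTS = {
  Restricted: ["evil.example"],
  Trusted: ["mybank.example"],
};

// Assign a zone to a URL. Simplified rules: file: URLs are Local Machine;
// hosts on an explicit list go to that zone; single-label hosts (no dot) are
// treated as Intranet; everything else is Internet.
function zoneOf(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "file:") return "LocalMachine";
  const host = url.hostname.toLowerCase();
  for (const [zone, hosts] of Object.entries(SITE_LISTS)) {
    if (hosts.includes(host)) return zone;
  }
  if (!host.includes(".")) return "Intranet";
  return "Internet";
}

// Zone elevation: content from a lower-privilege zone trying to script or
// navigate into a higher-privilege zone.
function isZoneElevation(fromUrl, toUrl) {
  return rank(zoneOf(toUrl)) > rank(zoneOf(fromUrl));
}

// Cross-domain barrier: scheme, host and port must all match. A default port
// (http on 80) is normalised away by the URL parser, an explicit 8080 is not.
function origin(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}${u.port ? ":" + u.port : ""}`;
}
function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

// Decision when script running in `scriptUrl` tries to touch `targetUrl`.
// The zone check runs first, so a Restricted page reaching for a file: URL
// is reported as a zone elevation before the origin check is consulted.
function allowAccess(scriptUrl, targetUrl) {
  if (isZoneElevation(scriptUrl, targetUrl)) {
    return { allowed: false, reason: "zone elevation" };
  }
  if (!sameOrigin(scriptUrl, targetUrl)) {
    return { allowed: false, reason: "cross-domain" };
  }
  return { allowed: true, reason: "same origin, same zone" };
}
```

Both checks key off where the page came from, never off what the page claims about itself, which is exactly why spoofing the address bar (covered later in the post) is a separate problem from breaking these barriers.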
Basically, consider this real-world analogy: we have improved the fences and doors that separate your yard from the street and your yard from your house. If someone manages to get through the barriers, s/he will find your valuables locked in a safe inside the house. We have made it harder to break in and less interesting if you do.
User Experience Changes
Despite the architectural changes we’ve made, users will still need to make decisions whether to trust a site or a download. To do this, the user needs good, understandable information. For IE in XP SP2, we had two primary design principles around our UI. First, users need accurate information to make trust decisions. Second, users should have more control over their web browsing experience.
To help users make better trust decisions, we made it harder for malicious sites to spoof IE's UI and provided clearer dialogs around key activities like installing software. For instance, some bad guys today cover IE UI such as the address bar or prompt dialogs with a chromeless window (an IE window with no window frame). They then make the UI look like it said something else, like a different URL or "This is totally safe. Install it now!" In XP SP2, IE windows cannot cover IE's own UI, nor is it as easy to create chromeless windows.
We give users more control over their browsing experience in a few ways. First, we block most things from coming up without some user action; for instance, pages can no longer automatically start a download unless the user clicks a link or accepts the download via our new Information Bar UI. We also came up with a very original idea, popup blocking. :) Sites can now no longer open windows except when the user clicks a link or button to initiate it. Similarly, sites cannot change your home page without a user click.
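The common thread in these changes is that a privileged action (opening a window, starting a download, changing the home page) is allowed only while a genuine user click is being handled. The following is an added example in JavaScript of that gate, not IE's code and not from this post; how IE actually tracks user initiation is not described here, so the gate, its method names and the URLs in the scenario are constructed assumptions for illustration.

```javascript
// Added example (not IE code): a model of a "user action required" gate.
// Privileged actions pass only when called synchronously inside the handler
// for a real user click; calls from page load, timers or deferred closures
// are blocked and recorded (what an Information Bar would report).
class UserActionGate {
  constructor() {
    this.inUserAction = false; // true only while a real click is dispatched
    this.blocked = [];         // log of blocked actions
  }

  // Run `handler` the way the browser would for a genuine click on a link or
  // button. The flag is cleared as soon as the handler returns, so anything
  // the handler schedules for later runs outside the user action.
  dispatchUserClick(handler) {
    this.inUserAction = true;
    try {
      return handler();
    } finally {
      this.inUserAction = false;
    }
  }

  request(action, detail) {
    if (this.inUserAction) return { allowed: true, action, detail };
    this.blocked.push({ action, detail });
    return { allowed: false, action, detail };
  }

  openWindow(url)    { return this.request("popup", url); }
  startDownload(url) { return this.request("download", url); }
  setHomePage(url)   { return this.request("homepage", url); }
}

// Scenario with constructed URLs: a page that tries all three actions at load
// time (blocked), a click that opens a window (allowed), and a click handler
// that stashes the popup for later (blocked, since the deferred call runs
// after the click has finished).
function runScenario() {
  const gate = new UserActionGate();
  const results = {};

  // Script running at page load, e.g. from <body onload="...">
  results.loadPopup    = gate.openWindow("http://ads.example/popup").allowed;
  results.loadDownload = gate.startDownload("http://evil.example/setup.exe").allowed;
  results.loadHome     = gate.setHomePage("http://evil.example/").allowed;

  // The user clicks an "Open help" button
  results.clickPopup = gate.dispatchUserClick(
    () => gate.openWindow("http://site.example/help").allowed
  );

  // Evasion attempt: capture the click, open the window later
  let deferred;
  gate.dispatchUserClick(() => {
    deferred = () => gate.openWindow("http://ads.example/late");
  });
  results.deferredPopup = deferred().allowed;

  results.blockedCount = gate.blocked.length;
  return results;
}
```

The deferred case is the one worth noticing: a click handler that merely schedules the popup gets nothing, because the gate is tied to the synchronous extent of the click rather than to the page having been clicked at some point.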
To reuse my house analogy, with our user experience changes, we have made it easier for you to identify who is at the door so you can decide whether to open it, and we took the doorknob off the outside of the door, so you can only open it from the inside.
There are a whole lot of other changes around reliability, Group Policy support, and myriad other areas, but those are the big themes for our work in Windows XP SP2. IE in XP SP2 stops all currently known critical exploits, so it's a heck of a lot more secure than pretty much any other browser. We're really excited about it, and hope you will be too.
For those who don’t have XP SP2 yet, the easiest way to get it is to follow the instructions for turning on Automatic Updates on http://www.microsoft.com/athome/security/protect/default.aspx.
For those who are already running XP SP2, tell us what you think!