Security strategy for IE7: Beta 1 overview, Beta 2 preview

Security as a feature can be hard to measure. I
want to provide some insight into our security strategy so our customers and
partners can understand the direction we’re heading with Beta 1 and beyond to
Beta 2. All of the work the IE security team has done for IE7 is designed to
make you safer while you browse. While some of our work is front and center
like the Phishing Filter, a lot of the features are “under the hood” like
Low-rights IE and we hope you will never see them, just know that they are
there protecting you.

We started out designing the new security changes
for IE7 by understanding the risks or the "threats" that browsers
face from a malicious web site. “Threat”, as we call it, is one part of the
Security Development Lifecycle
and is really like performing a risk
evaluation to find, and then eliminate or mitigate, security threats in
We found places where we can enhance security by
changing parts of IE’s architecture. Beta 1 includes powerful but mostly
invisible changes to how IE handles URLs and script in sensitive functions.
Those changes will continue forward in Beta 2 but we have established a major
beachhead in Beta 1 against these classes of vulnerabilities. You’ll be hearing
about these in posts coming soon from Eric and myself (Marc would post but he’s
on his honeymoon somewhere in the Caribbean). You may have already read some
about how Internet Explorer for Windows Vista will run in a new “Protected Mode”
(formerly known as Low-rights IE) to help prevent malware from installing on a
user’s system through a vulnerability.

Powerful add-ons like ActiveX controls are part
of what make browsing such a rich experience but any extensibility can also
introduce threats to browser security. In IE7 Beta 1, you’ll be able to use IE
in “No Add-ons” mode. In Beta 2 we’ll continue to enhance the user interface
for “Manage Add-ons” to make it easy for users to be in control of Add-ons. We
know that our user base depends on the rich scenarios that they get with
Add-ons. Our goal is to help users take control of important decisions while
maintaining a rich, consistent, easy-to-use experience.

There’s also a threat that a malicious web site
will try to trick you into letting it do something dangerous. The most
upsetting example of this is the recent epidemic scam-tactic known as “phishing”.
The scam usually starts with a bogus email that urges the victim to visit a
fake banking site. After the victim visits the site and enters their password,
the site uses it to steal money from the victim’s account. Tariq from my team
will be telling you about how we built a Phishing Filter to fight back against
this threat. The Phishing Filter will be able to take you away from a reported
phishing site but, even if a site hasn’t been reported yet, Internet Explorer
will warn you about sites that might look a “little bit phishy” because they
use some features commonly used on phishing sites. We want your feedback on how
the Phishing Filter performs and Tariq will tell you how to submit feedback
directly through the UI. We’ve also made it easier to check the lock icon for
legitimate banking and secure sites. Eric will tell you more about that. We’ll
continue to improve the user interface in Beta 2 with additional features to
make security decisions easier.

We believe that security is never done but that
we can make a huge difference in this release. We’re proud that we get to
tackle these threats head-on in IE7. We’re hoping for lots of feedback from the
security and developer communities - we want to make sure IE7 is rock solid. As
always, if you find a vulnerability, please report it;
this helps protect the other people like you working with us
on this beta.

- Rob Franco

Comments (65)

  1. Anonymous says:

    The IE Blog is on a roll!

    Some very cool stuff is talked about, mainly security in Internet Explorer…

  2. Anonymous says:

    “little bit phishy” — I hope you keep that exact phrase when warning the user!


    / ! Microsoft Internet Explorer

    —– believes this page to be

    a little bit phishy! Do not

    trust it!

  3. Anonymous says:

    "we hope you will never see them, just know that they are there protecting you."

    So, big brother is there, you just can’t see him…

    Honestly I think this is a bad idea. When you have 90% of people using your operating system and provided software (IE), you have a huge responsibility. Dumbing down the features or making them hard to find isn’t helping anyone in the long-term. 85% of those users who use your software often are complete computer novices. They have no idea what "phishing" is and why your software tries to prevent it. The best route is to either put all of the features into a neatly arranged menu or leave it like it is and provide a very user-friendly help file.

  4. Anonymous says:

    If security really is a concern, then please, please, PLEASE make it so the phishing detector does not "phone home" to Microsoft. The second I read that that is how it works, I turned it off – and I can assure you that many others will too. My browsing is nobody’s business. Microsoft has no reason to be notified of the sites I visit and I’m sure this will be the general consensus among users. To be honest, there really is no difference between this and spyware. Many spyware claim to be providing security and enhancement features, many spyware claim to not sell your information, but how do we know? For all I know, Microsoft will be selling my browsing history to marketing companies. Therefore, I turned the phishing detection off. I’d rather have a "possible" security breach by being baited to a bad site, rather than a "definite" security breach by sending my information to MS.

  5. Anonymous says:

    Speaking of security, will windows update work in Beta 2?

  6. Anonymous says:

    The "phone home" thing is indeed too evil, no matter how good your purposes are. Nobody is going to like it.

    The Right Thing ™ IMO would be to include that functionality in Microsoft Spyware – a database (updated frequently) with all the "evil sites" so IE knows what it has to block.

  7. ieblog says:

    Codemastr: we take security and privacy to heart in all our features. Tariq will blog more details about the anti-phishing work we’re doing later, but to answer your basic question: just like many Microsoft products (Windows Media Player, Windows Messenger, etc.) it is currently our plan to allow users to opt in or out of any feature that "phones home." The point of our Beta programs is to get feedback, so if you think we should change the defaults, etc., let us know what you think they should change to, and why!

    -Christopher [MSFT]

  8. Anonymous says:

    just like many Microsoft products (Windows Media Player, Windows Messenger, etc.) it is currently our plan to allow users to opt in or out of any feature that "phones home." The point of our Beta programs is to get feedback, so if you think we should change the defaults, etc., let us know what you think they should change to, and why!


    I don’t think the default should be changed, I think the system should be changed. I kind of like Diego’s idea, integrate it into antispyware. If not, I still say a database should be used. When I download a file, Norton Antivirus doesn’t send it to Symantec to be scanned, it uses a local database. The same holds true for my spam filters and my spyware filters. Why can’t phishing be handled the same way?

    Automatically using the server lookup helps protect you automatically but you can also set the phishing filter to work manually.


    I understand a post will be forthcoming that will probably explain this, but, what happens if the Microsoft server is down? Let’s face it, MS is a target, someone is going to DoS the phishing database server one day. Is IE going to notify me that it can’t ensure the security of the site? Or is it going to report that the site is legit? The reason I ask is, this means I’m not "protect[ed …] automatically." On the other hand, if the database was local, I’d be fine. Rob mentions that phishing sites change constantly as a rationale, however I don’t buy this. Viruses come out on a daily basis and yet all of the virus scanner companies still manage to handle scanning with a local database. I mean, you could have IE request an updated file every X hours, even every X minutes if it changes that much! Even with that, the load on your servers for an "Are there updates?" and a "No" response would have to be less than notifying you of a URL to check each time I browse.

    I’d also like to see more info about how the URL is transmitted to MS, is it at least encrypted – it’s bad enough MS sees it, but at the very least, we should be sure others aren’t as well. Does it send the entire URL, or just the hostname? Etc. I’d like to know exactly what information you’re receiving about me and how.

  9. ieblog says:

    Jack, what I mean by "you’ll never see them" is that some security improvements are infrastructure improvements and users won’t need to "find them" as you suggest. For example, there won’t be any UI for the architectural improvements to URL and script handling.

    More visible are features like the Phishing Filter and the interface for seeing SSL information. Your feedback here is dead-on: we want the UI for these features to be useful for every user. We have done usability testing on these features but the feedback on the beta will be important for us to get usability right.

    Rob [MSFT]

  10. ieblog says:

    codemastr, you’re right that the Phishing Filter checks a Microsoft server for known phishing sites. The reason it needs to check with a server is that phishing attacks move around very quickly and the list of phishing sites has to be constantly updated. Automatically using the server lookup helps protect you automatically but you can also set the phishing filter to work manually. If you set phishing filter to work manually, you can control exactly when IE checks the server. As I just mentioned above, we need to make sure that users understand the UI for the phishing filter, the decision to use it and how to disable it if they choose. We’ll go into a *lot* more detail about how this works in a post all about the Phishing Filter.

    Rob [MSFT]

  11. Anonymous says:

    I agree wholeheartedly with codemastr and Diego. A local database for the phishing filter is the way to go.

    Allowing users to opt-out of a server lookup simply mutes the effectiveness of this feature. It does nothing to address several good objections already raised here — objections which would be met quite sufficiently by a local database.

  12. Anonymous says:

    Nice work on the redesign of the site – nice and clean.

  13. Anonymous says:

    Yes. Security is nice and a requirement. With all the problems that IE has had, I’m appalled that it has taken THIS LONG to go about fixing them.

    Show’s where Microsoft’s priorities are at, doesn’t it?

    Would you please, FIX IE (low rights, about bloody time) so that not only is it a secure and fast browser, but also a standards compliant browser that supports the most up to date W3C specs?

  14. Anonymous says:

    If you wanted to encourage responsible reporting, you could offer cash rewards for discovering and reporting vulnerabilities… Exploiting software has become a business, perhaps you should fight fire with fire.

  15. ieblog says:

    Codemastr: I love that you’re concerned about this. Given that we haven’t released too many details about how our anti-phishing features work, I’d ask you to hold your questions about specifics until after Tariq gets a chance to talk about his feature. Having him blog about it will give us a common framework to talk about (much the way Chris Wilson’s post about standards have settled many people’s fears). However, to touch on a point that Rob Franco made in these comments – the ability to contact an MS server to check for a phishing site is an option, not a requirement, and we do it to keep our anti-phishing features nimble. However, it’s not the only line of defense (so, if the MS server goes down or is attacked, our customers aren’t defenseless). I’ll wait to answer any more questions about our specific implementation until Tariq blogs about it.


    -Christopher [MSFT]

  16. Anonymous says:

    I don’t have a problem with it "phoning home" personally. I’m not exactly sure how a local database would even work… would it sync up every few hours or so? It might be difficult to keep the local copy relevant and up to date without forcing people to download too often. Also, I’m not sure how the current anti-phishing works (as I’m not an MSDN subscriber), but there’s a lot to be said for more intelligent algorithms for detecting phishing attacks in addition to site checking.

  17. Anonymous says:

    Okay! We are almost getting somewhere!

    1.) This Blog, please, when user clicks the "post a comment" link, send them to an anchor, e.g. ‘<a name="comment_form">’ so that posting is at least somewhat intuitive!

    2.) Security. If you are offering a "No Addon" mode, good. However, once again, this does not solve the problem, but rather creates a new option, that will confuse people more.

    2.a) User is in this mode, visits WindowsUpdate… what do they see?

    i.) Nothing (not good)

    ii.) Error (not good)

    iii.) "you must switch to the ‘useable’ zone to do this" (which, defeats the purpose of creating a "safe" zone, if the user needs to leave it, to do anything functional!)

    2.b) Ditto for every other site, both good and "evil".

    3.) (anti)-Phishing. Again, I commend the effort, but I’m very wary of the "phone-home" nature of this. In effect, you are asking us, the users, to trust you (Microsoft), in providing the "secure list of evil sites". "Security" hasn’t always, (and let me check my magic 8 ball… won’t always) be Microsoft’s strong point. Many in the "global village" will see this as letting the "fox" guard the "hen" coop, and will steer clear of it at all costs.

    4.) I hope, that there will be NO ZONE, that will automatically allow any ActiveX to install, and that user interaction will ALWAYS be required to install an ActiveX. (Read: Physically Impossible due to Architectural layout/Sandboxing).

    5.) Same as point 4.

    6.) Same as point 5.

    7.) Uh, did I mention point 4?


  18. Anonymous says:

    How does Low-Rights IE compare to simply running exe file with "Run as…" option using locked-down user account? Does Windows XP allow some uncontrollable privilege escalation of such programs? (through dll, or something?)

  19. Anonymous says:

    IE7 security changes: Rob Franco of Microsoft provides guidance on some of the security work being done in IE7. The first beta, now in private release, adds additional constraints on some uses of URLs and browser scripts. Rob also describes…

  20. Anonymous says:

    I’ve already come across a couple of sites that IE7 beta 1 has reported as being ‘phishy’

    One was on (eek!) and the other I can’t remember now. I tried to submit both as "not suspicious" but apparently "The Passport network is experiencing technical difficulties"

    I’ll try again soon. And keep up the good work.

  21. Anonymous says:

    This is great news – absolutely. But if you take security so seriously, why are there so many unpatched security vulnerabilities in Internet Explorer? I would prefer getting these problems fixed before adding new security features …

  22. Anonymous says:

    @MSFT people: Is there a similar Vista blog to this? As you can see blogging about next Microsoft products and activities brings a lot of attention and feedback. I think it would be great to have a general Vista blog (such as this one) for the same purpose.

    You should tell your boss about this 🙂

    Anyway, that’s my 2 cents. Keep up the good work and happy honeymoon to Marc 🙂

  23. Anonymous says:

    This is a usability request rather than security… but anyway… in the Options dialog some items say ‘(requires restart)’ next to them. I’d suggest you specify browser or system there, otherwise the user could be confused about what they need to restart if they change that option. I can’t remember myself what DOES need to be restarted, but I hope it’s the browser…

  24. Anonymous says:

    My thoughts on the phishing:

    It’s pointless to default this to off. 99% of people who would benefit from this will never switch it on.

    It’s unacceptable to phone home by default too. This sort of privacy invasion must be by choice.

    There is a middle ground. Instead of reporting back the URIs to Microsoft, simply report back a one-way hash, e.g. MD5 or SHA1.

    This way, Microsoft doesn’t know where you are surfing (no privacy violation) but can detect when you visit a website already in their phishing database (all the protection).

    I think this sort of approach would be suitable to be switched on by default and is the best of both worlds.

  25. Anonymous says:

    One other thing: are you planning on exposing a public anti-phishing web service? It seems to me, working *with* everybody else, instead of locking it into Internet Explorer only, will share the work to maintain this database amongst many people, not leave it all up to you.

  26. Anonymous says:

    Jim’s idea (above) is the smartest thing I’ve seen anyone post on these forums. Send URLs by one way hash. And it HAS to be on by default because average-Joe will never realise he should turn it on.

    I expect it’s a bit late to think about at this stage in development, but integration with your Anti-spyware stuff sounds like a good plan too. If the spyware is going to come from anywhere, it’s going to be via the browser, so if the user has anti-spyware installed you might as well scan whatever they’re trying to install before you let them.

    Nice job with rendering bugs in IE, look forward to seeing what you do with CSS2 and standards in Beta 2.

    If you haven’t seen it yet, take a look at Doug Bowman’s interesting article at You might like to forward this on to your friends in the web development team. Have a nice day.

  27. Anonymous says:

    Great Blog and i really like the (new) openess of the IE-Team!

    Just one question: When can we expect the open beta of IE 7? I would like to try IE 7 too 😉

  28. Anonymous says:

    <<Jim’s idea (above) is the smartest thing I’ve seen anyone post on these forums. Send URLs by one way hash>>

    Alas, that’s not likely to work due to wildcard DNS. You could send multiple hashes, one for each label, but you’re not really buying a lot there. How long do you think it would take to generate the one-way hash of all registered domain names (answer: not long at all).

    Vis-a-vis requires restart: These all mean "requires restart of browser". They should update the UI.

  29. Anonymous says:

    The feasibility of hashing urls depends entirely on the implementation though Will, if MS have implemented this as a huge database of exact urls that they just do a string comparison against, hashing would work fine..

    Either way, I don’t see it happening as I’m sure the marketing/search/advertising departments are loving the idea of having browsing statistics reported to them.. cynical perhaps but I doubt I’m wrong

  30. Anonymous says:

    > Alas, that’s not likely to work due to wildcard DNS.

    My completely uninformed guess is that they’ve implemented this as a list of domains and/or IP addresses. Phishing websites and legitimate websites virtually never share the same domain, do they?

    In this case, wildcard DNS wouldn’t be a problem. If they’ve implemented it as a list of hostnames, then yes, phishers could circumvent it by sending a random subdomain to each victim.

    > How long do you think it would take to generate the one-way hash of all of all registered domain names

    Yes, but that would require specific effort on Microsoft’s behalf to break into people’s data. I think there’s enough legal red tape associated with crossing that line that bureaucracy will save us 🙂

  31. Anonymous says:

    I have to say that I always thought the text "requires restart" meant a full-on Windows restart. Is it really only a browser restart that this text refers to? If so, could I suggest a slight change in the wording, for clarification – such as "requires browser restart".

  32. Anonymous says:

    Chris: If so, could I suggest a slight change in the wording, for clarification – such as "requires browser restart".

    Or better yet, fix it so that you don’t have to restart anything! 🙂

  33. Anonymous says:

    Is there any chance Beta 2 or final will allow total customization of every toolbar position? I myself prefer the File menu below the title bar.

    How about a confirmation (enabled by default and can be disabled) before closing multiple tabs?

    Nice work otherwise, looking forward to final.

  34. Anonymous says:

    There is a middle ground. Instead of reporting back the URIs to Microsoft, simply report back a one-way hash, e.g. MD5 or SHA1.

    This way, Microsoft doesn’t know where you are surfing (no privacy violation) but can detect when you visit a website already in their phishing database (all the protection).

    This still doesn’t solve the issues of it slowing your internet connection nor the issues of when their servers are down. NO program should ever have to send information to a 3rd party.

    There would still be ways for Microsoft to gather our browsing habits from this, you would have to trust that the MS database only contains the hashes of "bad" sites. For example, we send 12345 (, a competitor to MSN search) what says that the MS database doesn’t have a 12345 entry that is flagged as "not phishing" but is used only to keep track of how many IE users visit google vs how many go to MSN search? We have no way of knowing this. Even if they don’t know specific sites, they know other things. They know how frequently we browse, what hours of the day we browse, etc. All of this is information that MS has no business knowing.

  35. Anonymous says:

    Sending URLs as a one-way hash mitigates some privacy issues (and drastically decreases effectiveness) but it doesn’t remove them entirely. Let’s say the FBI wants a list of people who have browsed a terrorist website. They can generate the same hash and ask MS for the list of people who have phoned-home the same hash. No privacy there. The complete list of unique urls (or hosts) is not that large that a dictionary attack couldn’t be mounted… crawl the web, get a list of URLs, hash them, and match that up to the browsing profile that MS has based on phishing phone homes.

    If MS wanted to know where you are browsing, hashing data won’t stop them from making that determination.


  36. Anonymous says:

    WinXP/SP2 – Could this be called "Security Strategy"?!

    Dear Rob Franco an all in the IETeam,

    It seems to me that in WinXP/SP2 almost any HTML document ( including those residing in the local machine ) with Script is, by default, blocked and labeled as "potentially dangerous"!!! This simply can not be called "security strategy"!!! This is rather an indication of a deep equivocation and, in fact, of a frank incapacity to distinguish between really malicious Scripts and well-intentioned and task-oriented ones. I simply can not understand why people do not feel themselves intellectually offended by such a detestable and incredible thing…

    Microsoft, wake up while there is time!!!

  37. Anonymous says:

    <<"requires browser restart". >>

    A good idea, although we’re tight on space.

    <<Or better yet, fix it so that you don’t have to restart anything!>>

    The problem there is that many of these settings really cannot be changed while the browser is running, because certain codepaths have already been executed. For instance, it doesn’t really work to change "Enable 3rd party browser extensions" while the browser is running, because the extensions have already been loaded. Forcing unload would be equivalent to killing processes in Task manager.

    Overall, the expectation is that Advanced Settings are not often changed. If you find you’re constantly switching one of these settings on and off, please let me know which one. Thanks!

  38. Anonymous says:

    I’m reading an interesting article about the subject:!1pdVO89fmNKwqmwfervd6IGg!964.entry.

    What IE Team think about it?

    IE 7.0 will prevent this vulnerability?

  39. Anonymous says:

    I wrote about the evil script detection problem here:

  40. Anonymous says:

    Is it just me, or does HTML Help (chm) no longer work once IE7 is installed? The help files for several programs I use just return about:blank.

  41. Anonymous says:

    Well didn’t take you long to fix the Windows Update problem – good work .


  42. Anonymous says:

    The issue that a server can look at your keystrokes when you type in the webpage has nothing to do with Ajax, although Ajax is one way of accomplishing the attack (see Google Suggest, for instance).

    If you have script enabled at all, you can perform this attack without using XMLHttp. You can simply do something like

    <body onkeypress="someimagetag.src=''+window.event.keyCode;">

    And whammo, there you go.

  43. Anonymous says:

    2 EricLaw:

    Thanks, for your response. I had another question now (or suggestion):

    In IE Security Settings, i may enable/disable/prompt: Active scripting, Allow paste operation via script, Allow status bar updates via script. But i can’t control sending information to server via script (without user interaction).

    Allow user to take a decision about this action (enable/disable/prompt – more than enough).

    What do you think?

  44. Anonymous says:


    As Eric’s example demonstrates, you can send data to the server with even seemingly benign client-side scripts.

    There are many, many ways in which to do it – XMLHttpRequest, inline frames, image swaps, object elements, window.location, Flash, Java applets… the list goes on.

    If you are concerned about this, nothing short of disabling Active Scripting altogether, along with many plugins, will address your concern, and you can already do this.

    There’s no practical way for Microsoft to have a setting like you describe, because virtually any useful client-side feature will have the possibility of communicating with the server.

  45. Anonymous says:

    The refresh button on IE is way too small, and it’s out of the way. Maybe most users use the F5 key or something, but please make that button a little bigger.

  46. Anonymous says:

    Jack, I’ll tackle a few of your questions:

    2) You asked about “No Add-ons mode” and possibly confusing the user. “No Add-ons mode” is currently intended as an advanced tool users might use in case of emergency. You are absolutely correct that not confusing users with it is critical.

    2a) Yes, you can use Windows Update in No Add-ons Mode, in fact No Add-ons mode has a special start page with a link to Windows Update. Getting a security update is one scenario when we expect people might want No Add-ons mode.

    2b) “No Add-ons mode” is a whole separate way to run IE, it’s not applied based on the zone of the page you are visiting.

    3) I hear your feedback about the Phishing Filter. We’re working to earn and maintain your trust. More from Tariq soon.

    4,5,6 & 7) I hear you saying that silent download of ActiveX controls is a “threat” in any zone. Specifically, you might be talking about a scenario where a user lowers their security slider to “Low” and they get ActiveX controls installed on their machine. I agree, I think this is the kind of mistake that some folks make. I look forward to telling you more about how we’re improving the security UI in Beta 2 as soon as possible.

    KL, You asked about Low-rights IE compared to starting IE using “Run as…” a different user. That scenario is in fact conceptually similar to “Protected Mode” (formerly Low-rights IE) because it prevents IE from writing to certain sections of the file system. We’ll give you more details about Protected Mode as soon as possible.

    Marcus, you asked why XP SP2 puts the information bar on innocent HTML pages. First off, I’m glad to hear you aren’t writing malicious pages! Since the HTML you write is "good", you might not need all the power granted to HTML in the Local Machine Zone. By moving your HTML to another zone, you reduce its capability but you also will avoid getting the Information Bar.

    You can change the zone of a local HTML file to a less powerful zone simply by adding an HTML comment, called "mark of the web", that indicates the security zone you want to run in. This is a little extra effort for you but if your HTML doesn’t need that extra power, this is a safe choice. Here’s more info on Mark of the Web:

    As you know, you can still use powerful HTML in the Local Machine Zone by clicking on the information bar or by using one of the other workarounds for Local Machine Zone Lockdown:

    Thanks folks for all of the feedback and good questions!

    Rob [MSFT]
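The "mark of the web" comment Rob describes, built and checked in Python as an added example (not code from the post or from IE). It assumes the documented comment format `<!-- saved from url=(NNNN)url -->`, where NNNN is the zero-padded character count of the URL that follows and `about:internet` places the file in the Internet zone; inserting the comment immediately before the `<html>` tag is an assumption made here.

```python
import re

# Matches a mark-of-the-web comment and captures the declared length and the URL.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def mark_of_the_web(url: str = "about:internet") -> str:
    """Build the comment. The four-digit count must equal the URL length exactly;
    a wrong count is the usual reason a hand-written mark has no effect."""
    if not url or len(url) > 9999:
        raise ValueError("URL must be 1 to 9999 characters long")
    return f"<!-- saved from url=({len(url):04d}){url} -->"


def parse_mark_of_the_web(html: str):
    """Return (url, count_is_correct) for the first mark found, or None if absent."""
    match = MOTW_RE.search(html)
    if match is None:
        return None
    declared, url = int(match.group(1)), match.group(2)
    return url, declared == len(url)


def add_mark_of_the_web(html: str, url: str = "about:internet") -> str:
    """Insert the mark just before the <html> tag (assumed placement), or at the
    very top if the document has no <html> tag. Leaves an already-marked file alone."""
    if MOTW_RE.search(html):
        return html
    comment = mark_of_the_web(url)
    tag = re.search(r"<html[\s>]", html, re.IGNORECASE)
    if tag is None:
        return comment + "\n" + html
    return html[:tag.start()] + comment + "\n" + html[tag.start():]
```

Running `add_mark_of_the_web` over a local page that does not need Local Machine Zone privileges gives the file the reduced Internet-zone rights Rob mentions, without the Information Bar.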

  47. Anonymous says:

    (Marc would post but he’s on his honeymoon somewhere in the Caribbean)

    That’s the most interesting part of the post, lol 😛

  48. Anonymous says:

    Are there any plans to implement something similar to Shane Hird’s suggestion?

  49. Anonymous says:

    Internet Explorer 7 includes a new URL handling architecture known internally as CURI. The new…

  50. Anonymous says:

    Where can I try this out as our students on campus are bound to integrate this w/out our knowledge and I am sure I will need to "tech" it kmackles (the @)

  51. Anonymous says:

    My last post was intended to introduce our overall security strategy and the specific features in IE7…

  52. Anonymous says:

    Hi, my name is Tariq Sharif and I am a Program Manager on the IE Security team. One of the threats users…

  53. IEBlog says:

    As we’ve described

    previously, we’ve made some major architectural improvements to improve browsing…

  54. IEBlog says:

    While Rob Franco and Chris Wilson were presenting and getting feedback at PDC, I spent most of my time…

  55. IEBlog says:

    Hello, I’m Marc Silbey, a Program Manager focused on IE security. I’m back from my honeymoon and…
