Security Watch
Russ' IE 7.0 Wish List
Details about the next version of Internet Explorer are sketchy, but at least we can hope for the best.
The much-anticipated
keynote
address at this year's
RSA conference by
Bill
Gates took place last week was a letdown for many. Although he did announce
Internet Explorer 7.0, and that it would be available
for Windows XP SP2 users, he failed to provide any real details as to what it
will include. URL obfuscation and anti-phishing techniques seem like obviously
new features and were stressed as technologies Microsoft is currently working
on, but specifics just weren't there.
There are a number of features I'd like to see in IE 7.0. Some of the top ones
include:
- Something that makes a URL stand out when the underlying
link isn't based on the same URL as the covering link. In other words,
if the covering text says www.mcpmag.com, the underlying link must also start
with that URL. If it doesn't, the underlying link should be displayed together
with its covering text. I realize this could screw up text on a page, and
is problematic if the covering text is simply the words "click here";
still, we need to get people to realize that what's under a link isn't necessarily
what it says it is. It could come in the form of a pop-up warning indicating
that the link may not be taking you where you think.
- Don't render obfuscated links. If the URL is http://1234567890/fred.htm,
don't render it as a link. I can't think of a legitimate use of such a link
in the first place.
- A much stricter job of parsing HTML. The HTML
specification is pretty free and easy when it comes to what must be in what
parameters, or what can be in what tags. Gate's title for his RSA keynote
was "Raising the Security Bar"; but what we could use right now
is some "Lowering of the tolerance bar" when it comes to HTML specifications.
Much stricter interpretation of the HTML specification would dramatically
reduce, if not eliminate, many of the spyware/adware scams out there today.
Further, it makes content scanning more feasible, as there will be less variation
in the expected content structure.
Gates made several other positive announcements during his keynote:
- Microsoft's anti-spyware tool will be free to
all licensed users of Windows. Finally, a core product that will deal with
these miscreants and help prevent those evening phone calls from panicked
friends and family members. It doesn't matter to me whether the tool is the
most effective on the block; it provides a basic level of protection that
will only get better over time. Microsoft's Spynet
project should yield great results as more people opt in, giving more user
experience feedback and early warning about new threats.
- Microsoft is committed to providing a consumer anti-virus
solution, probably this year. It's one thing for Microsoft to realize
its platform is a feeding ground for viruses, Trojans, bots and worms; it's
another to be responsible for having a product that effectively protects that
platform. It should be very interesting to see how Microsoft deals with the
media over the issue of heuristics (the ability in anti-virus software to
detect a malicious piece of code without having seen it before). Microsoft
should be better at that than anyone else. Let's see if it succeeds.
- Microsoft's acquisition of Sybari is a great step
forward for enterprises. Sybari's product is not an anti-virus solution, but
rather an infrastructure for deploying and managing one or many anti-virus
engines. This means you can create your own multiple scanning environment,
so if one AV vendor doesn't catch something, maybe another's will. This is
an excellent way of minimizing the risk new and changing viruses can have
on an e-mail environment.
Want
More Security? |
This
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
|
|
|
Sybari is true plumbing, in the best sense of the word, which is one of Microsoft's
strengths. I've been told it's already integrated the
RAV
product (the European AV company it bought early last year) into Sybari, so
I expect to see the initial offering from Microsoft of the repackaged Sybari
product to include that engine by default. You can add engines from all of the
top AV companies.
Although his keynote lacked a lot of detail, Gates did mention that this was
another step in the "Trustworthy Computing" path he outlined several
years ago in his famous memo. I wish it wouldn't take so long; but hey, it's
a huge company and at that size, it's hard to be quick on your feet.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.