Microsoft Debuts IE8, Only to Have It Hacked
Microsoft introduced its new version of Internet Explorer on Thursday, touting its new security features such as the SmartScreen phishing filter. However, the new features weren't enough to keep a the browser from being hacked at the CanSecWest conference.
03/19/09 11:56 AM PT
Microsoft's unveiling of Internet Explorer 8 on Thursday was marred by news that the browser, touted to be its most secure ever, already has been hacked.
IE8 was cracked at the 10th annual CanSecWest conference in Vancouver, Canada, Wednesday by a hacker who identified himself only as "Nils." To be fair, the first browser to go down at the hacking contest at CanSecWest was Apple's Safari.
"Microsoft is investigating reports of a possible vulnerability in Internet Explorer 8," a Microsoft spokesperson said. "While we're not aware of any actual attacks using this possible vulnerability or of any customers affected, if the vulnerability is confirmed, we'll take action to help protect our customers."
Security and IE8
This is not the first time a security vulnerability has been discovered in IE8 --in February, Microsoft released a security bulletin for IE8.
Announcing IE8's release Thursday, Microsoft said it "offers leading-edge security features in direct response to people's increasing concerns about online safety," and quoted CEO Steve Ballmer as saying that IE8 "provides protection that no other browser can match."
Does that square with the facts? Probably, Jason Miller, security and data team manager at network security and patch management vendor Shavlik Technologies, told TechNewsWorld. "They have SmartScreen Filter, which they haven't had before, and there are reports that it's catching a lot of malware," he explained.
SmartScreen Filter is an extension of IE7's phishing filter. When a user visits a site that has been labeled harmful, IE8 will put up a warning and suggest the user not visit the site.
Still, all software has vulnerabilities and is prone to hacking, Miller said.
Browser Wars Reignite
IE8 has lots of nice new stuff. These include accelerators, a version of selection-based search that lets users invoke an online service from any other page using just the mouse. IE8 also has Web Slices, which are snippets of a page that a user subscribes to. The browser will automatically update the snippets, which users can view directly from the Favorites bar.
This could kick off a new round of browser wars, as other firms offering Web browsers have revved up their efforts recently.
Google has just unveiled a new beta of Google Chrome, which it claims in a blog is almost twice as fast as the original beta. It also has several new features, including form autofill, full page zoom and autoscroll, and lets the user drag tabs out to get a side-by-side view of Web pages.
Meanwhile, Mozilla rolled out the mobile version of its Firefox browser, called "Fennec." This has impressed reviewers at first sight because of the variety of features it offers.
More Trouble Coming?
The browser wars could lead to more security issues, Shavlik's Miller warns. "As you add new features, there will be new areas for vulnerabilities to exist," he said. "The more bloated these browsers get, the more areas there are to attack."
Miller predicts that hackers will unleash a torrent of attacks on IE8 over the next few weeks. "There's a lot of money in this for the hackers, and they'll want to find a way in."
The situation won't be helped by the fact that hackers are now targeting browsers more heavily. "Over the past couple of years, browsers have overtaken e-mail as the area where users spend the most time, and attackers are putting out traps on Web sites," Paul Judge, chief technology officer at Web security application vendor Purewire, told TechNewsWorld.
"There's no shortage of vulnerabilities out there," Judge added.