• On TechRepublic: Five super-secret features in Windows 7
August 27, 2008 1:33 PM PDT

IE 8 beta gives other browsers a run for their money

by Robert Vamosi

Don't count Internet Explorer out just yet.

On Wednesday, Microsoft released the second public beta for Internet Explorer 8. If anything, this release brings IE up to par with alternative browsers such as Opera, Apple's Safari, and Mozilla's Firefox in terms of security and features. It also pushes Microsoft a little ahead of the competition.

The user interface hasn't changed much since Internet Explorer 8 Beta 1, except to add a Security pull-down menu between Page and Tools on the main toolbar. In addition to blocking phishing sites, IE 8 now highlights the main domain of any Web site you visit. Thus if you think you are on eBay's site and something other than ebay.com is highlighted, chances are you are on the wrong Web site.

Click for gallery

IE 8 also contains a cross-site scripting filter, one of the first in a mainstream browser. Cross-site scripting allows an attacker to execute script on a user's browser without them knowing. When the IE 8 filter finds a Web page with a cross-site scripting request, it changes the content on the page with a notice. Users are not presented with an option; IE simply blocks the malicious script from executing and then displays the rest of the page.

In another feature, known as InPrivate, Microsoft allows the user to suspend caching functions while you surf. The scenarios for using InPrivate include when you're using someone else's computer, like for instance, when you need to buy a gift for a loved one without ruining the surprise, or when you're at an Internet kiosk and don't want the next person to know which Web site you visited. While you can currently clear the browser cache with a mouse click, it's an all-or-nothing action. InPrivate temporarily suspends the automatic caching functions, allowing you to keep the rest of your browsing history intact. Apple Safari has offered this feature for a while, but Mozilla Firefox does not.

IE 8 Beta 1 has already introduced several behind-the-scenes security changes. For example, ActiveX components will be installed per user, which eliminates the need for everyone to have administrator privileges. In addition, you must acknowledge or opt in for the component to run, eliminating drive-by downloads. Components will be per site and will only be available from the site of origin. Finally, site developers can request killbits from Microsoft which can be sent via Windows Update to terminate risky or outdated components.

Also, IE 8 Beta 1 included Microsoft's own brand of malware protection. Earlier this year, Opera added Haute Secure malware protection, and Mozilla enhanced its Google and StopBadware malware protection in Firefox 3.

See also:
Internet Explorer 8 Beta 2 screenshots
Review: Internet Explorer 8 beta 2
Daily Debrief video: The newest IE 8

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

News

Tags:

security,

Microsoft,

Internet Explorer,

cross-site scripting,

XSS,

privacy,

ActiveX,

InPrivate,

IE 8

Share:
Digg
Del.icio.us
Reddit
advertisement
Click here!
Recent posts from Security
Microsoft patches critical hole in Windows kernel
Panda's Cloud Antivirus leaves beta behind
Apple plugs holes for domain spoofing, other attacks
Microsoft launches Forefront Protection 2010
'60 Minutes'--Cyberwar: Sabotaging the system
Microsoft to fix holes in Windows, Office
Google privacy controls: Most people won't care
Zero-day flaw found in Web encryption
Related
Mozilla releases first beta of Firefox 3.6
After 5 years, Firefox faces new challenges
IOBit 360 refreshed for Windows 7
Google Chrome 4.0 graduates to beta status
Chrome and others nibble away IE usage
Firefox gains Windows 7 features
Released!: Opera Mobile 10 beta for Symbian
Microsoft puts its 'signature' on PCs
Add a Comment (Log in or register) Showing 1 of 2 pages (60 Comments)
by rapier1 August 27, 2008 1:47 PM PDT
Anyone get a chance to run it against ACID yet?
Reply to this comment
by irperez August 28, 2008 6:06 AM PDT
It passes the Acid2 test with flying colors. As for Acid3, obviously it does not pass it, but the score improved from beta1 which is some improvement. I would assume the next release of IE will target the Acid3 test just like all the other browsers.

But let me say that they got it right with this release. The privacy controls, the Acelerators are awesome!!! I love it. The one gripe that I have is that it does not have a builtin spell checker. Wish it had one.
by Penguinisto August 27, 2008 1:53 PM PDT
That's cool - so what's the ACID score? Still Windows-only? What kind of resource usage does it require (as opposed to, say, IE7, or even the previous beta)? The Acitve X -per-user thing sounds intriguing, but how would that stop a privilege escalation flaw in ActiveX from working? Does a webmaster of a compromised site running ActiveX always have to go to Microsoft now, or can't he/she just fix the script...? Does this "inPrivate" thing also stop Live.com from tracking you as well, or just every site who isn't Microsoft-owned?

Seriously - if you're going to write an article touting improvements, could you do more than just list whatever features were spoon-fed from Microsoft's PR office?

/P
Reply to this comment
by rapier1 August 27, 2008 2:11 PM PDT
Actually, whats kind of cool about the InPrivate thing is that one aspect of it effectively blocks 3rd party tracking as well. Essentially it monitors the use of techniques like google analytics that allow for cross realm tracking. If the users hits more than 10 sites that are using that technique it blocks further access. http://blogs.msdn.com/ie/archive/2008/08/25/ie8-and-privacy.aspx has more detail.
by rapchoore August 27, 2008 2:39 PM PDT
Acid3 test fails in Beta 2. Real nice.
by rapier1 August 27, 2008 4:10 PM PDT
I don't think its fair to complain about ACID 3 failing being that A) this is a beta and B) no one is really passing ACID 3 yet. Safari and FIrefox get further but I don't think anyone is hitting 100 yet.
by mikeburek August 28, 2008 5:03 AM PDT
It looks like this article was written the same day the beta came out. Like with many new programs, more details will follow, especially once it gets out of beta. With this as a beta, there may or may not be lots of changes for the final version. So running this version through ever test out there is probably not the highest priority.
by Penguinisto August 28, 2008 7:10 AM PDT
@mikeburek:

Actually, it's drop-easy to run it through the ACID testing (takes like two minutes), and since Mr. Vamosi presents himself as a security expert, it should be relatively easy for him to dig in a little for an hour or two before posting the article. Calling Microsoft and asking a few tough questions couldn't hurt either.

Also, Fox News (of all organizations) confirmed that InPrivate doesn't really clear your cache - "Although casual users cannot see the previous user?s search history, authorities such as the police will be able to access it if necessary."

ref: http://www.foxnews.com/story/0,2933,412161,00.html
by rapier1 August 28, 2008 8:00 AM PDT
Is there any confirmation for the backdoor aside from the foxnews article? For some reason I'm not willing to accept that on their say so.
by Vegaman_Dan August 28, 2008 9:03 AM PDT
Penguinisto wrote:


"Actually, it's drop-easy to run it through the ACID testing (takes like two minutes), and since Mr. Vamosi presents himself as a security expert, it should be relatively easy for him to dig in a little for an hour or two before posting the article."


It's rather ironic that Penguinisto, a self proclaimed security expert himself on Slashdot and Poser forums, would chastise a person for writing up their thoughts and views on a piece of software's abilities but hasn't done it himself. If it only takes "like two minutes," then perhaps Penguinisto should do this himself instead of taking someone else's word for it? I know that would mean installing IE8 on a Windows system and he has stated many times before that he has does not own or use any Windows products, but it would make sense for him to actually try to get the facts before casting barbs at someone for doing something that Penguinisto himself has not done.


I don't know- perhaps he should follow his own advice:


"Dig in for an hour or two before posting-"


Sounds like wise advice to me. Now only if he would heed it.


This is pretty common troll behavior otherwise. Treat it accordingly.

by Penguinisto August 29, 2008 11:24 AM PDT
Hiya Dan!

Getting frustrated already? All I did was chide Mr. Vamosi for not doing anything more than repeating PR spin. Or does repeating PR spin count as a "blog" nowadays?

(PS: I prefer DAZ|Studio over Poser ;) ).
by rmva August 27, 2008 2:28 PM PDT
This is just the security piece of the IE8 b2 story. Someone else is probably covering the rest.
Reply to this comment
by jture August 27, 2008 2:32 PM PDT
Would Micro$oft have made any of these improvements if other browsers hadn't beaten them to it? I'm not impressed.
Reply to this comment
by hlywd217 August 27, 2008 6:29 PM PDT
Oh, you put a Dollar sign in place of the S in Microsoft. How clever.
by Lerianis August 27, 2008 7:10 PM PDT
Yes, they would have made these improvements sooner or later. The fact is that a lot of times Microsoft doesn't want to innovate and add new features because whiners like you who get on their case for NOT doing that also get on their case when they DO that.
So, it's a lose-lose proposition for Microsoft, at least as far as people like you (chronic whiners) go.
by mikeburek August 28, 2008 5:05 AM PDT
This is good because so many people use IE by default on Windows. You can argue whatever you want, but it is still the truth. Maybe it's not impressive compared to other browsers pushing ahead first, but it is very good.
by nachurboy August 28, 2008 3:09 PM PDT
Would Safari added any of its features had IE not existed? Would Firefox exist if it wasn't for features in IE? Would any browser exist if Netscape didn't exist? I'm not impressed with you not being impressed.
by Correction_Firefox August 27, 2008 2:42 PM PDT
Correction: "InPrivate temporarily suspends the automatic caching functions, allowing you to keep the rest of your browsing history intact. Apple Safari has offered this feature for a while, but Mozilla Firefox does not."

Actually, Firefox offers the same privacy feature in a plugin called Stealther. What it does is temporarily disable the following:
- Browsing History (also in Address bar)
- Cookies
- Downloaded Files History
- Disk Cache
- Saved Form Information
- Sending of ReferrerHeader
- Recently Closed Tabs list
Reply to this comment
by timber2005 August 27, 2008 4:36 PM PDT
IE6 and 7 have addons for the same function.
But they are looking for "built in" here ;) And FF3 doesnt have it.
by Lerianis August 27, 2008 7:11 PM PDT
Yep, functionality like this should be built directly into the browser.... NOT as an add-on, and since I use Firefox as my main browser, I usually give Mozilla a pass but not in this case.
by sernst-cnet August 27, 2008 2:44 PM PDT
Image 3 in the slide show claims IE8 can delete individual items from the history but firefox can't.
This is untrue. Firefox doesn't have the cute little delete icon in the list, but you can simply press the Delete key while a site is highlighted in the 'awesome bar' dropdown to remove it.
Reply to this comment
by Lerianis August 27, 2008 7:12 PM PDT
You can? Funny, I tried this..... it didn't work the way you said it should. In fact, it actually did absolutely nothing in both the latest Minefield (the Mozilla test browser) and Firefox 3.01 itself.
by sernst-cnet August 27, 2008 7:30 PM PDT
I'm using firefox 3.01 out of the box, and delete works fine. Just wiped out this page.

Went to the address bar, typed in cnet, scrolled down to this article entry, pressed Delete (not backspace). Gone from the list and gone from history.
by Solaris_User August 27, 2008 2:49 PM PDT
Yes, it looks cool, but does it run on Linux?
Reply to this comment
by zer0efx August 27, 2008 3:44 PM PDT
Funny story! IE is really trying to say they have more security protection than FF or Safari, I highly doubt it. M$ is all talk. I am also not impressed. IE has been behind the game for years, stopped using IE 5 years ago except for web development testing, but that's all I use it for.
Reply to this comment
by rjw_mpwr August 27, 2008 4:53 PM PDT
"stopped using IE 5 years ago except for web development testing, but that's all I use it for. " how funny!!! That means you still have to have IE on your desktop. That means Microsoft still wins. That means you cannot live without Microsoft. So, stopp trashing Microsoft.
by DrtyDogg August 27, 2008 5:08 PM PDT
I stopped using IE 5 years ago also. As did a lot of people when 5.5/6/7 where released.
by Lerianis August 27, 2008 7:14 PM PDT
The fact is that Microsoft has been behind on security improvements, until the latest IE7 and IE8. I have to 'bash' Microsoft even as an admittant Microsoft fanboy, because that should NEVER have been the case that Firefox and Opera had to push IE to get better and safer.
by orphu August 28, 2008 6:52 AM PDT
No, 'IE' is not saying anything about security, the author of the article is. There are no quotes from MS employees or representatives. Whether you like MS (products, services, etc.) or not, their attempt at emulating security features of other browsers is, at least, a step in the correct direction.
by TV James August 27, 2008 3:50 PM PDT
One image shows the error message "Internet Explorer will now close." but the accompanying text says only the tab will close.

Uh...

But like someone else said, I'm more interested in how it handles ACID and whether it's any quicker / less bloaty.

The "accelerator" feature looks like a slicker version of Ubiquity, but probably less fully featured. (But, like most Microsoft products, good enough for mom and dad. *sigh*)
Reply to this comment
by n3td3v August 27, 2008 4:42 PM PDT
Does this one have more federal government back doors in it than the last one as well?
Reply to this comment
by Lerianis August 27, 2008 7:15 PM PDT
There are no federal government backdoors built into Vista or IE. Cut that ******** out right now! It is a TOTALLY false statement, coming from my cousin who works for the FBI trying to hack into child pornographer and other 'criminals' computers.... there is just no back door, period and done with.
I really hope that Microsoft finds your posting and sues you for libel.
by Penguinisto August 28, 2008 7:11 AM PDT
Yep: http://www.foxnews.com/story/0,2933,412161,00.html

Note the following: "Although casual users cannot see the previous user?s search history, authorities such as the police will be able to access it if necessary."
by magicmaster August 27, 2008 5:06 PM PDT
Shouldn't Microsoft scrap ActiveX all together? This piece of dangerous technology should be banished from the earth.
Reply to this comment
by Lerianis August 27, 2008 7:16 PM PDT
No, they should NOT scrap ActiveX all together. ActiveX is a very robust technology now, and most of the 'security holes' have been closed in IE7 and IE8 with the prompts before ANY ActiveX control is allowed to install and, in some cases, even run!
by Penguinisto August 28, 2008 7:20 AM PDT
The reason why it should be ditched has nothing to do with "dangerous" (though it is), but becuase it is a mono-platform closed-source solution that no one else can use. No webmaster in his/her right mind, looking for the widest possible audience, would bother using it for that very reason.
by DrtyDogg August 28, 2008 10:17 AM PDT
No, it is a very powerful and flexible platform that can be utilized in many many ways. If you don't like it you can easily turn it off in IE, which has been an option for a long time.

@Peng: nobody is saying that other browsers can't add a similar technology. Hey, it would probably be "innovative" if another company does it.
by The_Decider August 30, 2008 7:02 PM PDT
Yes they should. ActiveX is slow, buggy and a huge security hole. And yes, a web developer would have to be either insane or retarded to use it.

There is an architectural flaw in Vista that can be used to get around the lame memory 'protections' and completely own the machine.

No patch can fix it either.
by Philstera August 27, 2008 5:11 PM PDT
It passes the ACID 2 test
Reply to this comment
by skillingssucks August 27, 2008 5:42 PM PDT
I'm sure it doesn't do any better on Acid3 than did Internet Explorer Beta 1.
http://en.wikipedia.org/wiki/Acid3
Reply to this comment
by Lerianis August 27, 2008 7:19 PM PDT
Yes, it still fails the Acid 3 test. Only a 21 out of 100 on the Acid 3 test, but I really didn't expect any better from an IE8 BETA (key word there). Microsoft does have a long way to go with IE8 and Acid 3 compliance, but so does Firefox 3 and even Minefield.
by zed260 August 27, 2008 8:11 PM PDT
actuly it goes from a score of 18/100 to a score of 21/100

so a 3 percent imrpovement
Reply to this comment
by j_a_s_p_e_r August 28, 2008 9:43 AM PDT
Uh, its up 3 percent, it improved (21-18)/18 = 0.16666 -> 16.67% Basic math.
by nonicks August 28, 2008 6:36 AM PDT
IE8 Beta 2 is way way above the competetion. Earlier one of the beauties of Firefox were fast "getting-up" time and faster display of webpages.

IE8 has hugely improved on both terms and is at par or exceeds with Firefox.

Among many other features.. one prominents Feature which C|NET team missed is
- New Tab.

I loved the whole Idea of what microsoft has done with the new page.

say I accidentaly closed a tab which I reached from a series of other tabs. hey don't worry.

Just open a new tab and it will show you ur CURRENT browsing summary. No need to browse/seek from regular History tab. Simply open a new tab.

It's fantastic and shows the research on user habits - microsoft has done with IE8.

It's not all about being Technically marvelous but add to it - the User perspective.

That's IE8 for you.

kudos MS...
Reply to this comment
by dinojr August 28, 2008 7:59 AM PDT
Well I haven't used the beta but from your description that's not exactly new. Press control-shift-T in Firefox to reload the last closed tab or see the list of "Recent Closed Tabs" in the History menu.
by Penguinisto August 28, 2008 7:12 AM PDT
Err, "InPrivate" ain't really private, campers:

"Although casual users cannot see the previous user?s search history, authorities such as the police will be able to access it if necessary."

http://www.foxnews.com/story/0,2933,412161,00.html
Reply to this comment
by Vegaman_Dan August 28, 2008 9:04 AM PDT
And that's true of Opera, Safari, and Firefox. Don't forget to list those others as well.
by DrtyDogg August 28, 2008 10:21 AM PDT
it doesn't matter what browser you use that information is able to be seen if you have the right credentials.
by Penguinisto August 29, 2008 11:25 AM PDT
Sorry Dan, but the others actually do suspend such recording and caching (barring a keylogger or other intentional intrusive app).
by The_Decider August 30, 2008 7:04 PM PDT
"it doesn't matter what browser you use that information is able to be seen if you have the right credentials. "

Wrong

"And that's true of Opera, Safari, and Firefox. Don't forget to list those others as well"

Extremely wrong
by DrtyDogg August 30, 2008 7:39 PM PDT
You are a moron if you believe that check your ISP's privacy policy again.
by gminetos August 28, 2008 9:08 AM PDT
Robert, why would you start out with "Don't count Internet Explorer out just yet." ?! Why would you feebly attempt to convey that the browser with 85% (or more) of the market is somehow on the ropes ?! Why not just throw your credibility on the ground and stomp on it while you're at it. Seriously, what journalistic idgit would do this ?!
Reply to this comment
by Foggy August 28, 2008 9:23 PM PDT
What does it take for the people at CNET News to realize that if you are not already an IE user, who gives a rat's behind that there will be a IE 8. I'll download it when it comes out but I won't use it unless a website says I have to use IE to download software or a driver. I still use NETSCAPE 7.2 for 70% of my web BROWSING followed by FLOCK, then FIREFOX and NETSCAPE 9. They can come out with IE 232 and I won't use it.
Reply to this comment
by bajanx August 29, 2008 12:47 AM PDT
First of all, i am merely a casual user that like surfing the web and use both ie7 with ie pro7 installed and firefox3. Been using IE8 beta 2 now for about a day and a half and i have to say i am impressed with the browser. Msft seems to be taking the best features from the other browsers and adding more to IE8. Great job! Sounds like they are finally listen to the end-users about IE. Oh i am already a fan of the favorites bar and the accelerators. Oh the crash recovery is handled quit well.
Reply to this comment
by bajanx August 29, 2008 12:50 AM PDT
Oh speed is on par with firefox, but i also tauhgt it was really close with IE7 PRO plugin installed.
Reply to this comment
Showing 1 of 2 pages (60 Comments)
advertisement

After 5 years, Firefox faces new challenges

Mozilla helped reshape the Web since releasing Firefox 1.0 five years ago. Now it's got a reawakened Microsoft and Google Chrome to reckon with.

There's a map for that: GPS or smartphone?

Almost every handset comes with mapping software these days, but standalone GPS devices are becoming more affordable than ever.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET