Microsoft is changing Internet Explorer 7's security zones in a bid to create a more attack-resistant browser, according to a public blog entry written by three developers at the software giant.
Like its predecessors, IE 7 enforces security policies by clumping sites into four security categories, or zones, dubbed Internet, Intranet, Trusted Sites, and Restricted Sites. Typically, the Intranet zone comes with fewer restrictions than the Internet zone.
In the past, however, attackers have sometimes managed to fool IE into treating an outside site as if it belonged to one of the less-secure zones; this is known as a "zone-spoofing attack".
To prevent some of these attacks, IE 7 will instead treat all sites as being in the more-secure Internet zone, unless the PC is really part of a managed network (such as is often the case in a corporate environment).
"This change effectively removes the attack surface of the intranet zone for home PC users," wrote Vishu Gupta, Rob Franco and Venkat Kudulur, on the trio's "IEblog".
The Internet and Trusted Sites zones will also be tightened up in IE 7, said Gupta. In Windows Vista, the Internet zone will run in "protected mode", which prevents silent installation of malicious code, while both versions of the browser, for Vista and Windows XP, will feature a new ActiveX Opt-In setting that reduces the likelihood of attackers abusing ActiveX controls.
IE 7 will also change the default security level of the Trusted Sites zone to "Medium", the same level as the Internet zone in IE 6, added Gupta. (IE 6's default for the Trusted Sites zone is "Low".)
Internet Explorer 7 is currently in limited beta testing, but a public beta that will include the new security features is scheduled for release in the first quarter of 2006.