The problems became so serious and widespread that by 2004 the bad security
reputation Microsoft was acquiring threatened the popularity of Internet Explorer and
even Windows itself as users began to switch to Firefox. Recognizing the importance of
these issues, Microsoft put a great deal of security engineering effort into Internet
Explorer 7. This case study examines the following changes and new security features:
• ActiveX Opt-In
• SSL protections
• URL parsing
• Cross-domain protection
• Phishing filter
• Protected mode
ActiveX Opt-In
As noted in Chapter 8, ActiveX controls have been a frequent source of security problems.
IE 7 attempts to reduce the exposure of potentially dangerous controls with the new
ActiveX Opt-In feature. The Opt-In feature disables ActiveX controls by default. If a user
browses to a web site that uses ActiveX, IE 7 will ask the user if she wants to run the
control. If the user approves the behavior, the message will not appear the next time she
visits the site. If the user grants permission, Authenticode information will be shown and
IE 7 will then allow the control to run. The Opt-In model disables most ActiveX controls
unless the user actively approves them.