"When IE8 sees a cross-site scripting attack, it stops that script from being reflected to the server, and stops the attack at the client," Wilson added.
IE8 will have the cross-site scripting filter enabled by default, and it will not need to deal with pop-up warnings or other dialogs, added David Ross, a security software engineer at Microsoft. "When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server's response," said Ross in a technical posting to the IE team's blog today.
Cross-site scripting is sometimes referred to by the abbreviation "XSS."
However, Ross acknowledged that IE8's cross-site scripting filter won't completely protect users. "The XSS Filter defends against the most common XSS attacks but it is not, and will never be, an XSS panacea," Ross said.
John Pescatore, a Gartner Inc. analyst, applauded Microsoft's plans. "It's good to see these kinds of things built into the browser," he said, adding that the two new features take different approaches against security problems on the Web.
The SmartScreen Filter is the "more reactive part" of the IE8 security upgrade, Pescatore argued. "You really have to protect the browser user against himself," he said, and one way is to block users from straying into dangerous places.
The concept behind the cross-site scripting filter and IE8's planned support for protocols designed to make intersite communications more secure is similar to the tools Microsoft and Hewlett-Packard Co. unveiled last week to help Web site developers and administrators secure their sites against SQL injection attacks. "You can't build everything into the browser," Pescatore said. "The browser has to be the thing that tries to protect the user, but it can't make up for all the Web security vulnerabilities."
IE8 Beta 2 will ship next month, Microsoft's Wilson confirmed today, although he declined to set a more specific date.
Beta 1, which launched four months ago, can be downloaded from Microsoft's Web site.