Jaa


IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Hello, I'm Alex Glover and I'm the test owner of the SmartScreen Filter in Internet Explorer 8. The SmartScreen Filter helps protect IE8 users against phishing scams and sites distributing malware. In a previous post, Eric described the SmartScreen features and improvements over the Phishing Filter in IE7, such as anti-malware support, new user interface, and better performance. Today I'm going to talk about how SmartScreen works with other features to combat malware, and describe the changes we've made in the IE8 Release Candidate to help keep you safe.

Real-World Malware Attacks
Malware authors are always trying to come up with new ways to infect your computer, and one common method is by tricking you into downloading what you think is a legitimate program. We recently saw an interesting example of such a trick, as reported by the SANS Internet Storm Center and the Grand Forks Herald. Fake parking tickets placed on cars around a city directed users to a website where they would need to install a toolbar to view pictures of their violation; the toolbar turned out to be malware. The database used by the SmartScreen Filter was immediately updated, and any user who tried to download this malware toolbar would have had it blocked, if they were running IE8 with the SmartScreen Filter enabled.

Malware Attacks in the Browser
Generally speaking, there are two ways malicious sites can attempt to infect your computer. One way is to exploit vulnerabilities in a web browser to automatically install malware without any user interaction, also known as a drive-by download. The other way is to lure or trick the user into choosing to download and run a program that is in fact malware, as in the example above. For complete protection, we must guard against both avenues of attack.

Several other features of IE8 and Windows Vista help protect against drive-by attacks that attempt to run without the user's knowledge or consent. These features include DEP/NX memory protection, ActiveX security improvements, and User Account Control combined with IE's Protected Mode. But none of these can protect the user from a program that they choose to download and give permission to run. That's where the SmartScreen Filter is important, as a defense against malware "coming in through the front door".

Improved Blocking Page
A common piece of feedback on the SmartScreen Filter in IE8 Beta 2, especially from the security community, was that it's too easy for users to click through the SmartScreen blocking page and end up at a dangerous website. We've acted on this feedback in IE8 RC1 and changed the SmartScreen blocking page to better protect and inform users. We want to encourage people encountering this page to make the safe choice, and also help them find additional information. Here's a screenshot of the new version:

SmartScreen blocking page in IE8 RC

By default, the blocking page has a single "Go to my home page instead" link. This makes the recommended next step clear, instead of presenting several options at once and forcing the user to read through them all and decide. Those users who are interested can click "More information":

SmartScreen blocking page after clicking More Information

After you click "More information", additional details and links appear. The "Learn more about phishing"/"Learn more about malicious software" link takes you to a page where you can find information about these risks and how you can protect yourself (that page is still in development, so currently the link points to the SmartScreen Filter FAQ).

You can still choose to ignore the SmartScreen warning by clicking the "Disregard and continue" link. By hiding this link initially, moving it to the bottom of the page, and requiring two clicks in total to get to the unsafe website, we hope to reduce the number of accidental or casual click-throughs. While some people may be curious to see the blocked site, the safe action is to simply go someplace else. Domain administrators can also use Group Policy to remove the "Disregard and continue" link and prevent users from overriding the SmartScreen warning.

Redesigned Unsafe Download Dialog
In IE8 Beta 2, we added protection against malware, malicious software that attacks your computer or steals personal information. If you start to download a file from a site known to distribute malware, the SmartScreen Filter will block the download and display a dialog warning you of the threat. Here's what that looked like in Beta 2:

Unsafe download dialog in IE8 Beta 2

While this dialog served the purpose of blocking the download, it didn't communicate the risk as effectively as it could have. In IE8 RC1, we've redesigned the dialog to be bolder, as you can see in this screenshot:

Unsafe download dialog in IE8 RC

The new dialog has a red banner and one-line summary at the top to make the danger easy to understand at a glance. Below that, we added an explanation of what it means for a download to be unsafe. As with the blocking page, domain administrators can remove the "Disregard and download unsafe file" link using Group Policy.

Conclusion
The SmartScreen Filter plays a critical role in keeping you safe online. As we see in news reports like the one I mentioned, malware authors are constantly thinking up new ways to attempt to get their code on to your computer. We've made changes to protect our users even better by making the risks of malicious sites clearer and discouraging people from clicking past the warnings. I encourage you to turn on the SmartScreen Filter in the IE8 Release Candidate, and continue giving us your feedback. Thanks!

Alex Glover
Software Development Engineer in Test

Comments

  • Anonymous
    February 09, 2009
    Please, give an option (Internet Settings, Advanced tab) to allow advanced users to have the "Disregard and continue" directly visible. Everyday I have to use "unsafe websites" like web-based VPN, secured with SSL certificates issued by my customers' organisations.

  • Anonymous
    February 09, 2009
    The comment has been removed

  • Anonymous
    February 09, 2009
    why was protect mode for ie7 removed from default for trusted sites

  • Anonymous
    February 09, 2009
    "Everyday I have to use "unsafe websites" like web-based VPN, secured with SSL certificates issued by my customers' organisations." In that situation I'd install the certificates in your trusted certificate store.  Otherwise you can't tell the difference between an untrusted certificate (self-signed by the customer) and an untrusted certificate (because of a man-in-the-middle attack)

  • Anonymous
    February 09, 2009
    IE 8 RC1 doesn't show a progress bar during installation with many third-party themes (ones where the progress bar is solid instead of segmented). Here's an example theme: http://tornado5.deviantart.com/art/Ambient-111330562 Maybe you can change the installer so that the progress bar will go all the way across once, instead of a few segments going across many times. Thanks!

  • Anonymous
    February 09, 2009
    The comment has been removed

  • Anonymous
    February 10, 2009
    @Rob Parsons - Here, Here! There should be no way that ANYTHING can install itself just by viewing a website.  It doesn't matter if it is the coolest software ever, installing without consent is disgusting and should be blocked (read the browser should never have allowed this behavior in the first place).

  • Anonymous
    February 10, 2009
    The comment has been removed

  • Anonymous
    February 10, 2009
    @Rob Parsons: SmartScreen will block (completely, with no override prompt) installation of malicious ActiveX controls. @Travis: I think you're overlooking the fact that nothing "installs itself."  The user must manually choose to install the FunWebProduct in order for the tool to be installed.  IIRC, the FunWebProduct has an accurate disclosure that explains what it does and an uninstaller that completely reverts its behavior, suggesting that it doesn't meet the definition of malware.   Obviously, Microsoft cannot just go around blocking software that we personally don't care for-- there are specific criteria around what will and will not be blocked.  Please see http://www.microsoft.com/windows/products/winfamily/defender/analysis.mspx for further detail.

  • Anonymous
    February 10, 2009
    The comment has been removed

  • Anonymous
    February 10, 2009
    To further discourage people from clicking the "disregard and download unsafe file (recommended)" link button and make a expand button to view that linked button instead. Instead of 1 click user now have to do two click.

  • Anonymous
    February 10, 2009
    The comment has been removed

  • Anonymous
    February 10, 2009
    Eric, on the one hand I agree with you that software that has clear policy etc. should not be blocked. BUT on the other hand I agree with hAl that IE should do SOMETHING before user installs that kind of software. I would suggest showing the user a prompt with big exclamation mark that this software was found unwanted by most users and he should REALLY consider before installing it. SmartFilter should really make users SMARTER :)

  • Anonymous
    February 10, 2009
    The comment has been removed

  • Anonymous
    February 10, 2009
    The comment has been removed

  • Anonymous
    February 10, 2009
    MS sure has low standards. FunWebProducts is clearly deceptive and does unwanted things to any Windows OS but you won't block it? I can't believe what I'm reading from a MSFT employee.

  • Anonymous
    February 10, 2009
    The comment has been removed

  • Anonymous
    February 10, 2009
    The comment has been removed

  • Anonymous
    February 11, 2009
    Indeed. If an addon/toolbar/program does not have a built in (un-hindered) uninstall that registers in the add/remove programs dialog then IT IS UNFIT for installation, PERIOD. If Rob Parsons' comments are correct, and the uninstall is blocked, then this software is officially malware. Every time I read this stuff I am so glad that Firefox is my default browser and where I install my addons.

  • Anonymous
    February 11, 2009
    The comment has been removed

  • Anonymous
    February 11, 2009
    The comment has been removed

  • Anonymous
    February 11, 2009
    The comment has been removed

  • Anonymous
    March 19, 2009
    Today we’re excited to release the final build of Internet Explorer 8 in 25 languages. IE8 makes what

  • Anonymous
    March 23, 2009
    The comment has been removed

  • Anonymous
    March 24, 2009
    The comment has been removed

  • Anonymous
    April 21, 2009
    I attended Scott Charney’s keynote this morning at RSA – Moving Towards End to End Trust