Microsoft adds clickjacking protection to IE8 RC1

26.01.2009
Protection against malicious Web attacks and tweaks to a feature that lets users browse the Internet privately are among updates Internet Explorer users can test in the first release candidate for IE8, which Microsoft made available Monday.

As first reported by the IDG News Service Friday, Microsoft released the feature-complete version of IE8 Monday. Microsoft added performance tweaks to existing features and one major security update to block Web attacks known as "clickjacking" that the company said makes IE8 the only Web browser to offer such protection.

Clickjacking lets hackers put a transparent filter on sites so they can view what information a user is accessing and what activities that user is doing, said James Pratt, an IE senior product manager at Microsoft. For example, if someone is on a bank Web site, attackers can use clickjacking to see the user's bank information and acquire passwords, and the user will not know the information is being viewed remotely, he said.

The security feature that thwarts clickjacking in IE8 RC1 allows Web-site content owners to put a tag in a page header that will help detect and prevent clickjacking. If a site that uses the IE8 tag detects clickjacking, it will give Web users an error screen letting them know that the content host has chosen not to allow that content, and gives them the option to open the content in a new window that is protected from the attack.

Microsoft also in RC1 expanded the functionality of a feature it introduced in the IE8 beta 2 release called InPrivate. InPrivate has two settings -- InPrivate Browsing, which lets users browse the Web without creating a record of where they've been or enabling cookies, and InPrivate Blocking, which has been renamed in RC1 to InPrivate Filtering.

InPrivate Filtering lets people set a threshold for how many times third-party content appears on sites they are browsing before the feature allows them to view information on how those third-party content owners are collecting information about browsing habits. That threshold can be set between three times and 30 times.