“Security zones are groupings of sites that give them different levels of access to the local system. The zoning system has been an achilles heel for Explorer in the past, with malicious sites able to gain access to the user’s system by tricking the browser.”
More like, “The zoning system has been the achilles heel for attackers…”. There is no question that the zoning model needs to change in Internet Explorer. However, the changes they are developing are on only modifications to the existing model. The zone model needs to be completely redesigned, not just given a facelift. Example:
“One of the most significant changes for enterprise users will be the elimination of the intranet zone.”
Okay, so you removed a zone that uses a worn out buzzword. This does little to improve the security of the browser. But wait, there’s more:
“If a user wants to re-enable their intranet zone, they’ll be able to.”
Nice! There are some positive changes:
“By default Explorer 7 will assign “trusted sites” a “Medium” security level, the level given to Internet-zone sites under Explorer 6, Microsoft said. Users will get the option of manually lowering the trusted-sites security settings back to the Explorer 6 level via Internet Options or through policy settings, Microsoft said.
This is a step in the right direction. However, if the trusted zone still exists, and the user has the ability to allow sites to run in its context, attackers could also find a way to allow their sites to run in it too. I really do hope version 7 helps to improve the security of the browser. However, in order to keep pace with Firefox their going to have to add new features, which means new code to exploit :-)
You can find more information about all things IE on the IE Blog from Microsoft (What, has Security Weekly lost his mind? He’s linking to Micro$oft? Yikes!)
.com