Two good resources on Firefox 4, IE9 security

There are two documents online that give a pretty good overview of security enhancements in Firefox 4 and IE9.

Let's start with Firefox 4, which I just upgraded to this morning. The best review of security features I've seen thus far was written by the SANS Institute's Johannes Ullrich. To read the full document, go to The SANS Internet Storm Center site.

"Like no other release before it, Firefox 4 includes a number of significant security features," he writes. "These features are addressing attacks that are in particular hard to avoid by developers and in which the browser is more so the victim than the server."

He adds: "These attacks, Cross Site Scripting (XSS), redirects to HTTP pages from HTTPS and Clickjacking use vulnerable web applications more as a mirror to bounce attacks into the browser. The browser can provide meaningful protection against these attacks, unlike for more server-centric attacks like SQL injection, for which the attacker is in full control of the client."

The article goes on to list the specific features, such as Content Security Policy (CSP) against XSS, and Strict-Transport-Security.
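As an added example (not code from this post or from the SANS article), the following Python audits the two browser-side defenses just named, Strict-Transport-Security and Content Security Policy, from a server's response headers. The header values are constructed samples and `cdn.example.com` is a placeholder host; nothing is fetched from the network.

```python
# Audit HSTS and CSP response headers for weak or missing settings.
# Sample headers are constructed for illustration: one weak, one sound.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
}
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
}

def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit():
            max_age = int(arg)
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def parse_csp(value):
    """Return a dict mapping each CSP directive to its list of source expressions."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def audit(headers):
    """Return a list of findings describing weak or missing browser-side protections."""
    findings = []
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no HSTS: HTTPS-to-HTTP downgrade is not prevented")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if not max_age:  # max-age=0 (or absent) leaves no policy in effect
            findings.append("HSTS max-age is 0 or missing")
        if not include_sub:
            findings.append("HSTS does not cover subdomains")
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("no CSP: script injected via XSS will run unrestricted")
    else:
        policy = parse_csp(csp)
        scripts = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in scripts:
                findings.append(f"CSP allows {weak} for scripts")
    return findings
```

Running `audit(WEAK_HEADERS)` yields five findings, while `audit(GOOD_HEADERS)` yields none.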


For Internet Explorer 9, I found a great security overview by Jeff James on the WindowsITPro site.

"Some of the biggest improvements to IE9 came in the form of security and privacy improvements, with the three most significant being enhanced memory protection, improved defense against social-engineering attacks, and a new 'pinned sites' feature that adds multiple security improvements," he writes.

He goes into detail about the SmartScreen Application Reputation feature and about several new security features that come with IE9's pinned sites feature. Of the latter, he writes:

"The concept revolves around 'pinning' icons of frequently-used (and trusted) sites to your browser toolbar which run in their own browser session, and don't load any additional toolbars or help objects. The pinned sites feature also helps 'avoid insecure HTTP to HTTPS redirections' and securely terminates connections if there are any problems 'with the security certificate presented when your browser contacts [another] Web site.'" (He quotes Eric Lawrence, Microsoft's senior program manager for Internet Explorer, in that passage and in other parts of the overview.)

CSO contributing writer Bob Violino is working on another analysis piece on the browser security upgrades. Meantime, if you know of other documents people should see on Firefox 4 and IE9, email me at bbrenner@cxo.com and I'll add your finds to this post.

--Bill Brenner

Copyright © 2011 IDG Communications, Inc.
