9 Dec, 2013 No Comments Bobby Software Security

Internet Explorer 11 Logo

Microsoft’s newest version of their browser, IE11, is now released. Previously, I recommended that users upgrade to IE version 10, as it was the most secure version to date. Does IE11 further increase user security? Read on to find out.

New IE11 Security Features

There are no significant advances in security techniques with IE11, though it has added a few minor additions. For a more complete list, make sure to check out my article on IE10 security features, as IE11 still includes everything that the previous version had. The following features are new to IE11 only.

Note: Unfortunately, most of these new security features only work in Windows 8. I specify which these are.

1. Enhanced Protected Mode turned on by default

First included in IE7, EPM (also called “sandboxing”) runs web pages in their own little world, isolating them from the rest of the computer. This prevents any malicious code contained in the website from modifying your system files. The only change in IE11 is that EPM is now turned on by default. Only available in IE11 on Windows 8.

2. Third-party cookie blocking

Implemented a while ago on other browsers, IE has finally caught up. Third party cookie blocking allows you to block cookies from being inserted into you browser by third parties, like advertisers or malicious websites. This is a good security feature to have. Unfortunately, this feature is only available in IE11 on Windows 8. If you have Windows 7, it’s still possible to block third party cookies, but it’s a much more cumbersome affair. It requires overriding automatic cookie handling, which can be a headache. From Microsoft’s site:

Note that overriding automatic cookie handling also requires you to explicitly choose to Accept, Block, or Prompt for first-party cookies as well, so any preexisting first-party cookie settings you had (like the more finely-tuned settings adjusted according to your selected Low/Medium/High Internet zone settings (from Internet Options, Privacy tab) will be overridden.

3. Do Not Track exceptions

Not a new privacy feature, but a modification to an existing one, websites are now able to ask you if they can track your activity online. If you allow it, an exception will be added to the “Do Not Track” list, if you have DNT enabled. DNT does not, nor has it ever, forced websites to comply, but only informs them that you don’t want to be tracked. It’s completely up to the website if they want to honor that request or not. In my opinion, that makes this a worthless privacy feature.

4. Support for WebCryptoAPI

The W3C Web Cryptography API allows web developers to perform cryptography functions with JavaScript. From the abstract: “Uses for this API range from user or service authentication, document or code signing, and the confidentiality and integrity of communications.” IE11 adds support for this API. Only available on IE11 in Windows 8.

5. Support for WebGL (not a security feature)

I wasn’t going to include this, but some reports are calling IE11’s support of WebGL a type of security feature. So I just want to clarify that this is not an improvement in security for IE. WebGL is a JavaScript API for rendering graphics in browsers. Microsoft has not included this before, claiming that it has security problems. Apparently, they have improved their implementation enough to feel comfortable including it in IE11 (for both Win 7 and 8). Really, adding support for WebGL increases the attack surface of IE, actually creating more possible vulnerabilities.

Should I Upgrade to Internet Explorer 11?

If you’re running Windows 7, there’s no purpose in upgrading to IE11 for security reasons alone. If you have Windows 8, it’s probably worth it eventually, but I would hold off for a while until the early bugs get fixed. And if you’re running Windows 8.1, then you already have it. Of course, I always recommend using an alternate browser instead, like Mozilla Firefox or Google Chrome.