IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Hello, I'm Alex Glover and I'm the test owner of the SmartScreen Filter in Internet Explorer 8. The SmartScreen Filter helps protect IE8 users against phishing scams and sites distributing malware. In a previous post, Eric described the SmartScreen features and improvements over the Phishing Filter in IE7, such as anti-malware support, new user interface, and better performance. Today I'm going to talk about how SmartScreen works with other features to combat malware, and describe the changes we've made in the IE8 Release Candidate to help keep you safe.

Real-World Malware Attacks
Malware authors are always trying to come up with new ways to infect your computer, and one common method is by tricking you into downloading what you think is a legitimate program. We recently saw an interesting example of such a trick, as reported by the SANS Internet Storm Center and the Grand Forks Herald. Fake parking tickets placed on cars around a city directed users to a website where they would need to install a toolbar to view pictures of their violation; the toolbar turned out to be malware. The database used by the SmartScreen Filter was immediately updated, and any user who tried to download this malware toolbar would have had it blocked, if they were running IE8 with the SmartScreen Filter enabled.

Malware Attacks in the Browser
Generally speaking, there are two ways malicious sites can attempt to infect your computer. One way is to exploit vulnerabilities in a web browser to automatically install malware without any user interaction, also known as a drive-by download. The other way is to lure or trick the user into choosing to download and run a program that is in fact malware, as in the example above. For complete protection, we must guard against both avenues of attack.

Several other features of IE8 and Windows Vista help protect against drive-by attacks that attempt to run without the user's knowledge or consent. These features include DEP/NX memory protection, ActiveX security improvements, and User Account Control combined with IE's Protected Mode. But none of these can protect the user from a program that they choose to download and give permission to run. That's where the SmartScreen Filter is important, as a defense against malware "coming in through the front door".

Improved Blocking Page
A common piece of feedback on the SmartScreen Filter in IE8 Beta 2, especially from the security community, was that it's too easy for users to click through the SmartScreen blocking page and end up at a dangerous website. We've acted on this feedback in IE8 RC1 and changed the SmartScreen blocking page to better protect and inform users. We want to encourage people encountering this page to make the safe choice, and also help them find additional information. Here's a screenshot of the new version:

SmartScreen blocking page in IE8 RC

By default, the blocking page has a single "Go to my home page instead" link. This makes the recommended next step clear, instead of presenting several options at once and forcing the user to read through them all and decide. Those users who are interested can click "More information":

SmartScreen blocking page after clicking More Information

After you click "More information", additional details and links appear. The "Learn more about phishing"/"Learn more about malicious software" link takes you to a page where you can find information about these risks and how you can protect yourself (that page is still in development, so currently the link points to the SmartScreen Filter FAQ).

You can still choose to ignore the SmartScreen warning by clicking the "Disregard and continue" link. By hiding this link initially, moving it to the bottom of the page, and requiring two clicks in total to get to the unsafe website, we hope to reduce the number of accidental or casual click-throughs. While some people may be curious to see the blocked site, the safe action is to simply go someplace else. Domain administrators can also use Group Policy to remove the "Disregard and continue" link and prevent users from overriding the SmartScreen warning.
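The post mentions that domain administrators can remove the "Disregard and continue" link through Group Policy but does not name the policy. The following is an added example, not code from the post or from the IE team, for auditing (and, with the -Enforce switch, setting) that policy on a single machine. It assumes that the IE8 policy "Prevent bypassing SmartScreen Filter warnings" is backed by a DWORD named PreventOverride under the machine-wide PhishingFilter policy key shown below; confirm that mapping against the inetres.admx file in your environment before relying on it.

```powershell
# Added example (not from the IEBlog post or the IE team).
# Audits, and optionally enforces, the IE8 SmartScreen policy that hides the
# "Disregard and continue" / "Disregard and download unsafe file" links.
#
# Assumption: the "Prevent bypassing SmartScreen Filter warnings" policy writes
# PreventOverride (REG_DWORD) = 1 under the key below. Verify in inetres.admx.
param(
    [switch]$Enforce   # without this switch the script only reports
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter'
$ValueName = 'PreventOverride'

function Get-SmartScreenOverridePolicy {
    # Returns 'Enforced', 'NotEnforced' or 'NotConfigured'.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$ValueName -eq 1) { return 'Enforced' }
    return 'NotEnforced'
}

function Set-SmartScreenOverridePolicy {
    # Needs an elevated prompt. In a domain, set this through a GPO instead so
    # it is applied centrally and re-applied if a local admin changes it.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

$state = Get-SmartScreenOverridePolicy
Write-Output "SmartScreen override policy: $state"

if ($Enforce -and $state -ne 'Enforced') {
    Set-SmartScreenOverridePolicy
    Write-Output "After enforcement: $(Get-SmartScreenOverridePolicy)"
}
```

Run it without arguments to see whether the policy is in effect on a machine; run it with -Enforce from an elevated prompt to set the value locally. Because the value lives under HKLM\SOFTWARE\Policies, a local change is overwritten by whatever the domain GPO specifies at the next policy refresh, which is why the GPO is the right place to manage it for a fleet.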

Redesigned Unsafe Download Dialog
In IE8 Beta 2, we added protection against malware: malicious software that attacks your computer or steals personal information. If you start to download a file from a site known to distribute malware, the SmartScreen Filter will block the download and display a dialog warning you of the threat. Here's what that looked like in Beta 2:

Unsafe download dialog in IE8 Beta 2

While this dialog served the purpose of blocking the download, it didn't communicate the risk as effectively as it could have. In IE8 RC1, we've redesigned the dialog to be bolder, as you can see in this screenshot:

Unsafe download dialog in IE8 RC

The new dialog has a red banner and one-line summary at the top to make the danger easy to understand at a glance. Below that, we added an explanation of what it means for a download to be unsafe. As with the blocking page, domain administrators can remove the "Disregard and download unsafe file" link using Group Policy.

The SmartScreen Filter plays a critical role in keeping you safe online. As we see in news reports like the one I mentioned, malware authors are constantly thinking up new ways to attempt to get their code onto your computer. We've made changes to protect our users even better by making the risks of malicious sites clearer and discouraging people from clicking past the warnings. I encourage you to turn on the SmartScreen Filter in the IE8 Release Candidate, and continue giving us your feedback. Thanks!

Alex Glover
Software Development Engineer in Test