Microsoft revamps browser security zones
Microsoft has detailed some significant changes in Internet Explorer 7's "security zones" that it claims will eliminate some of the browser's most notorious vulnerabilities.
Security zones are groupings of sites that give them different levels of access to the local system. The zoning system has been an Achilles' heel for Explorer in the past, with malicious sites able to gain access to the user's system by tricking the browser into placing them in a more permissive zone than they deserve.
Microsoft's Vishu Gupta, Rob Franco and Venkat Kudulur, writing on the official IE Blog last week, said improvements such as stricter URL parsing in Windows XP SP2 and Explorer 7 have been designed to limit such vulnerabilities. "If there is a flaw in IE's zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in," they wrote.
The changes to the zoning system are designed to reinforce these improvements by making the zones themselves less permissive, Microsoft said.
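To make the "flaw in zone detection logic" concrete, here is an added illustration (constructed for this page, not Microsoft's code and not a description of IE's actual logic) of a toy zone classifier. The policy it applies is an assumption: a dotless hostname or a private IP address lands in the intranet zone, anything else, or anything unparseable, in the internet zone. The naive version parses the raw URL per RFC 3986; the hardened version first applies the browser's own interpretation (backslash treated as slash in http(s) URLs, unknown schemes sent to the most restrictive zone), which is the difference that lets a crafted URL such as the sample `http://evil.example\@intranet/` be mis-zoned by the naive parser. All hostnames and sample URLs are constructed.

```python
"""Toy security-zone classifier: a naive parser beside a hardened one.

Constructed example, not Microsoft's code. The policy is an assumption:
a dotless hostname or a private IP address lands in the intranet zone,
everything else (and anything unparseable) in the internet zone.
"""
import ipaddress
from urllib.parse import urlsplit

INTRANET = "Local intranet"
INTERNET = "Internet"


def _zone_for_host(host):
    """Apply the (assumed) policy to an already-extracted hostname."""
    if not host:
        return INTERNET                      # fail to the more restrictive zone
    try:
        return INTRANET if ipaddress.ip_address(host).is_private else INTERNET
    except ValueError:
        pass                                 # not an IP literal, treat as a name
    return INTRANET if "." not in host else INTERNET


def naive_zone(url):
    """Flawed: an RFC 3986 parse of the raw string.

    Browsers treat a backslash like a slash in http(s) URLs, but urlsplit
    does not, so 'http://evil.example\\@intranet/' parses here with host
    'intranet' while a browser would actually fetch it from evil.example.
    """
    return _zone_for_host(urlsplit(url).hostname)


def hardened_zone(url):
    """Zone the URL the way the browser will actually interpret it."""
    parts = urlsplit(url.replace("\\", "/"))  # backslash == slash, as browsers do
    if parts.scheme not in ("http", "https"):
        return INTERNET                       # unknown scheme: most restrictive zone
    return _zone_for_host(parts.hostname)


# Constructed sample URLs: (url, zone the browser should really assign)
SAMPLES = [
    ("http://intranet/", INTRANET),
    ("http://10.0.0.5/", INTRANET),
    ("http://www.example.com/", INTERNET),
    ("http://intranet@evil.example/", INTERNET),        # userinfo is not the host
    ("http://evil.example\\@intranet/", INTERNET),      # backslash trick
    ("http://[::1]:8080/", INTRANET),
]


def audit(samples=SAMPLES):
    """Return the sample URLs that the naive classifier zones too permissively."""
    return [u for u, want in samples
            if naive_zone(u) == INTRANET and want == INTERNET]


if __name__ == "__main__":
    for url, want in SAMPLES:
        print(f"{url:38} naive={naive_zone(url):15} hardened={hardened_zone(url):15} want={want}")
    print("naive mis-zoned:", audit())
```

The lesson generalises beyond this toy: zone, origin and allow-list decisions must be made on the URL as the navigating component will actually resolve it, not on a second, independent parse of the same string, or every divergence between the two parsers becomes a zone-escape candidate.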
One of the most significant changes for enterprise users will be the elimination of the intranet zone. "We realized that the intranet zone (and its lower restrictions) is not relevant at all to the typical home user running IE," wrote Gupta, Franco and Kudulur.