REDMOND, Wash., June 3, 1997 — Responding to user and IT manager interest in improved browser security, Microsoft Corp. today announced five major enhancements that will give Microsoft® Internet Explorer 4.0 the most advanced and sophisticated security control of any browser. The new features make complex security issues easier for users to understand, while giving network administrators better management tools to control security policy within their company. The new features include these:
-
Security Zones. This breakthrough solution makes it easier to manage security policies for intranets, trusted extranets and the public Internet.
-
Certificate Management. Lets network administrators control which publishers’ Java
™
Applets and ActiveX
™
Controls are allowed to run on the network. -
Capabilities-based security for Java . Lets users or network administrators specify which potentially harmful capabilities of Java applications can execute.
-
Authenticode
™
technology 2.0. The second generation of the industry’s most widely used code-signing architecture, developed in conjunction with VeriSign Inc., provides support for time stamping, online status checks and revocation. -
Security check-up Web site. Educates users on security risks and ensures that they are using security features correctly.
“In the age of the Internet, there is no absolutely perfect security. Microsoft’s goal is to provide Microsoft Internet Explorer 4.0 with state-of-the-art security innovations to give users the safest possible browser,” said Brad Chase, vice president, application and Internet client group at Microsoft. “We want to make it easy for users to be safe by helping them understand and choose the security levels best for them.”
“Security is extremely important to us at Freightliner because we rely on our internal and dealer networks for business processes,” said Scott Richardson, Internet and intranet program development manager for Freightliner Corp. “Security Zones would enable us to be proactive with Internet security and provide a means to set access standards. At the same time, however, it would enable us to continue to develop intranet and Internet solutions with HTML, ActiveX or Java, without compromising the security of our organization.”
Security Zones Lead Innovative Security Features in Microsoft Internet Explorer 4.0
With Security Zones in Microsoft Internet Explorer 4.0, users and administrators can divide the Web into zones, each with separate security settings specific to the source, protocol, domain name or directory of the Web site they are viewing. While Microsoft Internet Explorer 4.0 comes with four predefined Security Zones (Intranet, Trusted Extranet, General Internet and Untrusted), administrators can customize the number and definitions of the zones to meet their specific needs. They can do the following:
-
Set higher security levels for pages and applications coming from the public Internet by assigning such sites to untrusted zones where scripts and applets can be tightly controlled so they cannot harm the user’s other files or programs.
-
Set higher levels of trust for pages and applications from the intranet and known extranet sites by assigning them to trusted zones where their ActiveX Controls, Java Applets, active content, plug-ins and scripting can have greater access to a user’s system.
-
Customize settings on a zone-by-zone basis for Java Applets, plug-ins, scripting, secure communications (SHTTP), content (PICS) and privacy.
For example, a corporation could assign its regular parts supplier to a trusted zone, enabling the downloading and running of inventory or parts-ordering controls or applets from the supplier. Similarly, a consumer could assign a known financial institution to a trusted zone with the stipulation that all sites in that zone must use secure HTTP (SHTTP), ensuring secure communications and online banking with that institution.
New Certificate Management Feature Integral Part of Trust Zone Model
The new Certificate Management feature in Microsoft Internet Explorer 4.0 allows corporate administrators to decide which third-party controls or other signed code to allow on their intranets. This feature is an integral part of the Security Zones model, so administrators can assign certain certificates of authenticity to specific security zones.
Capabilities-Based Security for Java
The new capabilities-based Java security support lets users or administrators
predetermine what capabilities and levels of access to give to Java Applets within security zones. For example, they can give Java Applets from known sources broad access to user files, while restricting applets from unknown sources to safe sandboxes where they can’t harm user files. With this feature, administrators and users can make better choices about what access to provide to Java Applets and manage those choices throughout the enterprise.
Microsoft Helps Make the Internet Safer With Authenticode 2.0
In addition to Security Zones, Certificate Management and capabilities-based Java security features in Microsoft Internet Explorer 4.0, Microsoft is also making the Internet safer through enhancements to its industry-leading Authenticode model for signing Internet software. The Authenticode 2.0 update adds status-checking features for the over 15 million current Microsoft Internet Explorer 3.0 users. It will also provide revocation features when fully implemented and operational in Microsoft Internet Explorer 4.0. The Authenticode status-checking capability provides an extra way to verify the validity of signatures by automatically confirming that the code was signed during the effective period of the publisher’s certificate license. To ensure that users can take advantage of the status-checking features immediately, Microsoft recommends that all Microsoft Internet Explorer 3.0 users download the Authenticode 2.0 update, which is available now at http://www.microsoft.com/ie/security/authent.htm.
“We’re excited to be working with Microsoft to help ensure trusted software distribution over the Internet,” said Anil Pereira, director of marketing for VeriSign, the leading certification authority for Internet commerce and communications. “By allowing developers to digitally shrinkwrap their code with a VeriSign Digital ID, Authenticode 2.0 provides users with the information necessary to make smart decisions before downloading software.”
If a software publisher abuses its code-signing agreement with VeriSign by, for example, creating malicious code, its publisher’s certificate can be revoked. The Authenticode 2.0 certificate revocation feature, which will be implemented in Microsoft Internet Explorer 4.0, automatically checks for certificate revocation before downloading potentially hazardous code.
New Web Site Makes It Easy for Users to Understand Security
The new Microsoft Internet Explorer security checkup Web site is designed to educate users on security issues so they can safely navigate the Web. This site includes an educational quiz that makes security approachable for the casual user and also contains easy-to-understand directions on how to set and modify personal security settings.
For a limited time, visitors to the security checkup site can enter the Security Checkup Giveaway to win a new Windows® CE operating system-equipped Compaq PC Companion Handheld PC (H/PC). Starting immediately, one H/PC will be given away per week, for four weeks. The Microsoft security checkup Web site is available at http://www.microsoft.com/ie/security/quiz/default.asp.
Availability
The new client-based Security Zones, Certificate Management and capabilities-based security features will be included in the next release of Microsoft Internet Explorer 4.0. Users of Microsoft Internet Explorer 3.0 (for Windows 95 and the Windows NT® operating system 4.0) should download the Authenticode 2.0 update immediately to take advantage of the new features in it, as well as to renew expiring certificates. The final release of Microsoft Internet Explorer 4.0 will incorporate the entire set of Authenticode 2.0 features. IT administrators will be able to access and configure the enhanced security and trust features for their organizations through the Microsoft Internet Explorer Administration Kit for Microsoft Internet Explorer 4.0 http://www.microsoft.com/ie/ieak/ and the Microsoft software development kit for Java http://www.microsoft.com/java.
For more information on the new security features in Microsoft Internet Explorer 4.0, visit the Microsoft Internet Explorer Web site at http://www.microsoft.com/ie/ie40/browser/security/. Additional information on security can also be found on the Microsoft Web Security Advisor Web site at http://www.microsoft.com/security/ or the Microsoft Internet Explorer security site at http://www.microsoft.com/ie/security/update.htm.
Founded in 1975, Microsoft (NASDAQ
“MSFT”
) is the worldwide leader in software for personal computers. The company offers a wide range of products and services for business and personal use, each designed with the mission of making it easier and more enjoyable for people to take advantage of the full power of personal computing every day.
Microsoft, ActiveX, Authenticode, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.
Java is a trademark of Sun Microsystems Inc.
Other product and company names herein may be trademarks of their respective owners.
Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft’s corporate information pages.
