Last month, Microsoft rolled out the first major Windows 10 update for PCs and tablets. Today, the company is detailing one of the security improvements included within: Microsoft SmartScreen can now block drive-by attacks.
Microsoft SmartScreen is a security filter that is leveraged by a few of the company’s products, including Internet Explorer and Edge. Since SmartScreen’s release as part of IE7, the feature has protected users from “billions” of web-based attacks, the company said. It blocks phishing attacks and socially engineered malware, as well as warns of deceptive advertisements and scam sites.
Now SmartScreen can also handle drive-by attacks, which are essentially scenarios where you’re browsing on a trusted site but something manages to exploit a vulnerability in your browser or some other software without you doing anything. That means you don’t have to click on anything, download, or execute a malicious file.
Drive-by attacks make use of services known as exploit kits (EKs) to scale effectively. These are tools that first check your PC for software vulnerabilities (tracked publicly as CVEs) and then try to exploit them. The vulnerabilities can be either newly discovered ones — also known as 0-days — or ones that have already been fixed in popular software. Over the past year, we’ve seen EKs moving faster to target vulnerabilities in apps with available patches, while also exploiting 0-day vulnerabilities more frequently.
Microsoft uses data from Edge, IE, Bing, Windows Defender, and the Enhanced Mitigation Experience Toolkit (EMET) to spot these attacks “as they emerge.” SmartScreen can thus block drive-by attacks directly in the browser, preventing the device from getting infected, potentially even before a patch is available.
You might be wondering why it took Microsoft eight years to add such functionality. The company explained that all the threats SmartScreen has protected against until now can be blocked after web content is parsed and rendered.
That’s not the case for drive-by attacks, which adds significant complexity to the problem, especially in terms of performance. To avoid browser slowdown, SmartScreen blocks drive-by attacks by using a small cache file that is periodically updated by your browser. That way, calls to the SmartScreen service are only made if IE or Edge believes “there’s a high probability of malicious content on a page.” The result is a red warning and no content being rendered.
SmartScreen can also warn you about potentially malicious frames, such as unsafe ads. Unsafe frames on a page used to result in a full-page warning, even if the webpage hosting the content was safe, but now SmartScreen can show you warnings for only the frames that are found to be malicious.
In this way, you can keep browsing the page even if it has malicious ads included, for example.
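As an added illustration (not Microsoft's code and not part of the original article), the sketch below models the flow described above: a small local cache decides whether a remote reputation lookup is needed before anything is rendered, and verdicts are applied per frame rather than per page. The hash-prefix cache format, the staleness rule, and every class, function and host name are assumptions, since the article does not describe SmartScreen's internals.

```python
import hashlib
import time

PREFIX_LEN = 4        # bytes of each SHA-256 kept locally (assumed format)
MAX_CACHE_AGE = 3600  # seconds before the local cache counts as stale (assumed)

def digest(host):
    return hashlib.sha256(host.lower().encode()).digest()

class LocalCache:
    """Small, periodically refreshed list of hash prefixes of suspect hosts."""
    def __init__(self, suspect_hosts, fetched_at):
        self.prefixes = {digest(h)[:PREFIX_LEN] for h in suspect_hosts}
        self.fetched_at = fetched_at

    def needs_lookup(self, host, now):
        # A stale cache cannot vouch for a miss, so treat it as a hit.
        stale = now - self.fetched_at > MAX_CACHE_AGE
        return stale or digest(host)[:PREFIX_LEN] in self.prefixes

class ReputationService:
    """Stand-in for the remote service; counts calls to show the savings."""
    def __init__(self, malicious_hosts):
        self.malicious = {digest(h) for h in malicious_hosts}
        self.calls = 0

    def is_malicious(self, host):
        self.calls += 1
        return digest(host) in self.malicious

def verdict(host, cache, service, now):
    # Decided before any content from `host` is parsed or rendered.
    if cache.needs_lookup(host, now) and service.is_malicious(host):
        return "block"
    return "render"

def check_page(page_host, frame_hosts, cache, service, now=None):
    now = time.time() if now is None else now
    if verdict(page_host, cache, service, now) == "block":
        return {"page": "block", "frames": {}}  # full-page warning, nothing rendered
    # Page is fine: warn only for the frames that are themselves malicious.
    frames = {f: verdict(f, cache, service, now) for f in frame_hosts}
    return {"page": "render", "frames": frames}

# Constructed sample data (example.test names are placeholders).
SERVICE = ReputationService({"ek-landing.example.test", "bad-ads.example.test"})
CACHE = LocalCache({"ek-landing.example.test", "bad-ads.example.test",
                    "cleared.example.test"}, fetched_at=1000)
```

The call counter on the stand-in service shows the performance point: hosts that miss a fresh cache cost no network round trip, while a cache hit or a stale cache forces a lookup.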
And of course, similar to Google’s Safe Browsing service (leveraged by Chrome and Firefox), you can skip the warnings. Just expand the More Information link on the SmartScreen warning page to bypass the warning or even report a site as safe to Microsoft. For warnings shown in frames, you can click the Unsafe Content badge in the address bar for the same options.
On the flipside, Windows 10 users can report sites they think are unsafe directly to Microsoft in both IE11 (tap or click the Tools button, point to Safety, and then choose Report unsafe website) and Edge (tap or click the More menu, choose Send feedback, and then choose Report unsafe website).
This is a big improvement on Microsoft’s part, though we can’t help but wish it were available to more users. Still, if you haven’t upgraded to Windows 10 yet, this is yet another reason you should take the plunge.