IE 7’s protected mode needs to be acknowledged as a security effort, but CanSecWest proved that it didn’t isolate Flash well enough. It’s not clear if a configuration issue was involved, but I don’t care—most people won’t configure it right either then. IE 7’s protected mode is a collection of good measures, such as applying least privilege and separation of privilege, and intercepting system API calls, but it is difficult to verify and explain how it all fits together, and be sure that there are no gaps. More importantly, it relies heavily on the slippery slope of asking the user to appropriately and correctly grant higher permissions. We know where that leads—most everything gets granted and the security is defeated.
Someone not only thought of a proper security architecture for web browsers but did it (see “Secure web browsing with the OP web browser” by Chris Grier, Shuo Tang, and Samuel T. King). There’s a browser kernel, and everything else is well compartmentalized and isolated. Similarly to the best operating system architectures for security, the kernel is very small (1221 lines of code), has limited functionality, and doesn’t run plug-ins inside kernel space (I’d love to have no drivers in my OS kernel as well…). It’s not clear if it’s a minimal or “true” micro-kernel—the authors steer clear of that discussion. Even malicious hosted ads (e.g., Yahoo! has had repeated experiences with this) are quarantined with a “provider domain policy”. This is an interesting read, and very encouraging. I’d love to play with it, but I can’t find a download.