Microsoft has posted a very extensive article outlining the security improvements in IE8. Improvements have been made in the following areas:
- Cross-Site-Scripting Defenses
- Safer Mashups (HTML and JSON Sanitization)
- MIME-Handling Changes (Restrict Upsniff and Sniffing Opt-Out)
- Add-on Security
- Protected Mode
- Application Protocol Prompt
- File Upload Control
- Social Engineering Defenses
- Address Bar Domain Highlighting Improvements
- SmartScreen Phishing Filter
From the blog:
"Hi! I'm Eric Lawrence, Security Program Manager for Internet Explorer. Last Tuesday, Dean wrote about our principles for delivering a trustworthy browser; today, I'm excited to share with you details on the significant investments we've made in Security for Internet Explorer 8. As you might guess from the length of this post, we've done a lot of security work for this release. As an end-user, simply upgrade to IE8 to benefit from these security improvements. As a domain administrator, you can use Group Policy and the IEAK to set secure defaults for your network. As a web developer, you can build upon some of these new features to help protect your users and web applications.
As we were planning Internet Explorer 8, our security teams looked closely at the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. While we were building new Security features, we also worked hard to ensure that powerful new features (like Activities and Web Slices) minimize attack surface and don't provide attackers with new targets. Out of our planning work, we classified threats into three major categories: Web Application Vulnerabilities, Browser & Add-on Vulnerabilities, and Social Engineering Threats. For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits."