

Why is Internet Explorer security such a challenge?

A myriad of browser vulnerabilities and attacks pose a constant threat to Internet Explorer security, endpoint computing and software as a service.

Web browsers such as Microsoft Internet Explorer provide access to a burgeoning wealth of tools for tasks ranging from online investing and banking to using apps and data in the cloud.

But a browser like Internet Explorer (IE) is, at bottom, a large and complex program whose job is to fetch and render content from sources it cannot trust. Its security oversights and flaws can be exploited to compromise your data and put enterprise systems at risk. Let's examine the most common ways modern Web browsers are attacked and consider ways to reduce Internet Explorer security risks.

Basic browser vulnerabilities

So how are modern Web browsers attacked? There are basically three broad angles of attack: compromise the operating system underneath the browser, attack the browser itself, or tamper with its communications on the network.

Operating systems are typically breached with malware that modifies an OS kernel or component directly, takes advantage of a known security flaw such as a buffer overflow, or inserts itself as an OS background process.

Malware that reaches the CPU's privileged (kernel) mode is no longer bound by the protections that keep one process from touching another, so it can read or alter the memory of any application. If it succeeds, it can read or change the browser's memory space, exposing the browser and everything the user does in it. No amount of browser patching helps once the OS beneath it is owned, which is why OS patches matter as much as browser patches.

Next, the browser and its components may be attacked through malware or directly through malicious content. Attacks may focus on the browser's main executable, its rendering and scripting engines, or add-ons such as the Java plug-in and ActiveX controls. If successful, the browser's activities and communications are exposed to attackers. Both of these approaches can be facilitated through common practices, including luring users to malicious websites or emailing them HTML documents. Simply visiting or opening such content can launch a malware installation (a drive-by download) with no further action from the user.

Finally, the browser's network communication can be intercepted and potentially modified or redirected once packets leave the computer. This requires a position on the network path, such as a shared wireless network, a compromised router or a poisoned DNS server, and is the reason HTTPS matters: traffic that is not encrypted and authenticated can be read and altered in transit, and a browser that accepts an invalid certificate gives that protection away.

IE attack trends

So how do these attack types take shape with Internet Explorer security? It might seem like every "Patch Tuesday" brings a new fix or tweak for Windows and IE, but regular updates are critical to keep pace with attackers who are determined to subvert Microsoft's complex code base. IE security patches generally address five broad classes of vulnerability.

Denial-of-service attacks. A denial-of-service (DoS) attack seeks to make a computer or network node unavailable to its users. The familiar form is the distributed DoS (DDoS): flooding a network server with so many bogus requests that it cannot respond to legitimate ones. Against a browser, the target is the client itself.

For IE, DoS attacks are usually launched from malicious websites whose content triggers a flaw in the browser's code, such as a buffer overflow or other memory-corruption bug, that crashes IE or makes it consume all available memory or processor time. This saps the computer's resources and prevents IE from working. A bug that can crash the browser can frequently be refined into one that runs attacker-supplied code, so a "crash-only" flaw should not be regarded as harmless.

Memory-corruption bugs of this kind are the most commonly reported class of IE flaw, and a large share of Microsoft's IE patches address them. Fixes often span several IE versions. For example, Microsoft Security Bulletin MS14-056 addresses 14 reported vulnerabilities in IE 6 through IE 11, the most severe of which allow remote code execution when a user views a specially crafted Web page.

Bypass attacks. A security-feature bypass defeats or circumvents a protection the browser or the OS relies on, such as address space layout randomization (ASLR). On its own a bypass usually gives the attacker nothing; its value is that it makes another flaw, typically a memory-corruption bug, reliably exploitable, so that the attacker ends up running code with the rights of the logged-on user and can see or download files or perform other malicious actions on the system.

Bypass flaws are usually triggered on IE from malicious websites that serve the code needed to exploit the vulnerability. For example, MS14-056 includes a fix for one bypass flaw that defeats the ASLR protection mechanism in IE 6 through IE 11.

Privilege attacks. Privilege-escalation attacks exploit bugs, flaws or poor configurations in Windows or IE to access computer resources that are normally protected or reserved. In IE's case this often means escaping from the restricted, low-integrity Protected Mode process to act with the full rights of the logged-on user. Once an attack gains more privilege, the software (and attacker) can perform actions the user never authorized, such as deleting files, accessing private information or installing malware.

For example, Microsoft Security Bulletin MS14-051 addresses 25 reported vulnerabilities in IE 7 through IE 11 and includes fixes for elevation-of-privilege vulnerabilities. Privilege attacks are usually launched through malicious websites.

Information attacks. Information-disclosure attacks leak data to the attacker without necessarily gaining any additional rights: code served from a malicious website reads data that the browser's same-origin rules or the file system should have kept from it. For example, Microsoft Security Bulletin MS14-035 addresses 58 reported vulnerabilities in IE 8 through IE 11, including one in IE 10 and 11 that could allow an attacker to read files on the local system through a malicious website.

Executable code attacks. Finally, IE attacks may allow malicious websites to run attacker-chosen native code on the system. Script such as JavaScript runs inside the browser by design; the danger is a flaw that lets a page's script corrupt memory and turn into arbitrary machine code, which might expose data or break out of the browser's "sandbox" (Protected Mode) to give attackers more rights or data than the browser was ever meant to hand out. For example, MS14-035 includes fixes for multiple remote code execution vulnerabilities in IE 6 through IE 11.

Tips to minimize risk

So what can computer users do to minimize browser risks? Perhaps the most critical tactic for maintaining browser security is to take full advantage of Microsoft's Patch Tuesday and apply security patches for operating systems and browsers as quickly as possible. The longer you wait to apply important fixes, the more time that malware and malicious websites have to wreak havoc -- zero-day attacks are becoming commonplace.

For individual users, this typically requires configuring Windows Update to automatically download and install patches. Enterprise environments may prohibit individual patching and utilize Windows Server Update Services for timely centralized system patching to nodes across the LAN. If it is not practical to keep IE updated regularly, consider using an alternative browser such as Google Chrome.

In addition, employ high-quality antimalware tools running in the background. Modern tools constantly scan files for the latest malware. They can also watch incoming network traffic patterns to warn against other types of attacks, such as intrusion attempts. Antimalware software relies on current signature definitions, so it is critical to keep those definitions updated; a scan with stale signatures misses exactly the newest threats.

Consider minimization tactics like disabling Active Scripting (JavaScript and VBScript) for untrusted sites or disabling unneeded plug-ins such as Java, ActiveX controls and Adobe Flash. IE's security zones let you apply these restrictions to the Internet zone while leaving trusted intranet sites fully functional, which limits the breakage. Locking things down will noticeably change the level of interaction you enjoy with some websites, but it can prevent common attacks that rely on scripting and plug-ins.

Another minimization tactic is to browse only from a "least privilege" user account -- without administrator rights -- which can severely limit the potential for privilege-escalation attacks.
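The following PowerShell script is an added example, not part of the original article, that turns the tips above (patch state, disabled scripting and plug-ins in the Internet zone, least-privilege browsing, and the Protected Mode "sandbox" mentioned under executable code attacks) into an audit you can run on a Windows workstation. The registry paths and URL-action numbers (1001, 1004, 1200, 1201, 1400 and the Protected Mode flag 2500) are Microsoft's documented Internet Explorer zone settings; the parameter names -RequiredKBs and -Harden and the report format are this example's own choices. Pass the KB numbers from the bulletins you need to verify in -RequiredKBs, since the article names bulletins but not their KB identifiers.

```powershell
<#
 Added example (not from the original article): audit a Windows workstation's
 Internet Explorer exposure. Reading is harmless; -Harden writes Internet-zone
 settings for the CURRENT USER only (HKCU). Domain-joined hosts should receive
 the same values through Group Policy, which stores them under
 HKLM\Software\Policies\... and overrides per-user settings.
 Assumptions: documented IE registry paths; -RequiredKBs and -Harden are names
 chosen for this example.
#>
param(
    [string[]] $RequiredKBs = @(),   # KB numbers taken from the bulletins you must have
    [switch]   $Harden
)

# 1. Browser version. svcVersion is present for IE 10 and later; Version otherwise.
$ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
"IE version: $ieVersion"

# 2. Patch state. Get-HotFix reads the installed-update inventory (Win32_QuickFixEngineering).
$hotfixes  = Get-HotFix
$installed = $hotfixes | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKBs) {
    $id = if ($kb -like 'KB*') { $kb } else { "KB$kb" }
    if ($installed -contains $id) { "OK       $id installed" } else { "MISSING  $id" }
}
$latest = $hotfixes | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) { "Most recent update: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())" }

# 3. Least privilege. Check the token's group SIDs rather than IsInRole: under UAC a
#    non-elevated administrator's token still carries the Administrators SID
#    (S-1-5-32-544) as deny-only, and IsInRole would report $false for it.
$identity      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdminMember = [bool] ($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
"Interactive user is a member of local Administrators: $isAdminMember"

# 4. Internet zone (zone 3) URL actions. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting (JavaScript and VBScript)'
}
$disable = 3
$zone = Get-ItemProperty -Path $zoneKey
foreach ($id in $actions.Keys) {
    $current = $zone.$id
    $state = switch ($current) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unset($current)" } }
    $flag  = if ($current -eq $disable) { 'OK  ' } else { 'WEAK' }
    "$flag  $id  $state  $($actions[$id])"
    if ($Harden -and $current -ne $disable) {
        Set-ItemProperty -Path $zoneKey -Name $id -Value $disable -Type DWord
        "      -> set $id to Disable for the Internet zone"
    }
}

# Protected Mode for the zone (URL action 2500): 0 = on, 3 = off. This is the
# restricted, low-integrity process the text calls the browser's "sandbox"; leave it on.
$pm = $zone.'2500'
$pmState = if ($pm -eq 0) { 'on' } elseif ($pm -eq 3) { 'OFF' } else { "unset($pm)" }
"Protected Mode (2500): $pmState"
```

Run it without switches first to see the findings (for example `.\Audit-IE.ps1 -RequiredKBs 2987107` with the KB number from the bulletin you care about); add -Harden only after confirming the intranet sites users depend on are in the Trusted sites or Local intranet zone, because the script sets Internet-zone actions to Disable rather than Prompt. On managed machines, prefer pushing the same values through Group Policy so users cannot undo them.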

Security threats, and the patching needed to keep up with them, exploded with the broad adoption of the Internet in the 1990s, but the threat is even more severe today as corporations and individuals depend on the Internet for mission-critical business tasks. Today's attacks aren't just an annoyance; they can do serious long-term financial and legal damage. This is why a user's security awareness is so important.

No amount of patching and configuration control can stop a user from carelessly opening an HTML email attachment or visiting a questionable website -- effectively making the choice to welcome an attack. User browsing habits must complement a sound security posture in personal and professional settings.


This was last published in November 2014



Join the conversation

12 comments


Have you had any problems with Internet Explorer security? What did you do to resolve them?
Internet Explorer (IE) was used recently up until last year by our organization. We always used IE for our trading platforms and were advised to turn off the phishing filter to help keep our data safe. We always ran into the problem of security certificates, and tried working with IE tech but couldn't get the issues resolved. Our organization ended up switching to Chrome as a result.

Yes. It was far easier to hand all its duties over to Chrome or Firefox. Poof, problems are gone.

The organization that I worked for discontinued the use of IE except when we had no option but to use it because other organizations wrote their websites to use it. I just encountered another issue with IE and Edge: both would not talk to Microsoft properly, and downloads from Microsoft blew up and would not download. I switched to Firefox and had no issues negotiating with Microsoft and got the download immediately. Microsoft has traditionally had issues with Flash, so my recommendation is to use Firefox.

The page loading opens a new window; also, you can see the icons of most-visited sites based on browsing history.

Just getting updates and not having them recalled has been the majority of my issues. Recently an update (KB3114409) broke a feature in Outlook. Once the patch was removed the functionality came back.

On my personal computer, I switched to Firefox. At work, it's usually up to the IT service to deal with the issues. They're certainly struggling testing endless patches and pushing them to workstations.

Besides patches that did more harm than good or changed settings I had made for easier use, I have stopped using IE altogether. There is one exception: we have one legacy app at work that requires us to use IE.

Yes, IE is certainly complex software made to interface with a complex world. OTOH it's been around since 1995 and by now the good folks at MS should have gotten it right. Instead every new release feels rushed, hitting the market long before it's finished and long before it's necessary. And the constant patches and bug fixes seem to prove it, too.

I think it comes down to trying to keep it in sync with the OS. Some commands may be valid in one version but not the other. Each has flaws, and when you are trying to debug an issue, it may be tough to figure out which is really responsible. Until newer technology and methods are adopted by the end user, IE is trying to support everyone. Or was until they just announced the end of life for all versions up through IE10. Now they can focus on giving us one, clean, bug-free version of IE (for those few that use it).

Maybe they should invest in skilled human testing. Automation is good for checking known problems. Security flaws are always something new.

I think they should start clean from the ground up. Patching and adding on to a shaky system only makes it more unstable. I agree with agareev there definitely needs to be more human testing, maybe contract some "white hats". A normal user may not be thinking of all possible weaknesses. Hackers are always looking for holes to exploit.
