
Protection against international domain names, URL handling: Step 3

24 Sep 2008 | SearchEnterpriseDesktop.com


Protection against international domain names

You could almost consider this security feature an extension of the phishing filter, except that it is enabled automatically and applies whether or not the phishing filter is in use. Malicious Web sites often try to impersonate well-known legitimate Web sites, and one of the hardest things for a malicious Web site to impersonate is the legitimate site's URL. Less sophisticated perpetrators often rely on close misspellings of the legitimate site's URL. More sophisticated scam artists have begun using foreign language character sets in the URL. Some foreign language character sets contain characters that are visually identical to characters in the English alphabet but that the computer does not treat as the same character. This allows for the creation of a URL that looks identical to a legitimate URL.

To protect against this technique, Internet Explorer now notifies you when a URL contains a mix of character sets, since that often indicates that the site is malicious or misleading. Again, you don't have to do anything to enable this feature; it is enabled automatically.
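The mixed-character-set check described above can be sketched as follows. This is an added example, not Microsoft's implementation or code from the original article: the function names and the sample hostnames are constructed for illustration, and a character's script is approximated from the first word of its Unicode name.

```python
import unicodedata

def script_of(ch):
    """Approximate a character's script (assumption: first word of its Unicode name)."""
    if not ch.isalpha():
        return "COMMON"  # digits, hyphen and marks belong to no single script
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def decode_label(label):
    """Return the Unicode form of a DNS label, decoding Punycode (xn--) if present."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def mixed_script_labels(hostname):
    """Return [(unicode_label, sorted_scripts)] for every label that mixes scripts."""
    flagged = []
    for label in hostname.rstrip(".").split("."):
        text = decode_label(label)
        scripts = {script_of(c) for c in text} - {"COMMON"}
        if len(scripts) > 1:
            flagged.append((text, sorted(scripts)))
    return flagged

if __name__ == "__main__":
    # Constructed samples: U+0430 is CYRILLIC SMALL LETTER A, which renders like Latin "a".
    lookalike = "b\u0430nk"
    samples = [
        "bank.example",                         # plain Latin label
        lookalike + ".example",                 # Latin with one Cyrillic letter
        "xn--" + lookalike.encode("punycode").decode("ascii") + ".example",
        "\u043f\u0440\u0438\u043c\u0435\u0440.example",  # label written wholly in Cyrillic
    ]
    for host in samples:
        hits = mixed_script_labels(host)
        print(ascii(host), "->", "MIXED " + ascii(hits) if hits else "ok")
```

A label written entirely in one non-Latin script is not flagged, so a check of this kind only covers names that mix character sets within a label.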

URL handling

A feature that is similar to the foreign language filter is a new URL parser. In the past, attackers have embedded remote code execution commands in the URL. There are several different variations on this technique, but the most popular one embedded a command in an extremely long URL. The idea was that the URL's excessive length would cause a buffer overflow. If a command was placed at just the right position within the URL, then the command could execute when the buffer overflow occurred.

That particular exploit was fixed long ago, but there are countless varieties of the technique that are still used today. IE7 contains a new URL parser that Microsoft designed to perform a sort of integrity check on URLs prior to unleashing them upon Internet Explorer.

The new URL parser is another example of a security feature that is enabled by default and is not configurable.


Configuring IE7 security on Vista

 Home: Introduction
 Step 1: General security configuration
 Step 2: Phishing filter
 Step 3: Protection against international domain names, URL handling
 Step 4: ActiveX opt-ins, information bar and cross-domain protection
 Step 5: Windows Vista and IE7

ABOUT THE AUTHOR:
Brien M. Posey, MCSE, MVP
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com. Copyright 2006 TechTarget

