

ActiveX security improves with Internet Explorer 8's security features


Brien M. Posey MCSE
07.03.2008


Recently, I wrote an article called "Web security features of Internet Explorer 8." In that article, I explained that although better security was one of Microsoft's stated goals, it was a secondary goal and that Internet Explorer 8 was designed primarily to improve Web-based standards.

I also explained some of the new security features such as Domain Highlighting and the new Safety Filter. At the time, those were the only new security features that Microsoft had publicly disclosed. However, Microsoft has since disclosed a few more of Internet Explorer 8's security features. In this article, I want to talk about some of the new features that are designed to prevent browser-based exploits.

Internet Explorer (IE) security's biggest enemy is the browser-based exploit, and Microsoft worked hard in versions 6 and 7 to make Internet Explorer less vulnerable to exploits related to malicious code built into Web pages. But there is still a lot of work to be done.

The role of ActiveX in browser exploits

Often, these types of exploits are delivered through ActiveX controls, software modules that are based on Microsoft's Component Object Model (COM) architecture. ActiveX controls are kind of like miniature applications that can act as browser plug-ins. Essentially, they allow a website to interact directly with Windows and to perform functions that would be impossible using standard HTML code or scripting techniques.

Unfortunately, completely blocking ActiveX controls isn't really an option. There are a lot of perfectly legitimate websites that depend on them. In fact, Microsoft itself makes extensive use of ActiveX controls. Often when you download a patch or utility for Windows Vista, the website containing the download performs a check to make sure you are running a properly licensed version of Vista. This license check uses ActiveX controls.

Because so many ActiveX controls turn out to be malicious, Microsoft designed Internet Explorer 7 so that it displays a warning every time a site attempts to use an ActiveX control. The problem is that the casual user does not typically understand what an ActiveX control is, or what the consequences of allowing an ActiveX control to run might be. Therefore, Internet Explorer 7 tends to be prone to the same types of exploits as previous versions because the end user is allowing malicious code to run.

IE8 can help manage the threat of ActiveX

Internet Explorer 8's design helps reduce the chances of a malicious ActiveX control wreaking havoc on a system. There are two different mechanisms in place that help accomplish this goal.

The first is called Per-Site ActiveX. The idea behind this mechanism is that some sites require ActiveX controls and others do not.

For example, suppose you visit Microsoft's website, and the page requires you to download a specific ActiveX control in order to accomplish whatever it is that you're trying to do. You download the control. Because the control came from a legitimate source, you probably don't think it's malicious. However, there could be ways in which someone with malicious intent could use an otherwise benign ActiveX control to his or her advantage. In fact, there have been numerous documented cases of malicious websites checking for the presence of certain non-malicious ActiveX controls and then using those controls in ways they were not originally intended.

The Per-Site ActiveX feature reduces the chances of this happening because, by default, ActiveX controls are only allowed to run if they are called by the site that originally installed them. Furthermore, administrators can control where an ActiveX control is allowed to run, and controls can now be installed so that they are valid only for the user who installed them, and not for every user on the system.
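
To check which sites a user has approved for each control, an administrator can read the per-user approvals directly. The PowerShell script below is an added example, not part of the original article; it assumes IE8 stores these approvals under the `Ext\Stats\{CLSID}\iexplore\AllowedDomains` key in the user's registry hive, with a `*` subkey meaning "all sites". That registry location and the function name `Get-PerSiteActiveXApproval` do not come from the article.

```powershell
# Added example: list Per-Site ActiveX approvals for the current user.
# Assumed layout (not stated in the article):
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}\iexplore\AllowedDomains\<domain or *>
$StatsRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'

function Get-PerSiteActiveXApproval {
    param([string]$Root = $StatsRoot)

    # No Stats key means no controls have been recorded for this user.
    if (-not (Test-Path -LiteralPath $Root)) { return }

    foreach ($clsidKey in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        $clsid       = $clsidKey.PSChildName
        $allowedPath = "$Root\$clsid\iexplore\AllowedDomains"
        if (-not (Test-Path -LiteralPath $allowedPath)) { continue }

        # Friendly name from the COM registration, when one exists.
        $comKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name   = (Get-ItemProperty -LiteralPath $comKey -ErrorAction SilentlyContinue).'(default)'

        # Each subkey is one approved domain; '*' means the control may run anywhere.
        $domains = @(Get-ChildItem -LiteralPath $allowedPath -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.PSChildName })

        [pscustomobject]@{
            Clsid    = $clsid
            Name     = $name
            AllSites = ($domains -contains '*')
            Domains  = ($domains -join ', ')
        }
    }
}

# Controls approved for every site are listed first, since they are the ones
# another website could call in the way the article describes.
Get-PerSiteActiveXApproval |
    Sort-Object -Property AllSites -Descending |
    Format-Table -AutoSize -Wrap
```

Because the approvals live in the user's own hive, the script has to run in each user's session to cover a shared machine.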

Data Execution Prevention in IE8

One more security feature that I want to quickly mention is Data Execution Prevention. Data Execution Prevention is a security feature built into the 64-bit version of Windows Vista. It prevents certain types of code from writing data to executable memory space. Internet Explorer 8 is being designed to make use of this security feature. If a website attempts to write to executable memory space, then the browser window will automatically be closed and the process will be terminated.

About the author: Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox.
