I have some friends who swear to me that the phrase "Internet Explorer Security" is a contradiction in terms. While I don't agree, I can see their point. There are countless security holes that have been documented in Internet Explorer, and don't even get me started on the damage that a browser hijacker can do. Even so, Microsoft claims to be learning from its past mistakes. Internet Explorer 7 contains a plethora of new security features that should help make the new browser much more secure than its predecessors and hopefully make the lives of administrators easier.
You have probably noticed that many of the security patches for previous versions of Internet Explorer were designed to fix unchecked buffers. These patches are important because hackers can construct malicious Web sites that trick a user into clicking on a link associated with an extremely long or malformed URL. When Internet Explorer attempts to parse the URL, the URL's malformed nature or excessive length causes a buffer overflow. If the malicious Web site has managed to place executable code into just the right place within the buffer before triggering the overflow, the overflow can cause that code to execute.
In Internet Explorer 7, Microsoft has completely rewritten the URL parser. As a result, buffer overflow exploits within Internet Explorer should become a thing of the past.
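The unchecked-buffer pattern described above, next to a length-checked version, as an added example. This is not Internet Explorer's code; the function names and the 64-byte host buffer are assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Hypothetical fixed-size buffer for the host part of a URL.
constexpr std::size_t HOST_MAX = 64;

// Find the host in "scheme://host/path" and report its length.
static const char* find_host(const char* url, std::size_t* len) {
    const char* p = std::strstr(url, "://");
    if (p == nullptr) return nullptr;
    p += 3;
    *len = std::strcspn(p, "/?#:");
    return p;
}

// UNCHECKED: trusts the URL to fit. A host longer than HOST_MAX - 1 bytes
// makes memcpy write past the end of `out`.
bool parse_host_unchecked(const char* url, char out[HOST_MAX]) {
    std::size_t len = 0;
    const char* host = find_host(url, &len);
    if (host == nullptr) return false;
    std::memcpy(out, host, len);  // no comparison of len against HOST_MAX
    out[len] = '\0';
    return true;
}

// CHECKED: rejects malformed or over-long input before writing anything.
bool parse_host_checked(const char* url, char* out, std::size_t cap) {
    if (url == nullptr || out == nullptr || cap == 0) return false;
    std::size_t len = 0;
    const char* host = find_host(url, &len);
    if (host == nullptr || len == 0) return false;  // malformed URL
    if (len >= cap) return false;                   // would not fit: refuse
    std::memcpy(out, host, len);
    out[len] = '\0';
    return true;
}

int main() {
    char host[HOST_MAX];
    char long_url[600] = "http://";  // constructed over-long URL
    std::memset(long_url + 7, 'a', 500);
    std::printf("%d\n", parse_host_checked("http://www.example.com/a", host, sizeof host));
    std::printf("%d\n", parse_host_checked(long_url, host, sizeof host));
    return 0;
}
```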
Cross-site scripting attack protection
A cross-site scripting attack is an attack in which information entered into one Web site is used in another Web site in another domain.
One of the more common examples of such an attack is a phishing scam in which someone sends a victim an e-mail claiming to be from his bank. The e-mail asks the recipient to log in and check something regarding his account. The victim clicks on the link in the e-mail and a browser window opens and goes to a malicious Web site. However, this window is usually minimized or at least moved to the background. A second browser window then opens and loads the bank's real Web site.
The victim of the scam looks at the Web site and decides that it is the bank's real Web site (which it is), and logs on. However, a malicious script takes the information that the user enters (such as an account number and password) and puts that information into the malicious page running in the background, which can then transmit the account information to the perpetrator of the scam.
Internet Explorer 7 defends against this type of scam by looking at the domain from which a script is launched. The script is not allowed to interact with sites from any domain other than the one that launched it.
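One way to express the rule above, as an added example that is not Internet Explorer's implementation: it compares scheme, host and port, which goes beyond the domain comparison the text describes. The function names, the minimal URL parser and the sample hosts are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// An origin is the (scheme, host, port) triple of a URL.
struct Origin {
    std::string scheme, host, port;
    bool valid = false;
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Minimal parser for http/https URLs (no IPv6 literals); an assumption of this example.
Origin origin_of(const std::string& url) {
    Origin o;
    const std::size_t sep = url.find("://");
    if (sep == std::string::npos || sep == 0) return o;
    o.scheme = lower(url.substr(0, sep));
    const std::size_t start = sep + 3;
    const std::size_t end = url.find_first_of("/?#", start);
    std::string auth = url.substr(start, end == std::string::npos ? end : end - start);
    const std::size_t at = auth.rfind('@');  // drop "user:pass@" decoration
    if (at != std::string::npos) auth.erase(0, at + 1);
    const std::size_t colon = auth.rfind(':');
    o.host = lower(auth.substr(0, colon));
    if (colon != std::string::npos) o.port = auth.substr(colon + 1);
    if (o.port.empty()) o.port = (o.scheme == "https") ? "443" : "80";
    o.valid = !o.host.empty() && (o.scheme == "http" || o.scheme == "https");
    return o;
}

// A script may only touch a document whose origin matches the origin of
// the page that launched the script.
bool script_may_access(const std::string& script_page, const std::string& target) {
    const Origin a = origin_of(script_page), b = origin_of(target);
    return a.valid && b.valid && a.scheme == b.scheme &&
           a.host == b.host && a.port == b.port;
}

int main() {
    std::cout << script_may_access("https://phish.test/lure", "https://bank.example/login") << "\n";
}
```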
One of the biggest security problems in previous versions of Internet Explorer was that malicious Web sites used ActiveX controls to steal information or to wreak havoc on the victim's system. There is actually a whole group of ActiveX controls that come with Internet Explorer and that were enabled by default in previous versions of the browser. These ActiveX controls were not intended to be malicious, but some hackers have figured out how to use the controls for malicious purposes.
In Internet Explorer 7, all built-in ActiveX controls are disabled by default. When a user accesses a Web page that requires one of these controls, the user can decide for herself whether or not to allow the ActiveX control to run. This helps prevent malicious Web sites from performing automated ActiveX-based attacks against Internet Explorer.
Not quite ready for prime time
Microsoft designed Windows Defender to prevent malware from entering the system via a piggyback download. It's hard to say exactly what form Windows Defender will take when Windows Vista and IE7 are eventually released. Windows Defender does exist in the current beta, but it has drawn a lot of criticism for being too intrusive. There are rumors circulating that Microsoft may revamp Windows Defender to make it less obnoxious.
In the current implementation, Windows Defender monitors your system for any potentially intrusive actions. If it detects such actions, Windows Defender warns you that you should block the action unless you initiated it. While this sounds good in theory, the current implementation of Windows Defender produces warnings any time you try to open the Control Panel or perform many other very common tasks. I fully expect Windows Defender to be less sensitive when Microsoft finally releases it.
Phishing is the art of luring unsuspecting victims to a fraudulent Web site and tricking them into entering personally identifiable information. For example, a common phishing scam is the one I mentioned earlier: setting up a Web site that spoofs a bank's Web site in an effort to trick users lured to the site into entering their account information.
Microsoft designed the phishing filter to help users spot these fraudulent Web sites. When a user visits a Web site, the phishing filter compares the site's address against a list of known phishing sites and analyzes the site for characteristics typical of phishing sites. If the phishing filter determines that the site could be a phishing site, then the user is warned that the Web site is suspicious.
The filter sounds great, but it relies on a list of known phishing sites. We'll have to wait and see how extensive that list will be and if the filter's heuristic capabilities are good enough to detect a site that is not on the list.
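The two-stage check described above (list lookup, then heuristics), as an added example that is not Microsoft's filter. The heuristic signals, their weights, the lower-cased host input and every host name in the sample data are assumptions constructed for illustration.

```cpp
#include <algorithm>
#include <iostream>
#include <set>
#include <string>
#include <vector>

enum class Verdict { Ok, Suspicious, KnownPhish };

// True for a dotted IPv4 literal such as 192.0.2.10.
static bool is_ipv4_literal(const std::string& h) {
    int dots = 0;
    for (char c : h) {
        if (c == '.') ++dots;
        else if (c < '0' || c > '9') return false;
    }
    return dots == 3;
}

struct PhishingFilter {
    std::set<std::string> known_bad;   // list of reported phishing hosts
    std::set<std::string> known_good;  // hosts that legitimately carry a brand
    std::vector<std::string> brands;   // brand strings that lure sites imitate
    // Heuristic stage for hosts the list does not cover (assumed signals and weights).
    int score(const std::string& host) const {
        int s = 0;
        if (is_ipv4_literal(host)) s += 2;                           // raw IP, no name
        if (host.find("xn--") != std::string::npos) s += 1;          // punycode label
        if (std::count(host.begin(), host.end(), '.') >= 4) s += 1;  // deep nesting
        if (known_good.count(host) == 0)
            for (const std::string& b : brands)
                if (host.find(b) != std::string::npos) { s += 2; break; }
        return s;
    }
    Verdict check(const std::string& host) const {
        if (known_bad.count(host) != 0) return Verdict::KnownPhish;  // list hit
        return score(host) >= 2 ? Verdict::Suspicious : Verdict::Ok;
    }
};

// Constructed sample data; none of these hosts come from a real list.
PhishingFilter sample_filter() {
    PhishingFilter f;
    f.known_bad = {"login-update.phish.test"};
    f.known_good = {"www.examplebank.com"};
    f.brands = {"examplebank"};
    return f;
}

int main() { std::cout << int(sample_filter().check("192.0.2.10")) << "\n"; }
```

A lure host that is absent from the list and shows none of the scored traits, such as the constructed `secure-payments.test`, comes back `Ok`, which is the coverage gap the paragraph above raises.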
Will be great, as soon as Vista is deployed
One of the simplest new IE security enhancements is also one of the most important. In Windows Vista, Internet Explorer 7 is designed to run with the lowest possible level of permissions (this is known as Protected Mode). The idea behind this is that, normally, an application has the same level of privileges as the user who is running it. This means that if a user is running Internet Explorer while logged in as Administrator, then any malware that happens to exploit holes in Internet Explorer essentially has administrative privileges on the system. In Windows Vista, though, IE 7 has a reduced set of permissions regardless of which user account the user is logged in with. Although there will be a version of IE 7 released for Windows XP, the Protected Mode feature will work only within Windows Vista.
As you can see, Internet Explorer 7 contains a number of security enhancements. It might still be in beta 2 preview, but learning the new features now should be worthwhile. Check out this IT Pro checklist if you plan on working with beta 2: IT Pro Checklist.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This was first published in April 2006