The MHTML hole
In late 2006, Secunia, a security firm based in Denmark, discovered a non-critical yet important vulnerability in IE7. Essentially, the vulnerability allows a Web site carrying malicious code to steal data from another site open in a different IE7 window. Its level of seriousness is debatable, and Microsoft claims that the vulnerability lies in Outlook Express rather than in IE. Whatever the case, the vulnerability is demonstrated at this sample site hosted by Secunia.
To work around this, disable the ability for ActiveX content to run automatically. The setting is covered in my checklist, which I explain a bit later in this article.
Protected mode and the phishing filter
Rarely will I advise upgrading to a new operating system just to take advantage of a new feature. But if you are a die-hard Internet Explorer aficionado, you'll like a new feature, available only in IE on Windows Vista, called Protected Mode; it helps create what is arguably the safest browsing environment available.
Another feature available in all versions of Internet Explorer, not just in IE coupled with Windows Vista, is the Phishing Filter. Microsoft maintains a database of suspect Web site names; when the user opens a site, its name is checked against that database, and if Microsoft deems the site problematic, the address bar turns red and a warning appears. You can see the status of the phishing filter in the status bar at the bottom of the window; click it to turn the filter on and off. (Experienced users may find the behavior annoying, and there is a slight lag in loading pages while the URL is checked against Microsoft's phishing site database.)
Settings checklist
Here is a list of my recommended settings for a custom level within IE7. To implement these recommendations, select Options from the Tools menu in IE7. Navigate to the Security tab. Click the Custom Level tab after ensuring that the Internet zone is selected, and then select the following choices from the list (some less important settings can be left alone):
ActiveX controls and plug-ins:
- Binary and script behaviors: Disable
- Run ActiveX controls and plug-ins: Disable
- Script ActiveX controls marked safe for scripting: Disable
Miscellaneous:
- Allow Web pages to use restricted protocols for active content: Disable
- Display mixed content: Disable
- Installation of desktop items: Disable
- Launching applications and unsafe files: Disable
- Launching programs and files in an IFRAME: Disable
- Navigate sub-frames across different domains: Disable
- Software channel permissions: Maximum Safety
- Submit non-encrypted form data: Disable
- Web sites in less privileged Web content zone can navigate into this zone: Disable
Scripting:
- Active scripting: Disable
- Scripting of Java applets: Disable
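The settings above can also be audited, and if you wish enforced, from the registry rather than by clicking through the dialog on every machine. The following PowerShell script is an added example, not part of the original article: it maps each checklist item to the corresponding DWORD under the current user's Internet zone key (zone 3) and reports which ones deviate. The value names and their meanings (0 = Enable, 1 = Prompt, 3 = Disable; the Software channel permissions value uses 0x30000 for High safety) are taken from Microsoft's published list of security-zone registry entries, not from this article, so verify them against your own build before relying on the script; the function name `Test-InternetZoneChecklist` and the `-Enforce` switch are my own.

```powershell
# Added example: audit (and optionally enforce) the Internet-zone checklist above.
# Zone 3 is the Internet zone. Value names and encodings follow Microsoft's
# documented zone registry entries (KB 182569); confirm them on your own system.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Desired state: registry value name -> expected DWORD value.
$Checklist = @{
    '2000' = 3        # Binary and script behaviors: Disable
    '1200' = 3        # Run ActiveX controls and plug-ins: Disable
    '1405' = 3        # Script ActiveX controls marked safe for scripting: Disable
    '2300' = 3        # Allow Web pages to use restricted protocols for active content: Disable
    '1609' = 3        # Display mixed content: Disable
    '1800' = 3        # Installation of desktop items: Disable
    '1806' = 3        # Launching applications and unsafe files: Disable
    '1804' = 3        # Launching programs and files in an IFRAME: Disable
    '1607' = 3        # Navigate sub-frames across different domains: Disable
    '1E05' = 0x30000  # Software channel permissions: High (maximum) safety
    '1601' = 3        # Submit non-encrypted form data: Disable
    '2101' = 3        # Web sites in less privileged zone can navigate into this zone: Disable
    '1400' = 3        # Active scripting: Disable
    '1402' = 3        # Scripting of Java applets: Disable
}

function Test-InternetZoneChecklist {
    # Emits one object per checklist item; with -Enforce, also writes the expected value.
    param([switch]$Enforce)

    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($name in ($Checklist.Keys | Sort-Object)) {
        $expected = $Checklist[$name]
        $actual   = $props.$name          # $null when the value is absent (zone default applies)

        # A missing value means the zone template default is in effect, which is
        # not the hardened setting, so it is reported as non-compliant.
        $compliant = ($null -ne $actual) -and ($actual -eq $expected)

        if (-not $compliant -and $Enforce) {
            Set-ItemProperty -Path $ZoneKey -Name $name -Value $expected -Type DWord
        }

        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected
            Actual    = $actual
            Compliant = $compliant
        }
    }
}

# Report only; add -Enforce to apply the checklist to the current user.
Test-InternetZoneChecklist | Format-Table -AutoSize
```

Run it as the user whose browser you are hardening, since the key lives under HKCU. For a fleet of machines the same settings are better pushed through Group Policy (which writes them under HKLM and locks the dialog), but this script remains useful as an independent check that the policy actually landed on a given desktop.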
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
This was first published in February 2007