Oct 16 2008

Stay Secure With Internet Explorer 8

The latest version of Microsoft's browser should help IT defend against common attacks.

Microsoft improved security markedly in Internet Explorer 7, and that trend is set to continue in Internet Explorer 8, with a host of new features that will make browsing safer than ever for nonsavvy users. The new functionality includes an updated Phishing Filter (in the form of SmartScreen), Per-User ActiveX controls and Domain Highlighting, all designed to improve Internet Explorer’s security prowess.

Despite the growing popularity of Mozilla’s Firefox, Internet Explorer still dominates the web-browser market, especially in enterprise environments, because it’s easy to deploy, manage and update. Before IE7, and due in part to its tight integration with the operating system, Internet Explorer fell short as a secure browser. Building on the improvements made in IE7, notably the Phishing Filter and Protected Mode (available for Vista only), IE8 provides a more secure browsing experience, and you’ll be pleasantly surprised by the enhancements in usability and performance too.

Per-User and Per-Site ActiveX Controls

ActiveX controls have long been the bane of Internet Explorer security. Requiring administrative privilege to install (and potentially giving unrestricted access to the system), these controls deliver additional functionality to web applications. But combined with malicious intent, they can wreak havoc. Windows Vista introduced the ActiveX Installer Service, which allows administrators to specify which ActiveX controls are permitted on a user’s system, and then installs the selected controls on the user’s behalf. While a big improvement over Windows XP and IE7, the ActiveX Installer Service still requires administrator intervention to approve new ActiveX controls.

In previous versions of Internet Explorer, all ActiveX controls were installed in the Windows directory and accessible to all users. IE8 introduces the concept of Per-User ActiveX controls. When users encounter Per-User ActiveX controls on a web site, they are given the option of installing the add-ons for their own user profile only or, if they have appropriate privileges, for all users.

Although in most cases no special changes need to be made to ActiveX controls for a Per-User install, they do need to be packaged to allow this feature. If needed, Per-User ActiveX controls can be disabled by Group Policy.

IE8 also brings Per-Site ActiveX controls to the table, which help ensure that an installed control will run only on designated web sites. In IE7, SiteLock allowed developers to restrict ActiveX controls to specific domains; IE8 allows administrators to do the same by modifying the registry. Although this is not directly supported by Group Policy, you can script any necessary changes. The AllowedDomains registry key is shown below, where {CLSID} represents the identifier of the control:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}\iexplore\AllowedDomains\{Domain or *}

Below is a sample Registry Editor (.reg) file that modifies the registry to allow a specific control to work with any domain:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{219C3416-8CB2-491A-A3C7-D9FCDDC9D600}\iexplore\AllowedDomains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{219C3416-8CB2-491A-A3C7-D9FCDDC9D600}\iexplore\AllowedDomains\*]

Another control is restricted to work only with microsoft.com and technet.com:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9030D464-4C02-4ABF-8ECC-5164760863C6}\iexplore\AllowedDomains\microsoft.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9030D464-4C02-4ABF-8ECC-5164760863C6}\iexplore\AllowedDomains\technet.com]

SmartScreen Filter

In IE8, the Phishing Filter has been incorporated into the new SmartScreen Filter, which blocks sites and downloads that are known to host malware or phishing attacks, based on a blacklist URL reputation service. Heuristics for detecting unknown phishing websites have been improved along with performance, so you shouldn’t notice any delay in loading pages when SmartScreen is enabled. Better telemetry also allows the URL reputation service to be updated more quickly.

Other improvements include a new warning screen (Figure 1), configured using Group Policy, which either blocks a user from continuing when a malicious site is encountered or gives the option to continue at the user’s risk. Users can be prevented from accessing a site deemed malicious by SmartScreen by enabling the Prevent Bypassing SmartScreen Filter Warnings setting in Group Policy, located under User Configuration > Administrative Templates > Windows Components > Internet Explorer.

Figure 1

Domain Highlighting and File Upload Control

Though perhaps a small improvement, Domain Highlighting offers users the most important information about any web site they visit: the site’s domain name. Phishing attacks often use long URLs, which include the name of a bona fide web site, to confuse users into thinking they’re visiting a genuine site. Most average users don’t know how to identify a website’s actual domain name in the URL. Domain Highlighting shows exactly which domain the user is visiting, by highlighting the domain name in black, differentiating it from the rest of the URL (Figure 2).

Figure 2

The new File Upload Control prevents IE from revealing path information for sensitive files on your network. You’ll notice that IE8’s File Upload Control is now read-only — you can’t type anything directly into the box. To select a file, you need to either use the Browse button or paste (CTRL+V) a file path into the box. This feature is designed to help prevent key loggers from recording path names typed in by the user. In addition, only the filename is uploaded, rather than the full path name.

IE8 has improved MIME handling when downloading files from web servers. If IE7 detects a plain text file containing HTML code, it renders the file as HTML, even if the content type is marked as text/plain. This feature, known as MIME Sniffing, is included in IE for compatibility with legacy web servers that store all files as plain text, regardless of their actual content. If the server marks the document’s content type as authoritative, IE8 accepts the server’s declaration that the file is plain text and renders it as such. IE8 restricts MIME Sniffing by default for image content types, as images don’t usually contain HTML code or scripts.

Web 2.0 Safety

Microsoft has included some new technologies in IE8 that are designed to help protect against poorly written web applications, and also provide developers with more security when handling information requests among servers. One of the new technologies is Cross-Document Messaging.

IFRAMEs are often used in Web 2.0 applications to embed gadgets into a page. Cross-Document Messaging allows IFRAMEs that include content from different domains — which are by nature isolated from the rest of a web page — to communicate securely with the parent document. Various techniques exist for cross-frame messaging, but cross-document messaging is designed specifically to handle the problem of secure messaging between frames, while at the same time retaining frame isolation.
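
The receiving side of the cross-document messaging described above, as an added example that is not from the original article or from Microsoft: the parent page acts on a message from a framed gadget only when its origin matches an allowlist exactly and the payload has the expected shape. The origin https://gadgets.example.com, the resize message format and the gadget-frame element id are assumptions.

```javascript
// Parent-page receiver for cross-document messages (added example).
// TRUSTED_ORIGINS, the {type, height} message shape and the "gadget-frame"
// element id are assumptions for illustration.
const TRUSTED_ORIGINS = new Set(["https://gadgets.example.com"]);

// Decide whether a message event from a framed gadget should be acted on.
// Returns {accepted: true, height} or {accepted: false, reason}.
function checkGadgetMessage(event, trustedOrigins = TRUSTED_ORIGINS) {
  // 1. Exact origin match (scheme + host + port). A substring or suffix test
  //    would also accept look-alike hosts such as gadgets.example.com.evil.test.
  if (!trustedOrigins.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  // 2. Treat the payload as untrusted data: parse it, never eval or inject it.
  let msg;
  try {
    msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return { accepted: false, reason: "malformed payload" };
  }
  // 3. Accept only the expected message type and a bounded integer value.
  if (!msg || msg.type !== "resize" || !Number.isInteger(msg.height) ||
      msg.height < 0 || msg.height > 2000) {
    return { accepted: false, reason: "unexpected message" };
  }
  return { accepted: true, height: msg.height };
}

// Browser wiring (skipped when the file is run outside a browser).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = checkGadgetMessage(event);
    if (result.accepted) {
      document.getElementById("gadget-frame").style.height = result.height + "px";
    }
  });
}

// Constructed sample events (not captured traffic).
const SAMPLE_EVENTS = [
  { origin: "https://gadgets.example.com", data: '{"type":"resize","height":300}' },
  { origin: "https://gadgets.example.com.evil.test", data: '{"type":"resize","height":300}' },
  { origin: "https://gadgets.example.com", data: "not-json{" },
];
const sampleResults = SAMPLE_EVENTS.map((e) => checkGadgetMessage(e));
```

On the sending side, the gadget should pass the parent's exact origin as the second argument to postMessage rather than "*", so the message is delivered only to the intended page.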

And There’s More

If what you’ve read isn’t enough, there’s a whole range of minor improvements. Data Execution Prevention (DEP) is now switched on by default. Microsoft decided to switch this feature off in IE7 because a number of high-profile browser add-ons were not compatible with it. Those issues have now been resolved with the manufacturers; DEP in IE8 now provides default protection against malicious code that attempts to run in nonexecutable memory space.

Cross-site scripting attacks, which allow hackers to steal account information or take control of a user’s web application, are suppressed in IE8 with the new XSS Filter. All inbound and outbound requests are monitored for potential cross-site scripting attacks, and an attack is annulled if it is replayed in the server’s response (Figure 3).

Figure 3

Protected Mode, which made its debut in IE7 (for Windows Vista only), is now disabled by default in the Intranet Zone. IE7 required a new process to be created, and therefore a new window, when switching into Protected Mode. IE8’s ability to open tabs in separate processes in the same window makes it unnecessary to enable Protected Mode by default in the Intranet Zone simply for the sake of usability. Protected Mode can now be on or off in different tabs in one IE window.

Application Protocol Handlers, which let programs be launched from within IE using specially crafted URLs, can be used to exploit application vulnerabilities. For instance, if there is a known security hole in Windows Media Player, a website could be created to launch a file that exploits the vulnerability. IE8 now prompts users before such applications are permitted to run outside of the browser window.

IT Takeaway

Internet Explorer 8 contains many worthwhile security improvements that, when used as part of a defense-in-depth strategy, should help to mitigate common attacks. Usability and performance improvements, such as built-in search and Web Slices, are an added bonus. Before upgrading to IE8, you should test all your critical web-based applications to ensure they’re compatible with the browser’s new rendering engine. A Compatibility Mode is included to mitigate any page-rendering problems, but this doesn’t seem to work as well as it should.

Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.