Browser Security: Concepts and Terms

by Subratam Biswas

See other Security MVP Article of the Month columns.

When using the Internet, we’ve all encountered the following:

  • Redirection to a search page.

  • Unknown toolbars and search bars.

  • Pop-up and pop-under windows flooding the monitor.

Although security has long been a cause of concern for computer users, it has really become “the word” in the last few years. Suddenly, we want to be secure, we want to prevent rather than cure, and we want to be able to use common sense.

Experts cite different reasons as to how computers become infected, but most agree that the browser used to surf the Internet can be the first line of defense.

Microsoft Internet Explorer was and still is the most used browser worldwide. Netscape was dominant for some time and we have seen some other alternatives like Kmeleon, and Avant, which tried to provide general users some new and unique features. Then Firefox and Opera entered the web browser arena. These entries were beneficial for the general user because Microsoft responded to the challenge to ensure that Internet Explorer remained in the game.

The real fight now is between Opera, Firefox, and Internet Explorer (popularly referred to as “IE”). Each of them has considerably improved the browsing experience and, most importantly, browser security.

To help lessen the chances of getting infected, it is good to clarify some concepts and understand some of the terms closely associated with browsers and security.

ActiveX – According to Webopedia, “ActiveX is not a programming language, but rather a set of rules for how applications should share information. Programmers can develop ActiveX controls in a variety of languages, including C, C++, Visual Basic, and Java. ActiveX is more like a Netscape plug-in. Both Netscape plug-in and ActiveX controls are binary code and have access to the system and system APIs, they are designed to allow access to the same thing. ActiveX is essentially COM and this extension mechanism was provided in IE3 to allow existing developers easy access to APIs that they were familiar with alongside support for the Netscape plug-in APIs. Unlike Java applets, however, ActiveX controls have full access to the Windows operating system. This gives them much more power than Java applets, but with this power comes a certain risk that the applet may damage software or data on your machine. To control this risk, Microsoft developed a registration system so that browsers can identify and authenticate an ActiveX control before downloading it. Another difference between Java applets and ActiveX controls is that Java applets can be written to run on all platforms, whereas ActiveX controls are currently limited to Windows environments.”

Microsoft has taken strong steps to address those ActiveX controls that are vulnerable. As Chris Wilson explains on the IEBlog:

“Building on the security features released at beta 1, upcoming new features will include ActiveX Opt-in. To reduce the attack surface and give users more control over the security of their PC, most ActiveX controls (even those already installed on the machine) will be disabled by default for users browsing the Internet. Users will have the option to enable controls as needed using the same Information Bar they have used to install new controls since Windows XP SP2, and we are proactively working with the largest ActiveX control vendors to make sure the experience is great. We’ve created a Protected Mode for IE when running on Windows Vista, which reduces the severity of threats to IE and add-ons running in the IE process by eliminating the silent install of malicious code through software vulnerabilities. We do this by automatically running IE in isolation from any other application or process in the operating system and preventing the IE process from writing to any location beyond Temporary Internet Files without explicit user consent.”

Java is an object-oriented programming language that can be used to develop active content for Web sites. A Java Virtual Machine, or JVM, is used to execute the Java code, or “applet,” provided by the Web site. Java applets can be downloaded from a Web server and run on your computer by a Java-compatible Web browser. A recent issue with a Java version from Sun is that when users install the latest version of Java on their computer, it sits on top of the older versions and thus the older versions still remain on the computer. It is recommended to uninstall previous Java versions whenever you are updating your computer with the latest version.

Active content involves plug-in applications that are intended for use in the Web browser. Plug-ins normally comes into play when one visits a certain Web site, for example Acrobat Reader plug-ins or Macromedia Flash allows the user to experience a particular Web site that needs this active content. Active content also applies to scripting features in browser. Active Scripting is a term used to define the various script programs that can run within and work with HTML to interact with the user and create a dynamic web page.

JavaScript is a dynamic scripting language developed by Netscape to enable Web authors to develop active content for Web sites. Although it shares many of the features and structures of the full Java language, it was developed independently. Unlike Java, JavaScript is a language that is interpreted by the Web browser directly. JavaScript is endorsed by a number of software companies and is an open language that anyone can use without purchasing a license. JavaScript also has security measures to prevent against malicious code. It cannot, for example, modify important system files or read your registry. JavaScript can have vulnerabilities, though. If your browser is not up-to-date, there is a higher chance that your computer can get infected.

JScript is the Microsoft implementation of the ECMA 262 language specification. It is a full implementation, plus some enhancements that take advantage of capabilities of Microsoft Internet Explorer. JScript is an interpreted, object-based scripting language. Although it has fewer capabilities than full-fledged object-oriented languages like C++ and Java, JScript is more than sufficiently powerful for its intended purposes. JScript .NET is probably the biggest leap in functionality for JScript since the 1996 introduction of JScript version 1.0 with Internet Explorer 3.0. JScript has traditionally been used to develop client-side scripts due to its ubiquitous, cross-platform support on the Internet, but we've been seeing a steady increase in the usage of JScript on the server—particularly in Active Server Pages (ASP). For example, MSDN uses a large amount of server-side JScript, as do many other sites on the Internet. JScript .NET was designed with these requirements in mind. The JScript team was keen to ensure that the new language features were added in an evolutionary manner, so that one can leverage existing JScript skills in the .NET world. It was vital that JScript .NET feel like a new version of the existing language, rather than a completely new language.

VBScript (short form of Visual Basic Script Edition) is a programming language that is unique to Microsoft Windows. VBScript is similar to JavaScript, though it is not as widely used in Web sites because it is more compatible with Internet Explorer than other alternative browsers. VBScript is an Active Scripting language interpreted via Microsoft's Windows Scripting Host.

Cookies are text files that a Web server can store on a user's hard disk. Cookies allow a Web site to store information (sites visited or credentials for accessing the site) on a user's machine and later retrieve it. The pieces of information are stored as name-value pairs. Cookies are designed to be readable only by the Web site that created them. A name-value pair is simply a named piece of data. It is not a program, and it cannot "do" anything. A Web site can retrieve only the information that it has placed on your machine. It cannot retrieve information from other cookie files or any other information from your machine. For more information on how to handle cookies in Internet Explorer, read the Microsoft.com Cookie FAQ.

Cross-site scripting (XSS) is a security vulnerability of dynamic Web pages generated from information supplied to the web server and replayed as part of the response to the browser. In an XSS attack, a malicious user can create a specially crafted link to inject unwanted executable script or code (usually JavaScript) into a Web site. When an unsuspecting victim clicks the link, the malicious piece of JavaScript can then send the victims’ cookie away to a CGI script. At times techniques to protect data, proper cookie handling is not enough to prevent XSS. For more information about XSS, read The Cross Site Scripting FAQ. People use both “CSS” and “XSS” for cross-site scripting. XSS is used to avoid confusing it with the CSS acronym for cascading style sheets.

Although XSS is a severe threat, the awareness of it is still relatively low. For example, the popular forum board software Invision Power Board Version 1.3.1 Final was reportedly vulnerable to XSS at one point. Again, it is most important to make our basic concepts clear and to raise awareness.

Cross domain vulnerabilities can be regarded as a super set or Global XSS. It is a trick that can be used in the browser to effectively gain "XSS access" to any page regardless of the hosting site has an XSS vulnerability or not.

Internet Explorer 7 is coming up with some more new features like cross-domain protection. Cross-domain scripting attacks involve a script from one Internet domain manipulating content from another domain. For example, a user might visit a malicious page that opens a new window that contains a legitimate page (such as a banking Web site) and prompts the user to enter account information, which is then extracted by the hacker. To learn more about the new security features in Internet Explorer 7, read Finding Security Compatibility Issues in Internet Explorer 7.

Phishing is the term for an ever-growing e-mail fraud threat.

A Common Phishing e-mail

A generalized definition from Computerworld says, “Phishing is a technique used to gain personal information for purposes of identity theft, using fraudulent e-mail messages that appear to come from legitimate businesses. These authentic-looking messages are designed to fool recipients into divulging personal data such as account numbers and passwords, credit card numbers and Social Security numbers.”

To help address this threat, Microsoft has come up with Phishing Filter, a feature in Internet Explorer 7.

Phishing Filter Settings

Phishing Filter is an opt-in feature that uses three checks to help protect users from phishing scams:

  1. It compares addresses of Web sites that a user attempts to visit with a list of reported legitimate sites that is stored on the user’s computer.

  2. It analyzes sites that users want to visit by checking those sites for characteristics common to phishing sites.

  3. It sends the Web site address that a user attempts to visit to an online service run by Microsoft to be checked immediately against a frequently updated list of reported phishing sites.

Internet Explorer 7 is still in beta and feedback will only help end users to help Microsoft deliver the best. It sure looks a bright future ahead with new technologies implemented and innovations brought up. Features such as Phishing Filter and Protected Mode are already proving useful and will bring more promise in coming days.

At the end of day, it comes down to a simple two-word trick, “click safe.” If we examine how we and other victims have been infected, we will see that more often than not it was because we clicked on a suspicious link, we downloaded a suspicious attachment, or we were not watchful and cautious about what we were clicking. A common mistake is clicking duplicate Close buttons and then realizing that the genuine Close button is just above, which will, at once, bring up lots of pop-ups and with just one moment of losing common sense. A Web browser is merely a medium that can help you realize the potential of the Internet. Using common sense and understanding the basic requirements are enough to help have a secure, rich browsing experience.