Dynamic Security Protection: Reviewing IE7 Security Enhancements
By Matt Heller
Security Evangelist, Text'd LLC
The Web browser is quickly becoming the most commonly used application on a user’s computer. And it occupies a unique space as an essential business and personal productivity tool that is constantly exposed to potentially malicious content created by unknown individuals or groups. As the Web has evolved, browser extensibility has offered developers the tools to build more feature-rich applications and create powerful destinations for their users. These online experiences have fueled the growth of e-commerce and made online financial transactions commonplace. But the extensive commercial success has also given rise to a growing trend toward malicious online activity and increasing efforts by identity thieves to trick users and steal their information. This month we’ll look at past improvements of Microsoft Internet Explorer, the current state of malicious activity, and the enhancements offered in the next version of Internet Explorer to help protect users.
Internet Explorer 6 (IE6) made its debut in late 2001/early 2002, when fewer users were online, spam was the main threat against users, and broadband was just around the corner. IE6 offered many improvements over previous versions and support for new coding technologies. It quickly gained popularity in the marketplace. That success proved too tempting and IE6 was soon the target of malicious attacks. The early attacks were geared at basic financial gain: bombard users with pop-up windows in an effort to earn referral fees when users clicked a link. The tactic was soon used as a denial of service effort where users had so many windows coming up that they (and their system) were simply unable to keep up.
There were other security issues for which IE6 became the target of choice for hackers. A commonly used approach was to place fake URLs and gold padlock icons over the Address bar to trick users and then lure them into divulging personal information. Browser hijack attacks would reset home pages -- again for financial gain through paid advertising -- and users were often unable to reset or remove it. Spyware began popping up on systems, mainly through piggyback downloads (where software is bundled with something else and installed without the user’s informed consent), and began to emerge as the threat we know today.
Making It Better
To help address many of these issues, Microsoft developed a set of updates for both the operating system and the browser. With the release of Windows XP Service Pack 2, users could browse the Web with improved confidence and trust as they logged on to their financial accounts. Some of the major enhancements of Windows XP Service Pack 2 include:
Local Machine Zone Lockdown
Improved Zone Elevation Blocks
URL Spoof Prevention
Secure Download Management
To take a more thorough look at Windows XP Service Pack 2 and its various security improvements, download this white paper. Although IE6 on Windows XP Service Pack 2 did greatly increase user security, the attackers continued their assault. Automatic Updates and the included personal firewall helped stop many of the attacks. But the larger problem seemed to be with the users themselves -- malicious attackers would do anything to trick and confuse users. Social engineering was the tool of the day, and users were becoming unwitting partners in compromising their own security by following directions that ultimately opened up their systems or disclosed personal information.
Solving More Problems
In looking at ways to improve user security, it seemed that work was needed on both usability items (educating and informing the user) and technical issues. Because user safety and security were the primary development goals for Internet Explorer 7, this new version leverages all of the advancements in previous versions and contains new features to help mitigate potential attack vectors. IE7 is also the first browser version to be entirely developed using the Security Development Lifecycle (SDL) methodology, which has been shown to dramatically reduce the number and severity of issues in released software. In essence, the SDL is a set of development processes that combine development, security, and product teams to deliver software that meets business objectives but has undergone detailed security reviews during the design and build process, rather than undergoing an audit after the code is complete.
The end result of the process was an IE7 that offers users a rich mix of user awareness security features and some major internal code changes to greatly reduce the attack surface. There are many Web developer and user-oriented features, tabbed browsing for example, but this discussion will focus on the security features. To find out more about IE7 in general and get a more complete review of all the exciting new features, visit the IE7 Web site.
IE7: Don't Get Hooked by Phishing
To really experience the security features in IE7, it helps to think about some real-world use cases. Let’s take the all too common example of a phishing attack. Banks and other financial institutions are fighting harder and harder to educate their users about phishing, but the attackers just get smarter (okay, maybe just trickier). There was a recent case where a malicious group built an exact replica site for a real bank in the Midwestern United States, complete with all the right images, links and content and a close-but-not-the-real-one domain name. The only noticeable difference between the real site and the phishing site was the certificate authority (CA) that issued the certificate. This group was able to convince a CA to issue their site a bona fide SSL certificate with root credentials preconfigured in all major browsers.
In this real-world case, IE7 users would have been protected on several levels from this social engineering attack -- an attack that does not attempt to exploit a code vulnerability or compromise the user's computer to achieve success. IE7 users would have the added protection of a feature called Phishing Filter, an opt-in service provided by Microsoft at no charge. The service is a combination of client-side and server-side heuristics and allow/block lists that update regularly throughout the day. The feature works by taking the URL (not any variables or personally identifiable information) and weighing factors based on page content to establish a score. Information is passed asynchronously to the online service if the score is in a certain range, and the service then replies if the site is a known phishing site.
Known phishing sites are denoted by turning the Address bar red; users are navigated away from the page and a warning message is displayed about the potential for a phishing attack. Suspicious sites -- where a page has certain suspicious characteristics and the site does not appear on the allow list -- display a yellow-filled Address bar, and good sites display the standard white Address bar. There is a locally stored allow list with many well-known and trusted sites to increase performance by reducing the number of calls to the service.
Because Phishing Filter works on a combination of data from a broad set of collected sources and user submitted site data, the service is constantly updated as threats are discovered, so users would likely have been steered away before significant damage was done.
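The decision flow described above can be sketched as follows. This is an added example, not Microsoft's code: the host names, heuristic signals, weights and thresholds are all assumptions chosen for illustration, and the online service is replaced by a local stand-in.

```javascript
// Constructed data: hosts, signals, weights and thresholds are assumptions.
const LOCAL_ALLOW_LIST = new Set(["www.examplebank.test"]);
const SERVICE_KNOWN_PHISH = new Set(["examplebank-secure.test"]); // stand-in for the online service
const QUERY_THRESHOLD = 30;      // score at or above this triggers a service lookup
const SUSPICIOUS_THRESHOLD = 60; // score at or above this turns the bar yellow

// Reduce a URL to scheme, host and path so query variables, fragments
// and embedded credentials are never sent to the service.
function urlForLookup(rawUrl) {
  const u = new URL(rawUrl);
  return `${u.protocol}//${u.host}${u.pathname}`;
}

// Client-side heuristic: weigh page-content signals into a score.
function heuristicScore(page) {
  let score = 0;
  if (page.hasPasswordField) score += 30;
  if (page.formPostsToOtherHost) score += 30;
  if (page.mentionsBrandNotInHost) score += 25;
  return score;
}

// Stand-in for the service reply (the real call is asynchronous).
function serviceSaysPhish(lookupUrl) {
  return SERVICE_KNOWN_PHISH.has(new URL(lookupUrl).hostname);
}

// Returns the Address bar state and exactly what was transmitted, if anything.
function evaluatePage(rawUrl, page) {
  const host = new URL(rawUrl).hostname;
  // The local allow list short-circuits: no score, no network call.
  if (LOCAL_ALLOW_LIST.has(host)) return { bar: "white", sent: null };
  const score = heuristicScore(page);
  // Low scores stay on the client; nothing is sent.
  if (score < QUERY_THRESHOLD) return { bar: "white", sent: null };
  const sent = urlForLookup(rawUrl);
  if (serviceSaysPhish(sent)) return { bar: "red", sent };
  return { bar: score >= SUSPICIOUS_THRESHOLD ? "yellow" : "white", sent };
}
```

The `sent` field makes the privacy property checkable: for an allow-listed or low-scoring page it is `null`, and otherwise it never contains the query string, fragment or credentials.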
But wait, there’s more. Microsoft is actively involved in an industry effort to define a new, enhanced validation process by certificate authorities. The goal of the High Assurance certificates is to build consumer trust. Although the standards are still being crafted, the final process will require CAs to perform more thorough checking and validation of businesses before they can receive a High Assurance SSL certificate. Microsoft has included support for these new certificates in IE7, and the Address bar will be green to visually indicate the presence of a High Assurance certificate. In the case above, users of the bank’s Web site would have expected to see green and would have been alerted when it was missing.
Users will clearly benefit from the Phishing Filter service and support for High Assurance certificates. But there are other security features in IE7, including:
Address Bar Protection -- To help block malicious sites from emulating trusted sites, every window, regardless of whether it is a pop-up or standard window, will present an Address bar to users.
Delete Browsing History -- Enables users to clean up cached pages, passwords, form data, cookies and history, all from a single window.
Fix My Settings -- An Information Bar warns users when their current security settings may put them at risk. Within the Internet Control Panel, users will see certain critical items highlighted in red when they are unsafely configured. In addition to receiving dialog alerts that warn about unsafe settings, users will be reminded by the Information Bar as long as the settings remain unsafe. To instantly reset Internet security settings to the Medium-High default level, users can click Fix My Settings in the Information Bar.
URL Handling Security -- Redesigned URL parsing ensures consistent processing and minimizes possible exploits. The new URL handler helps centralize critical data parsing and increases data consistency throughout the application.
Saving the Best for Last
It’s always nice to reward people for reading to the end. Sticking with it lets you in on the best parts of IE7: Protected Mode and ActiveX Opt-In. Protected Mode, available on Windows Vista, will run the IE process with very low rights -- only enough permission to write to a specific part of the Registry and the Temporary Internet Files directory. Without express user interaction (IE needs an onClick event or equivalent, scripting is prohibited) and the user accepting the download prompt, the user hive and all other resources are unavailable. If the application needs higher level permissions, to save a file for example, a broker process is called to handle the request. The broker process can only be called by a user driven interaction and once the elevated permission task is complete, the broker goes away.
IE7 offers users the protections of ActiveX Opt-In to ensure high-impact extensibility while maintaining the proper balance of application security. ActiveX Opt-In reduces a computer’s attack surface by turning off access to most ActiveX controls by default. Since many controls used and installed by other applications were never meant to be exposed to the Internet, they may not have been designed with proper levels of scrutiny or security to handle malicious threats. Further, many of those controls have no legitimate need or requirement to be exposed to the Internet. ActiveX Opt-In removes those threats from being exploited without a user’s consent. Before a control can be accessed, it must be approved by the user. ActiveX Opt-In gives the control (of controls!) to the user, not to the malicious Web site. When properly used, this feature should prevent drive-by downloads and unintended activity on a user’s computer.
But even users with the best intentions can be persuaded to make poor trust decisions. I’ve seen some of those malicious sites and occasionally they can be very compelling: who doesn’t want to get 100 photos for $1? That’s where IE7 works closely with the defense-in-depth protections offered by Windows Defender. Now in Beta 2, Windows Defender provides users with added levels of safety and security for online activity. Windows Defender is constantly scanning critical areas of the file system to help ensure that nothing gets placed on the system to compromise the user. The Registry, startup folder, browser settings, and more are generally protected from unauthorized modification by Windows Defender. No matter what browser you are running today, you should not be operating without an anti-spyware product like Windows Defender.
Take the Plunge
Go ahead, download the Beta 2 Preview of IE7. You’ll need to be running Windows XP Service Pack 2, which you should have installed long ago. Take the new browser for a spin and let us know what you think. The goal of the Beta 2 Preview is to have people test out the features and then tell us what works and what doesn’t work so well. We’ve planned time to tweak things based on your feedback, so don’t be shy.
If you just want to read more before making any changes, then the IE Team blog may be just the place for you. The blog covers all the features in much more detail and announces special events, talks, and more.