Over the past few years, Microsoft Internet Explorer (IE) has had its share of bad publicity as a result of security vulnerabilities that fall into two basic categories: viewing malicious content or installing unsafe code. The browser might bring you a link to a nefarious Web site or a maliciously coded HTML-based email message. Also, phishing email messages and links to software on fringe sites (e.g., pornographic or gambling sites) sometimes lure users to install ActiveX controls that give attackers privileged access to their computer systems.
The browser's tight integration with the OS includes a flexible application programming interface (API) and has launched a burgeoning Application Service Provider (ASP) market and a popular platform for corporate-intranet programming. Unfortunately, attackers took advantage of this flexible framework, and soon IE became a popular target for spyware, adware, worms, and other browser-based exploits. Of course, the fact that IE has come standard on every Windows OS for more than 10 years makes it a natural target for attackers as well. IE's perceived—and real—security vulnerabilities have become so bad lately that many pundits recommend switching to an alternative browser such as Mozilla Firefox, even in light of the compatibility problems that arise from using a browser that doesn't support ActiveX. (For more information about whether choosing an alternative browser is a good idea, see the Web sidebar "Firefox or IE 7.0?" at InstantDoc ID 48823.) Now, IE 7.0 is in beta, and although it doesn't completely address all the problems (yes, you must still educate users about how not to install unfamiliar software), the new release adds many security improvements. Of course, regardless of IE's security improvements, the greatest security vulnerability is still the end user. Many of IE 7.0's security improvements help users assess the safety and integrity of a site and make informed decisions about Internet use. Let's take a look at what you can expect from the next release of IE and specifically at the user-targeted security features you'll find.
Microsoft will release two versions of IE 7.0. Users of Windows XP Service Pack 2 (SP2) will be able to download a standalone version that will upgrade IE 6.0. Also, Microsoft is including IE 7.0 in its new Windows OS, Vista. This integrated browser will include additional security features, such as protected mode, that aren't available in the standalone version. Protected mode provides a wrapper around IE 7.0 that leverages Vista's User Account Protection (UAP) technology and prevents the browser from directly accessing the OS. This feature should prevent the elevation-of-privilege attacks that plague earlier versions of IE. While in protected mode, IE 7.0 will be unable to directly access local resources, such as the user or system files or the registry, and will be able to write only to Temporary Internet Files. You must initiate any requests for privileged access—such as installing an ActiveX control or saving a Web page—by clicking the IE UI. This action invokes a broker process to manage the connection between the browser and the OS. Additionally, you'll be able to classify which ActiveX controls are available to the browser (e.g., Macromedia Flash) and which will be accessible to the OS. Although this code is still in beta and Vista isn't expected until the second half of 2006, this feature alone will be one of many compelling reasons to upgrade to Vista.
Microsoft has tweaked numerous IE security features to make them more accessible in version 7.0. IE 7.0 exposes several security features directly in the IE 7.0 interface so that users don't have to search the menus. For example, the Tools menu now includes several new options, including the phishing filter and a new feature, Delete Browsing History, which deletes all of the currently saved cookies, history, Web-form data and passwords, and temporary files. This accessibility is good because most browser users probably never visit the menus, choosing instead to interact by using just the address bar and associated buttons such as Home, Forward, Back, and Refresh.
A Site Security Report
Web sites encrypt sensitive information over HTTP Secure (HTTPS) by using either Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and today, most Web sites encrypt all personal information. IE 7.0 changes the default HTTPS protocol settings and will disable SSL 2.0 and enable TLS 1.0 to provide stronger Web site encryption. In addition, IE 7.0 makes the status of an HTTPS connection more visible to users. Most browsers signal an SSL-protected page by displaying a padlock icon, or you can look at the URL designator— "HTTPS" indicates a protected page. IE 7.0 goes further and presents a security report for the site. When you visit an SSL-encrypted site, you can access this report by clicking the lock icon to the right of the address bar. Alternatively, you can access the security report by selecting View, Security Report. As Figure 1 shows, the security report summarizes the site's SSL status, including the encryption level and certificate owner. Clicking View Details shows you the same certificate information dialog box you see in current IE releases. Knowing this information can help a user discern a legitimate Web site from the kind of spoofed Web site common to phishing attacks.
IE 7.0 also provides more information than previous releases about problematic HTTPS certificates to better notify users when problems exist. If a Web site contains an invalid certificate (e.g., the certificate was issued to a host name different from the name in the URL, the certificate root CA is untrusted, or the CA is expired), IE 7.0 will redirect users to a warning page. Users can continue to the page, but if they do, they'll see a constant reminder of the site's questionable security: IE 7.0 will paint the URL address bar bright red. I'm sure this feature will cause many companies to redeploy internal certificates or URLs to ensure that the sites' certificates are valid. For example, many intranets signed with company certificates will be marked invalid by home users who haven't installed the company's root certificate.
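The three certificate conditions described above (name mismatch with the URL host, untrusted root CA, expired validity), modelled as an added example; this is not IE's code or Microsoft's, and the trust store, clock, and sample certificates are constructed stand-ins. It also shows why an intranet site signed by a company CA turns the address bar red on a home PC that never imported that CA.

```python
from datetime import datetime, timezone

# Constructed trust store and clock for the example (not real CA names).
TRUSTED_ROOTS = {"Example Root CA"}
NOW = datetime(2006, 6, 1, tzinfo=timezone.utc)      # "today" for the example
LATER = datetime(2008, 1, 1, tzinfo=timezone.utc)    # a date after GOOD_CERT expires


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the URL host, case-insensitively.
    A leading "*." wildcard covers exactly one DNS label, as browsers require."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]              # the part the wildcard must cover
    return bool(label) and "." not in label


def certificate_problems(cert: dict, url_host: str, now: datetime = NOW) -> list:
    """Return the reasons the browser would warn about this certificate: the
    names on the certificate don't cover the host in the URL, the issuing root
    isn't trusted, or the validity period has ended. Empty list means no warning."""
    problems = []
    names = [cert["subject_cn"]] + cert.get("san", [])
    if not any(hostname_matches(n, url_host) for n in names):
        problems.append("name-mismatch")
    if cert["issuer"] not in TRUSTED_ROOTS:
        problems.append("untrusted-root")
    if now > cert["not_after"]:
        problems.append("expired")
    return problems


def address_bar_colour(cert: dict, url_host: str, now: datetime = NOW) -> str:
    """Red address bar when the user continues past any certificate warning."""
    return "red" if certificate_problems(cert, url_host, now) else "normal"


# Constructed sample certificates, reduced to the fields the checks need.
GOOD_CERT = {"subject_cn": "www.example.com", "san": ["*.example.com"],
             "issuer": "Example Root CA",
             "not_after": datetime(2007, 1, 1, tzinfo=timezone.utc)}
# Intranet certificate signed by a company CA that a home PC has not imported.
INTRANET_CERT = {"subject_cn": "portal.corp.example", "san": [],
                 "issuer": "Corp Internal CA",
                 "not_after": datetime(2007, 1, 1, tzinfo=timezone.utc)}
```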
Finally, you probably recognize the message "This page contains both secure and nonsecure items. Do you want to see the nonsecure items?", which prompts users to click Yes or No to continue. IE 7.0 will now block the nonsecure content and will permit access only through the information bar, in much the same way that IE 6.0 blocks file downloads and popups today.
Phishing Filter is the New Popup Blocker
The most remarkable (and debated) new security feature in IE 7.0 is the phishing filter. Phishing is the nefarious act of luring someone to a spoofed Web site under false pretenses, usually by sending an enticing email message containing a link to the site. For example, in one popular phishing scam, an attacker impersonating a bank sends an email message that directs the recipient to a false Web site to "update account information." Victims end up giving their account information to the attacker. The IE 7.0 phishing filter analyzes each Web site you visit for characteristics common to phishing Web sites. If IE makes a match, it will allow access to the site but will flag the site as suspicious and warn you by displaying a dialog box. Then, IE takes the warning one step further: It inspects the URL of every Web request by using two methods to attempt to validate that the target Web site is legitimate. First, IE compares the Web-site address with a list of legitimate Web sites, which is stored on the local computer. The computer periodically downloads updates to the list from Microsoft. The list contains many prominent sites, such as the largest banks and services, which are often targets of phishing attacks. If the URL matches a URL on the list, IE permits access.
Phishing sites come and go fairly quickly, so to actively check URLs in real time, Microsoft employs an innovative (and hotly debated) feature: live links to a phishing database. When you first run IE 7.0 after installation, it will ask if you want to opt in to this feature. If you consent, IE 7.0 sends Microsoft each URL that you visit to confirm that the address isn't that of a known phishing site. If the site is deemed a phishing site, IE 7.0 will block navigation to that page, warn you, and ask whether you want to visit the site or close the Web page. Microsoft updates this phishing database several times an hour and includes in IE options to report a false positive or a new phishing site. Many of Microsoft's anti-phishing initiatives originated from MSN and MSN Hotmail and now have made their way into the browser to provide an unprecedented level of protection from both known and unknown phishing sites. If active URL checking is disabled and the site isn't listed on Microsoft's downloaded list of safe sites, IE displays a clickable warning icon at the bottom of the browser window that prompts you to take action, as Figure 2 shows.
It's hard to imagine an effective phishing filter that doesn't reference the latest database of information because many phishing sites are up and running for less than a day. But Microsoft's method of automatically checking sites has stirred up quite a bit of controversy. Many people applaud Microsoft's effort to solve a real problem that's plaguing Internet users. But others are suspicious of how Microsoft will use the information it collects or wonder how the automatic checking will affect network performance.
Disabling automatic site checking is an option. However, this option will cause the browser to flag most of the sites you visit because the list of legitimate sites in the local file is fairly limited. Over time, many people might simply ignore the warning or overlook it as just another icon in the bottom of the browser. However, even if automatic checking is disabled, you can manually check a site's legitimacy against Microsoft's database at any time by right-clicking the phishing icon and selecting Check This Website. Even with the phishing filter, training and educating users remains important so they continue to think twice before clicking links to eBay or E*Trade—two companies that unfortunately have been targeted by phishing attacks in the past.
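The decision flow the phishing-filter passages describe (local list of legitimate sites, opt-in live lookup, local page heuristics, and the unverified-site icon when live checking is off), as an added example written for this article; it is not IE's or Microsoft's code, the safe list and "phishing database" are constructed stand-ins, and the heuristics are an illustrative set chosen for the example rather than the filter's actual rules.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed local list of legitimate sites (stands in for the list IE downloads).
LOCAL_SAFE_HOSTS = {"www.bigbank.example", "www.ebay.example"}
# Constructed stand-in for the live phishing database (hypothetical service).
KNOWN_PHISHING_HOSTS = {"bigbank-update.example"}


def _registrable(safe_host: str) -> str:
    """'www.bigbank.example' -> 'bigbank.example', the domain a lookalike imitates."""
    return safe_host[4:] if safe_host.startswith("www.") else safe_host


def looks_like_phishing(url: str) -> list:
    """Local heuristics of the kind the filter applies to every page (illustrative
    set, constructed for this example): a user@host prefix that hides the real
    host, a bare IP address as host, or a host that embeds a listed brand name
    without belonging to that brand's domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass                                  # not an IP literal, so no finding
    for safe in LOCAL_SAFE_HOSTS:
        domain = _registrable(safe)
        brand = domain.split(".")[0]
        if brand in host and host != domain and not host.endswith("." + domain):
            reasons.append("lookalike:" + domain)
    return reasons


def filter_decision(url: str, live_check: bool,
                    lookup=KNOWN_PHISHING_HOSTS.__contains__) -> str:
    """What the browser does with a navigation: allow (local safe list), block
    (live database says phishing), warn (heuristics matched), unverified (live
    check off and site unknown, the Figure 2 icon), otherwise allow."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LOCAL_SAFE_HOSTS:              # 1. local list of legitimate sites
        return "allow"
    if live_check and lookup(host):           # 2. live lookup, only if opted in
        return "block"
    if looks_like_phishing(url):              # 3. page characteristics: allow but warn
        return "warn"
    return "allow" if live_check else "unverified"   # 4. unknown site, no live check
```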
I searched the Internet for the word "bank," and IE 7.0 recognized most of the top 10 US banks as legitimate, but it didn't recognize many others—especially international banks. Although Microsoft will update its list frequently, the list will never include the huge range of sites that people visit. Time will tell how people receive this security feature. It's a step in the right direction, and I'm glad Microsoft is trying to do something to combat phishing, even if it's the first of several iterations of a solution that everyone can live with. For more information about the phishing filter in Beta 1, see the Microsoft white paper "Microsoft Phishing Filter: A New Approach to Building Trust in E-Commerce Content" at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/MSPhishingFilterWP.asp or on the official IEBlog at http://blogs.msdn.com/ie.
Getting a Handle on IE Add-Ons
Many spyware applications infest and hijack IE by using Browser Helper Objects (BHOs), which extend the functionality of an Internet browser. Many BHOs enable useful, legitimate services. For example, Adobe Acrobat and Windows Messenger are two common applications that interface with IE by using a BHO. However, spyware and other malicious software lure users into installing BHOs for other wicked purposes. By tweaking the Manage Add-ons dialog box, IE 7.0 lets users see what BHOs are installed in the browser without removing any useful functionality. You access the Manage Add-ons dialog box from the Tools, Manage Add-ons menu. Then, you can view add-on status or delete add-ons. In the same dialog box, you can show add-ons that IE has used, show add-ons currently loaded in IE, show add-ons that load when IE starts, and show downloaded ActiveX controls (32-bit). These options are too advanced for casual users, but they provide direct access for technical support staff members so that they can troubleshoot problems. By using this feature, you can see at a glance any programs that users might have installed in IE that could interfere with the system. Plus, this feature provides a direct way to remove unwanted programs from IE.
IE 7.0 also includes several under-the-hood architectural security improvements. You'll see improvements in how IE programmatically handles URLs and a cross-domain barrier feature. The consolidated URL (cURL) feature lets programmers specify cURLs as objects instead of strings, which increases security by improving how IE parses the URL. A cross-domain barrier provides additional security, prohibiting one site or code from accessing another site's data.
Although the phishing filter is the most obvious security upgrade to IE 7.0, Microsoft has enhanced many features that improve the security of this product. Time will tell whether these improvements reduce the number of IE security exploits and restore the IE marque. Regardless of the new release's other improvements, its security improvements make upgrading to IE 7.0 a must.
Jeff Fellinge ([email protected]) is a contributing editor for Windows IT Pro and the director of information security and infrastructure engineering at aQuantive. He is the author of IT Administrator's Top 10 Introductory Scripts for Windows (Charles River Media).