Chapter 10: Securing Internet Explorer


Internet Explorer (IE) is Microsoft's most attacked and vulnerable software. Much of the reason has to do with the fact that it is the most popular browser by a large majority and a very complex piece of software with a lot of functionality. Surely Microsoft is to blame for not making it more secure early on, but it is getting more secure and resilient over time. If you don't believe me, read "IE Security Statistics," later in the chapter. This chapter discusses how Internet Explorer works, summarizes the different types of attacks against it, and covers security defenses.

Internet Explorer

First released in July 1995 (www.microsoft.com/windows/WinHistoryIE.mspx), Internet Explorer (IE) was Microsoft's first Internet browser. At the time, the Netscape browser had the majority of the market share, but by 1999 IE had captured first place. Since then, IE has remained the dominant browser, perhaps in large part due to Windows' desktop dominance. Since 2001, IE has had 60–80% of the browser market share (try www.w3schools.com/browsers/browsers_stats.asp or www.safalra.com/website/browsermarket), depending on whose figures you read. IE works mainly on Windows platforms, but there is a Mac-based version as well (www.microsoft.com/mac/products/internetexplorer/internetexplorer.aspx?pid=internetexplorer). The most popular version is IE 6.x, followed by IE 5.x. Microsoft released IE 7 for XP SP2 and Windows Vista, partially in response to Firefox and partially to combat the increasing threat of phishing attacks. IE 7 is significantly more secure than previous IE versions but, unfortunately, it requires Windows XP or later to run.

IE Features

IE is the most functional browser on the market today. It strives to comply with any popularly supported standard. It supports HTML, XML, DHTML, JavaScript, VBScript, FTP (both passive and active modes), URL monikers, multimedia, file downloading, cascading style sheets (CSS), program interfacing, custom interfaces, browser extensions, history listing, favorite links, content filtering, pop-up blocker, source-code viewing, offline web page viewing, digital certificates, script debugging, install on demand, user authentication, iframes, persistent user data, plug-ins (called addons in IE), Java applets, ActiveX controls, SSL, TLS, Auto Complete, resizable graphics, multiple security zones, privacy features, and a cookie manager.

New IE 7 Features

IE 7 is a major upgrade over previous versions, although the look-and-feel remains the same, with a few major changes, such as tabbed browsing and the anti-phishing filter. IE 7 added the following features (assuming they are left in the final release candidate):

  • Improved User Interface:

    • Cleaner interface, fewer icons, less clutter.

    • Tabbed browsing. Mozilla introduced tabbed browsing, whereby multiple web sites are shown on one web page view, each on a different tab. The feature allows more efficient web surfing, and Microsoft adopted it too.

    • Quick tabs feature, to enable users to view and manage multiple tabs with a thumbnail representation of all tabs in a single window.

    • Improved search engine integration with five default search providers (i.e., MSN, Google, Yahoo, Ask Jeeves, AOL Search). End users can easily add more. Search engine companies can customize the end-user experience.

    • Improved search result support. Search results are presented to the user in a better way. Result of work from the OpenSearch 1.1 (http://opensearch.a9.com) collaboration. Search results can be displayed as HTML or RSS.

  • Improved Security:

    • Significantly improved anti-spoofing features. Fixes many errors in past versions whereby a malicious web link or site could hide its true location.

    • Anti-phishing filter. If enabled (IE asks before it enables it), IE will send any link you are connecting to on to Microsoft in real time to determine whether it has previously been reported as a fraudulent web site. If the web site has been flagged as a known phishing site, the end user will be warned (see Figure 10-1). Even when the web site has not been previously flagged but still contains known phishing or spoofing tricks, IE will warn the user and ask if they want to proceed. Users can also submit sites for verification testing.

    • Protected mode (only available in Windows Vista), in which IE will prevent any code or software downloaded from the Internet from being written outside the Temporary Internet File (TIF) location. Should prevent many malware and hacker attacks.

    • New security setting called Medium-High to be used for the Internet zone default security setting. This is more secure than the Internet zone's old setting of Medium.

    • Trusted sites zone security will be moved from Low to Medium security.

    • Local Intranet security zone will be disabled for non-domain computers.

    • SSL v3.0 and TLS 1.0 will be used for HTTPS connections, instead of SSL v2.0.

    • Capability to use IE 7 in "No Add-ons" mode to quickly turn off any add-ons to decrease potential vulnerabilities

    • ActiveX Opt-in: ActiveX controls will not be allowed to run in IE by default. In previous versions, most ActiveX controls could run in IE even though most are intended only to run in Windows (outside IE). IE 7 sets a new default behavior, but the list is user definable.

    • Improved digital certificate handling and end user presentation and involvement

    • Stronger enforcement of cross-domain security

    • Better URL parsing to prevent spoofing, obscurity, and phishing attacks

    • If run on Windows Vista, IE will run in User Account Control mode, whereby IE runs with Restricted Code privileges (see Chapter 3) even when the user who started it is an admin.

    • Stronger content filtering (new Parental Controls will require Windows Vista)

  • New Features:

    • Support for International Domain Name (IDN)

    • Really Simple Syndication (RSS) support. RSS is essentially a new way for web sites to do pseudo-NNTP. Previously, it required another client; now RSS support is built right in. Every web site will be examined for an RSS "feed," and if it contains one, a button on the toolbar lights up.

    • A Page Zoom feature to allow users to magnify any part of a web page

    • Improved PNG graphics support, including for transparent PNG files, whereby they become somewhat transparent so an underlying media presentation can be seen

  • Improved Printing:

    • Shrink-to-fit web page printing, finally, so all printed web pages fit on the printed page. No more cut off right margins.

    • If the last printing page of a multiple-page document from a web site (called an orphan) covers only a minimal portion of the page, IE will resize the document to make it fit on the previous page. Of course, you can control this feature.

  • Miscellaneous Additions:

    • Improved CSS support

    • Stronger compliance with HTML and other browser standards

    • Improved XML support (native now, no longer needs a separate ActiveX control)

    • A web developer toolbar for web application developers (will also be an add-on feature for IE 6)

    • Improved group policy support for new and existing features

    • And, of course, IE 7 contains multiple bug fixes.

Figure 10-1

IE Competitors

There are other popular Internet browsers, such as open-source Firefox (www.mozilla.org/products/firefox), Mozilla (www.mozilla.org/products/mozilla1.x), Linux-based Konqueror (www.konqueror.org), Opera (http://www.opera.com), Mac-based Safari (www.apple.com/support/downloads/safari.html), and text-based Lynx (http://lynx.isc.org).

Firefox has garnered a lot of attention lately and made the biggest gain into IE's dominant market share. According to a few resources, Firefox may have as much as 18% market share, especially in non-USA markets. Released in August 2004, Firefox was seen as a "safer" browser choice. Unfortunately, as covered in Table 10-1, it has suffered even more vulnerabilities than IE since its release. Because Firefox is constantly being exploited, its popularity has waned in recent months.

Table 10-1

| Year/Product | Total Number of Announced Vulnerabilities | Severity Rating-Extremely Critical | Vulnerabilities That Allowed Complete System Compromise |
| --- | --- | --- | --- |
| 2003-IE 6.x | 24 | 17% | 14 |
| 2004-IE 6.x | 34 | 15% | 12 |
| 2005-IE 6.x | 17 | 12% | 7 |
| 2005-FF 1.x | 22 | 4% | 9 |

Figures and statistics taken from www.secunia.com.

Netscape (http://browser.netscape.com/ns8) has become open source, but it will probably never be a serious challenge to IE and the other competitors. The Mozilla browser runs on Windows, Linux, and Mac OS X, but is coming in a distant third after Firefox. The Opera browser comes in commercial and adware-sponsored versions and is a sophisticated browser choice. Although it currently has slightly more than 1% market share, it should continue to be a viable browser choice for Linux and Windows users. Lynx is an interesting browser in that it is all text-based, and theoretically very difficult to exploit. Of course, it doesn't support many browser standards and features, and because of this doesn't have much market share, although security researchers often use it when linking to a suspected malware site. Several cell-phone vendors, such as Nokia (www.nokia.com) and NTT DoCoMo (www.nttdocomo.com), offer web-based browsers that are popular enough to hold a small but measurable market share. Analysts expect cell-phone-based browsers to have some of the biggest market share increases over the next decade.

IE Security Statistics

To be a Microsoft proponent is to constantly hear about IE's security vulnerabilities from every open-source zealot. It has a lot. As of February 2006, version 6.x has had at least 91 announced security vulnerabilities since its release. But it is getting better. Table 10-1 shows some vulnerability statistics for IE 6.x and Firefox (FF) 1.x through December 2005.

Table 10-1 shows a few interesting facts. First, IE 6.x's number of vulnerabilities and vulnerability criticality rating have been decreasing over the years. In fact, the open-source Firefox browser had 30% more vulnerabilities than IE in 2005, and nearly half the Firefox vulnerabilities allowed complete system compromise. Symantec's Internet Security Report, Volume VIII (http://enterprisesecurity.symantec.com/content.cfm?articleid=1539) supports this finding.

Does this mean that IE is more secure than Firefox? No, not for sure. For one, new products being examined in the marketplace, as Firefox is, are expected to have more vulnerabilities than they will when they mature. The only offsetting fact is that Firefox has a very small market share compared to IE, and if its market share increases, so will the number of eyes looking to exploit it, and so will the number of discovered vulnerabilities. Second, the total number of exploits is only one measure of how secure a product is; it says nothing about how secure the product really is. And because of its popularity, an IE flaw is a higher risk than a flaw found in the less frequently used Firefox. Still, seeing the data, I don't see Firefox as a more secure browser alternative.

The hard truth is that there are few safe browser alternatives. Lynx, a text-only browser, is probably as close as typical users will come to a relatively safe browser. It can display HTML and text files, and handle some cookies, but cannot display pictures or execute downloaded content. And it cannot reliably display most web sites. For this reason, it does not, and will not, have wide acceptance in the world.

Don't think browsers are difficult to secure? Lynx is a text-only browser, and it had two critical vulnerabilities in 2005 (http://secunia.com/product/5883). Regular, graphical-based browsers, capable of rendering complex web sites (as are IE and most of its competitors), are highly exposed (nearly every computer has one) and most contain multiple vulnerabilities, found and unfound. The two important factors are that a vendor establishes an acceptable level of functionality versus security and that when vulnerabilities are found, they are quickly patched by the vendor. On the latter point, Microsoft could improve.

Secunia.com currently (as of February 2006) shows that out of the 75 IE vulnerabilities, 28% of them are unpatched by Microsoft. Although few of them are ranked as high or extreme criticality, many are ranked as moderate issues (albeit most are non-severe). Several were announced as vulnerabilities in 2003 and 2004. The vast majority lead to either spoofing, security bypass, or information disclosure. To compare, Firefox only left 7% of its vulnerabilities unpatched, none highly critical. Mozilla is at 15% and Opera is 8%. To be fair, Microsoft has fixed many of the unpatched vulnerabilities in IE 7 (still in beta as of this writing), but with IE 6.x running on most of the world's desktops, Microsoft could respond more quickly to patching IE issues.

How IE Works

When a user starts Internet Explorer using the normal Iexplore.exe executable, a lot happens under the hood. Hundreds of registry and file reads are done. Nearly 100 Dll files are loaded, including the following:

  • Ieframe.dll is one of the main IE Dlls.

  • Shdocvw.dll is the Web Browser Control, which is a main part of the browser. You can build your own browser program using this Dll.

  • Mshtml.dll renders HTML coding, and is used by most Windows programs that display HTML, including Outlook and Outlook Express.

  • Msrating.dll is involved with the Content Advisor feature, even if you don't use it.

  • Urlmon.dll parses loaded URLs and includes lookups for URL monikers. It is the module that decides in which Internet Explorer security zone a particular URL or content will be placed.

  • Crypt32.dll handles the Crypto API, which is needed for Digital Certificates, SSL, TLS, S/MIME, etc.

What Dlls are loaded depends on what IE is doing and rendering. For example, surfing to a site with VBScript coding will load Vbscript.dll. Surfing to a web site with JavaScript controls will invoke Javascript.dll.

Here is some of the startup process that occurs when a user first opens IE:

  1. The user profile is queried to ensure that the correct IE settings are implemented.

  2. GPO use is checked for and application of the GPO IE settings is verified.

  3. The History file is loaded.

  4. Cookie files and the index (Index.dat) are loaded.

  5. Add-ins, such as Adobe Acrobat Reader, are loaded.

  6. TCP/IP settings are verified.

  7. MIME types (covered below) are loaded.

  8. IE security zone settings are loaded.

  9. Digital certificates and trusts are loaded.

  10. Languages are verified and loaded.

  11. Programs that are interfaced with IE to provide support, such as Notepad or Microsoft Word, are verified.

  12. Internet Explorer is loaded.

When IE is up and running, it waits for a URL to be typed or loaded and for content to be retrieved or sent. Any loaded URL is parsed by Urlmon.dll and Url.dll, among several other support files. HTML content is rendered by Mshtml.dll. These Dlls can be called to work in any Windows Internet-enabled program. For instance, if an HTML-enabled e-mail is received by Outlook, it uses the previously listed Dlls to help with the displaying of the web content.

If content besides HTML is received, IE will load other helper files, Javascript.dll, Vbscript.dll, or an add-on such as Adobe Acrobat Reader or Macromedia Flash controls. What gets loaded depends on the content. Much of the content is determined by the MIME type descriptor (discussed in previous chapters). For instance, if the MIME type instruction TYPE="application/x-shockwave-flash" is found, then IE will load the Flash ActiveX control (Flash.ocx) to display the related Flash file. IE can also be instructed to download and run other executables and programs, download files, use SSL or TLS protection, run Java applets, run other scripts, and attempt user logons.

Uniform Resource Locators

The Uniform Resource Locator (URL) is the standard naming convention used to locate and retrieve HTTP and other browser content. A URL includes information about the protocol it is using (i.e., the URL moniker), a colon, two forward slashes, and the content's fully qualified location, usually using DNS naming.

Note 

You may also see URLs referenced as Uniform Resource Identifiers (URI). URLs are actually a subset of URI, but both can be used when talking about browser content locations.

The first part of the URL, the URL moniker, indicates the protocol type. Although it is usually http, it can be many other choices, including aim, telnet, ftp, news, and file (for local file manipulation). The next part of the URL indicates the server's name, which is usually www, but can be almost any name. The server's fully qualified domain location follows. Any typed-in DNS domain name is converted to its resultant IP address, although the URL can contain an IP address (e.g., http://208.215.179.178) instead of a DNS name. After the domain name, URLs usually contain a folder or document name to retrieve. If the retrieved content contains URL references to other objects, they are downloaded as well. For example:

  • http://www.wrox.com/WileyCDA

In the preceding example, http is the protocol, www is the server name, wrox.com is the DNS domain name where the server is located, and WileyCDA is the content location or virtual directory.

  • ftp://ftp.microsoft.com

In the preceding example, ftp is the protocol, ftp is the server name, and the server is located in the DNS domain Microsoft.com.

In the next example, the protocol is http, the server is www, the domain name is ietf.org, the content location on the server is rfc, and the document is rfc3986.txt:

  • http://www.ietf.org/rfc/rfc3986.txt

Normally, when a particular file or document is not specified in the URL, the browser or server will offer up default file names, such as Index.htm or Default.htm.
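
The decomposition walked through above, as an added example (not code from the book): a JavaScript function built on the standard URL parser that splits a URL into moniker, server name, domain, content location, and document, and notes when a default document would be served. The describeUrl name, the three-label rule for picking out the server name, and the "last path segment containing a dot is the document" rule are assumptions made for illustration.

```javascript
// Added example, not from the book. Splits a URL into the parts the chapter
// names, using the standard URL parser available in browsers and Node.js.
const DEFAULT_DOCS = ["Index.htm", "Default.htm"]; // defaults named in the text

function describeUrl(input) {
  const u = new URL(input); // throws TypeError on a malformed URL
  const moniker = u.protocol.replace(/:$/, ""); // "http:" -> "http"
  const host = u.hostname;

  // A host given as an IP address has no server-name/domain split.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");

  // Assumption: with three or more labels, the first label is the server
  // name (the www.wrox.com convention). An exact registrable-domain split
  // needs the Public Suffix List, which this example does not use.
  const labels = host.split(".");
  let serverName = null;
  let domain = isIp ? null : host;
  if (!isIp && labels.length >= 3) {
    serverName = labels[0];
    domain = labels.slice(1).join(".");
  }

  // Assumption: the last path segment is a document only if it contains a
  // dot; everything before it is the content location (virtual directory).
  const segments = u.pathname.split("/").filter(Boolean);
  let doc = null;
  if (segments.length > 0 && segments[segments.length - 1].includes(".")) {
    doc = segments.pop();
  }

  return {
    moniker, host, isIp, serverName, domain,
    location: segments.join("/") || null,
    doc,
    // No document in the URL: the server or browser falls back to a default.
    defaultDocs: doc ? [] : DEFAULT_DOCS,
  };
}

// The chapter's own example URLs.
for (const url of [
  "http://www.wrox.com/WileyCDA",
  "ftp://ftp.microsoft.com",
  "http://www.ietf.org/rfc/rfc3986.txt",
  "http://208.215.179.178",
]) {
  console.log(url, describeUrl(url));
}
```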



Professional Windows Desktop and Server Hardening
ISBN: 0764599909
Year: 2004
Pages: 122
