9.5 Preventing Internet Browser Attacks

There are several things you can do to reduce the risk of malicious code launching through your browser, although always be aware that the only 100 percent safe option is to remove the browser software from the PC and not use the Internet. The following prevention tips are presented in order of importance.

9.5.1 Configure Browser Settings and Zones

Internet Explorer has security settings that can be set to minimize the risk of hostile code. I will cover the relevant Java and ActiveX settings in the next chapters.

9.5.1.1 Internet Explorer security settings

Most of Internet Explorer's security settings are under Tools → Internet Options. There are two tabs that concern us. First choose Advanced, as shown in Figure 9-5.

Figure 9-5. Advanced options in Internet Explorer

Under the Advanced tab, the options listed in Table 9-1 can be enabled or disabled and affect browser security.

Table 9-1. Internet Explorer's advanced options related to browser security
There are more security options under Tools → Internet Options → Security.

9.5.1.2 Internet Explorer security zones

Internet Explorer has five predefined security zones (see Figure 9-6), which can be used to assign Internet web sites predefined permissions:
When using Internet Explorer, the security zone covering the current location is displayed in the lower-right corner of the browser and can be clicked to bring up the Security Options dialog box. The first four zones are readily visible and configurable. The fifth, My Computer (also called the Local Computer zone), controls files on the local system and is configurable only in the registry or by using the Internet Explorer Administration Kit (covered later). Cache files and folders are stored under the auspices of this zone. Files on the local system are assumed safe and are limited only by the operating system's security settings (e.g., Windows NT's permissions) or the inherent security of the object (e.g., Java's sandbox). That makes My Computer the most permissive of the five zones, which is why any trick that causes the browser to treat remote content as a local file (the cache being the obvious route) is worth so much to an attacker.

Figure 9-6. Internet Explorer security zones

The Internet security zone has a reasonable level of security for most Internet users and most Internet web sites. The settings in the Internet security zone are appropriate for users not surfing to dangerous locations. It will not allow unsigned ActiveX controls to download, and it will not initialize and run controls not marked as safe for scripting (covered in Chapter 11). It will even prompt you to allow signed controls to run. Java security is set to High Safety. By default, any web site you visit that is not specifically assigned to one of the other zones is placed in this zone.

The next three security zones allow users to add individual web sites by domain name or IP address. The Local Intranet zone is for web sites on the computer's local area network, which supposedly present less inherent risk. Accordingly, a few more things can be accomplished in the Local Intranet zone. Objects can be installed to the user's desktop and Java security is set to Medium Safety. Security is more relaxed, and objects and code can access local system resources.

Only the most trusted sites should be listed in the Trusted Sites security zone. This zone is even more relaxed than the Local Intranet zone.
Although unsigned applets will still cause the user to be prompted, most other types of content will execute with little interference. The Trusted Sites zone is meant for Internet sites that have little risk of causing malicious damage or being externally compromised. I use this setting sparingly. Even if you know an Internet site would never harm your system, you also have to feel confident that the site has taken reasonable efforts against being hacked. Otherwise, the trust you have placed in the site can expose your system to unintended malicious hackers' attempts. I've seen the most secure sites violated by simple DNS corruption attacks that redirect web surfers to malicious areas of the Web instead. It had little to do with the security of the actual web site, and more to do with the security maintained at the ISP's DNS servers. Yet the result was the same.

Conversely, the Restricted Sites security zone is for known Internet risks. It disables most non-HTML functionality and active content. Java is disabled. ActiveX is disabled for both signed and unsigned objects. The Restricted Sites zone is used for web sites you have little confidence in, or for areas you expect to be hacked simply by visiting. It is the nature of my job that I spend considerable time visiting malicious hacking web sites, and most of those web sites fall into the Restricted Sites zone. Be careful not to give too much trust to this security setting, as there have been exploits, working through the limited functionality left enabled, that have been able to cause problems and download malicious code.

Each zone has its own default level of security assigned to it. There are four levels of security (see Figure 9-7):
Figure 9-7. Internet Explorer security settings

With Internet Explorer 5.x, the default Internet security zone is set to Medium. Medium security is a good level for most end-user PCs. Table 9-2 shows the default settings and relationships between Internet Explorer's different security zones per level (leaving the Java and ActiveX options aside for now). Options can differ depending on the browser release, and in some cases have been renamed or moved around. Internet Explorer's security zones and levels provide a fairly flexible set of security permissions. If I had to complain about something, it would be that Microsoft doesn't allow users to add more customized security zones or levels. We are stuck with what is predefined. Expect future versions to allow more levels and zones.

Table 9-2. Internet Explorer's default security settings per level
Internet Explorer allows you to customize the default settings for any security zone. Thus, you can make any zone's permissions tougher or more relaxed depending on the needs of the computing environment. Table 9-3 gives a brief description of each option.

Table 9-3. Explanation of Internet Explorer's security settings
With the two differences previously noted (Navigating Subframes and Allow Paste Operations), I accept Internet Explorer's default security settings for each security zone. (I disagree more in the Java and ActiveX chapters.)
9.5.1.3 Internet security registry settings

The security zone settings are stored under the HKCU (HKEY_CURRENT_USER) registry hive, so that the settings are unique per user:
Security settings can also be added manually under HKLM to apply to all users of the same machine; Internet Explorer uses the HKLM copy for everyone only when the DWORD value Security_HKLM_only under the Internet Settings key in HKLM is set to 1. If you would like to change Internet Explorer's security through the registry, consult Microsoft Knowledge Base article Q182569. Editing through the registry allows you to modify the default security of the My Computer zone and to specify security at a finer level of detail. For example, you could force HTTP traffic to the Internet zone while allowing FTP and HTTPS traffic to run under the Trusted Sites zone. (Think twice before doing that: mapping a whole protocol such as HTTPS to Trusted Sites extends that trust to every site reachable over it, which is the opposite of using the Trusted Sites zone sparingly.)

9.5.1.4 New cookie management update

In response to privacy concerns, Microsoft has released a new privacy patch. Among other things, it will notify users when a cookie belongs to a third-party web site and prompt the user to accept or deny it. Many advertising companies are going to be upset. The new patch will also allow users to delete all cookies at once, a feature sorely missing prior to the update. Internet Explorer 6.0 has a new button allowing all cookies to be deleted at once.
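The zone layout of 9.5.1.2 and the registry mechanism of 9.5.1.3, as an added PowerShell example that is not part of the book: it audits the Internet zone for the five settings this section discusses (signed and unsigned ActiveX download, scripting of ActiveX not marked safe, paste operations, sub-frame navigation), reports which zone each protocol maps to by default, and adds a domain to the Restricted Sites zone by writing the ZoneMap entries that KB Q182569 documents. The zone numbers (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites), the action values (0 enable, 1 prompt, 3 disable), the Security_HKLM_only switch and the domain bad.example are assumptions taken from that article; nothing is written unless you drop -WhatIf.

```powershell
# Added example (not from the book): read and adjust Internet Explorer's
# security-zone registry layout as documented in Microsoft KB Q182569.
# Assumptions: zones 0-4 and action values (0 = enable, 1 = prompt, 3 = disable)
# follow that article; the five action IDs below are the ones the chapter
# discusses. Run under the account whose browser you are checking.

$InetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# If Security_HKLM_only is 1, IE ignores per-user zone settings and uses HKLM.
function Get-IEZoneRoot {
    $flag = Get-ItemProperty -Path "HKLM:\$InetSettings" -Name Security_HKLM_only -ErrorAction SilentlyContinue
    if ($flag -and $flag.Security_HKLM_only -eq 1) { return "HKLM:\$InetSettings" }
    return "HKCU:\$InetSettings"
}

$ZoneName = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$Setting  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Action IDs and the value the chapter settles on for the Internet zone.
$Checks = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';              Want = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';            Want = 3 }
    @{ Id = '1201'; Name = 'Initialize and script ActiveX not marked safe'; Want = 3 }
    @{ Id = '1407'; Name = 'Allow paste operations via script';             Want = 3 }
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';  Want = 3 }
)

# Report each checked action for one zone (default: Internet) and flag deviations.
function Test-IEZone {
    param([int]$Zone = 3)
    $props = Get-ItemProperty -Path "$(Get-IEZoneRoot)\Zones\$Zone" -ErrorAction Stop
    foreach ($c in $Checks) {
        $value = $props.($c.Id)          # DWORD named after the action ID
        [pscustomobject]@{
            Zone    = $ZoneName[$Zone]
            Action  = "$($c.Id) $($c.Name)"
            Current = if ($null -eq $value) { 'Not set' } else { $Setting[[int]$value] }
            Wanted  = $Setting[$c.Want]
            OK      = ($null -ne $value -and [int]$value -eq $c.Want)
        }
    }
}

# Which zone each protocol lands in by default (the text's HTTP/FTP/HTTPS example).
function Get-IEProtocolDefault {
    $props = Get-ItemProperty -Path "$(Get-IEZoneRoot)\ZoneMap\ProtocolDefaults" -ErrorAction Stop
    foreach ($p in 'http', 'https', 'ftp', 'file') {
        [pscustomobject]@{ Protocol = $p; Zone = $ZoneName[[int]$props.$p] }
    }
}

# Put a domain (and the hosts under it) into Restricted Sites for http and https.
# The layout is one key per domain under ZoneMap\Domains holding a DWORD per protocol.
function Add-IERestrictedSite {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Domain)
    $key = "HKCU:\$InetSettings\ZoneMap\Domains\$Domain"
    if ($PSCmdlet.ShouldProcess($Domain, 'Add to Restricted Sites zone')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($proto in 'http', 'https') {
            New-ItemProperty -Path $key -Name $proto -Value 4 -PropertyType DWord -Force | Out-Null
        }
    }
}

Test-IEZone -Zone 3 | Format-Table -AutoSize
Get-IEProtocolDefault | Format-Table -AutoSize
Add-IERestrictedSite -Domain 'bad.example' -WhatIf    # drop -WhatIf to apply
```

The audit reads, it does not repair: fix a flagged row through the Security tab so the browser's own bookkeeping stays consistent, or set the DWORD directly if you are scripting many machines. On a domain-managed machine the Site to Zone Assignment List policy is the better way to populate the Domains key, because IE then greys the entries out and users cannot quietly move a site back to the Internet zone.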
9.5.1.5 Internet Explorer Administration Kit

Microsoft's Internet Explorer Administration Kit (IEAK) allows you to customize the security settings and appearance of Internet Explorer, and then helps accelerate distribution to end users. The kit is made for network administrators, commercial distributors, and Internet service providers. Branded browser versions can be delivered over the Web, over a network, or via a disk media pack. The kit also provides ways to automate browser updates.

9.5.2 Install the Latest Version of Browser and Security Patches

Usually within 30 days of an announced browser security hole, an Internet Explorer upgrade is released to eliminate the vulnerability. Often the vendor has the problem fixed within days. Make sure your copy is the latest version with the latest security patches. Internet Explorer will automatically check for new updates if installed with default settings. Unfortunately, security patches for non-Windows platforms are not as forthcoming. Users of Unix and Macintosh browsers are often left unpatched for several months or more.

9.5.3 Install and Use an Antivirus Scanner

As previously noted, an antivirus scanner that scans incoming browser code may be able to stop malicious code from interacting with your computer. Antivirus scanners show their innate strength when scanning for Java and script viruses. Outside of that arena, most antivirus products are weak.

9.5.4 Avoid Untrusted Web Sites

Another common-sense tip: stay away from nonlegitimate web sites. If you play around on kiddie chat channels, or pirate or hacker web sites, sooner or later they will get you. If you must visit a risky site, add it to your Restricted Sites security zone in Internet Explorer, or disable all scripting (in either browser).

9.5.5 Remove HTA Association

HTML Applications (HTAs) are such a high risk, and are used so rarely for legitimate purposes on most PCs, that a great way to avoid them is to remove their file type association. An HTA is an HTML page that MSHTA.EXE runs as a trusted local application: its script executes with the logged-on user's full privileges, and none of the browser's zone restrictions apply.
In Windows 98, open My Computer, choose View → Folder Options → File Types, choose HTML Applications, and click Remove (see Figure 9-8). Click OK to accept the choice. Now an HTA no longer launches when opened from a browser, from Windows Explorer, or by name from the command prompt.

Figure 9-8. Removing HTML applications as a MIME type

You can also choose Edit instead of Remove, and modify the settings so that HTA files no longer execute with MSHTA.EXE; you can set them to open in WordPad instead. Either way, the casual launch paths for HTAs are closed. Keep in mind that MSHTA.EXE itself is still on the system: anything that runs mshta.exe with the path or URL of an HTA on its command line will still execute it, so the association change removes the easy routes, not the engine.
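The file type change described above, as an added PowerShell example that is not part of the book: it reads the current .hta association, reports whether the handler still points at MSHTA.EXE, and re-points it at WordPad (the Edit alternative the text mentions). The registry layout (HKCR\.hta naming the htafile ProgID, whose shell\open\command holds the launch string) and WordPad's usual location are assumptions; writing under HKCR needs an elevated prompt, and nothing is changed unless you drop -WhatIf.

```powershell
# Added example (not from the book): inspect and neutralize the .hta file type
# association so a double-clicked or browser-launched HTA no longer runs in
# MSHTA.EXE. Assumptions: the standard layout HKCR\.hta -> htafile and
# htafile\shell\open\command; WordPad's path is the usual one and is checked.
# Requires an elevated prompt for the write. Use -WhatIf to preview.

# Returns the ProgID behind .hta, its open command, and whether mshta.exe handles it.
function Get-HtaAssociation {
    $ext    = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.hta' -ErrorAction SilentlyContinue
    $progId = if ($ext) { $ext.'(default)' } else { $null }
    $cmd    = $null
    if ($progId) {
        $open = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue
        if ($open) { $cmd = $open.'(default)' }
    }
    [pscustomobject]@{
        ProgId      = $progId
        OpenCommand = $cmd
        RunsInMshta = [bool]($cmd -and $cmd -match 'mshta\.exe')
    }
}

# Re-point the htafile handler at WordPad so opening an .hta shows its source
# instead of executing it (the book's alternative to deleting the file type).
function Disable-HtaAssociation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $wordpad = Join-Path $env:ProgramFiles 'Windows NT\Accessories\wordpad.exe'
    if (-not (Test-Path $wordpad)) { throw "WordPad not found at $wordpad" }
    $key = 'Registry::HKEY_CLASSES_ROOT\htafile\shell\open\command'
    if (-not (Test-Path $key)) { throw "No htafile open command at $key; nothing to change" }
    if ($PSCmdlet.ShouldProcess($key, "Point HTA handler at $wordpad")) {
        Set-ItemProperty -Path $key -Name '(default)' -Value "`"$wordpad`" `"%1`""
    }
}

Get-HtaAssociation
Disable-HtaAssociation -WhatIf    # drop -WhatIf to apply
```

HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so the write lands in the machine-wide copy unless a per-user htafile key already exists; check both if the association seems to revert. Because mshta.exe still runs any HTA named on its command line, the complete fix on a modern Windows machine is a Software Restriction Policy or AppLocker rule that blocks mshta.exe outright, with the association change kept as defence in depth.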
Following all of these prevention steps should significantly decrease your risk from browser-based malicious mobile code.