9.5 Preventing Internet Browser Attacks

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 9.  Internet Browser Attacks

There are several things you can do to reduce the risk of malicious code launching through your browser, although always be aware that the only 100 percent safe option is to remove the browser software from the PC and not use the Internet. The following prevention tips are presented in order of importance.

9.5.1 Configure Browser Settings and Zones

Internet Explorer has security settings that can be set to minimize the risk of hostile code. I will cover the relevant Java and ActiveX settings in the next chapters.

9.5.1.1 Internet Explorer security settings

Most of Internet Explorer's security settings are under Tools → Internet Options. There are two tabs that concern us. First choose Advanced, as shown in Figure 9-5.

Figure 9-5. Advanced options in Internet Explorer

Under the Advanced tab, the options listed in Table 9-1 can be enabled or disabled and affect browser security.

Table 9-1. Internet Explorer's advanced options related to browser security

| Advanced option | Description |
| --- | --- |
| Automatically check for Internet Explorer updates | If selected, whenever Internet Explorer is started, the browser will first log on to Microsoft's update web site and see if any updates or security patches need to be applied. Nice feature. |
| Disable script debugging | If unselected, you will be notified about every script error on a web site, which can be a lot. Most people should enable this option. |
| Display a notification about every script error | Related to the previous option. Typically left off. If turned on, when a web page script error is encountered, a large warning message is displayed. Good for programmers debugging their web sites. |
| Enable Install on Demand | If selected, the browser will automatically begin to download additional Internet Explorer components as needed (e.g., Chinese character encoding). There is a slight risk with this option selected, but so far it has not been exploited. |
| Check for publisher's certificate revocation | When downloading signed content, the browser will check to see if the developer's certificate has been revoked. High-security sites should have this option enabled. |
| Check for server's certificate revocation | When initiating a secure channel, the browser will check to see if the web site's certificate has been revoked. High-security sites should have this option enabled. |
| Do not save encrypted pages to disk | If enabled, pages from secured web sites will not be stored on the disk cache. If disabled, it is sometimes possible for someone to hit the Back button and see the secure page. If a shared PC is used by individuals to see private information, this should be enabled. |
| Empty Temporary Internet Files folder when browser is closed | Self-explanatory. Follow previous advice. |
| Enable Profile Assistant | If enabled, you can choose the information your browser can reveal to a web site. Profile Assistant is located under Tools → Internet Options → Content → My Profile. |
| Use Fortezza | Only needs to be enabled when using Fortezza-enabled hardware encryption devices. |
| Use PCT 1.0, Use SSL 2.0, Use SSL 3.0, Use TLS 1.0 | Choose which secured communication technologies your browser will use to talk to secure web sites. You can activate any of the options; they are not mutually exclusive. You should at least have SSL 2.0 selected as a default to do business with most commercial web sites. |
| Warn about invalid site certificates | If enabled, the browser will warn you if the certificate you are negotiating with is not registered to the current web site. |
| Warn if changing between secured and not secured mode | Normally not a problem either way, although it should be enabled at high-security web sites. This option will warn you if your secured channel suddenly gets redirected to a nonsecure site (possible web spoofing). |
| Warn if forms submittal is being redirected | Self-explanatory. Follow previous recommendations. |

There are more security options under Tools → Internet Options → Security.

9.5.1.2 Internet Explorer security zones

Internet Explorer has five predefined security zones (see Figure 9-6), which can be used to assign Internet web sites with predefined permissions:

  • Internet

  • Local intranet

  • Trusted sites

  • Restricted sites

  • My Computer

When using Internet Explorer, the security zone covering the current location will be displayed in the lower-right corner of the browser and can be clicked to bring up the Security Options dialog box. The first four zones are readily visible and configurable. The fifth, My Computer (also called Local Computer zone), controls files on the local system and is configurable only in the registry or by using the Internet Explorer Administration Kit (covered later). Cache files and folders are stored under the auspices of this zone. Files on the local system are assumed safe and are only limited by the operating system's security settings (e.g., Windows NT's permissions) or the inherent security of the object (e.g., Java).

Figure 9-6. Internet Explorer security zones

The Internet security zone has a reasonable level of security for most Internet users and most Internet web sites. The settings in the Internet security zone are appropriate for users not surfing to dangerous locations. It will not allow unsigned ActiveX controls to download and it will not initialize and run controls not marked as safe for scripting (covered in Chapter 11). It will even prompt you to allow signed controls to run. Java security is set to High Safety. By default, any web site you visit that is not specifically assigned to one of the other zones is placed in this zone. The next three security zones allow users to add individual web sites by domain name or IP address.

The Local Intranet setting is for web sites on the computer's local area network, which supposedly present less inherent risk. Accordingly, a few more things can be accomplished in the Local Intranet zone. Objects can be installed to the user's desktop and Java security is set to Medium Safety. Security is more relaxed and objects and coding can access local system resources.

Only the most trusted sites should be listed in the Trusted Sites security zone. This zone is even more relaxed than the Local Intranet zone. Although unsigned applets will still cause the user to be prompted, most other types of content will execute with little interference. The Trusted Sites zone is meant for Internet sites that have little risk of causing malicious damage or being externally compromised. I use this setting sparingly.

Even if you know an Internet site would never harm your system, you also have to feel confident that the site has taken reasonable efforts against being hacked. Otherwise, the trust you have placed in the site can expose your system to attacks by malicious hackers. I've seen the most secure sites violated by simple DNS corruption attacks that redirect web surfers to malicious areas of the Web instead. It had little to do with the security of the actual web site, and more to do with the security maintained at the ISP site's DNS servers. Yet, the result was the same.

Conversely, the Restricted Sites security zone is for known Internet risks. It disables most non-HTML functionality and active content. Java is disabled. ActiveX is disabled for both signed and unsigned objects. The Restricted Sites zone is for web sites you have little confidence in, or for areas where you expect to be hacked simply by visiting. It is the nature of my job that I spend considerable time visiting malicious hacking web sites, and most of those web sites fall into the Restricted Sites zone. Be careful not to give too much trust to this security setting, as there have been exploits, working through the limited functionality left enabled, that have been able to cause problems and download malicious code.

Each zone has its own default level of security assigned to it. There are four levels of security (see Figure 9-7):

  • High

  • Medium

  • Medium-Low

  • Low

Figure 9-7. Internet Explorer security settings

With Internet Explorer 5.x, the default Internet security zone is set to Medium. Medium security is a good level for most end-user PCs to have. Table 9-2 shows the default settings and relationships between Internet Explorer's different security zones per level (avoiding Java and ActiveX options for now). Options can be different depending on the browser release, and in some cases, renamed or moved around.

Internet Explorer's security zones and levels provide a fairly flexible set of security permissions. If I had to complain about something, it would be that Microsoft doesn't allow users to add more customized security zones or levels. We are stuck with what is predefined. Expect future versions to allow more levels and zones.

Table 9-2. Internet Explorer's default security settings per level

| Security item description | High | Medium | Medium-Low | Low |
| --- | --- | --- | --- | --- |
| Security Zone Default | Restricted | Internet | Local Intranet | Trusted |
| Allow cookies that are stored on your computer | D [1] | E [1] | E | E |
| Allow per-session cookies (not stored) | D | E | E | E |
| File download | E | E | E | E |
| Access data sources across domains | D | D | E | E |
| Installation of desktop items | D | P [1] | E | E |
| Launching of programs and files in an IFrame | D | P | E | E |
| Navigate subframes across different domains | D | E | E | E |
| Software channel permissions | High | Medium | Low | Low |
| Submit nonencrypted forms data | P | E | E | E |
| User data persistence | D | E | E | E |
| Active scripting | P | E | E | E |
| Allow paste operations via script | P | E | E | E |
| User Authentication/Logon | P | #2 | #3 | #3 |

[1] D=Disable, E=Enable, P=Prompt.

Internet Explorer allows you to customize the default settings for any security zone. Thus, you can make any zone's permissions tougher or more relaxed depending on the needs of the computing environment. Table 9-3 gives a brief description of each option.

Table 9-3. Explanation of Internet Explorer's security settings

| Security item | Description |
| --- | --- |
| Allow cookies that are stored on your computer | Choose whether to allow or deny cookies to be created by web sites and stored on your computer. |
| Allow per-session cookies (not stored) | Choose whether to allow or deny cookies in memory to be used during the current session. |
| File Download | Choose whether to allow file downloads via HTTP. Even if allowed, you will still be prompted to save the file to disk. Does not affect FTP options. |
| Access data sources across domains | Choose whether to allow web sites to download data from different domains. If disabled, can prevent web-site spoofing. I usually choose Prompt to notify me if it is being attempted. |
| Installation of desktop items | Choose whether or not to allow a browser program to modify the desktop, such as placing a new icon. Disable if you have Active Desktop activated. |
| Launching of programs and files in an IFrame | Choose whether or not to Frame-enable your browser. |
| Navigate subframes across different domains | Choose whether or not to allow a web site to open frames from domains other than its own. If enabled, can allow cross-frame navigation. I disagree with IE's default setting and set this to Prompt or Disable. |
| Software channel permissions | Choose how much to automate software downloads. Choose Low Safety to allow automatic software distributions without end-user intervention. Choose High Safety in a high-security environment. |
| Submit nonencrypted forms data | Choose whether or not to allow data submitted in an HTML form to be transmitted in clear text across the Web. Normally this is OK unless you are submitting confidential data. |
| User data persistence | Choose whether or not to allow personal user data entered into a web-site form to persist for other forms. |
| Active scripting | Choose whether or not to allow scripting languages to run on the browser. Disable in high-security PCs. |
| Allow paste operations via script | If allowed, some JavaScript exploits can read local system files. I choose Prompt. |
| User Authentication/Logon | Choose whether or not to automatically respond with logged-in user credentials when prompted for a password. If Enabled, a nonsecure web site may be able to learn your logon name and password as it is transmitted in clear text. |

With the two differences previously noted (Navigating Subframes and Allow Paste Operations), I accept Internet Explorer's default security settings for each security zone. (I disagree more in the Java and ActiveX chapters.)

David LeBlanc, a leading Microsoft security expert, recommends a second approach to zone security because he believes the trusted sites zone is too trusting. He recommends applying the default Internet security zone settings to the trusted zone, and then securing the Internet zone even further.

9.5.1.3 Internet security registry settings

The security zone settings are stored in the HKCU registry key, so that the settings are unique per user:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Security settings can also be manually added to HKLM to apply to all users of the same machine. If you would like to manually change Internet Explorer's security through the registry, consult Microsoft's Knowledge Base Article #Q182569. Editing through the registry allows you to modify the default security of the My Computer zone and to specify security down to a lower level of detail. For example, you could force HTTP traffic to the Internet zone while allowing FTP and HTTPS packets to run under the Trusted Sites zone.
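
The following is an added example, not code from the book or from Microsoft: a Python audit of a .reg export of the per-user Zones key against this chapter's advice for the Internet zone. The zone numbers, action IDs and DWORD meanings are those documented in KB Q182569; the BASELINE mapping and the sample export are constructed for illustration.

```python
import re

# Zone numbers and action IDs as documented in Microsoft KB Q182569.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
ACTIONS = {"1406": "Access data sources across domains",
           "1407": "Allow paste operations via script",
           "1607": "Navigate subframes across different domains"}
# DWORD value -> (label, permissiveness rank); higher rank = more permissive.
STATES = {0: ("Enable", 2), 1: ("Prompt", 1), 3: ("Disable", 0)}

# Most permissive DWORD tolerated per zone. Assumption: this encodes the
# chapter's advice for the Internet zone (Prompt for 1607, 1407 and 1406).
BASELINE = {3: {"1607": 1, "1407": 1, "1406": 1}}

SECTION = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\Internet Settings\\Zones\\(\d)\]$", re.I)
VALUE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def audit_reg_export(text):
    """Return (zone, setting, actual, allowed) for each over-permissive value."""
    findings, zone = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SECTION.match(line)
            zone = int(m.group(1)) if m else None  # ignore unrelated keys
            continue
        m = VALUE.match(line)
        if zone is None or not m:
            continue
        action, value = m.group(1).upper(), int(m.group(2), 16)
        limit = BASELINE.get(zone, {}).get(action)
        if limit is None or value not in STATES:
            continue  # setting not covered by the baseline, or unknown state
        if STATES[value][1] > STATES[limit][1]:
            findings.append((ZONES[zone], ACTIONS[action],
                             STATES[value][0], STATES[limit][0]))
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000003
"1407"=dword:00000000
"1607"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1607"=dword:00000000
'''

if __name__ == "__main__":
    for zone, setting, actual, allowed in audit_reg_export(SAMPLE):
        print(f"{zone}: {setting} is {actual}; baseline allows at most {allowed}")
```

Extending BASELINE with entries for zones 1, 2 and 4 lets the same audit cover the other zones; values stricter than the baseline are never reported.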

9.5.1.4 New cookie management update

In response to privacy concerns, Microsoft has released a new privacy patch. Among other things, it will notify users when a cookie belongs to a third-party web site, and prompt the user to accept or deny. Many advertising companies are going to be upset. The new patch will also allow users to delete all cookies at once -- a feature sorely missing prior to the new update. Internet Explorer 6.0 has a new button allowing all cookies to be deleted at once.

When you disable downloading cookies, cookies already installed will continue to work.

9.5.1.5 Internet Explorer Administration Kit

Microsoft's Internet Explorer Administration Kit™ (IEAK) allows you to customize the security settings and appearance of Internet Explorer, and then helps accelerate distribution to end users. The kit is made for network administrators, commercial distributors, and Internet service providers. Branded browser versions can be delivered over the Web, over a network, or via a disk media pack. The automation kit also provides ways to automate browser updates.

9.5.2 Install the Latest Version of Browser and Security Patches

Usually within 30 days of an announced browser security hole, an Internet Explorer upgrade is released to eliminate the vulnerability. Oftentimes, the vendor has the problem fixed within days. Make sure your copy is the latest version with the latest security patches. Internet Explorer will automatically check for new updates if installed with default settings. Unfortunately, security patches for non-Windows platforms are not as forthcoming. Users of Unix and Macintosh browsers are often left unpatched for several months or more.

9.5.3 Install and Use an Antivirus Scanner

As previously noted, an antivirus scanner that scans incoming browser code may be able to stop malicious code from interacting with your computer. Antivirus scanners show their innate strength when scanning for Java and script viruses. Outside of that arena, most antivirus products are weak.

9.5.4 Avoid Untrusted Web Sites

Another common sense tip: stay away from nonlegitimate web sites. If you play around on kiddie chat channels, or pirate or hacker web sites, sooner or later they will get you. If you must visit a risky site, add it to your Restricted Sites security zone in Internet Explorer, or disable all scripting (in either browser).

9.5.5 Remove HTA Association

HTML Applications are such a high risk, and are used so rarely for legitimate purposes on most PCs, that a great way to avoid them is to remove their MIME association. In Windows 98, open My Computer, choose View → Folder Options → File Types, choose HTML Applications, and Remove (see Figure 9-8). Choose OK to accept the choice. Now an HTA cannot be executed from a browser, from Windows Explorer, or from the command prompt.

Figure 9-8. Removing HTML applications as a MIME type

You can also choose Edit, instead of Remove, and modify the settings enough so that HTA will not automatically execute with MSHTA.EXE. You can modify the setting so that it will open up with WordPad instead. In either case, the threat of HTAs will be gone.

Be sure to test the effects of removing the HTA association before doing so. In most cases, nothing will be disabled. But on some systems there are a few programs and help files that might not function if the HTA extension is removed.

Following all of these prevention steps should significantly decrease your risk from browser-based malicious mobile code.


Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
EAN: 2147483647
Year: 2001
Pages: 176
