Web Browser Security Revisited (Part 2)

Published on 5 Feb. 2014 / Last Updated on 5 Feb. 2014

In this article we'll look at Microsoft’s browser, Internet Explorer.

If you would like to read the other parts in this article series please go to:

Introduction

In Part 1 of this series, we discussed the importance of web browser security and some security-related issues that are common to all or many of the popular browsers today. In subsequent installments, we’re going to look at each of those browsers individually and discuss the specific security mechanisms that are built into each and how they’re implemented, and talk about some best configuration practices to make each as secure as possible.

Because our focus on this site is on Windows and Microsoft products, we’ll begin with Microsoft’s own browser, Internet Explorer.

Internet Explorer Security

Internet Explorer has been included with the Windows operating system since Windows 95 (first as part of the Plus! package), and up until Windows 7/IE 8 was an integral part of the operating system that couldn’t be removed. Unfortunately, IE garnered a reputation for security vulnerabilities due to some high profile exploits. As the browser with the most widespread usage, it is naturally the target of more hackers and attackers who want to get the most “bang for the buck.”

Much of Internet Explorer’s bad reputation is based on the past, before Microsoft started putting a high priority on security. IE 6, in particular, is well known to have serious security flaws and a couple of years ago, Microsoft launched a campaign to encourage users to upgrade from the browser that some are, nonetheless, still running on Windows XP. The good news is that the market share of those using IE 6 is now (as of October 2013) under 5 percent, according to Net Applications statistics.

However, there have been some high profile incidents where more recent browser versions were implicated, too. In early 2010, the German, Australian and French governments went so far as to recommend their citizens switch to a different browser after a major attack on Google and other companies that exploited a security flaw in IE 6, 7, and 8. Germany issued the same warning again in September of 2012, in the wake of an outbreak of the Poison Ivy Trojan that also exploits a vulnerability in IE.

Almost every month, Patch Tuesday sees Microsoft patching another vulnerability in IE. In September 2013, a zero day vulnerability in all supported versions of IE that, according to Microsoft, affected up to 70 percent of business users was being actively exploited “in the wild.” October’s monthly security update slate then included a cumulative update for IE that addressed 10 separate vulnerabilities, including two of the zero day variety.

Despite these and other incidents, because it comes with Windows and doesn’t require downloading and installing another piece of software, IE has always held a large portion of the market share, and probably always will. Netmarketshare.com’s September 2013 statistics showed IE (counting all versions) with a total market share of 55.15 percent.

Note:
You may see widely varying statistics from different sources, due to differences in methodology regarding how the data is collected and reported. Some sites go by unique users, others by page view count. Some limit the geographic area of collection. Some collect data from more web sites than others. Some use surveys or information from regional ISPs. Net Market Share uses over 40,000 web sites throughout the world and counts unique visitors, and has a quality control system to prevent fraud.

On the other hand, as mentioned in Part 1, some recent studies have found that IE is better at blocking malicious software than any of the other major browsers. More recent tests indicate that both IE and Chrome are far superior to rivals Firefox and Safari when it comes to malware protection – a bit ironic in light of the previously mentioned Sophos poll that showed Firefox was the most trusted browser.

In any event, usage statistics prove that a majority of web users think IE is “secure enough.” And Microsoft has poured a ton of time, effort and money into improving IE’s security over the years. The very latest version is IE 11, which comes in the Windows 8.1 update that was released in final form just a few days prior to the writing of this article. Prior to that release, Microsoft hosted a reward program, inviting hackers and researchers to find security vulnerabilities in the preview version, for which the company offered to pay up to $11,000 per vulnerability.

Beginning with IE 7 in 2006, Microsoft built in a security mechanism called Protected Mode, which is enabled by default for Internet browsing. It was designed to run IE with greatly restricted privileges and to warn users when a website they were visiting attempted to run software programs that would have access to their computer outside of IE. This was a great security improvement, but the problem was that Protected Mode only worked when the browser was running on Vista or above; it didn’t work in XP even if you installed the IE 7 browser, because it depended on User Account Control (UAC). Since Vista was not popular, most users and companies stayed with XP and didn’t benefit from Protected Mode.

IE 8 also brought domain highlighting, to show the real domain being visited so it would be more difficult for users to be tricked by phishing sites. It introduced the SmartScreen Filter, another anti-phishing mechanism that analyzes web pages for suspicious characteristics and checks them against a list of known phishing sites, as well as checking downloaded files. There is also a cross-site scripting filter to prevent web-based applications from gathering data from a user.

The Add-on Manager makes it easy for users to enable and disable browser add-ons (plug-ins) and get rid of ActiveX controls that aren’t needed. The InPrivate Browsing and InPrivate Filtering features also came in IE 8, to help prevent the browser from saving sensitive data and to keep web sites from collecting info about other sites you visit.

IE 9 improved on these features, adding application reputation to the SmartScreen Filter, and it supports DEP/NX, ASLR and SEHOP, all of which are memory protection mechanisms. Data Execution Prevention (DEP) can prevent exploits that use a buffer overflow to store executable instructions in areas of memory that should hold only data (NX refers to the Never Execute bit that segregates areas of memory). Address Space Layout Randomization (ASLR) also protects against buffer overflow attacks by making it hard for attackers to locate particular functions in memory. It does this by arranging the areas of a program in a random and unpredictable fashion. SEHOP (Structured Exception Handler Overwrite Protection) validates the integrity of the exception handling chain to prevent structured exception handling from being exploited.

It’s important to note that IE 9 is not available for Windows XP.

IE 10 and 11 have incorporated some new security features that include:

  • Enhanced Protected Mode
  • ForceASLR
  • HTML5 Sandbox Attribute

Enhanced Protected Mode takes the Protected Mode feature a step further, to limit the browser so that it only has read/write access when that’s absolutely required. Manager processes now always run as 64 bit processes if you’re running a 64 bit version of Windows, which improves security. Content processes also run in 64 bit processes in the modern UI version of IE, but on the desktop run as 32 bit processes by default to maintain compatibility with add-ons. You can enable Enhanced Protected Mode in the desktop version from the Options | Advanced tab, making it more secure. When running on Windows 8, Enhanced Protected Mode also runs the Content Process in AppContainer, which is a new feature for isolating processes. You can read more in-depth details about Enhanced Protected Mode here.

ForceASLR is an enhancement to the ASLR that was introduced in IE 7, which now randomizes the locations of all modules that the browser loads into memory. This is integrated into the Windows 8 kernel and when you install IE 10 on Windows 7, it updates that operating system to support it as well.

The sandbox attribute is new in HTML5 and it is supported by IE 10 and above. When the attribute is applied, sandboxed content is restricted in a number of ways. Plug-ins are disabled, so no ActiveX, Flash, or Silverlight content will run. Forms and JavaScript are also disabled. Anchor tags that link to different browsing contexts don’t work, and content isn’t allowed to read cookie information.
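The restrictions described above can be checked mechanically. The following is an added example, not code from the article or from Microsoft: a Node.js script that reads the iframe tags in a constructed HTML sample and reports which restrictions each sandbox value leaves in place. The tokens are standard HTML5 sandbox keywords; the function names, hosts and paths are hypothetical.

```javascript
// Added example (not from the article). Each HTML5 sandbox token lifts one restriction.
const LIFTS = new Map([
  ["allow-forms", "form submission"],
  ["allow-scripts", "JavaScript"],
  ["allow-top-navigation", "navigating the top-level browsing context"],
  ["allow-same-origin", "cookie and same-origin access"],
]);

// value: the sandbox attribute string ("" when valueless), or null when absent.
function auditSandbox(value) {
  if (value === null) {
    return { sandboxed: false, blocked: [], allowed: [],
             warnings: ["no sandbox attribute: framed content is unrestricted"] };
  }
  const tokens = new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
  const blocked = ["plug-ins"]; // no sandbox token re-enables plug-ins
  const allowed = [];
  for (const [token, feature] of LIFTS) {
    (tokens.has(token) ? allowed : blocked).push(feature);
  }
  const warnings = [];
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    warnings.push("allow-scripts + allow-same-origin: same-origin content can remove its own sandbox");
  }
  for (const t of tokens) {
    if (!LIFTS.has(t)) warnings.push(`token not covered by this audit: ${t}`);
  }
  return { sandboxed: true, blocked, allowed, warnings };
}

// Simplified attribute reader: handles quoted or valueless attributes within one tag.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}(?:\\s*=\\s*(["'])(.*?)\\1)?(?=[\\s>])`, "i").exec(tag);
  return m ? (m[2] || "") : null;
}

function auditIframes(html) {
  return [...html.matchAll(/<iframe\b[^>]*>/gi)].map(([tag]) => ({
    src: attr(tag, "src"),
    ...auditSandbox(attr(tag, "sandbox")),
  }));
}

// Constructed sample markup; the hosts and paths are hypothetical.
const SAMPLE = `
<iframe src="https://ads.example/banner.html"></iframe>
<iframe src="https://widgets.example/poll.html" sandbox></iframe>
<iframe src="/comments.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://forms.example/f.html" sandbox="allow-forms"></iframe>`;

for (const r of auditIframes(SAMPLE)) console.log(r.src, r.blocked, r.warnings);
```

A bare `sandbox` attribute applies every restriction; each token added to its value lifts one of them, so the shortest token list that still lets the framed page work is the one to deploy.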

In addition, the “modern UI” version of IE 10 has limited Flash capability, allowing only “whitelisted” web sites that have been preapproved by Microsoft to run Flash content, since Flash is often targeted by attackers. IE 11 doesn’t add any major security upgrades. It does add support for WebCryptoAPI (for IE 11 on Windows 8.1).

It’s interesting to note that IE 11 will also support WebGL. This is interesting because of Microsoft’s previous stance; in 2011 the company published a paper positing that WebGL (which is a 3D graphics API) is a security risk. That paper was, however, careful to note that they did not support WebGL “in its current form,” so those who are saying they had previously sworn to never support it are incorrect. In fact, Microsoft rep Dean Hachamovitch noted that the WebGL technology of today is different; it now includes a technology called CORS that prevents the type of attacks Microsoft was previously concerned about. The IE 11 team also built in mechanisms to screen WebGL content for suspicious activity patterns.

Summary

All of the security mechanisms we’ve discussed work together to help the latest versions of IE provide for better security than ever. But how you configure the browser matters a lot. In Part 3, we’ll discuss best configuration and use practices to make browsing with Internet Explorer a safer experience.
