Microsoft has just recently released the latest version of its web browser, Internet Explorer 9. It’s sleek and pretty, and it’s definitely faster than its predecessor - but is it more secure? Let's find out.
Why browser security matters more than ever
There are two components to web security: the security of web sites and the servers on which they reside, and the security of the client software that accesses those sites – the web browser. There was a time when the web browser was just one of many Internet applications. As I wrote recently in an overall review of IE 9 for Win7News.net, that’s no longer the case. Whereas we once used separate email clients, FTP clients, IRC clients, newsgroup readers and more, today many computer users do the majority of their computing tasks through their browsers. That’s beginning to include business users, too, as more companies dump their on-premise mail servers and transition their workers to web mail services, and get rid of locally installed applications in favor of lower cost or free web services such as Google Apps and Microsoft Office Web Apps.
Now that the web browser has taken center stage and is inextricably involved with most of what users do on their computers, it’s more important than ever that the browser provides a secure environment not just for surfing sites for information, but for actually performing sensitive tasks. Attackers, of course, recognize this and see the browser as a very attractive target. The web browser is one of the most frequently exploited applications, and at the annual Pwn2Own event, security researchers compete to bring down the popular web browsers. At this year’s competition, IE 8 was successfully hacked, along with Safari 5.0.3 (The researchers who were scheduled to test Firefox and Chrome withdrew or didn’t show up, respectively). You can read more about it here.
The evolution of Internet Explorer security
Microsoft’s web browser has come a long way since IE 1.0, which came in the Windows 95 Plus! Pack. Security wasn’t nearly so much of an issue back in those early days of the commercial Internet, although by the end of 1995, when version 2.0 was released, Microsoft had added support for Secure Socket Layer (SSL). Subsequent versions of the browser focused more on adding features such as multimedia enhancements and increasing performance and stability. However, enhanced functionality also meant more features that could be exploited, and IE used the concept of security zones to.
IE 6.0, which came preinstalled on Windows XP (but was released a few months prior), was the first version to actually start to address security and privacy, with a new cookie handling tool and the first implementation of the P3P protocol for controlling privacy settings. This is a bit ironic, given that IE 6 is now considered a big security risk and everyone, including Microsoft, is urging computer users to stop using it. Find out more here.
The real push for security came with IE 7, which came with a phishing filter to protect against malicious web sites that aren’t what they purport to be, and introduced reduced privilege mode (also called protected mode IE) on computers running Vista – but this feature wasn’t support on XP computers. In addition, Active X opt-in helped to defend against some of the dangers of Active X controls and IE 7 allowed you to enabled it on a per-zone basis, and security zones themselves were more locked down by default. Another security improvement in IE 7 was designed to protect against cross-domain scripting by making scripts keep the same security context even when they were redirected. Better SSL/TLS notification made it easier for users to know whether a web transaction was secured, and web sites that obtained high assurance certificates (which require an identity verification process) were identified by a color coded (green) address bar. New registry keys were added to prevent HTML access to users’ personal data. There was even a “no add-ons mode” to ensure that threats couldn’t be introduced via browser add-ons. All in all, IE 7 was a big step forward for Microsoft, security-wise. For more detail about all the security improvements, see the article that I wrote on that topic back in 2005 here.
IE 8 came out in 2009 and added more security improvements such as domain highlighting, which makes it easier to determine the domain of the site you’re accessing, and the SmartScreen filter, which was a new and improved version of IE 7’s phishing filter that, in addition to protecting against phishing sites, also protects you from sites that are known to deliver malware. Although the browser gives users the option to disregard the warning, administrators could use Group Policy to prevent them from doing so. In addition to the blacklist, the filter also used heuristics to detect potentially dangerous sites. IE 8 also includes changes to ActiveX, so that controls are now installed on a per-user basis by default and can also be installed on a per-site basis. ActiveX killbits was integrated with Windows Update so the controls could be automatically disabled when an exploit was discovered. Data Execution Prevention (DEP) was enabled by default, the XSS Filter offered better protection against cross-site scripting, and the Cross Domain Request and Cross Document Messaging features make it more secure for sites to share information with one another. Microsoft also provided an IE 8 Desktop Security Guide with information on how to adjust settings for a more locked down security configuration.
What does IE 9 bring to the table?
IE 9 builds on all the security features that were introduced in IE 7 and IE 8. It also brings with it some additional protections, such as enhanced memory protection features that are aimed at preventing malicious code from running when a memory-related vulnerability is discovered. DEP/NX is the foundation of memory protection, and it causes the processor to terminate a process when a block of memory doesn’t contain the proper marking indicating that it is executable code. That means if an attacker places data in memory, the processor raises an exception and causes a “safe crash” rather than execute the potentially dangerous instructions. To better understand how DEP/NX works, see this link.
IE 9 also improves on another IE 8 feature, Address Space Layout Randomization (ASLR), which helps prevent attackers from bypassing DEP/NX protections by ensuring that a process’s memory space is laid out in a way that’s not predictable. The randomization process has been improved in IE 9 to eliminate predictable memory mappings. IE 9 also supports a new feature call SEHOP (Structured Exception Handler Overwrite Protection) that validates the integrity of the exception handling chain to prevent structured exception handling from being exploited. This overcomes some of the limitations of SafeSEH (Safe Structured Exception Handling) which was designed to prevent malicious structured exception handlers from being introduced into the chain, but which was enabled on a per-DLL basis and required add-ons to be compiled with the SafeSEH flag. The details of these features will be of most interest to developers; if you’re interested, you can learn more about SEHOP here .
Another focus of IE 9 security is protection against social engineering attacks. This makes sense, because many experts believe social engineering is one of the biggest threats to the IT infrastructure. This position was taken recently by the Australian Federal Police at the Australian Computer Society’s Discover IT 2011 conference, as reported in CIO Australia. Check it out here
And the social engineering contest at the most recent Defcon, in September of last year, showed that most organizations easily give up vital information to social engineers. You can read more here.
Social engineering is attractive to attackers because they don’t need deep technical skills to pull off an attack; all they have to do is convince a computer user to do something that will allow the attacker to get in. IE 9 improved the SmartScreen Filter by adding the SmartScreen Application Reputation feature, which works with URL Reputation to improve protection against socially engineered attacks. Application Reputation attempts to distinguish between reputable downloads and those that are potentially malicious. The SmartScreen filter is also integrated into the new download manager in IE 9 (itself a feature that some users have been wanting for a long time).
You can read more about Application Reputation here.
Yet another security/privacy feature that’s built into IE 9 is called Tracking Protection. This feature makes it easier for users to block or allow third party content by using Tracking Protection Lists from trusted organizations. Get the full story on Tracking Protection here.
Finally, the Pinned Sites feature in IE 9, while it may seem like merely a convenience, also provides some security benefits. By pinning the sites you use often, such as your banking site, to your toolbar, you make it easy to go to the site that way and avoid clicking links in email messages, protecting you from that type of phishing. Another advantage is that because pinned sites run in a separate session of IE, cookies used by those sites can’t be accessed and abused by sites on tabs in your main IE window. Another good thing about pinned sites is that they run without add-on toolbars or helper objects so attackers who use those as an attack vector won’t be able to attack your pinned sites sessions. You can also ensure that you always connect to the secure (https) version of the site and don’t get redirected to the non-secure (http) version. And you get some protection from man-in-the-middle attacks aimed at the HTTPS protocol, because the connection will be terminated if there’s a problem with the site’s certificate. If you aren’t familiar with Pinned Sites, read about the feature here.
What more could you want?
With all the above-referenced security mechanisms in IE 9, is there anything lacking that would make the browser more secure? There have been complaints that the default security settings are not stringent enough, and that all active content should be completely locked down by default, then users could add trusted sites one at a time.
Along those same lines, security purists might object to the blacklist method used by SmartScreen. This basically allows sites that aren’t known to be malicious (although as mentioned earlier, heuristics are also used). Those folks would prefer a whitelist method, which disallows all sites except those that are known to be trustworthy. Certainly that is the more secure approach – but it’s also one that (like Vista’s “in your face” UAC) would probably earn the ire of many users.
Another commonly heard complaint is that IE’s security settings, while they provide very fine grained control, are overly complex for the average user. What would you change, add, or simplify when it comes to IE’s security features? What’s on your security wish list for IE 10? Let me know and I’ll compile a list and publish the results in my Windowsecurity blog.