Now Microsoft is ramping up for a one-two punch to the competition with all the new security features in the next version of Internet Explorer, IE 7.0, which is currently in private beta testing. I’ve been trying out IE 7.0 for a few weeks, and at the MVP summit in Redmond in September, I got a chance to hear from some of the folks on the IE team about how these new features make IE more secure.
Microsoft’s browser security philosophy
The first thing we heard in regard to IE security is that Microsoft is taking a “big picture” look at the threat environment, recognizing that a single application – the Web browser – has multiple usages (on the intranet, on extranets, and on the Internet) that require different levels of security. That concept has long been exemplified by IE’s use of security zones, and the zone feature carries over to IE 7.0 but with some major improvements that give administrators (in the corporate environment) and users (in the home and small business environments) more granular control over browser behavior that impacts security. At the same time, many security features will be more transparent to end users.
One important priority is that IE’s new features will be turned off by default if there is any possible security risk involved in implementing them. It’s a simple idea, and part of the “secure by default” leg of Microsoft’s trustworthy computing “SD3” (Secure by Design, Secure by Default and Secure in Deployment) position. Microsoft’s new security philosophy is all about defense in depth, or multi-layered security, and they’ve made an effort to make the new security features proactive instead of relying on patching problems as they arise. Toward that end, they’ve made fundamental architectural changes to the browser software to address anticipated future threats.
The new IE security features can be classified into two broad categories: those that address threats to the machine and those that address threats to user data.
Machine protection is provided by a number of mechanisms:
- Protected mode
- Consolidated URL class (cURL)
- ActiveX opt-in
- Cross-domain protection
- Zones lockdown.
User info is protected by such features as the anti-phishing filter and new ways for users to more easily “clear their tracks” – delete records of browsing history, cookies, etc. Authentication has been strengthened, and there are new warnings that will prompt users when potentially dangerous situations exist.
Protected mode, previously called Low Rights IE, ensures that only the permissions that are necessary to do the job are delegated to the browser. Add-ons run with low permissions by default, so plug-ins are protected as well as IE itself.
By default, writes to a user’s profile are automatically redirected to a subdirectory of Temporary Internet Files, and extensions can use the SaveAs API to prompt the user if files will be written to any location outside the TIF folder (for example, if you download a template that will be saved in the Templates folder).
There are three integrity levels: High (admin), Medium (user) and Low (restricted). Processes running at lower integrity levels can never send to an application that’s running at a higher level.
Protected mode requires that IE be running on Windows Vista. An important security feature of Vista is user account protection (UAP), which runs everything with least privilege by default. This has been a part of UNIX for a long time, but it’s important to note that it protects the machine, not the individual user account.
Consolidated URL class
This security feature is designed to prevent attacks that take advantage of the way browsers parse URLs, for example, the way they process special escape characters such as the @ sign before the host name.
With the new cURL feature, URLs are parsed in one location only, rather than having individual plug-ins doing their own URL parsing (and perhaps parsing the same URL differently). It’s all about more control and leaving less to chance.
The cURL API lets programmers specify URLs instead of strings to designate addresses.
The new, more secure philosophy behind this feature is that active controls should run only if they’re intended to be run in IE. The average Windows computer has approximately 350 ActiveX controls when it ships, but only 10 or so are intended to run in the browser. IE 7.0 will have a list of controls that are known to be safe to run in the browser. If a control that’s not on the list tries to run, you’ll be prompted and you’ll have to opt-in to run it. Once you opt in for a particular control, you won’t be prompted when you run it again.
Another significant security improvement is “add on free mode.” This works somewhat like safe mode for Windows, in that it runs IE without any extensions. This is useful in case you have problems that prevent IE from running in regular mode and you need to download a fix, or search the Internet for a solution – but can’t do so because you can’t open the browser. One control that does run in this mode is the Windows Update control, which makes sense so you can get updates that may address your problem.
Cross domain protection and zones lockdown
Cross domain scripting is a common attack aimed at the Web browser. In previous versions of IE, an attacker could redirect a browser frame opened in one domain to a different security domain. For example, the attacker could run script in the Local Machine Zone and execute malicious code with the same privileges as the user who is logged onto the computer.
In IE 7.0, scripts and objects won’t lose their security content even when redirected. If the security context changes, the script will be blocked.
When IE 7.0 is run on Vista with protected mode turned on, there will be a new medium high security template. The intranet zone is off by default unless the computer is a domain member. The trusted sites zone has stricter default settings, and you can’t use the sliders to choose a setting that’s below medium security – you’ll have to explicitly customize the settings to do so.
Protecting user info
The problem here is that the browser or operating system can’t make all decisions on the user’s behalf – you have to let users make some decisions, but the user is the weakest security link. IE 7.0’s goal is to help users make the right decisions.
Anti-phishing filter uses a block list of known phishing sites plus heuristics technologies. IE will notify the user if a site is a reported phishing site or if it is a suspicious site based on heuristics, but it doesn’t tell the user what the specific criteria for suspicion is. There is also a client side list of known good sites. Info on those sites is not sent to the phishing server. Unfortunately, the user can’t add sites to the allow list.
When the browser communicates with the anti-phishing server, it uses SSL to encrypt communications, and it doesn’t send anything but the host name and path.
IE 7.0 will include a “clear tracks” selection as a top level menu item. The user can, in one click, clear browsing history, index.dat file and other records of what the user has done. This is useful, for example, when using public shared computers to remove records of your use. IE 7.0 will also prevent remote sites from stealing data that you have saved on the Windows clipboard, by prompting and requiring user approval before scripting the clipboard. Scripting in the status bar is also blocked so it will be harder for an attacker to spoof where a link goes when hovering over the link.
Finally, IE 7.0 will lock down what character sets can be displayed in the address bar by default. This prevents exploits that use characters in one character set that look like those in another to take you to a domain other than the one you think you’re going to. IE will now warn you when the Web server name includes international characters.
Microsoft has put a lot of effort into making IE 7.0 a much more secure browser. Some of these features will be available in the version of IE 7.0 that can be downloaded for XP, while others will require Vista. Either way, users will enjoy definite security advantages by upgrading to the new browser version, and the release of IE 7.0 looks to be a big step forward for Microsoft toward regaining ground they’ve lost to other browsers because of security issues.