Beta Man
IE’s Extreme Security Makeover
Microsoft throws in a bevy of new features in Internet Explorer 7 to improve security -- but are they enough?
So far, I like most of what I've seen in the new Internet Explorer -- especially
the tabbed browsing. I still can't help but wonder why it took Microsoft so
long to implement such a simple feature, but at least it's finally there.
Last month, I touched on some
of the new security features and architectural enhancements in Internet Explorer 7 (IE 7). Because the previous versions of IE have been such a pain in the neck from a security perspective, I wanted to take a more in-depth look at what IE 7 brings to the table in terms of security.
Microsoft has rewritten a good bit of IE 7's core code to help combat attacks
that rely on malformed URLs, historically a favorite way to trigger buffer overflows
in the browser. IE 7 now funnels all URL processing through a single function,
which reduces the amount of code that "looks" at URLs.
The idea is that less code looking at URLs means fewer places for parsing errors
to hide, and no two components can disagree about what a given URL means. It's
not a bad approach. The new behavior is similar to the way IIS 6 funnels all
incoming HTTP requests through a system-level HTTP listener (the kernel-mode
HTTP.sys driver) for basic checks before passing the data along. This type of
hardening is an excellent architectural strategy, as it shrinks the code exposed
to hostile input and can mitigate whole classes of parsing attacks rather than
individual bugs.
Situational Awareness
One area where some interesting things are happening is in the realm of end-user
situational awareness. With IE 7, Microsoft has bolstered the visual cues that
help users understand where they are, which site they're browsing and what kind
of connection they're making.
Internet Explorer 7
Version Reviewed: Beta 1
Current Status: Beta 1
Expected Release: Mid- to Late-2006 (currently)
For instance, IE 7 requires that all browser windows display an address bar.
This helps foil attackers who pop up new windows masquerading as pages on a
legitimate site when the content actually comes from a fraudulent one. With an
address bar always present, users immediately see the true URL of the displayed
page, making these types of attacks more obvious. If you think you're looking at
www.microsoft.com, but the browser address bar says www.illhackyou.net, you ought
to be suspicious.
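The following PowerShell is an added example, not code from the article or from Microsoft. It illustrates what the single-funnel approach described earlier buys in practice, and what an always-present address bar would show for each URL: a prefix-style check of the kind that accumulates all over a large code base is placed beside one shared parsing routine, and both are run over a handful of constructed URLs, including look-alikes in the spirit of www.illhackyou.net. The routine is built on .NET's System.Uri as a stand-in for IE's own parser, which is not public; the function names, the length cap and the sample URLs are this example's own assumptions.

```powershell
# Added example, not code from the article or from Microsoft: ad hoc URL checks
# versus one shared parsing routine, and the host an always-present address bar
# would display. All URLs below are constructed for illustration.

# Ad hoc check of the kind that accumulates across a large code base:
# "it is one of our pages if the string starts with our origin".
function Test-LooksLikeTrustedSite {
    param([string]$Raw, [string]$TrustedHost)
    return $Raw -match ('^https?://' + [regex]::Escape($TrustedHost))
}

# The single funnel: every URL the program acts on is parsed here and nowhere
# else, so length limits, syntax errors and unsupported schemes are rejected
# in one place and there is exactly one definition of "the host".
$MaxUrlLength   = 2048                      # a cap chosen for this example
$AllowedSchemes = @('http', 'https')

function Resolve-NavigationUrl {
    param([string]$Raw)
    if ($Raw.Length -gt $MaxUrlLength) {
        return [pscustomobject]@{ Ok = $false; Reason = 'too long' }
    }
    $uri = $null
    # System.Uri stands in for the browser's parser; it refuses malformed input
    if (-not [System.Uri]::TryCreate($Raw, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Ok = $false; Reason = 'malformed' }
    }
    if ($AllowedSchemes -notcontains $uri.Scheme) {
        return [pscustomobject]@{ Ok = $false; Reason = "unsupported scheme '$($uri.Scheme)'" }
    }
    [pscustomobject]@{
        Ok          = $true
        Host        = $uri.Host                 # what the address bar should display
        Secure      = ($uri.Scheme -eq 'https')
        HasUserInfo = ($uri.UserInfo -ne '')    # "trusted.name@" in front of the real host
    }
}

# The one decision every caller shares: is this URL really on the trusted host?
function Test-TrustedSite {
    param([string]$Raw, [string]$TrustedHost)
    $p = Resolve-NavigationUrl -Raw $Raw
    return ($p.Ok -and $p.Host -eq $TrustedHost)   # string -eq is case-insensitive
}

$trusted = 'www.microsoft.com'
$samples = @(
    'https://www.microsoft.com/security',                 # the real site
    'http://www.microsoft.com@www.illhackyou.net/login',  # user-info spoof
    'http://www.microsoft.com.illhackyou.net/login',      # look-alike subdomain
    'javascript:alert(document.cookie)',                  # scheme a browser should not navigate to
    'http://[::1'                                          # malformed; the parser refuses it
)

# Side by side: the prefix check trusts both look-alikes; the funnel trusts
# only the real site and shows the host a user would actually be talking to.
$samples | ForEach-Object {
    $p = Resolve-NavigationUrl -Raw $_
    [pscustomobject]@{
        AdHocTrusts  = Test-LooksLikeTrustedSite -Raw $_ -TrustedHost $trusted
        FunnelTrusts = Test-TrustedSite -Raw $_ -TrustedHost $trusted
        AddressBar   = if ($p.Ok) { $p.Host } else { "(refused: $($p.Reason))" }
        Url          = $_
    }
} | Format-Table -AutoSize
```

The prefix check says yes to both look-alikes because it never decides where the host ends; the funnel parses once, so the user-info spoof resolves to www.illhackyou.net, which is precisely the string a mandatory address bar puts in front of the user.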
In early November, a group of Web browser developers got together and started
fleshing out standards for address bar coloring, which can cue users to secured
connections. Under the proposal laid out by IE 7 team member Rob Franco, even
sites that use a standard SSL certificate will display a standard white address
bar. Sites whose certificates meet a stronger, as yet undetermined standard of
identity validation will get a green bar.
The conservative color scheme -- with ordinary SSL connections shown in generic
white -- is an excellent decision. Too many commercial certification authorities
hand out SSL certificates like candy without adequately verifying the identity
of the certificate requestor. An ordinary certificate proves, at best, that the
requestor controlled the domain name when the certificate was issued, not who
the requestor is. As a result, you can't be certain the site you're on belongs
to your bank, even if it does have an SSL certificate issued in your bank's name.
Franco also said that when navigating to an SSL-protected site, the IE 7 address
bar will display the business name and certification authority's name in the
address bar. This will also help users better understand what's going on. You
can read more of Franco's thoughts at http://tinyurl.com/9fqk7.
As an aside, I'd really like to see Microsoft cut back on the number of certification
authorities (CAs) they pre-approve in new versions of Windows. At the very least,
Microsoft should confirm that the CAs bundled with Windows meet more stringent
requirements for identity verification throughout their certificate-issuing
processes.
Shields Up!
People using Windows Vista beta 2 will find a new feature called Protected Mode,
which renders IE 7 unable to modify system files and settings. This essentially
breaks down part of the integration between IE and Windows itself. Any attempt
by IE to write to the operating system goes through a separate broker process,
which inspects each request and can refuse any -- a scripted action, for instance
-- that would download to or modify system locations.
This is a welcome and fundamental change. Basically, Protected Mode throws
up a shield around IE and walls off the rest of Windows from whatever trouble
IE might get itself into. Unfortunately, this capability will not be available
in Windows XP, because it depends on access-control machinery that is woven
directly into Windows Vista itself.
In a sense, Protected Mode is an admission that it may not be possible to fix
IE security without creating major compatibility issues. Rather than fix the
browser, Microsoft has chosen to isolate it from the operating system.
Another source of chronic IE security shortcomings has been add-ons like ActiveX
controls and Browser Helper Objects (BHOs). These have become infamous as conduits
for spyware, adware and malware. Sadly, these oft-misused extensibility features
remain in IE 7, although they've been configured with more secure default settings.
IE 7 does offer a "No Add-ons" mode that disables all add-ons. There's a special
Start menu shortcut to launch IE in this mode. IE 7 beta 2 is also slated to
receive a new Add-On Manager to make it easier for you to see what's installed
and to help you remove any add-ons.
As is the case with CAs, some form of oversight would be welcome. A Microsoft
certification program -- similar to driver signing -- would boost protection.
Microsoft could analyze legitimate add-ons like the MSN Search Toolbar or the
Google Toolbar for compliance with security standards. Those that comply would
be digitally signed by Microsoft. Unsigned add-ons would be disabled altogether.
Yes, this type of program would put Microsoft in the position of testing and
approving add-ons, but they already do this with drivers to help ensure system
stability. In most cases, simply verifying that an add-on does nothing beyond
what it advertises would be sufficient.
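Until something like the signing regime proposed above exists, an administrator can at least see what is loaded and whether anyone vouches for it. The PowerShell below is an added example, not code from the article or from Microsoft: it enumerates the Browser Helper Objects registered on the machine (the registry locations used are the standard BHO and CLSID keys, with the Wow6432Node variants for 32-bit IE on 64-bit Windows, a detail the article does not discuss), resolves each CLSID to the DLL behind it and reports the DLL's Authenticode status, so unsigned or tampered add-ons surface first. Function names and the output columns are this example's own choices.

```powershell
# Added example, not code from the article or from Microsoft: audit installed
# Browser Helper Objects and report which ones carry a valid Authenticode
# signature. Run in an elevated Windows PowerShell session.

# Standard BHO registration keys; the Wow6432Node key holds 32-bit BHOs on
# 64-bit Windows, and HKCU catches per-user registrations.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# A BHO is a COM object; its CLSID's InprocServer32 default value names the DLL.
function Resolve-ComServerPath {
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
                      'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key).'(default)'
            if ($raw) {
                # Paths may be quoted and may use %SystemRoot%-style variables
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

function Get-InstalledBho {
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem -Path $bhoKey) {
            $clsid = $entry.PSChildName
            $dll   = Resolve-ComServerPath -Clsid $clsid
            $sig   = if ($dll -and (Test-Path $dll)) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
            $name  = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Clsid     = $clsid
                Name      = $name
                Dll       = $dll
                # Valid, NotSigned, HashMismatch, UnknownError ... or NoFile if the DLL is gone
                Signature = if ($sig) { $sig.Status } else { 'NoFile' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # NoExplorer = 1 means the BHO loads in IE but not in Windows Explorer
                IeOnly    = [bool]$entry.GetValue('NoExplorer')
            }
        }
    }
}

# Anything other than Valid is what a Microsoft signing program would have
# blocked outright; list those first.
Get-InstalledBho |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Name |
    Format-Table Signature, Name, Signer, Dll -AutoSize

# IE's own "No Add-ons" shortcut is equivalent to launching with the -extoff switch:
#   Start-Process iexplore.exe -ArgumentList '-extoff'
```

A signature only tells you who published the DLL, not what it does, which is why the article's proposal asks Microsoft to review behavior as well as sign; the script gives you the inventory to start that review from, and a HashMismatch status on a previously signed add-on is worth treating as an incident rather than a nuisance.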
Is It Really More Secure?
Microsoft's position is that any Web browser -- or any sophisticated piece of
code for that matter -- is going to have security vulnerabilities. That's true,
but one way other browsers have mitigated the problem is to reduce complexity
and include fewer built-in functions and features. IE has taken the more complex
route.
The majority of IE's notorious security flaws stem from its pervasive integration
with Windows. No other Web browser is wired into the operating system this deeply,
and that exposure is exactly what Vista's Protected Mode intends to mitigate. IE 7
obviously won't remove all of that tight integration. Lacking deep architectural
changes, the effort has focused instead on hardening or eliminating known potential
vulnerabilities. Unfortunately, this approach requires Microsoft to anticipate
everything that could go wrong and block it in advance -- hardly a surefire way
to secure a browser.
IE 7 does eliminate a great deal of legacy code that dates back to the IE 4
days, which is a welcome development. It would have been better to see IE 7
made less functional in some ways and separated from Windows itself. For example,
Microsoft could eliminate ActiveX support or restrict what ActiveX and related
technologies can do. Of course, breaking ActiveX poses a significant compatibility
issue.
Beta Man's Routine Disclaimer:
The software described here is incomplete and still under development; expect
it to change before its final release -- and hope it changes for the better.
The solution is already out there in Windows Server 2003, which ships with
Internet Explorer Enhanced Security Configuration turned on by default. This
locked-down flavor of IE does little more than render HTML. If you want add-ons
for IE, you have to install a separate Windows component to get them. In a
perfect world, ActiveX and other troublesome add-on technologies wouldn't work
at all until you actually went into Windows Setup and installed them yourself.
IE 7 offers several new security features, but it's hardly a given that the
situation will improve. There has already been a set of security updates for
IE 7 beta 1 released for both Windows Vista and Windows XP computers. Security
vulnerabilities in a beta product shouldn't be alarming (IE 7 is hardly what
you'd consider "finished" at this point), but it may be a sign that the product's
architecture and design still have fundamental security issues.
What's Missing?
The spate of new IE security enhancements should close the doors on many tried-and-true
attacks. The question is, can the developers at Microsoft stay a step ahead
of the bad guys and consistently anticipate what might happen next?
Ultimately, the greatest security weakness in IE 7 will be the people who use
it. Most attacks nowadays -- phishing being the best example -- exploit social
weaknesses more than technological deficiencies. Features like the IE Phishing
Filter are probably just the first volley in the war over social attacks. Even
if IE 7 -- and every other browser on the planet -- were 100 percent secure
from a code perspective, they would still be vulnerable to those who seek to
exploit other people's ignorance.
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.