IE’s Extreme Security Makeover
Microsoft throws in a bevy of new features in Internet Explorer 7 to improve security -- but are they enough?
So far, I like most of what I've seen in the new Internet Explorer -- especially
the tabbed browsing. I still can't help but wonder why it took Microsoft so
long to implement such a simple feature, but at least it's finally there.
Last month, I touched on some
of the new security features and architectural enhancements in Internet Explorer 7 (IE 7). Because the previous versions of IE have been such a pain in the neck from a security perspective, I wanted to take a more in-depth look at what IE 7 brings to the table in terms of security.
many commercial certification authorities hand out SSL certificates
like candy without adequately verifying the identity of the certificate
Microsoft has rewritten a good bit of IE 7's core code to help combat attacks
that rely on malformed URLs (that typically cause a buffer overflow). It now funnels
all URL processing through a single function (thus reducing the amount of code
that "looks" at URLs).
The idea here is that less code looking at URLs equals less possibility for
errors. It's not a bad approach. The new behavior is similar to the way IIS
6 funnels all incoming HTTP requests through a system-level HTTP listener for
basic checks before passing the data along. This type of hardening is an excellent
architectural strategy, as it can help mitigate the risk of certain types of
One area where some interesting things are happening is in the realm of end-user
situational awareness. With IE 7, Microsoft has bolstered the visual cues that
help users understand where they are, which site they're browsing and what kind
of connection they're making.
Internet Explorer 7
Reviewed: Beta 1
Current Status: Beta 1
Expected Release: Mid- to Late-2006 (currently)
For instance, IE 7 requires that all browser windows display an address bar.
This helps foil attackers that operate by popping up new windows masquerading
as pages on a legitimate site, when in fact the site is fraudulent. By requiring
an address bar, users will immediately see the true URL of the displayed page,
making these types of attacks more obvious. If you think you're looking at www.microsoft.com,
but the browser address bar says www.illhackyou.net, you ought to be suspicious.
In early November, a bunch of Web browser developers got together and started
fleshing out standards for address bar coloring, which can cue users to secured
connections. Under the proposal laid out by IE 7 team member Rob Franco, even
sites that use a standard SSL certificate will display a standard white address
bar. Sites that use a stronger, as yet undetermined level of protection will
use a green bar.
The conservative color scheming -- with SSL connections shown in generic white
-- is an excellent decision. Too many commercial certification authorities hand
out SSL certificates like candy without adequately verifying the identity of
the certificate requestor. As a result, you can't be certain the site you're
on belongs to your bank, even if it does have an SSL certificate issued to your
Franco also said that when navigating to an SSL-protected site, the IE 7 address
bar will display the business name and certification authority's name in the
address bar. This will also help users better understand what's going on. You
can read more of Franco's thoughts at http://tinyurl.com/9fqk7.
As an aside, I'd really like to see Microsoft cut back on the number of certification
authorities (CAs) they pre-approve in new versions of Windows. At the very least,
Microsoft should confirm that the CAs bundled with Windows meet more stringent
requirements for identity verification throughout their certificate-issuing
People using Windows Vista beta 2 will find a new feature called Protected Mode,
which renders IE 7 unable to modify system files and settings. This essentially
breaks down part of the integration between IE and Windows itself. All communications
with the operating system occur through a broker process, which gets to analyze
everything and stomp on any communications -- like scripted actions -- that
might try to download or modify system data.
This is a welcome and fundamental change. Basically, Protected Mode throws
up a shield around IE and walls off the rest of Windows from whatever trouble
IE might get itself into. Unfortunately, this capability will not be available
in Windows XP because it's woven directly into Windows Vista itself.
In a sense, Protected Mode is an admission that it may not be possible to fix
IE security without creating major compatibility issues. Rather than fix the
browser, Microsoft has chosen to isolate it from the operating system.
position is that any Web browser -- or any sophisticated piece of
code for that matter -- is going to have security vulnerabilities."
Another source of chronic IE security shortcomings has been add-ons like ActiveX
controls and Browser Helper Objects (BHOs). These have become infamous as conduits
for spyware, adware and malware. Sadly, these oft-misused extensibility features
remain in IE 7, although they've been configured with more secure default settings.
IE 7 does offer a "No Add-ons" mode that disables all add-ons. There's a special
Start menu shortcut to launch IE in this mode. IE 7 beta 2 is also slated to
receive a new Add-On Manager to make it easier for you to see what's installed
and to help you remove any add-ons.
As is the case with CAs, some form of oversight would be welcome. A Microsoft
certification program -- similar to driver signing -- would boost protection.
Microsoft could analyze legitimate add-ons like the MSN Search Toolbar or the
Google Toolbar for compliance with security standards. Those that comply would
be digitally signed by Microsoft. Unsigned add-ons would be disabled altogether.
Yes, this type of program would put Microsoft in the position of testing and
approving add-ons, but they already do this with drivers to help ensure system
stability. In most cases, simply verifying that add-ons don't do anything sneaky
would be sufficient.
Is It Really More Secure?
Microsoft's position is that any Web browser -- or any sophisticated piece of
code for that matter -- is going to have security vulnerabilities. That's true,
but one way other browsers have mitigated the problem is to reduce complexity
and include fewer built-in functions and features. IE has taken the more complex
The majority of IE's notorious security flaws stem from its pervasive integration
with Windows. That is a feature no other Web browser offers -- and an ability
that Vista's Protected Mode intends to mitigate. IE 7 obviously won't remove
all of that tight integration. Lacking deep architectural changes, the effort
has focused instead on hardening or eliminating potential vulnerabilities. Unfortunately,
this approach requires Microsoft to anticipate everything that could go wrong
and block it in advance -- hardly a surefire way to secure a browser.
IE 7 does eliminate a great deal of legacy code that dates back to the IE 4
days, which is a welcome development. It would have been better to see IE 7
made less functional in some ways and separated from Windows itself. For example,
Microsoft could eliminate ActiveX support or restrict what ActiveX and related
technologies can do. Of course, breaking ActiveX poses a significant compatibility
| The software
described here is incomplete and still under development; expect it to change
before its final release -- and hope it changes for the better.
The solution is already out there in Windows 2003 Server, which features the
default Internet Explorer Enhanced Configuration. This locked-down flavor of
IE does little more than render HTML. If you want add-ons for IE, you have to
install a discreet Windows component to do it. In a perfect world, ActiveX and
other troublesome add-on technologies wouldn't work at all until you actually
went into Windows Setup and installed them yourself.
IE 7 offers several new security features, but it's hardly a given that the
situation will improve. There has already been a set of security updates for
IE 7 beta 1 released for both Windows Vista and Windows XP computers. Security
vulnerabilities in a beta product shouldn't be alarming (IE 7 is hardly what
you'd consider "finished" at this point), but it may be a sign that the product's
architecture and design still have fundamental security issues.
The spate of new IE security enhancements should close the doors on many tried-and-true
attacks. The question is, can the developers at Microsoft stay a step ahead
of the bad guys and consistently anticipate what might happen next?
Ultimately, the greatest security weakness in IE 7 will be the people who use
it. Most attacks nowadays -- phishing being the best example -- exploit social
weaknesses more than technological deficiencies. Features like the IE Phishing
Filter are probably just the first volley in the war over social attacks. Even
if IE 7 -- and every other browser on the planet -- were 100 percent secure
from a code perspective, they would still be vulnerable to those who seek to
exploit other people's ignorance.