News

IE Settings Can Enable Intranet Attacks, Report Says

Default security settings in Microsoft's Internet Explorer browser could open a company's intranet to hacking attacks, according to a recent security white paper.

Default security settings in Microsoft's Internet Explorer browser could open a company's intranet to hacking attacks, according to a recent security white paper.

The report, posted last week by Argentina-based security consultancy Argeniss, defined the issue based on Microsoft's scheme of using five security zones in Internet Explorer. In particular, the Local Intranet Zone has a more relaxed security setting by default than the Internet Zone. The white paper outlines a proof-of-concept attack based on that lowered security setting.

Someone with inside information about the appearance of the company's intranet interface could use that information in combination with phishing techniques to harvest passwords and gain access to workstations, according to the report's author, Cesar Cerrudo. The report focused on IE 7, but it can apply to IE 8 too.

Cerrudo notes that it's possible to get to the intranet, with its lower default security setting, through the Internet. Another issue is that Microsoft's cross-site scripting filter is disabled by default in IE. Consequently, an attacker just needs to lure the victim to a Web site controlled by him where script code opens a password login box that looks like the one used in the company's intranet. It's a scenario that requires inside information.

To prevent such a phishing scenario, Cerrudo recommends disabling two options that might allow the construction of such a fake login box: "allow script-initiated windows without size or position constraints" and "allow websites to open windows without address or status bar." He also recommends turning on the "enable XSS filter" setting on the Local Intranet Zone.

The report also mentions how SQL injection attacks could be carried out due to default security settings in IE. Cerrudo recommends turning on the "prompt for user name and password" setting on the Local Intranet Zone to help prevent such attacks.

Microsoft, when contacted about the report, stressed that such exploits are possible in "an untrustworthy internal environment."

"It's important to understand that the report outlines scenarios where the internal network cannot be trusted due to a breakdown in other security controls," a Microsoft spokesperson explained by e-mail." Every attack that Cesar Cerrudo outlined requires that an internal server has a vulnerability or that security controls be relaxed enough so that unauthorized users are able to take inappropriate actions against internal servers."

Still, the Microsoft spokesperson said that the report "outlines viable security options for operating Internet Explorer" in such untrustworthy environments. The spokesperson recommended that IT pros change IE's default security settings in accord with organizational security policy.

Some additional IE 8 security tips are referenced in Microsoft's team blog here, as well as at the Microsoft enterprise IE 8 site.

The report, "Opening Intranets to attacks by using Internet Explorer," can be accessed at Argeniss' Web site here (PDF).

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

Featured

  • Azure Cost Management Now Commercially Available for Some Tenancies

    Microsoft on Monday announced that its Azure Cost Management feature had reached the "general availability" release stage for both Azure "pay-as-you-go" customers and Azure Government tenancies.

  • Microsoft Bringing Files Restore Capability to SharePoint Online and Teams

    Microsoft on Monday announced that it's delivering its Files Restore feature for SharePoint Online and Microsoft Teams to Office 365 tenancies as early as this month.

  • Microsoft Nabs IoT Platform Provider Express Logic

    As part of its plan to invest $5 billion in IoT technologies, Microsoft this week acquired Express Logic, which provides real-time operating systems for industrial embedded and IoT devices.

  • Dealing with Broken Dependencies in SCVMM

    Brien shows you how to resolve some broken, template-related dependencies in Microsoft's System Center Virtual Machine Manager.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.