Windows Secrets


Windows Secrets Newsletter • Issue 85 • 2006-10-26 • Circulation: over 400,000


Table of contents 
  • Top Story: IE 7 needs tweaking for safety
  • Perimeter Scan: Do you have HIPS in your future?
  • Woody's Windows: Top timesaving tips in IE 7 and Firefox 2
  • Over the Horizon: Old flaws still plague Internet Explorer
  • Patch Watch: Patches have problems as IE 7 seeks deployment

 
Top Story

IE 7 needs tweaking for safety

By Brian Livingston

Microsoft’s new Internet Explorer 7.0 browser, which was released to the public last week, includes several security improvements but still has weaknesses inherited from IE 6.

I’ll show you an easy way to “harden” IE 7 so you’re protected against hacker threats that haven’t even been invented yet.

IE 7 suffers from some IE 6 weaknesses

IE 7 does benefit from some significant updates over IE 6. For example, the so-called Phishing Filter in IE 7 warns you if a page you’re about to visit is in a real-time database of hacked sites. (You must turn on this filter for it to work. Hopefully, most users will do so because IE 7 asks for the filter to be enabled the first time you use the new browser.)

Also, IE 7’s new Protected Mode, which only works in Windows Vista, will prevent Web sites from modifying system files or settings. I described several of these new features in my Executive Tech column on Oct. 24.

Unfortunately, IE 7 still contains some security weaknesses that were present in IE 6 — and which Microsoft still hasn’t fixed in that older browser. The most publicized example since IE 7 went gold is the so-called MHTML hole. This problem allows a hacked site to read information from the window of a different site you’re visiting, such as an online banking service.

The respected security firm Secunia published an advisory on Oct. 19 publicizing a free test for the weakness in IE 7. The problem in IE 7 is almost identical to the one described by Secunia in an April 2006 advisory that affects IE 6. (Contributing editor Chris Mosby has more in his column in today’s paid newsletter, below, about this and other flaws that IE 7 has inherited from IE 6.)

Neither the IE 6 nor the IE 7 problems are considered severe. Secunia rates them only 2 on a scale of 5 in severity, mainly because a hacker must first get you to visit a rogue Web site before being able to read information from other sites you may visit. You can close the holes in both browser versions by changing Active Content to a setting of Disable in the Security tab of IE’s Internet Options dialog box. (See Figure 1.)

Figure 1: You can easily disable active scripting using IE 7’s Internet Options dialog box.

But why stop there? If other weaknesses loom in IE 7 — and you can easily close these holes without waiting for a threat to attack you first — why not protect yourself proactively?

Changing IE’s profile from weak to strong

I contacted Arie Slob (pronounced "slobe"), a Dutch citizen who lives in Malta but works for a U.S. company named Infinisource. Arie runs Web servers for the company and, more importantly, has analyzed the inner workings of most of IE’s Internet Options settings.

After a telephone discussion with me, Arie completed an analysis of IE 7’s Internet Options and posted it on Oct. 25. Back in 2004, I used his findings to recommend changes to 19 of the options in IE 6 SP1. (A link is shown at the end of this article.)

Arie told me in a telephone interview that only a couple of IE 6’s Internet Options settings had been changed in a more secure direction in IE 7 by Microsoft. He’s particularly concerned that, in his words: "There are new settings for XAML and they’re all enabled by default."

XAML — Extensible Application Markup Language, pronounced "zammel" — is a Microsoft-specific technology designed for corporate developers who wish to deliver simple but striking user interfaces, similar in some ways to Flash animations. There’s a risk, however, that XAML might some day be used by hackers to deliver infected code to unsuspecting users.

Why would Microsoft enable such technologies by default in IE 7? At Microsoft’s Professional Developers’ Conferences in recent years, company officials have stated that technologies won’t be enabled in Windows by default unless 90% of users would use a technique. (Printing is an example of a technology that should be "on" while macros and other active content should be "off" unless enabled by users or administrators.) Since corporate admins could easily enable XAML companywide using Group Policy, why turn XAML on for all IE 7 users? Why create yet another code monoculture for hackers to take advantage of?

The answer is that XAML is built on Microsoft’s Windows Presentation Foundation (WPF), a key feature of .NET Framework 3.0. This technology is aimed at corporate developers whom Microsoft wants to build Windows-only applications. Rather than ask these large enterprises to flip a simple switch to enable XAML in IE 7, Microsoft apparently decided that compiled .xaml files should run in the browser by default for every Windows user in the world.

How to configure IE 7 to protect yourself

Just because certain features are enabled in IE 7, that doesn’t mean you have to leave them on and expose yourself to rogue examples of such code in the future. Shown below is a concise list of the way Arie recommends that you configure Internet Options in IE 7 to protect your system.

In IE 7, click Tools, Internet Options, and then select the Security tab. With the Internet zone selected, the security level by default should be set to Medium-High. Click the Custom Level button. Set the following choices:
  • .NET Framework
    • Loose XAML: Disable
    • XAML browser applications: Disable
    • XPS documents: Disable
  • ActiveX controls and plug-ins
    • Binary and script behaviors: Disable
    • Run ActiveX controls and plug-ins: Disable
    • Script ActiveX controls marked safe for scripting: Disable
  • Downloads
    • Font download: Disable
  • Enable .NET Framework setup: Disable
  • Miscellaneous
    • Allow META REFRESH: Disable
    • Allow Web pages to use restricted protocols for active content: Disable
    • Display mixed content: Disable
    • Drag and drop or copy and paste files: Disable
    • Installation of desktop items: Disable
    • Launching applications and unsafe files: Disable
    • Launching programs and files in an IFRAME: Disable
    • Navigate sub-frames across different domains: Disable
    • Software channel permissions: Maximum Safety
    • Submit non-encrypted form data: Disable
    • Userdata persistence: Disable
    • Web sites in less privileged Web content zone can navigate into this zone: Disable
  • Scripting
    • Active scripting: Disable
    • Allow programmatic Clipboard access: Disable
    • Scripting of Java applets: Disable

Some of the above settings will interfere with the operation of some legitimate Web sites. I’ll describe in the following section how to work around this.
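IE stores each Custom Level choice as a DWORD in the current user’s registry, so the list above can be applied or audited without clicking through the dialog. The script below is an added example, not code from the newsletter or from Arie Slob; it maps the recommended settings to the per-zone registry values (Zone 3 is the Internet zone), writes a .reg file, and reports which exported values still differ from the recommendation. It assumes Microsoft’s documented encoding for these values (0 = Enable, 1 = Prompt, 3 = Disable; Software channel permissions uses 0x10000, 0x20000 and 0x30000 for Low, Medium and High safety) and takes "Maximum Safety" on the page to mean the High-safety value. The SAMPLE_CURRENT values are constructed for illustration, not real defaults.

```python
"""Map Arie Slob's recommended IE 7 Internet-zone settings to registry values.

Added example. Assumption: the action identifiers and value encoding below
follow Microsoft's documented layout for the per-zone "Zones\\<n>" keys.
"""

# Zone 3 is the Internet zone; per-user settings live under HKCU.
ZONE_INTERNET_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                     r"\CurrentVersion\Internet Settings\Zones\3")

ENABLE, PROMPT, DISABLE = 0, 1, 3
SOFTWARE_CHANNEL_HIGH_SAFETY = 0x30000  # "Maximum Safety" on the page (assumption)

# action id -> (name as shown in the Custom Level dialog, recommended value)
RECOMMENDED = {
    "2402": ("Loose XAML", DISABLE),
    "2400": ("XAML browser applications", DISABLE),
    "2401": ("XPS documents", DISABLE),
    "2000": ("Binary and script behaviors", DISABLE),
    "1200": ("Run ActiveX controls and plug-ins", DISABLE),
    "1405": ("Script ActiveX controls marked safe for scripting", DISABLE),
    "1604": ("Font download", DISABLE),
    "2600": ("Enable .NET Framework setup", DISABLE),
    "1608": ("Allow META REFRESH", DISABLE),
    "2300": ("Allow Web pages to use restricted protocols for active content", DISABLE),
    "1609": ("Display mixed content", DISABLE),
    "1802": ("Drag and drop or copy and paste files", DISABLE),
    "1800": ("Installation of desktop items", DISABLE),
    "1806": ("Launching applications and unsafe files", DISABLE),
    "1804": ("Launching programs and files in an IFRAME", DISABLE),
    "1607": ("Navigate sub-frames across different domains", DISABLE),
    "1E05": ("Software channel permissions", SOFTWARE_CHANNEL_HIGH_SAFETY),
    "1601": ("Submit non-encrypted form data", DISABLE),
    "1606": ("Userdata persistence", DISABLE),
    "2101": ("Web sites in less privileged Web content zone can navigate into this zone", DISABLE),
    "1400": ("Active scripting", DISABLE),
    "1407": ("Allow programmatic Clipboard access", DISABLE),
    "1402": ("Scripting of Java applets", DISABLE),
}


def recommended_values():
    """Registry values (action id -> DWORD) a fully hardened Internet zone holds."""
    return {action_id: value for action_id, (_, value) in RECOMMENDED.items()}


def reg_file(settings=RECOMMENDED):
    """Render the settings as a .reg file; ';' lines are comments in that format."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_INTERNET_KEY}]"]
    for action_id, (name, value) in settings.items():
        lines.append(f"; {name}")
        lines.append(f'"{action_id}"=dword:{value:08x}')
    return "\r\n".join(lines) + "\r\n"


def audit(current):
    """Return (action id, name, current value, recommended value) for every
    setting that is missing from `current` or differs from the recommendation."""
    findings = []
    for action_id, (name, wanted) in RECOMMENDED.items():
        have = current.get(action_id)
        if have != wanted:
            findings.append((action_id, name, have, wanted))
    return findings


def describe(value):
    """Human-readable form of a zone DWORD for the audit report."""
    if value is None:
        return "not set"
    return {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}.get(value, hex(value))


# Constructed sample of values exported from a machine that has not been
# hardened; for illustration only, not IE 7's real Medium-High defaults.
SAMPLE_CURRENT = {
    "1400": ENABLE,    # Active scripting still on
    "1200": ENABLE,    # ActiveX controls still run
    "1405": ENABLE,
    "1604": ENABLE,
    "1609": PROMPT,    # mixed content prompts instead of being blocked
    "1E05": 0x20000,   # Medium safety
    "2101": DISABLE,   # already as recommended
    "1402": DISABLE,   # already as recommended
}

if __name__ == "__main__":
    print(reg_file())
    for action_id, name, have, want in audit(SAMPLE_CURRENT):
        print(f"{action_id} {name}: is {describe(have)}, should be {describe(want)}")
```

Importing the generated file with regedit applies the whole list in one step; the audit function is meant to be fed the DWORDs exported from Zones\3 on a machine you want to verify, and flags values that are absent as well as values that are merely set to Prompt.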

Firefox is still a better browser than IE 7

Changing IE 7’s default settings can remove some functionality from Web sites you may regularly visit. For example, disabling "active scripting" turns off JavaScript. Many sites use JavaScript to activate various menu options. For example, the menu at the WindowsSecrets.com site (but not in the newsletter) shows you what second-level options are available when you hover your mouse over a top-level option.

We’ve designed the menu at our site so it works (less slickly) even if JavaScript is disabled in a visitor’s browser. For example, you can simply click a top-level menu item and the resulting page then shows your second-level choices.

But not all sites have this kind of fall-back design. Here are my recommendations on how to use the Web effectively, despite the fact that you’ve made IE 7 more secure:

• Use Firefox, not IE 7. Firefox is inherently a more secure browser than Internet Explorer, even version 7.0. For example, Firefox is not vulnerable to Secunia’s test of the MHTML hole that IE 7 (and IE 6 and IE 5) suffers from.

Most sites today work with both Firefox and IE (and other major browsers, such as Opera, Netscape, and Mac Safari). Sites that really require IE are declining. If you haven’t already installed Firefox, the new version 2.0 can be downloaded from the Mozilla release notes page. (Be sure to read the notes before installing.)

• Add legitimate IE-only sites to the Trusted Sites zone. If you encounter a site that you know to be responsible — but it requires Internet Explorer for some reason — you can easily add the site to IE’s Trusted Sites zone. In IE 7, pages in the Trusted Sites zone run at the Medium security level (not Medium-High as in the Internet zone) and aren’t restricted by the customizations you’ve applied to the Internet zone.

To add a Web address to the Trusted Sites zone in IE, click Tools, Internet Options, and then select the Security tab. Select the Trusted Sites zone, click the Sites button, and add the address of the site you wish to visit. If the site doesn’t use encrypted pages, turn off the option Require server verification (https:) for all sites in this zone.
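Site-to-zone assignments are also registry data, which matters if you want to review what has been added to Trusted Sites or push the same list to several machines. The script below is an added example, not code from the newsletter or from Microsoft; it builds the .reg entries for a list of sites and works out whether the "Require server verification (https:)" option has to be turned off. It assumes IE keeps these mappings under ZoneMap\Domains\<domain>\<host> with one DWORD per scheme (2 = Trusted Sites) and that bit 0x40 of the zone’s Flags value is the server-verification option; the site list is constructed.

```python
"""Generate Trusted Sites zone mappings for IE (added example).

Assumptions: ZoneMap\\Domains\\<domain>\\<host> holds one DWORD per URL
scheme whose value is the zone number (2 = Trusted Sites); bit 0x40 of
Zones\\2\\Flags is "Require server verification (https:) for all sites".
"""
from urllib.parse import urlsplit

ZONEMAP_DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                       r"\CurrentVersion\Internet Settings\ZoneMap\Domains")
ZONE_TRUSTED = 2
FLAG_REQUIRE_VERIFICATION = 0x40


def split_host(host):
    """'www.example.com' -> ('example.com', 'www'); 'example.com' -> ('example.com', None).
    Plain two-label split; multi-label public suffixes such as co.uk are not special-cased."""
    labels = [part for part in host.lower().strip(".").split(".") if part]
    if len(labels) < 2:
        raise ValueError(f"need a dotted host name, got {host!r}")
    return ".".join(labels[-2:]), ".".join(labels[:-2]) or None


def trusted_site_entries(urls):
    """Return {(domain, host-or-None): {schemes}} for the given URLs."""
    entries = {}
    for url in urls:
        parts = urlsplit(url if "://" in url else "http://" + url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"unsupported URL {url!r}")
        domain, sub = split_host(parts.hostname)
        entries.setdefault((domain, sub), set()).add(parts.scheme)
    return entries


def trusted_sites_reg(urls):
    """Render the ZoneMap entries as a .reg file."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    ordered = sorted(trusted_site_entries(urls).items(),
                     key=lambda kv: (kv[0][0], kv[0][1] or ""))
    for (domain, sub), schemes in ordered:
        key = ZONEMAP_DOMAINS_KEY + "\\" + domain + ("\\" + sub if sub else "")
        lines.append(f"[{key}]")
        for scheme in sorted(schemes):
            lines.append(f'"{scheme}"=dword:{ZONE_TRUSTED:08x}')
        lines.append("")
    return "\r\n".join(lines)


def needs_https_requirement_off(urls):
    """True when any listed site is plain http, so the zone's
    'Require server verification (https:)' option must be turned off."""
    return any(scheme == "http"
               for schemes in trusted_site_entries(urls).values()
               for scheme in schemes)


def clear_require_verification(flags):
    """Clear the server-verification bit in the Trusted Sites zone's Flags DWORD."""
    return flags & ~FLAG_REQUIRE_VERIFICATION


# Constructed site list for illustration; these are not real IE-only sites.
SAMPLE_SITES = ["http://www.example.com", "https://secure.example.com",
                "intranet.example.org"]

if __name__ == "__main__":
    print(trusted_sites_reg(SAMPLE_SITES))
    if needs_https_requirement_off(SAMPLE_SITES):
        print("; one or more sites are http only: turn off 'Require server verification'")
```

Note that an entry written for the bare domain (no host subkey) applies to every host under it, so keep the host part when you only trust one server.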

It’s even easier to add an address to your Trusted Sites if you install Microsoft’s Power Tweaks Web Accessories from the company’s download page. This applet inserts an option called Add to Trusted Zone right on IE’s Tools menu. (Microsoft’s download page says the download is only for IE 5, but it works fine on IE 6 and IE 7.)

• Easily open pages in IE while in Firefox. If you use Firefox routinely, you can quickly open an IE-only page in IE by clicking an icon on the Firefox toolbar. To do this, install IE View, an extension available from Mozdev.org. You can even set specific sites to automatically open in IE, if you absent-mindedly surf to them in Firefox.

• Install IE 7 just to protect yourself against IE 6. If you run Firefox or some other secure browser, you may wonder why you should upgrade to IE 7 at all. The answer is that you might be induced to visit an IE-only site some day, and that site turns out to be infected (deliberately or accidentally). Browsing with IE 7 instead of IE 6 does provide you with better protection, especially if you’ve made the changes shown above. To install IE 7, visit Microsoft’s download page.

• Why not just set IE 7’s security level to “High”? It’s always possible to crank IE’s Internet Zone up to the High security level instead of Medium-High. Doing this, however, makes most Web sites unusable, because IE then pops up a warning every time some harmless page script runs. Sometimes, several warnings appear on every page of a site. Using the customized settings shown above — and adding respected companies to your Trusted Sites zone — provides you with fairly good protection without subjecting you to such pointless harassment.

• Watch out for ClearType after installing IE 7. Rudely, IE 7 (when installed on XP machines) enables ClearType in browser windows, even if you had previously disabled it. ClearType makes text look less jagged on LCD screens, but it can make type look fuzzy on CRT monitors. This can affect other applications that use the IE rendering engine, such as the preview pane in Outlook and FrontPage.

You can turn ClearType off by running IE 7, clicking Tools, Internet Options, and selecting the Advanced tab. Under the Multimedia section, turn off Use ClearType. Alternatively, you can try tuning the effect to see if you like it, using MS’s online tuner page.

How to test your browsers for safety

As mentioned earlier, Secunia provides harmless test pages that can show you whether a particular browser is vulnerable to a known security threat. You should test every browser that you use.

Secunia’s test for the MHTML hole is linked to from two separate pages: one that applies to IE 7, and one that applies to IE 5/IE 6 and Outlook Express 5.5 and 6.

Another set of tests demonstrates a new threat first reported on Oct. 25. This flaw, which Secunia rates as only 2 on a severity scale of 5, allows a rogue Web site that you visit to fake the address bar in a pop-up window that appears later. The pop-up window can appear to originate from a legitimate site that you happen to be visiting at that moment. This can lure you into entering passwords or other personal data.

This pop-up test is linked to from a page that specifically mentions IE 7. Firefox 1.x, however, also appears to be vulnerable to this kind of spoofing. There’s no workaround to correct this in either browser at this time, so always be suspicious of any pop-up window that appears unexpectedly.

Important note: If you’ve made the changes shown above to harden IE 7, the link on Secunia’s test pages entitled Test Now — Left Click On This Link won’t do anything when you click it. The lack of action demonstrates that the vulnerability has been eliminated. But it can be confusing if you don’t know why the link isn’t working.

Arie Slob provides three separate pages that explain the weaknesses in different versions of Internet Explorer and how the Internet Options should be changed. These pages cover IE 7, IE 6 with Service Pack 2, and IE 6 with Service Pack 1.

My original Windows Secrets story, which described how to harden IE 6 with Service Pack 1 (for people who, for whatever reason, couldn’t upgrade to SP2) was published on Nov. 18, 2004.

How to get more information

As I mentioned earlier, Chris Mosby’s column in the paid version of this newsletter explains how to protect yourself against new threats that haven’t yet been patched. Susan Bradley’s column describes how to work around any problems that have been found with officially released patches, and Ryan Russell’s column teaches you how to know when you have adequate protection.

To get these columns, and gain access to all of our old and new paid content for a full year, you can upgrade to the paid version of the newsletter. We don’t require any fixed fee. You can contribute whatever it’s worth to you. We want as many people as possible to have this information. How to upgrade

That’s it for now. If you have further information to share about IE 7, or you have a tip on any other topic, send it to me using the Windows Secrets contact page. You’ll receive a gift certificate for a book, CD, or DVD if I print a comment that you send. Thanks!

Brian Livingston is the editor of WindowsSecrets.com and the coauthor of Windows Me Secrets and nine other books.

 
Perimeter Scan

Do you have HIPS in your future?

By Ryan Russell

One of the newer buzzphrases in the security industry is Host-based Intrusion Prevention System, or HIPS, which is something you may want to look at.

It can be difficult, however, to separate the actual innovation from the traditional vendors trying to ride the buzzword wave.


What is HIPS?

Believe it or not, simply defining HIPS can be a controversial task. This is because the term is too inclusive. Anything that can help contribute to preventing intrusion, and runs on the individual host machines, gets thrown in the same bucket.

That means things like traditional antivirus, antispyware, file-integrity checkers, and firewalls now get lumped into this category. We know what those are, so I want to talk today about the new stuff. A good primer on HIPS is available at CastleCops.

Three categories of HIPS protection are new and useful, on top of the traditional products already mentioned. These are (1) protocol validation, (2) virtualization or sandboxing, and (3) code execution prevention.

I have to be careful about using “new” too much. ISS BlackIce has had protocol validation for a number of years. I believe that the current pick in the Security Baseline, ZoneAlarm, does as well. But that takes nothing away from these products.

This article is part of our paid content.


 
Woody's Windows

Top timesaving tips in IE 7 and Firefox 2

By Woody Leonhard

With IE 7 out the door and Firefox 2 being released this week, it’s time to retrain your fingers and teach those old dogs new tricks.

Check out my favorites — these are the tricks I use every day.


The best tweaks for your tabs

If you’ve used tabs for more than a few minutes, you probably already know that Ctrl+T opens a new tab and moves the cursor up into the address bar, ready for you to type a URL. But did you know that Ctrl+W closes the current tab? Or that, in Firefox, Ctrl+Shift+T re-opens the tab you just closed?

You probably know that holding down the Ctrl key while clicking on a link opens the clicked page in a new tab. But did you know that clicking the “middle” button — that’s the scroll wheel, on most mice — does the same thing? Or that clicking the middle button on a tab title closes the tab?

You can type a URL in the address bar in either IE or Firefox, then press Alt+Enter, and the Web page you entered appears in a new tab. Similarly, typing in the Search bar and pressing Alt+Enter runs the search in a new tab. Kewl.

There’s one IE 7 trick that really amazes me. Press Ctrl+Q (or click the Quick Tabs icon to the left of the tabs) and IE shows you thumbnails of all your tabbed web pages. Click on the page you want, and the correct tab appears. Very slick.

Some old and new tricks in both browsers

No doubt you remember that Shift+Click opens the clicked page in a new copy of the browser — in other words, a new IE or Firefox window. This has worked since the dawn of time. Here’s one you might not know: Hold down the Ctrl key and scroll the mouse wheel to zoom in and zoom out. Also, use Ctrl+F to find and Ctrl+H for history. Ctrl+E jumps to the Search bar in IE; Ctrl+K does the same in Firefox.

This article is part of our paid content.


 
Over the Horizon

Old flaws still plague Internet Explorer

By Chris Mosby

The Internet is buzzing about the release of Internet Explorer 7. The Internet is also buzzing about flaws in IE 7 that are left over from IE 6.

I first wrote about one IE 6 flaw in the May 11, 2006, issue of the newsletter — and it still hasn’t been patched yet. I wonder how many other holes remain active in Microsoft’s “new” browser?


Redirection flaw in IE 6 and 7 discloses information

As I reported back in that May 11 column, a flaw in IE 6 and 7 involves an error in redirections for URLs that use the mhtml handler.

Microsoft’s Christopher Budd tried to explain in an Oct. 19 blog entry that this flaw is not due to IE but a component of Outlook Express. However, when I uninstalled Outlook Express (thank you Justice Department), the MHTML vulnerability test provided by Secunia (described below) still showed that IE 7 was vulnerable. This was on a fully patched version of Windows XP SP2.

Successful exploitation of this flaw can allow one Web site you visit to access the pages of other Web sites. For instance, if you are logged on to your online bank account with IE, a hacked Web site you’re also viewing in IE would be able to see information in the bank’s window.

What to do: Secunia suggests disabling active scripting support in both IE 6 and 7. If you’ve followed Brian’s recommended settings for IE 6, then you’re already taken care of. These settings are normally inherited by IE 7 when you upgrade. As far as IE 7 goes, Brian’s story, above, goes into detail on hardening the new browser’s settings.

After you’ve changed the Internet Options for IE, try the tests for these browsers that are linked to on Secunia’s advisory pages for IE 6 and IE 7.

Pop-up spoofing inherited in IE 7 from IE 6

Secunia reported this week a second unpatched vulnerability in Microsoft’s recently released IE 7. The flaw involves a weakness in the way that IE 7 handles the address bar on pop-up windows. When some special characters are appended to the URL, a dishonest Web site operator can display the wrong address bar in the pop-up.

This article is part of our paid content.


 
Patch Watch

Patches have problems as IE 7 seeks deployment

By Susan Bradley

While everyone was in a tizzy over IE7 hitting the streets, the rest of us mortals were still tracking issues with the patches we got earlier this month.

There are times IT folks overreact to technology changes, such as IE 7 — but I guess that’s what makes us human.


MS06-056 (922770)
.NET patch has some issues installing

First up, the .NET patch, MS06-056 (922770), is still having some issues getting installed. I’m currently tracking three separate issues.

So far, the only consistent solution to all three is to uninstall .NET 2.0 and reinstall it. If you can’t remember whether or not you installed it, chances are that a line-of-business application did. Knowledge Base article 922770 points to several resolutions. Meanwhile, a blog post on the MSDN site points to a few other ideas.

MS06-061 (924191)
XML bulletin reissued for kill-bit error

The XML patch known as MS06-061 (924191) was re-released for Windows 2000 platforms on Oct. 19. It turns out that the “kill bit” that had been included as an additional security measure didn’t actually kill anything. Thus, it wasn’t doing what it was supposed to do in the XML parser 2.6.

The patch has been reissued to fix this issue. You may have noticed that on some servers you were offered up several versions of the XML patch. This means that you probably had XML from several different applications that had installed it.
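A kill bit is a DWORD named "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, so "did the patch actually kill the control?" is a question you can answer from a registry export. The script below is an added example, not from the newsletter or from Microsoft; it parses an exported .reg file and lists the CLSIDs that are still not killed. The CLSIDs in the sample export are constructed placeholders, since the column does not give the identifier of the XML parser 2.6 control.

```python
"""Check a registry export for ActiveX kill bits (added example).

Assumption: IE treats a control as killed when bit 0x400 of the DWORD
"Compatibility Flags" under its ActiveX Compatibility\\{CLSID} key is set.
"""
import re

KILL_BIT = 0x400
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
                      r"\Internet Explorer\ActiveX Compatibility")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def killbit_status(reg_text):
    """Return {CLSID: kill bit set?} for every ActiveX Compatibility key in a .reg export.
    A key that exists without a Compatibility Flags value counts as not killed."""
    status = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            current = None
            if key.lower().startswith(ACTIVEX_COMPAT_KEY.lower() + "\\"):
                current = key.rsplit("\\", 1)[1].upper()
                status.setdefault(current, False)
            continue
        flags_match = _FLAGS_RE.match(line)
        if flags_match and current:
            status[current] = bool(int(flags_match.group("hex"), 16) & KILL_BIT)
    return status


def missing_killbits(reg_text, expected):
    """CLSIDs that a patch was supposed to kill but that the export shows as
    not killed or absent altogether."""
    status = killbit_status(reg_text)
    return sorted(clsid.upper() for clsid in expected
                  if not status.get(clsid.upper(), False))


# Constructed export with placeholder CLSIDs: one killed, one with the bit
# clear, one with no Compatibility Flags value at all.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{11111111-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{22222222-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{33333333-0000-0000-0000-000000000003}]
"""

if __name__ == "__main__":
    expected = ["{11111111-0000-0000-0000-000000000001}",
                "{22222222-0000-0000-0000-000000000002}"]
    for clsid in missing_killbits(SAMPLE_EXPORT, expected):
        print(f"kill bit NOT set: {clsid}")
```

Export the key with reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" before and after installing a bulletin that claims to set kill bits, and feed both files through the check; a CLSID that the bulletin names but that still shows as not killed is exactly the situation this re-release fixed.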

Hotfix stops Microsoft Update’s 100% CPU usage

For several months now, I’ve been tracking two annoying issues. It looks like we finally have a resolution to one of the two (the other is described in my next item below).

Hotfix 916089 appears to solve an issue with Microsoft Update. When you run MU, the CPU usage of a machine may shoot up to 100%. This appears to freeze up the machine for a few moments.

Remote shutdown when a machine won’t reboot

The other issue that I’m still tracking involves patching a machine remotely over a Remote Desktop or Terminal Services session. The problem is that the machine doesn’t successfully reboot. Because it doesn’t restart, but it takes down the remote session, we’re left with a machine that we can’t remote back into. We’re left with sending a remote shutdown command via a domain-attached machine to remotely reboot the box.

This article is part of our paid content.


YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.
