Microsoft’s recent release of Service Pack 2 (SP2) for Windows XP protects XP users against a variety of hacker attacks, particularly ones that affect Internet Explorer. SP2 prevents IE users from being subjected to pop-up windows and silent downloads of software from rogue Web sites, among other threats.
But what about people who run versions of Windows other than XP?
In the previous issue
Switching browsers can prevent some but not all problems
The serious security problems that lie buried deep within Internet Explorer are becoming more widely known. But most Windows users still do not understand the depth of the danger.
The respected security firm Secunia reports in its current advisory on IE 6 that 18 separate security holes — some of them rated “extremely critical” — remain unpatched by Microsoft.
An additional 71 issues with IE that Secunia has published alerts about do have patches available now. But security experts widely feel that additional holes will continue to be found. These flaws can be and sometimes have been exploited by hackers before “good guy” researchers find the weaknesses and describe them privately to Microsoft, which then begins developing a patch.
One security company, Finjan Software, even reports that it’s already found 10 new security flaws in XP SP2 alone. The nature of the claimed flaws, however, has not been publicly revealed, and other observers (including Microsoft) respond that Finjan is using the claims to help sell its security software.
All of this hubbub has led millions of former IE users to stop browsing the Web with Microsoft’s product. Instead, the new browser of choice is Mozilla Firefox, a free program for Windows and other operating systems, which released its 1.0 gold version last week after a long period of beta testing.
More than 1 million people per day were downloading the new release when it was first posted, according to the nonprofit Mozilla Foundation, which develops the software. But the pace has now slowed, making it a good time for you to join the fun, if you haven’t already. We’ll have a full review of Firefox 1.0 in an upcoming issue of the Windows Secrets Newsletter.
Beta versions of Firefox had their share of security weaknesses, as do most new software programs during their development stage. But Secunia, which documented 17 temporary security flaws in those beta versions, reports that none of the issues remain open in Firefox 1.0.
In many cases, unfortunately, you may find that you have to run Internet Explorer. Perhaps you’re subject to a company policy or certain sites that you depend on have foolishly made their Web technology work only in IE.
In addition, merely shunning Internet Explorer and browsing the Web with Firefox instead doesn’t correct the security holes in Windows. Because Microsoft long ago integrated IE into the guts of the operating system, the flawed components are still present and can be taken advantage of by rogue Web sites, even if you never open an IE window.
That’s why you need to keep current with Microsoft’s latest patches — using Windows Update and Office Update for individual users or patch-management software for multiple PCs — and take the steps described below. This article covers three alternatives: one foolish suggestion, one serious alternative that costs a few dollars, and a third alternative that’s free.
What Microsoft suggests, which is absurd
On its Web site and in its publicity materials, the Microsoft Corp. recommends that Windows users change the security settings of the so-called Internet Zone in Internet Explorer to “High.” (To do this in IE, click Tools, Internet Options. Select the Security tab, then click the Custom Level button. In the “Reset To” box, select High, then click the Reset button and click OK to close all dialog boxes.)
Setting the Internet Zone to High affects all sites you visit using IE that you haven’t manually specified as belonging to a different “zone.” Switching to High imposes on the sites you visit all of the same restrictions as IE’s Restricted Sites Zone, which disables numerous features of the Web.
One problem with this advice is that many Web sites won’t work well (or display anything at all) when the Internet Zone is set to High. In a crowning irony, Microsoft’s own Windows Update site won’t download security updates under this setting.
In addition, several Web sites now instruct visitors to turn on dangerous Web features, such as “active scripting.” Sites that currently exhort users to turn on certain features in the Internet Zone include Investor’s Business Daily and NASA.gov.
These sites almost certainly aren’t doing anything that would hurt visitors. But they shouldn’t be telling their users to lower the security of all sites in their Internet Zone. Instead, they should tell visitors to add the sites to IE’s Trusted Sites Zone. In that way, sites such as theirs that use nonsecure Microsoft technologies, such as ActiveX, would continue to work in visitors’ browser windows without exposing those users to risks at other sites. (More details on the Trusted Sites Zone are given later in this article.)
The worst aspect of Microsoft’s advice to set IE’s Internet Zone to High is that this does nothing to close one of today’s worst security holes. That hole is Windows’ so-called Local Machine Zone.
The Local Machine Zone consists of Web content that more or less includes any HTML or other file found on a local hard drive. Almost any action that a logged-on user can take on a PC can also be performed by whatever script or Trojan horse a hacker can succeed in planting.
There are a seemingly unlimited number of ways that hacked Web sites and infected e-mail attachments can get access to the Local Machine Zone. This breach of security is often one of the first steps that a hacker takes to compromise other local resources and turn a PC into a “zombie,” controlled by the hacker from a remote location.
In the next section of this article, I’ll explain two ways to secure your Local Machine Zone, protecting your PC from attack. But let’s first look at why Microsoft isn’t protecting this zone by giving out updates for all Windows versions.
Microsoft officials have stated that the security improvements in Service Pack 2 for XP will not be made available for download to users of older versions of the operating system, such as Windows 2000 and Me.
This decision is inexplicable, since many of the security fixes could easily be re-packaged for users of these Windows versions, who arguably comprise more than half of all Windows users.
By withholding these fixes, Microsoft has aligned its interests with those of the worst “black-hat” hackers. The Redmond corporation is using people’s legitimate fears of infection as a blunt instrument — a billy club — to sell more copies of its Windows XP software. This is truly despicable and unethical business behavior.
Protecting the Local Machine Zone
There are two primary ways to protect the Local Machine Zone, giving it stronger security settings that block silent access by hacker scripts.
The commercial software route
One method requires the purchase of a commercial software program, one version of which is currently available for $34.95. The other method is free but requires a tweak in the Windows Registry and a manual change in Internet Explorer’s settings.
One of the leading contenders to “lock down” the Local Machine Zone, both for home PC users as well as enterprise IT administrators, is QwikFix-Pro, a piece of software developed by PivX Inc.
Despite the quirky-sounding name, QwikFix-Pro is a serious program that corrects several dangerous weaknesses in Windows. This includes disabling dangerous URL protocols, Local System Account (LSA) anonymous settings, and the Windows Messenger Service (not instant messaging), according to the company’s PDF white paper.
Qwik-Fix Pro Home Edition can be downloaded for a free 30-day trial, after which the price is $34.95. Corporate versions are available for $500 per server or less in volume.
Protecting the Local Machine Zone manually
If you can’t or don’t want to use commercial software to tighten the security of the Local Machine Zone, you should at least lock it down manually, which costs nothing.
Although the Local Machine Zone is a security zone used by Internet Explorer, by default it is hidden from users. That means when you click Tools, Internet Options in IE and select the Security tab (as described earlier), the Local Machine Zone doesn’t show up as one of the zones you can configure.
Microsoft documents in its online Knowledge Base a Registry setting that makes the Local Machine Zone visible. This doesn’t affect its security, it simply makes it possible for you to alter the security settings of the zone.
Before altering the Registry, first make sure you back it up and know how to restore it if you make a mistake.
Then click Start, Run, type regedit and click OK. In the HKEY_CURRENT_USER folder, find the following Registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
In that key, the Flags value, which is a DWORD, controls whether or not the Local Machine Zone is visible in IE’s Security tab. Set the data value to 47 (in hexadecimal) to display the zone or 21 (in hexadecimal) to hide it.
Microsoft’s description of this procedure is in KB article 315933.
After you’ve made the change, you can then apply to the Local Machine Zone the same security settings that are recommended below for the Internet Zone. Be aware that this doesn’t give you the multiple protections provided by QwikFix-Pro and similar security software.
Protecting the Internet Zone
Many security experts recommend that you configure IE’s Internet Zone so dangerous technologies are not allowed to run. These recommendations don’t go as far as setting the zone to “High” but protect you against most security breaches that a hacked Web site could expose you to.
Many programs other than IE, such as Microsoft Outlook and Outlook Express, use IE’s rendering engine to display HTML content on the screen. Changing the security settings of the Internet Zone also strengthens these applications, making it safer for you to read e-mail and use these programs in other ways. One set of recommendations is provided by InfiniSource, a Web resource center.
To make your Internet Zone more secure, pull down the Tools menu in IE, then click Internet Options and select the Security tab. (You can also access Internet Options as an applet in the Control Panel.) Select the Internet Zone, then click the Custom Level button. In the dialog box that appears, change the following settings to the values shown:
- ActiveX controls and plug-ins
• Download signed ActiveX controls: Disable
• Download unsigned ActiveX controls: Disable
• Initialize and script ActiveX controls not marked as safe: Disable
• Run ActiveX controls and plug-ins: Disable
• Script ActiveX controls marked safe for scripting: Disable
- Downloads
• Font Download: Disable
- Microsoft VM
• Java permissions: Disable Java
- Miscellaneous
• Allow META REFRESH: Disable
• Display mixed content: Disable
• Drag and drop or copy and paste files: Disable
• Installation of desktop items: Disable
• Launching programs and files in an IFRAME: Disable
• Navigate sub-frames across different domains: Disable
• Software channel permissions: High Safety
• Userdata persistence: Disable
- Scripting
• Active scripting: Disable
• Allow paste operations via script: Disable
• Scripting of Java applets: Disable
- User Authentication
• Logon: Prompt for username and password
One benefit of changing the above settings manually, rather than simply setting the Internet Zone to High Security, is that you can easily change back any individual setting if it causes you a problem.
If a Web site or application complains about a certain setting, you can investigate it and determine whether or not lowering your security settings is justified. If you didn’t know about the settings shown above, you’d be tempted in the face of problems to reset the Internet Zone from High to Medium, which would put you back where you started.
Microsoft itself has posted a Knowledge Base article about changing some of the above settings manually in IE, going back to version 3.0. The article is primarily oriented toward troubleshooting, rather than security. The description is in KB article 154036.
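Because these settings live in the Registry under the Internet Zone key (Zones\3), an administrator can check a PC against the list above without clicking through every dialog box. The following script is an added example, not code from the newsletter or from Microsoft: it parses the text that `reg export` produces for that key and reports every recommended setting that is absent or still set to something else. It assumes Microsoft’s documented encoding for the zone values (the four-digit value names are the per-setting action IDs; 0 = Enable, 1 = Prompt, 3 = Disable; Logon 0x10000 = prompt for user name and password), and the .reg text embedded in it is a constructed sample, not a real export.

```python
import re

# Assumed encoding from Microsoft's documented zone registry layout (not from
# the article): value names are the action IDs; 0=Enable, 1=Prompt, 3=Disable.
INTERNET_ZONE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Constructed sample of a "reg export" of the Internet Zone key (not a real
# export): "Run ActiveX controls" is still Enabled and "Active scripting" is
# set to Prompt; every other value already matches the recommended list.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000001
"1405"=dword:00000003
"1407"=dword:00000003
"1A00"=dword:00010000
'''

# Action ID -> (Custom Level label, recommended data), a subset of the list
# above; Logon 0x10000 means "prompt for user name and password" (assumed).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 3),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1200": ("Run ActiveX controls and plug-ins", 3),
    "1405": ("Script ActiveX controls marked safe for scripting", 3),
    "1400": ("Active scripting", 3),
    "1407": ("Allow paste operations via script", 3),
    "1A00": ("Logon", 0x10000),
}

def parse_zone(reg_text, zone_key):
    """Return {value name: int data} for the dword values under zone_key."""
    values, in_zone = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):            # start of a new key section
            in_zone = line.strip("[]").lower() == zone_key.lower()
            continue
        m = re.match(r'"(\w+)"=dword:([0-9a-fA-F]{8})', line)
        if in_zone and m:
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """List (label, current, recommended) for settings that deviate; None = absent."""
    current = parse_zone(reg_text, INTERNET_ZONE)
    return [(label, current.get(vid), want)
            for vid, (label, want) in RECOMMENDED.items()
            if current.get(vid) != want]
```

Run `audit(open("zone3.reg").read())` on a real export to get the list of settings still to change; an empty list means the Internet Zone already matches the subset checked.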
Add legit sites to the Trusted Sites list so they’ll run
Changing the above-named settings very likely will disable some of the features of some of the Web sites you visit. Unfortunately, in the bad old “anything goes” days of the Internet — which hopefully someday will be “long gone” — these sites adopted nonsecure or proprietary technology to display banner ads, submenus, and the like. Shutting down this stuff is part of the price of making the Internet a more secure place.
If a site that you know is legitimate has a problem with your security settings, it’s easy to add the site to your Trusted Zone. The site will then benefit from the less-secure settings in that zone, which is by default set to Low Security.
You can add a site manually to the Trusted Zone by visiting it using IE, then clicking Tools, Internet Options. Select the Security tab, then select Trusted Zone and click the Sites button. Type http:// and the domain name into the input box and click the Add button to add the domain.
To include non-SSL-encrypted sites in the list, turn off the check box labeled “Require server verification (https:) for all sites in this zone.” Click the OK button to close all the dialog boxes.
There’s a much easier way to add a site to your Trusted Zone, though. You can put an item named “Add Site to Trusted Zone” on IE’s Tools menu and click it rather than having to go through Internet Options every time. To get this, download and install Power Tweaks Web Accessories from Microsoft’s Web site. This 129 KB download is described as being for IE 5, but it works just as well on IE 6.
Unfortunately, the utility also places on IE’s Tools menu another item named “Add Site To Restricted Zone.” You should never visit a site that you think is untrustworthy so you can click this menu item. Instead, always add such a site to the Restricted Zone manually, using the procedure described above, before visiting the site.
It’s unfortunate that Windows users have to go through all this just to get some peace of mind. Microsoft should simply distribute, free of charge, the fixes necessary to provide this minimal level of protection to all Windows users. Until that time, however, you should take steps to protect yourself.
To send us more information about IE security, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
Protect Internet Explorer without SP2 — part two