| By Brian Livingston |
Microsoft’s new Internet Explorer 7.0 browser, which was released to the public last week, includes several security improvements but still has weaknesses inherited from IE 6.
I’ll show you an easy way to “harden” IE 7 so you’re protected against hacker threats that haven’t even been invented yet.
IE 7 suffers from some IE 6 weaknesses
IE 7 does benefit from some significant updates over IE 6. For example, the so-called Phishing Filter in IE 7 warns you if a page you’re about to visit is in a real-time database of hacked sites. (You must turn on this filter for it to work. Hopefully, most users will do so because IE 7 asks for the filter to be enabled the first time you use the new browser.)
Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!
Subscribe and get our monthly bonuses - free!
The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!
Also, IE 7’s new Protected Mode, which only works in Windows Vista, will prevent Web sites from modifying system files or settings. I described several of these new features in my Executive Tech column on Oct. 24.
Unfortunately, IE 7 still contains some security weaknesses that were present in IE 6 — and which Microsoft still hasn’t fixed in that older browser. The most publicized example since IE 7 went gold is the so-called MHTML hole. This problem allows a hacked site to read information from the window of a different site you’re visiting, such as an online banking service.
The respected security firm Secunia published an advisory on Oct. 19 publicizing a free test for the weakness in IE 7. The problem in IE 7 is almost identical to the one described by Secunia in an April 2006 advisory that affects IE 6. (Contributing editor Chris Mosby has more in his column in today’s paid newsletter, below, about this and other flaws that IE 7 has inherited from IE 6.)
Neither the IE 6 nor the IE 7 problems are considered severe. Secunia rates them only 2 on a scale of 5 in severity, mainly because a hacker must first get you to visit a rogue Web site before being able to read information from other sites you may visit. You can close the holes in both browser versions by changing Active Content to a setting of Disable in the Security tab of IE’s Internet Options dialog box. (See Figure 1.)
Figure 1: You can easily disable active scripting using IE 7’s Internet Options dialog box.
But why stop there? If other weaknesses loom in IE 7 — and you can easily close these holes without waiting for a threat to attack you first — why not protect yourself proactively?
Changing IE’s profile from weak to strong
I contacted Arie Slob (pronounced "slobe"), a Dutch citizen who lives in Malta but works for a U.S. company named Infinisource. Arie runs Web servers for the company and, more importantly, has analyzed the inner workings of most of IE’s Internet Options settings.
After a telephone discussion with me, Arie completed an analysis of IE 7’s Internet Options and posted it on Oct. 25. Back in 2004, I used his findings to recommend changes to 19 of the options in IE 6 SP1. (A link is shown at the end of this article.)
Arie told me in a telephone interview that only a couple of IE 6’s Internet Options settings had been changed in a more secure direction in IE 7 by Microsoft. He’s particularly concerned that, in his words: "There are new settings for XAML and they’re all enabled by default."
XAML — Extensible Application Markup Language, pronounced "zammel" — is a Microsoft-specific technology designed for corporate developers who wish to deliver simple but striking user interfaces, similar in some ways to Flash animations. There’s a risk, however, that XAML might some day be used by hackers to deliver infected code to unsuspecting users.
Why would Microsoft enable such technologies by default in IE 7? At Microsoft’s Professional Developers’ Conferences in recent years, company officials have stated that technologies won’t be enabled in Windows by default unless 90% of users would use a technique. (Printing is an example of a technology that should be "on" while macros and other active content should be "off" unless enabled by users or administrators.) Since corporate admins could easily enable XAML companywide using Group Policy, why turn XAML on for all IE 7 users? Why create yet another code monoculture for hackers to take advantage of?
The answer is that XAML is built on Microsoft’s Windows Presentation Foundation (WPF), a key feature of .NET Framework 3.0. This technology is aimed at corporate developers who Microsoft wants to build Windows-only applications. Rather than ask these large enterprises to flip a simple switch to enable XAML in IE 7, Microsoft apparently decided that compiled .xaml files should run in the browser by default for every Windows user in the world.
How to configure IE 7 to protect yourself
Just because certain features are enabled in IE 7, that doesn’t mean you have to leave them on and expose yourself to rogue examples of such code in the future. Shown below is a concise list of the way Arie recommends that you configure Internet Options in IE 7 to protect your system.
In IE 7, click Tools, Internet Options, and then select the Security tab. With the Internet zone selected, the security level by default should be set to Medium-High. Click the Custom Level button. Set the following choices:
- .NET Framework
• Loose XAML: Disable
• XAML browser applications: Disable
• XPS documents: Disable
- ActiveX controls and plug-ins
• Binary and script behaviors: Disable
• Run ActiveX controls and plug-ins: Disable
• Script ActiveX controls marked safe for scripting: Disable
• Font download: Disable
• Enable .NET Framework setup: Disable
- Enable .NET Framework setup: Disable
• Allow META REFRESH: Disable
• Allow Web pages to use restricted protocols for active content: Disable
• Display mixed content: Disable
• Drag and drop or copy and paste files: Disable
• Installation of desktop items: Disable
• Launching applications and unsafe files: Disable
• Launching programs and files in an IFRAME: Disable
• Navigate sub-frames across different domains: Disable
• Software channel permissions: Maximum Safety
• Submit non-encrypted form data: Disable
• Userdata persistence: Disable
• Web sites in less privileged Web content zone can navigate into this zone: Disable
• Active scripting: Disable
• Allow programmatic Clipboard access: Disable
• Scripting of Java applets: Disable
Firefox is still a better browser than IE 7
But not all sites have this kind of fall-back design. Here are my recommendations on how to use the Web effectively, despite the fact that you’ve made IE 7 more secure:
• Use Firefox, not IE 7. Firefox is inherently a more secure browser that Internet Explorer, even version 7.0. For example, Firefox is not vulnerable to Secunia’s test of the MHTML hole that IE 7 (and IE 6 and IE 5) suffers from.
Most sites today work with both Firefox and IE (and other major browsers, such as Opera, Netscape, and Mac Safari). Sites that really require IE are declining. If you haven’t already installed Firefox, the new version 2.0 can be downloaded from the Mozilla release notes page. (Be sure to read the notes before installing.)
• Add legitimate IE-only sites to the Trusted Sites zone. If you encounter a site that you know to be responsible — but it requires Internet Explorer for some reason — you can easily add the site to IE’s Trusted Sites zone. In IE 7, pages in the Trusted Sites zone run at the Medium security level (not Medium-High as in the Internet zone) and aren’t restricted by the customizations you’ve applied to the Internet zone.
To add a Web address to the Trusted Sites zone in IE, click Tools, Internet Options, and then select the Security tab. Select the Trusted Sites zone, click the Sites button, and add the address of the site you wish to visit. If the site doesn’t use encrypted pages, turn off the option Require server verification (https:) for all sites in this zone.
It’s even easier to add an address to your Trusted Sites if you install Microsoft’s Power Tweaks Web Accessories from the company’s download page. This applet inserts an option called Add to Trusted Zone right on IE’s Tools menu. (Microsoft’s download page says the download is only for IE 5, but it works fine on IE 6 and IE 7.)
• Easily open pages in IE while in Firefox. If you use Firefox routinely, you can quickly open an IE-only page in IE by clicking an icon on the Firefox toolbar. To do this, install IE View, an extension available from Mozdev.org. You can even set specific sites to automatically open in IE, if you absent-mindedly surf to them in Firefox.
• Install IE 7 just to protect yourself against IE 6. If you run Firefox or some other secure browser, you may wonder why you should upgrade to IE 7 at all. The answer is that you might be induced to visit an IE-only site some day, and that site turns out to be infected (deliberately or accidentally). Browsing with IE 7 instead of IE 6 does provide you with better protection, especially if you’ve made the changes shown above. To install IE 7, visit Microsoft’s download page.
• Why not just set IE 7’s security level to “High”? It’s always possible to crank IE’s Internet Zone up to the High security level instead of Medium-High. Doing this, however, makes most Web sites unusable, because IE then pops up a warning every time some harmless page script runs. Sometimes, several warnings appear on every page of a site. Using the customized settings shown above — and adding respected companies to your Trusted Sites zone — provides you with fairly good protection without subjecting you to such pointless harassment.
• Watch out for ClearType after installing IE 7. Rudely, IE 7 (when installed on XP machines) enables ClearType in browser windows, even if you had previously disabled it. ClearType makes text look less jagged on LCD screens, but it can make type look fuzzy on CRT monitors. This can affect other applications that use the IE rendering engine, such as the preview pane in Outlook and FrontPage.
You can turn ClearType off by running IE 7, clicking Tools, Internet Options, and selecting the Advanced tab. Under the Multimedia section, turn off Use ClearType. Alternatively, you can try tuning the effect to see if you like it, using MS’s online tuner page.
How to test your browsers for safety
As mentioned earlier, Secunia provides harmless test pages that can show you whether a particular browser is vulnerable to a known security threat. You should test every browser that you use.
Secunia’s test for the MHTML hole is linked to from two separate pages that apply to IE 7 and IE 5/IE 6 and Outlook Express 5.5 and 6.
Another set of tests demonstrates a new threat first reported on Oct. 25. This flaw, which Secunia rates as only 2 on a severity scale of 5, allows a rogue Web site that you visit to fake the address bar in a pop-up window that appears later. The pop-up window can appear to originate from a legitimate site that you happen to be visiting at that moment. This can lure you into entering passwords or other personal data.
This pop-up test is linked to from a page that specifically mentions IE 7. Firefox 1.x, however, also appears to be vulnerable to this kind of spoofing. There’s no workaround to correct this in either browser at this time, so always be suspicious of any pop-up window that appears unexpectedly.
Important note: If you’ve made the changes shown above to harden IE 7, the link on Secunia’s test pages entitled Test Now — Left Click On This Link won’t do anything when you click it. The lack of action demonstrates that the vulnerability has been eliminated. But it can be confusing if you don’t know why the link isn’t working.
Arie Slob provides three separate pages that explain the weaknesses in different versions of Internet Explorer and how the Internet Options should be changed. These pages cover IE 7, IE 6 with Service Pack 2, and IE 6 with Service Pack 1.
My original Windows Secrets story, which described how to harden IE 6 with Service Pack 1 (for people who, for whatever reason, couldn’t upgrade to SP2) was published on Nov. 18, 2004.
How to get more information
As I mentioned earlier, Chris Mosby’s column in the paid version of this newsletter explains how to protect yourself against new threats that haven’t yet been patched. Susan Bradley’s column describes how to work around any problems that have been found with officially released patches, and Ryan Russell’s column teaches you how to know when you have adequate protection.
To get these columns, and gain access to all of our old and new paid content for a full year, you can upgrade to the paid version of the newsletter. We don’t require any fixed fee. You can contribute whatever it’s worth to you. We want as many people as possible to have this information. How to upgrade
That’s it for now. If you have further information to share about IE 7, or you have a tip on any other topic, send it to me using the Windows Secrets contact page. You’ll receive a gift certificate for a book, CD, or DVD if I print a comment that you send. Thanks!
Brian Livingston is the editor of WindowsSecrets.com and the coauthor of Windows Me Secrets and nine other books.