IE 7 needs tweaking for safety

By Brian Livingston

Microsoft’s new Internet Explorer 7.0 browser, which was released to the public last week, includes several security improvements but still has weaknesses inherited from IE 6.

I’ll show you an easy way to “harden” IE 7 so you’re protected against hacker threats that haven’t even been invented yet.

IE 7 suffers from some IE 6 weaknesses

IE 7 does benefit from some significant updates over IE 6. For example, the so-called Phishing Filter in IE 7 warns you if a page you’re about to visit is in a real-time database of hacked sites. (You must turn on this filter for it to work. Hopefully, most users will do so because IE 7 asks for the filter to be enabled the first time you use the new browser.)

Also, IE 7’s new Protected Mode, which only works in Windows Vista, will prevent Web sites from modifying system files or settings. I described several of these new features in my Executive Tech column on Oct. 24.

Unfortunately, IE 7 still contains some security weaknesses that were present in IE 6 — and which Microsoft still hasn’t fixed in that older browser. The most publicized example since IE 7 went gold is the so-called MHTML hole. This problem allows a hacked site to read information from the window of a different site you’re visiting, such as an online banking service.

The respected security firm Secunia published an advisory on Oct. 19 publicizing a free test for the weakness in IE 7. The problem in IE 7 is almost identical to the one described by Secunia in an April 2006 advisory that affects IE 6. (Contributing editor Chris Mosby has more in his column in today’s paid newsletter, below, about this and other flaws that IE 7 has inherited from IE 6.)

Neither the IE 6 nor the IE 7 problems are considered severe. Secunia rates them only 2 on a scale of 5 in severity, mainly because a hacker must first get you to visit a rogue Web site before being able to read information from other sites you may visit. You can close the holes in both browser versions by changing Active Content to a setting of Disable in the Security tab of IE’s Internet Options dialog box. (See Figure 1.)

Figure 1: You can easily disable active scripting using IE 7’s Internet Options dialog box.

But why stop there? If other weaknesses loom in IE 7 — and you can easily close these holes without waiting for a threat to attack you first — why not protect yourself proactively?

Changing IE’s profile from weak to strong

I contacted Arie Slob (pronounced "slobe"), a Dutch citizen who lives in Malta but works for a U.S. company named Infinisource. Arie runs Web servers for the company and, more importantly, has analyzed the inner workings of most of IE’s Internet Options settings.

After a telephone discussion with me, Arie completed an analysis of IE 7’s Internet Options and posted it on Oct. 25. Back in 2004, I used his findings to recommend changes to 19 of the options in IE 6 SP1. (A link is shown at the end of this article.)

Arie told me in a telephone interview that only a couple of IE 6’s Internet Options settings had been changed in a more secure direction in IE 7 by Microsoft. He’s particularly concerned that, in his words: "There are new settings for XAML and they’re all enabled by default."

XAML — Extensible Application Markup Language, pronounced "zammel" —  is a Microsoft-specific technology designed for corporate developers who wish to deliver simple but striking user interfaces, similar in some ways to Flash animations. There’s a risk, however, that XAML might some day be used by hackers to deliver infected code to unsuspecting users.

Why would Microsoft enable such technologies by default in IE 7? At Microsoft’s Professional Developers’ Conferences in recent years, company officials have stated that technologies won’t be enabled in Windows by default unless 90% of users would use a technique. (Printing is an example of a technology that should be "on" while macros and other active content should be "off" unless enabled by users or administrators.) Since corporate admins could easily enable XAML companywide using Group Policy, why turn XAML on for all IE 7 users? Why create yet another code monoculture for hackers to take advantage of?

The answer is that XAML is built on Microsoft’s Windows Presentation Foundation (WPF), a key feature of .NET Framework 3.0. This technology is aimed at corporate developers whom Microsoft wants to build Windows-only applications. Rather than ask these large enterprises to flip a simple switch to enable XAML in IE 7, Microsoft apparently decided that compiled .xaml files should run in the browser by default for every Windows user in the world.

How to configure IE 7 to protect yourself

Just because certain features are enabled in IE 7, that doesn’t mean you have to leave them on and expose yourself to rogue examples of such code in the future. Shown below is a concise list of the way Arie recommends that you configure Internet Options in IE 7 to protect your system.

In IE 7, click Tools, Internet Options, and then select the Security tab. With the Internet zone selected, the security level by default should be set to Medium-High. Click the Custom Level button. Set the following choices:
  • .NET Framework
    Loose XAML: Disable
    XAML browser applications: Disable
    XPS documents: Disable
  • ActiveX controls and plug-ins
    Binary and script behaviors: Disable
    Run ActiveX controls and plug-ins: Disable
    Script ActiveX controls marked safe for scripting: Disable
  • Downloads
    Font download: Disable
  • Enable .NET Framework setup: Disable
  • Miscellaneous
    Allow META REFRESH: Disable
    Allow Web pages to use restricted protocols for active content: Disable
    Display mixed content: Disable
    Drag and drop or copy and paste files: Disable
    Installation of desktop items: Disable
    Launching applications and unsafe files: Disable
    Launching programs and files in an IFRAME: Disable
    Navigate sub-frames across different domains: Disable
    Software channel permissions: Maximum Safety
    Submit non-encrypted form data: Disable
    Userdata persistence: Disable
    Web sites in less privileged Web content zone can navigate into this zone: Disable
  • Scripting
    Active scripting: Disable
    Allow programmatic Clipboard access: Disable
    Scripting of Java applets: Disable

Some of the above settings will interfere with the operation of some legitimate Web sites. I’ll describe in the following section how to work around this.
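
As an added illustration (not part of the original article or of Arie Slob's pages), the checklist above can be audited in the registry, where IE stores each Internet-zone setting as a numbered URL-action value. The action IDs and value data are taken from Microsoft's published URL-action list; the per-user key path assumes no Group Policy override is in place on the machine.

```powershell
# Added example: audit the Internet zone (zone 3) against the checklist; -Apply fixes mismatches.
# Value data: 0 = Enable, 1 = Prompt, 3 = Disable; 1E05 uses 0x10000 (65536) for Maximum Safety.
param([switch]$Apply)
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$recommended = @'
Id,Want,Setting
2402,3,Loose XAML
2400,3,XAML browser applications
2401,3,XPS documents
2000,3,Binary and script behaviors
1200,3,Run ActiveX controls and plug-ins
1405,3,Script ActiveX controls marked safe for scripting
1604,3,Font download
2600,3,Enable .NET Framework setup
1608,3,Allow META REFRESH
2300,3,Allow Web pages to use restricted protocols for active content
1609,3,Display mixed content
1802,3,Drag and drop or copy and paste files
1800,3,Installation of desktop items
1806,3,Launching applications and unsafe files
1804,3,Launching programs and files in an IFRAME
1607,3,Navigate sub-frames across different domains
1E05,65536,Software channel permissions
1601,3,Submit non-encrypted form data
1606,3,Userdata persistence
2101,3,Web sites in less privileged Web content zone can navigate into this zone
1400,3,Active scripting
1407,3,Allow programmatic Clipboard access
1402,3,Scripting of Java applets
'@ | ConvertFrom-Csv

$current = Get-ItemProperty -Path $zone
$report = foreach ($r in $recommended) {
    $have = $current.($r.Id)          # $null when the value is absent from the key
    [pscustomobject]@{
        Id      = $r.Id;  Setting = $r.Setting
        Current = $have;  Wanted  = [int]$r.Want
        Ok      = ($have -eq [int]$r.Want)
    }
}
$report | Format-Table -AutoSize      # rows with Ok = False still differ from the checklist
if ($Apply) {
    $report | Where-Object { -not $_.Ok } | ForEach-Object {
        Set-ItemProperty -Path $zone -Name $_.Id -Value $_.Wanted -Type DWord
    }
}
```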

Firefox is still a better browser than IE 7

Changing IE 7′s default settings can remove some functionality from Web sites you may regularly visit. For example, disabling "active scripting" turns off JavaScript. Many sites use JavaScript to activate various menu options. For example, the menu at the WindowsSecrets.com site (but not in the newsletter) shows you what second-level options are available when you hover your mouse over a top-level option.

We’ve designed the menu at our site so it works (less slickly) even if JavaScript is disabled in a visitor’s browser. For example, you can simply click a top-level menu item and the resulting page then shows your second-level choices.

But not all sites have this kind of fall-back design. Here are my recommendations on how to use the Web effectively, despite the fact that you’ve made IE 7 more secure:

Use Firefox, not IE 7. Firefox is inherently a more secure browser than Internet Explorer, even version 7.0. For example, Firefox is not vulnerable to Secunia’s test of the MHTML hole that IE 7 (and IE 6 and IE 5) suffers from.

Most sites today work with both Firefox and IE (and other major browsers, such as Opera, Netscape, and Mac Safari). Sites that really require IE are declining. If you haven’t already installed Firefox, the new version 2.0 can be downloaded from the Mozilla release notes page. (Be sure to read the notes before installing.)

Add legitimate IE-only sites to the Trusted Sites zone. If you encounter a site that you know to be responsible — but it requires Internet Explorer for some reason — you can easily add the site to IE’s Trusted Sites zone. In IE 7, pages in the Trusted Sites zone run at the Medium security level (not Medium-High as in the Internet zone) and aren’t restricted by the customizations you’ve applied to the Internet zone.

To add a Web address to the Trusted Sites zone in IE, click Tools, Internet Options, and then select the Security tab. Select the Trusted Sites zone, click the Sites button, and add the address of the site you wish to visit. If the site doesn’t use encrypted pages, turn off the option Require server verification (https:) for all sites in this zone.

It’s even easier to add an address to your Trusted Sites if you install Microsoft’s Power Tweaks Web Accessories from the company’s download page. This applet inserts an option called Add to Trusted Zone right on IE’s Tools menu. (Microsoft’s download page says the download is only for IE 5, but it works fine on IE 6 and IE 7.)

Easily open pages in IE while in Firefox. If you use Firefox routinely, you can quickly open an IE-only page in IE by clicking an icon on the Firefox toolbar. To do this, install IE View, an extension available from Mozdev.org. You can even set specific sites to automatically open in IE, if you absent-mindedly surf to them in Firefox.

Install IE 7 just to protect yourself against IE 6. If you run Firefox or some other secure browser, you may wonder why you should upgrade to IE 7 at all. The answer is that you might be induced to visit an IE-only site some day, and that site turns out to be infected (deliberately or accidentally). Browsing with IE 7 instead of IE 6 does provide you with better protection, especially if you’ve made the changes shown above. To install IE 7, visit Microsoft’s download page.

Why not just set IE 7’s security level to “High”? It’s always possible to crank IE’s Internet Zone up to the High security level instead of Medium-High. Doing this, however, makes most Web sites unusable, because IE then pops up a warning every time some harmless page script runs. Sometimes, several warnings appear on every page of a site. Using the customized settings shown above — and adding respected companies to your Trusted Sites zone — provides you with fairly good protection without subjecting you to such pointless harassment.

Watch out for ClearType after installing IE 7. Rudely, IE 7 (when installed on XP machines) enables ClearType in browser windows, even if you had previously disabled it. ClearType makes text look less jagged on LCD screens, but it can make type look fuzzy on CRT monitors. This can affect other applications that use the IE rendering engine, such as the preview pane in Outlook and FrontPage.

You can turn ClearType off by running IE 7, clicking Tools, Internet Options, and selecting the Advanced tab. Under the Multimedia section, turn off Use ClearType. Alternatively, you can try tuning the effect to see if you like it, using MS’s online tuner page.

How to test your browsers for safety

As mentioned earlier, Secunia provides harmless test pages that can show you whether a particular browser is vulnerable to a known security threat. You should test every browser that you use.

Secunia’s test for the MHTML hole is linked to from two separate pages that apply to IE 7 and IE 5/IE 6 and Outlook Express 5.5 and 6.

Another set of tests demonstrates a new threat first reported on Oct. 25. This flaw, which Secunia rates as only 2 on a severity scale of 5, allows a rogue Web site that you visit to fake the address bar in a pop-up window that appears later. The pop-up window can appear to originate from a legitimate site that you happen to be visiting at that moment. This can lure you into entering passwords or other personal data.

This pop-up test is linked to from a page that specifically mentions IE 7. Firefox 1.x, however, also appears to be vulnerable to this kind of spoofing. There’s no workaround to correct this in either browser at this time, so always be suspicious of any pop-up window that appears unexpectedly.

Important note: If you’ve made the changes shown above to harden IE 7, the link on Secunia’s test pages entitled Test Now — Left Click On This Link won’t do anything when you click it. The lack of action demonstrates that the vulnerability has been eliminated. But it can be confusing if you don’t know why the link isn’t working.

Arie Slob provides three separate pages that explain the weaknesses in different versions of Internet Explorer and how the Internet Options should be changed. These pages cover IE 7, IE 6 with Service Pack 2, and IE 6 with Service Pack 1.

My original Windows Secrets story, which described how to harden IE 6 with Service Pack 1 (for people who, for whatever reason, couldn’t upgrade to SP2) was published on Nov. 18, 2004.

How to get more information

As I mentioned earlier, Chris Mosby’s column in the paid version of this newsletter explains how to protect yourself against new threats that haven’t yet been patched. Susan Bradley’s column describes how to work around any problems that have been found with officially released patches, and Ryan Russell’s column teaches you how to know when you have adequate protection.

To get these columns, and gain access to all of our old and new paid content for a full year, you can upgrade to the paid version of the newsletter. We don’t require any fixed fee. You can contribute whatever it’s worth to you. We want as many people as possible to have this information. How to upgrade

That’s it for now. If you have further information to share about IE 7, or you have a tip on any other topic, send it to me using the Windows Secrets contact page. You’ll receive a gift certificate for a book, CD, or DVD if I print a comment that you send. Thanks!

Brian Livingston is the editor of WindowsSecrets.com and the coauthor of Windows Me Secrets and nine other books.

All Windows Secrets articles posted on 2006-10-26: