IE 7 needs tweaking for safety

By Brian Livingston

Microsoft’s new Internet Explorer 7.0 browser, which was released to the public last week, includes several security improvements but still has weaknesses inherited from IE 6.

I’ll show you an easy way to “harden” IE 7 so you’re protected against hacker threats that haven’t even been invented yet.

IE 7 suffers from some IE 6 weaknesses

IE 7 does benefit from some significant updates over IE 6. For example, the so-called Phishing Filter in IE 7 warns you if a page you’re about to visit is in a real-time database of hacked sites. (You must turn on this filter for it to work. Hopefully, most users will do so because IE 7 asks for the filter to be enabled the first time you use the new browser.)

Also, IE 7’s new Protected Mode, which only works in Windows Vista, will prevent Web sites from modifying system files or settings. I described several of these new features in my Executive Tech column on Oct. 24.

Unfortunately, IE 7 still contains some security weaknesses that were present in IE 6 — and which Microsoft still hasn’t fixed in that older browser. The most publicized example since IE 7 went gold is the so-called MHTML hole. This problem allows a hacked site to read information from the window of a different site you’re visiting, such as an online banking service.

The respected security firm Secunia published an advisory on Oct. 19 publicizing a free test for the weakness in IE 7. The problem in IE 7 is almost identical to the one described by Secunia in an April 2006 advisory that affects IE 6. (Contributing editor Chris Mosby has more in his column in today’s paid newsletter, below, about this and other flaws that IE 7 has inherited from IE 6.)

Neither the IE 6 nor the IE 7 problem is considered severe. Secunia rates them only 2 on a scale of 5 in severity, mainly because a hacker must first get you to visit a rogue Web site before being able to read information from other sites you may visit. You can close the holes in both browser versions by changing Active Content to a setting of Disable in the Security tab of IE’s Internet Options dialog box. (See Figure 1.)

Figure 1: You can easily disable active scripting using IE 7’s Internet Options dialog box.


All Windows Secrets articles posted on 2006-10-26: