Getting on the right side of IE 7 security

Like it or loathe it, you have to know about it

As Internet Explorer tries to get serious on security, you have to find out how to make sure you don't look like one of the bad guys. When it comes to security, things are rarely black and white: my handy IM Web client is your potential security hole. The issue is who is in control: you, as the site developer, or the user who owns the PC that Internet Explorer is running on.

You want to get a site that looks and works the way you want; the user wants a browser that blocks phishing attacks and doesn't let sites reset the home page. IE Program Manager Rob Franco jokes about it: "My goal with IE 7 is to protect the system against the most destructive force in the universe; my brother, who believes that everything on the internet should be free and will click on anything to get it."

But protecting the naïve user from the malicious attacker can mean the blameless developer loses a feature they were relying on. Vista Beta 2 secures what's just been renamed Internet Explorer 7+ by running it in a new protected mode, which restricts the changes IE can make to the registry and the files it can update; but other security-related changes apply to IE 7 for Windows XP as well.

Take the phishing filter built into IE 7 to spot fake sites; this has already been triggered over 170,000 times during the beta, which is good news - if they're really fake banking sites or some such. But what do you do to make sure your site doesn't trip it accidentally?

To avoid making it too easy for the phishing sites, Microsoft hasn't published a full list of the heuristics the filter uses. As well as blocking URLs collected by security companies such as Cyota and Internet Identity, it's a learning system, so the list of blocked sites will change as phishing sites evolve. If you're collecting personal information about users, secure your site with SSL, and link to pages by domain name rather than by IP address.

From the few details in the Anti-Phishing white paper, the filter will also look for sites incorporating content or scripts from another domain. But the best approach is to test your site in IE 7 (or use the Phishing Filter add-on for the MSN Toolbar); if it is marked as a suspicious site or blocked as a malicious site, you'll see a link to report that it's not malicious. Franco promises reports from site owners will go to the top of the list for checking [but don't underestimate the potential business problems, to do with reputation and email for example, from being a "false positive" - test early and, presumably, retest at intervals - Ed].

The gopher protocol is now disabled fully, rather than just off by default; telnet is gone as well. You can't change the status bar via script for sites in the internet and restricted zones. You can't close a browser window from a script unless you created it by scripting in the first place. You can't hide the address bar in a pop-up window any more. And DHTML scriptlets are disabled by default (although users can turn them back on from the control panel).

There aren't many sites left using the weaker SSL 2.0; IE 7 won't support this, so now is a good time to switch to SSL 3.0 or Transport Layer Security (TLS). Virtual HTTPS hosting (with TLS Server Name Indication) is supported, but only in Vista. IE 7 also blocks sites with expired or revoked certificates, and where the certificate doesn’t match your URL (so you can’t use the certificate for www.mydomain.com on secure.mydomain.com, say, unless you have a wildcard *.mydomain.com certificate). And if you're only using base64 encoding to protect usernames and passwords, your users will see a warning that this is insecure.

If you mix secure and insecure content on a page, instead of seeing a dialog box that everyone turns off straight away, the content delivered by HTTP will be blocked until the user allows it from the InfoBar. This helps ensure that everything on the login page comes from your secure server and there are no links that could send users to a malicious secure server instead - all the lock icon proves is that you have a secured connection, not who you're connected to.
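As a pre-flight check for the certificate-name and mixed-content rules above, here is an added example (not from the article or from Microsoft) that scans a constructed login page for sub-resources still fetched over plain HTTP and tests whether a certificate name, including a wildcard, covers a hostname; the sample page and the mydomain.com hostnames are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make the browser fetch a sub-resource (an <a href> is only a link).
FETCH_ATTRS = {"src", "href", "data", "background"}


class _ResourceCollector(HTMLParser):
    """Collect the URLs of sub-resources a browser would fetch for the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS or not value:
                continue
            if name == "href" and tag != "link":
                continue  # only <link href> is fetched; <a>/<base>/<area> are not
            self.urls.append(value)


def find_mixed_content(html, page_url):
    """Return sub-resource URLs that would load over plain HTTP on an HTTPS page."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only matters on a secure page
    collector = _ResourceCollector()
    collector.feed(html)
    # Relative and protocol-relative URLs inherit https, so only explicit http:// is flagged.
    return [u for u in collector.urls if urlparse(u).scheme == "http"]


def cert_matches_host(cert_name, host):
    """Does a certificate subject name cover host? A leading '*' matches exactly one label."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    cert_labels, host_labels = cert_name.split("."), host.split(".")
    return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]


# Constructed login page: one stylesheet over https, two resources still on http.
SAMPLE_LOGIN_PAGE = """
<html><head>
<link rel="stylesheet" href="https://secure.mydomain.com/login.css">
<script src="http://cdn.mydomain.com/tracker.js"></script>
</head><body>
<form action="https://secure.mydomain.com/auth">
<img src="http://static.mydomain.com/logo.png">
<a href="http://www.mydomain.com/help">Help</a>
</form></body></html>
"""
```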

IE 7 will also support higher assurance SSL certificates when the standard is finalised, turning the address bar green to show you're using a certificate that's the legal equivalent of a company-approved signature. You can get a test root certificate here and try it out in IE 7 at this Microsoft demo site.

ActiveX handling has changed yet again. There are some popular ActiveX controls like Flash, Acrobat Reader and RealPlayer that will always work but, by default, ActiveX controls that are already installed on a PC will be disabled until the user allows them from the InfoBar. If they download an ActiveX control through IE 7, it won't be blocked and if they've already chosen to use an ActiveX control before they upgraded to IE 7 it won't be blocked, but you won't be able to access ActiveX controls on a user's PC without them knowing about it.

You can write to the Windows registry to pre-activate controls that are already on the PC; or to activate controls installed as part of your application (because they've been installed by software rather than a user, they'll be disabled).

Franco admits there is some risk of hackers using social engineering to reactivate a vulnerable control already on the PC, but Microsoft can block insecure controls directly. And no matter how many security improvements Microsoft makes in Internet Explorer, there isn't a security process that the determined user can't find a way to bypass. ®
