IE7 and Vista: Using IE7 and Vista Safely

Wednesday May 9th 2007 by Tony Piltzecker
Share:

Internet Explorer 7 has a number of safety features to enable you to protect against Internet threats.

IE 7 and Vista Improvements

With the release of Windows Vista, you can expect to use the newest and most secure version of Microsoft’s Web browser to date. New features in Internet Explorer 7 help to prevent the inception and spread of malware. To help protect a user’s personal information and the security of Vista in general, IE 7 comes with many new advances in security and tools to help prevent or limit damage from an attack.

One simple change is with the Secure Sockets Layer (SSL) protection offered when using the browser. Commonly, a padlock icon will show up in the bottom of the browser indicating that you are entering a “secure” site that uses encryption technologies. Now, the new security status bar helps by showing you in clearer terms that a site you are visiting is safe. The padlock also appears closer to the top of the browser and is highlight blue when safe. This is but one very simple example of things that have changed to make your browsing experience easier and safer.

Basic Browser Behavior

ie7 and vista, internet explorer and vista

This article is excerpted from “Vista for IT Security Professionals.” To order this book, please visit Syngress.

When surfing the Internet, it’s easy to visit sites that you think are safe, but are not. These sites can introduce malware when you click on the site itself, when you download a file from the site manually and install it, or worse, when you are conned into believing that the site you’re visiting is a real site, but in fact is nothing more than a fake used to garner your personal information.

Browser Exploits

Web browsers are client software programs, such as IE7, Netscape, and Opera, that connect to servers running Web server software (such as IIS or Apache) and request Web pages via a URL, which is a “friendly” address that represents an IP address and particular files on the server at that address. The browser receives files that are encoded (usually in Hypertext Markup Language [HTML]) and must interpret the code or “markup” that determines how the page will be displayed on the user’s monitor.

Browsers are open to a number of attack types. The embedded scripts (and even some of the markup language) can be used to exploit your browser. With Internet Explorer 7, new tools such as the Phishing Filter help to thwart these attacks.

Early browser programs were fairly simple and could be exploited by using minimal techniques. Today’s browsers are highly complex, signaling the need to secure them even further. These newer browsers are capable of not only displaying text and graphics, but also playing sound files and movies and running executable code. The browser software also usually stores information about the computer on which it is installed, as well as the user (via data stored as cookies on the local hard disk), which can be uploaded to Web servers—either deliberately by the user, or in response to code on a Web site.

These characteristics serve useful purposes. Support for running code (as “active content” such as Java, JavaScript, and ActiveX) allows Web designers to create pages that interact with users in sophisticated ways. Cookies allow users to set preferences on sites that will be retained the next time they visit the site.

However, hackers and attackers can exploit these characteristics in many ways. For example, an attacker can program a Web site to run code that transfers a virus to the client computer through the browser, erases key system files, or plants a “backdoor” program that then allows the hacker to take control of the user’s system.

Web Spoofing

Web spoofing is a means by which an attacker is able to see and even make changes to Web pages that are transmitted to or from another computer (the target machine).These pages include confidential information such as credit card numbers entered into online commerce forms and passwords that are used to access restricted Web sites. JavaScript can be used to route Web pages and information through the attacker’s computer, which impersonates the destination Web server. The attacker can send e-mail to the victim that contains a link to the forged page, or put a link into a popular search engine. SSL doesn’t necessarily prevent this sort of “man in the middle” attack; the connection appears to the victim to be secure, because it is secure.

The problem is that the secure connection is to a different site than the one the victim thinks he is connecting to. Hyperlink spoofing exploits the fact that SSL doesn’t verify hyperlinks that the user follows, so if a user gets to a site by following a link, he can be sent to a spoofed site that appears to be legitimate.

ie7 and vista, internet explorer and vista

This article is excerpted from “Vista for IT Security Professionals.” To order this book, please visit Syngress.

Web spoofing is a high-tech form of con artistry. The point of the scam is to fool the user into giving confidential information such as credit card numbers, bank account numbers, or Social Security numbers (SSNs) to an entity that the user thinks is legitimate, and then using that information for criminal purposes such as identity theft or credit card fraud. The only difference between this and the “real-world” con artist who knocks on a victim’s door and pretends to be from the bank, requiring account information, is in the technology used to pull it off.

Certain clues may tip off an observant victim that a Web site is not what it appears to be, such as the URL or status line of the browser. You may think you are going to a Web site simply because it’s listed in the URL field, while in another location on the browser, it’s indicated that you are going to a different URL. An attacker can also use JavaScript to cover his or her tracks by modifying these elements from your view.

An attacker can even go so far as to use JavaScript to replace the browser’s menu bar with one that looks the same but replaces functions that provide clues to the invalidity of the page, such as display of the page’s source code. Later versions of browser software have been modified to make Web spoofing more difficult. Older browsers are highly vulnerable to this type of attack. Improvements in Internet Explorer thwart spoofing attacks, because now you can check the validity of each site you visit.

Configuring Internet Explorer Securely

Now that you have a clear understanding of the types of malware in existence and the steps Microsoft has taken to prevent you from being exploited, let’s discuss how to configure and use these tools and settings. With Internet Explorer 7, there are many ways to improve security. Internet Explorer 7 in Windows Vista represents a major step forward in browser security and privacy protection. All of Internet Explorer 7’s security features revolve around making your computer and Web browsing experience all that it can—and should—be.

Protected Mode

Internet Explorer 7 has a new mode, called Protected Mode. When in Protected Mode, the browser will run without fear of malware taking over with elevated privileges. In addition to providing a more secure architecture in which to work, Protected Mode also assists with handling and verifying any scripted or automated action that would move data around the system, such as from the Temporary Internet Files folder, a haven for malware. Figure 2.1 shows the browser with Protected Mode enabled (or on) by default.

ie7 and vista, internet explorer and vista

This article is excerpted from “Vista for IT Security Professionals.” To order this book, please visit Syngress.

ActiveX Opt-In

Internet Explorer 7 allows for tighter control and security when working with ActiveX components. Many attacks have exploited ActiveX in the past. ActiveX components can handle file download and installation for the computer user. Although this is handy, malware takes full advantage of it whenever it can. ActiveX runs only on Microsoft-based systems, as it is made and updated by Microsoft in a proprietary fashion.

A new feature called ActiveX Opt-In will disable all ActiveX controls that haven’t been prescreened. In other words, if an ISV does not preset the control to work with Vista and Internet Explorer 7, it will not work. In fact, the security status information bar in Internet Explorer 7 will give you the option to work with each ActiveX control on a case-by-case basis. This allows the user to know exactly what each control is doing, what’s being installed, and so on.

Note:

ActiveX is a software technology developed by Microsoft that enables Internet Explorer to download applets and other tools and programs to be used with the browser to display pictures and video as examples. These programs are similar to Java applets, although Java is not constrained to using Microsoft-based products only.

Fix My Settings

Nothing could be easier than pressing one button to accomplish multiple tasks. Toward that end, Internet Explorer 7 has a new feature called Fix My Settings, which allows you to adjust the browser’s default settings with just a single click. Used with the Security Status Bar, Fix My Settings helps users quickly determine whether a Web site is authentic and whether changes to their settings by a site are appropriate, and will even suggest settings for the user.

If you visit a Web site that is questionable and Internet Explorer believes you may be at risk, the Security Status Bar will warn you of danger and give you options to fix or avert the danger. Here, you can see the Fix Settings for Me option, which will walk you through adjusting your settings so that you are not exploited.

If you have issues with your browser, you can always reset it from within the Internet Options settings found in Internet Explorer, by going to the Tools menu and selecting either the Security tab (which will allow you to reset the zone directly) or the Advanced tab (where you can choose the Restore advanced settings option). Then, you can turn your browser back to the manufacturer’s settings.

Security Status Bar

ie7 and vista, internet explorer and vista

This article is excerpted from “Vista for IT Security Professionals.” To order this book, please visit Syngress.

As mentioned earlier, the new Security Status Bar used with Internet Explorer 7 keeps an eye out for you as you browse, and makes suggestions based on your browsing habits. In other words, if Internet Explorer feels you are at risk, it will warn you and suggest a way to protect yourself from the possible threat.

The Security Status Bar operates by alerting you to issues that it believes may harm your system, and gives you options to help you navigate a potential issue. Users can now very quickly be warned about Web sites that are either authentic or spoofed/malicious in nature. By enhancing access to digital certificate information, which in turn helps validate the trustworthiness of e-commerce Web sites, you can now shop online with more confidence.

Windows Defender Windows Defender enhances security and privacy protections when used with Internet Explorer 7. Although we will cover Windows Defender in more depth later in this chapter, it’s important to know how it works with Internet Explorer 7 to secure your browsing experience.

Windows Defender is Microsoft’s new spyware destroyer. When used with Internet Explorer 7, Windows Defender can help to scan all data traversing the browser for malware signatures. If it finds such a signature, it will work with Internet Explorer 7 and help you rid yourself of it. Defender will also keep an eye on spyware that is attached to (piggybacking onto) legitimate software which tries to install without your knowledge.

NOTE: Windows Defender is a powerful new tool and we will cover it later in another article. Be aware, however, of how it ties into Internet Explorer to provide security against malware threats.

Setting Internet Zones

One of the most important features of Internet Explorer 7 is the ability to configure zones. When you open Internet Explorer’s properties, you will find the Security tab, which houses the Internet, Local intranet, Trusted sites, and Restricted sites zones.

You can configure these zones to allow for tighter security, or less-restrictive security, based on your browsing habits. For example, if you access the Internet and your local intranet simultaneously, you may need to configure security differently in each zone.

ie7 and vista, internet explorer and vista

This article is excerpted from “Vista for IT Security Professionals.” To order this book, please visit Syngress.

You can set each zone to the specific level of security you need. For instance, you may want to set the Internet zone to a very high level to avoid malware attacks (for the most part), even though it will reduce your browsing functionality severely, or you may want to set the Internet zone to a very low level so that you can do anything you want to do with your browser. You also can enable Protected Mode within this dialog.

If you need to configure more granular security, you can click on the Custom level button, which will open the Security Settings dialog for the zone you have selected. So, if you want to configure more granular levels of security on the Internet zone, select that zone and select Custom level, which will open the settings for that particular zone. Figure 2.5 shows advanced settings in which you can adjust for the Internet zone to include advanced cookies.

Configuring Privacy

The next tab you can configure within Internet Options is your privacy level. In the Internet Options dialog box, select the Privacy tab. In the Privacy tab, you will find many settings to help secure your browser further. For example, you can select privacy settings based on a specific zone.

When configured correctly, you can either raise or lower the privacy settings you want based on your browsing habits. When the Internet zone is configured with a medium privacy rating, this makes sure that all third-party cookies are blocked from doing things you may not want them to do.

You can also select the Site s button, which will allow you to configure specific sites that you will either allow or not allow to use cookies, regardless of the privacy policy you select. Although the privacy settings may disallow cookies altogether, this setting allows you to manually override Internet Explorer’s privacy settings to allow any site you feel is not a threat.

You can also use the Advanced button on the Privacy tab to specify how cookies should be handled in a particular zone. For the Internet zone, you can configure to override automatic cookie handling, and specify more granular settings.

Internet Explorer 7 also provides settings that allow you to control your security. On the bottom of the Privacy tab dialog you will find the Pop-up Blocker. Here, you can enable the Pop-up Blocker to block any pop up (or warn of a pop up) whenever you surf the Internet. By clicking on the Settings button, you can further control the Pop-up Blocker. You also can specify sites from which you will allow pop ups without the need to be prompted, in case you visit sites often that have pop ups which are generally benign in nature.

Other settings include a filter level, which can help you select a filtering level that makes sense for your browsing habits, as well as information bar settings and notifications such as sounds that will play when a problem occurs.

Advanced Security Settings

The last tab in the Internet Options dialog is the Advanced tab, as seen in Figure 2.10. Within this tab, you will find more than 100 settings that you can adjust. The best way to see what you can do is to scroll through all the options and read them one at a time, as they are very self-explanatory. You can see a few settings that are crucial to applying security to Internet Explorer 7 and should not be overlooked.

For example, you can set more advanced security settings within the Security branch of the Advanced tab. Here you can adjust Internet Explorer’s behavior by further controlling what it can and cannot do. For example, you can select to Allow software to run or install, even if the signature is invalid. Obviously, you would want to leave this unchecked because an invalid signature could lead to an exploited browser, depending on the nature of the site visited.

Here you can adjust how the Phishing Filter behaves, as well as use of the SSL and Transport Layer Security (TLS) protocols.

Once you have completed setting your Advanced security options, click on OK to close the dialog box. Some changes may require you to restart Internet Explorer. Simply close the browser and reopen it to continue working with your new settings.

Share:
Home
Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved