January 23, 2006 12:00 AM

Get Ready to Bump Up Security with IE 7.0

Beta 1 of the new browser gives a preview of security enhancements
Windows IT Pro
InstantDoc ID #48822

Over the past few years, Microsoft Internet Explorer (IE) has had its share of bad publicity as a result of security vulnerabilities that fall into two basic categories: viewing malicious content or installing unsafe code. The browser might bring you a link to a nefarious Web site or a maliciously coded HTML-based email message. Also, phishing email messages and links to software on fringe sites (e.g., pornographic or gambling sites) sometimes lure users to install ActiveX controls that give attackers privileged access to their computer systems.

The browser's tight integration with the OS, including a flexible application programming interface (API), has launched a burgeoning Application Service Provider (ASP) market and made IE a popular platform for corporate-intranet programming. Unfortunately, attackers took advantage of this flexible framework, and soon IE became a popular target for spyware, adware, worms, and other browser-based exploits. Of course, the fact that IE has come standard on every Windows OS for more than 10 years makes it a natural target for attackers as well. IE's perceived—and real—security vulnerabilities have become so bad lately that many pundits recommend switching to an alternative browser such as Mozilla Firefox, even in light of the compatibility problems that arise from using a browser that doesn't support ActiveX. (For more information about whether choosing an alternative browser is a good idea, see the Web sidebar "Firefox or IE 7.0?" at InstantDoc ID 48823.) Now, IE 7.0 is in beta, and although it doesn't completely address all the problems (yes, you must still educate users about how not to install unfamiliar software), the new release adds many security improvements. Of course, regardless of IE's security improvements, the greatest security vulnerability is still the end user. Many of IE 7.0's security improvements help users assess the safety and integrity of a site and make informed decisions about Internet use. Let's take a look at what you can expect from the next release of IE and specifically at the user-targeted security features you'll find.

Two Versions
Microsoft will release two versions of IE 7.0. Users of Windows XP Service Pack 2 (SP2) will be able to download a standalone version that will upgrade IE 6.0. Also, Microsoft is including IE 7.0 in its new Windows OS, Vista. This integrated browser will include additional security features, such as protected mode, that aren't available in the standalone version. Protected mode provides a wrapper around IE 7.0 that leverages Vista's User Account Protection (UAP) technology and prevents the browser from directly accessing the OS. This feature should prevent the elevation-of-privilege attacks that plague earlier versions of IE. While in protected mode, IE 7.0 will be unable to directly access local resources, such as the user or system files or the registry, and will be able to write only to Temporary Internet Files. You must initiate any requests for privileged access—such as installing an ActiveX control or saving a Web page—by clicking the IE UI. This action invokes a broker process to manage the connection between the browser and the OS. Additionally, you'll be able to classify which ActiveX controls are available to the browser (e.g., Macromedia Flash) and which will be accessible to the OS. Although this code is still in beta and Vista isn't expected until the second half of 2006, this feature alone will be one of many compelling reasons to upgrade to Vista.

Microsoft has tweaked numerous IE security features to make them more accessible in version 7.0. IE 7.0 exposes several security features directly in the IE 7.0 interface so that users don't have to search the menus. For example, the Tools menu now includes several new options, including the phishing filter and a new feature, Delete Browsing History, which deletes all of the currently saved cookies, history, Web-form data and passwords, and temporary files. This accessibility is good because most browser users probably never visit the menus, choosing instead to interact by using just the address bar and associated buttons such as Home, Forward, Back, and Refresh.

A Site Security Report
Web sites encrypt sensitive information over HTTP Secure (HTTPS) by using either Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and today, most Web sites encrypt all personal information. IE 7.0 changes the default HTTPS protocol settings and will disable SSL 2.0 and enable TLS 1.0 to provide stronger Web site encryption. In addition, IE 7.0 makes the status of an HTTPS connection more visible to users. Most browsers signal an SSL-protected page by displaying a padlock icon, or you can look at the URL designator: "HTTPS" indicates a protected page. IE 7.0 goes further and presents a security report for the site. When you visit an SSL-encrypted site, you can access this report by clicking the lock icon to the right of the address bar. Alternatively, you can access the security report by selecting View, Security Report. As Figure 1 shows, the security report summarizes the site's SSL status, including the encryption level and certificate owner. Clicking View Details shows you the same certificate information dialog box you see in current IE releases. Knowing this information can help a user discern a legitimate Web site from the kind of spoofed Web site common to phishing attacks.

IE 7.0 also provides more information than previous releases about problematic HTTPS certificates to better notify users when problems exist. If a Web site presents an invalid certificate (e.g., the certificate was issued to a host name different from the name in the URL, the certificate's root CA is untrusted, or the CA is expired), IE 7.0 will redirect users to a warning page. Users can continue to the page, but if they do, they'll see a constant reminder of the site's questionable security: IE 7.0 will paint the URL address bar bright red. I'm sure this feature will cause many companies to redeploy internal certificates or URLs to ensure that the sites' certificates are valid. For example, many intranet sites signed with company certificates will be marked invalid for home users who haven't installed the company's root certificate.
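The three certificate problems listed above are what a site security report boils down to. The following Python sketch is an added example (not code from this article or from Microsoft) that applies those checks to certificates laid out the way Python's ssl.SSLSocket.getpeercert() returns them. Every certificate, host name and trust store below is constructed, and "trusted root" is simplified to issuer-name membership in a set; a real browser verifies the whole chain and its signatures.

```python
"""Checks behind a site security report, modelled on the three certificate
problems the article lists: host name mismatch, untrusted root CA, expiry.
Added illustration, not IE code. Certificates are dictionaries in the shape
ssl.SSLSocket.getpeercert() returns; every value below is constructed, and
'trust' is reduced to issuer-name membership in a trust store (no chain or
signature verification), which is an assumption of this toy."""
import ssl


def _dns_match(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leading wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p, h = pattern.split("."), hostname.split(".")
        return len(p) == len(h) and p[1:] == h[1:]
    return False


def _cn(name_rdns) -> str:
    """Pull commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in name_rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def _dns_names(cert: dict) -> list:
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names or [_cn(cert.get("subject", ()))]  # CN only when no SAN


def security_report(cert: dict, hostname: str, trusted_roots: set,
                    now: float) -> dict:
    """Summarise what the browser would show: owner, issuer and problems."""
    problems = []
    if not any(_dns_match(n, hostname) for n in _dns_names(cert)):
        problems.append("hostname_mismatch")   # issued to a different host
    if _cn(cert.get("issuer", ())) not in trusted_roots:
        problems.append("untrusted_root")      # root CA not in this PC's store
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    return {"owner": _cn(cert["subject"]),
            "issuer": _cn(cert["issuer"]),
            "problems": problems,
            "address_bar": "red" if problems else "normal"}


# Constructed sample data -------------------------------------------------
PUBLIC_ROOTS = {"Example Public Root CA"}                        # home PC
CORPORATE_ROOTS = PUBLIC_ROOTS | {"Example Corporate Root CA"}   # managed PC
NOW = ssl.cert_time_to_seconds("Jan 23 12:00:00 2006 GMT")       # article date

INTRANET_CERT = {
    "subject": ((("commonName", "intranet.example.com"),),),
    "issuer": ((("commonName", "Example Corporate Root CA"),),),
    "subjectAltName": (("DNS", "intranet.example.com"),
                       ("DNS", "*.intranet.example.com")),
    "notAfter": "Dec 31 23:59:59 2006 GMT",
}
# A certificate for one host presented by a look-alike host (the spoofed
# site case), and already past its expiry date.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "www.bank-example.test"),),),
    "issuer": ((("commonName", "Example Public Root CA"),),),
    "subjectAltName": (("DNS", "www.bank-example.test"),),
    "notAfter": "Dec 31 23:59:59 2005 GMT",
}

if __name__ == "__main__":
    print(security_report(INTRANET_CERT, "intranet.example.com", CORPORATE_ROOTS, NOW))
    print(security_report(INTRANET_CERT, "intranet.example.com", PUBLIC_ROOTS, NOW))
    print(security_report(LOOKALIKE_CERT, "www.bank-example.test.evil.test", PUBLIC_ROOTS, NOW))
```

The second call reproduces the intranet scenario: the same certificate is fine on a managed PC but reports an untrusted root on a home PC whose store lacks the corporate CA. The wildcard entry also shows why a single label is all a wildcard covers.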

Finally, you probably recognize the message "This page contains both secure and nonsecure Items. Do you want to see the nonsecure items?", which prompts users to click Yes or No to continue. IE 7.0 will now block the nonsecure content and will permit access only through the information bar, in much the same way that IE 6.0 blocks file downloads and popups today.
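What counts as a "nonsecure item" is any subresource an HTTPS page pulls in over plain HTTP. The scanner below is an added example (not the article's or IE's code) that finds them in a page's HTML; the tag-to-attribute table and the sample page are constructed, and the table is a subset chosen for illustration.

```python
"""Finds the 'nonsecure items' on an HTTPS page: subresources that the browser
would fetch over plain HTTP. Added illustration of the check the article
describes, not IE code; the tag table and the sample page are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser fetch something automatically while
# rendering. A constructed subset: form actions and links the user must click
# are out of scope because they are not loaded with the page.
FETCH_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "frame": "src",
    "link": "href", "object": "data", "embed": "src", "source": "src",
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.nonsecure = []   # (tag, absolute URL) for every http:// fetch

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)       # HTMLParser lower-cases tag names
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # urljoin resolves relative ("/x.css") and scheme-relative
                # ("//host/x.js") references against the page, so those
                # inherit https; only an explicit http:// URL is nonsecure.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme.lower() == "http":
                    self.nonsecure.append((tag, absolute))


def find_nonsecure_items(page_url: str, html: str) -> list:
    """Return the http:// subresources of an https:// page (empty otherwise)."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []           # mixed content is only a concern on a secure page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.nonsecure


# Constructed sample page: the login page itself is secure but pulls in a
# tracking script and an advert frame over plain HTTP.
SAMPLE_URL = "https://www.bank.example/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.test/tracker.js"></script>
<script src="//static.bank.example/app.js"></script>
</head><body>
<img src="https://static.bank.example/logo.png" alt="logo">
<iframe src="http://ads.example.test/frame.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_nonsecure_items(SAMPLE_URL, SAMPLE_HTML):
        print(f"nonsecure {tag}: {url}")
```

Run against the sample page it reports the tracker script and the advert frame and nothing else: the stylesheet and the scheme-relative script resolve to https, and the logo is already https. A site owner who wants to avoid the information bar fixes exactly the URLs this list prints.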

Phishing Filter is the New Popup Blocker
The most remarkable (and debated) new security feature in IE 7.0 is the phishing filter. Phishing is the nefarious act of luring someone to a spoofed Web site under false pretenses, usually by sending an enticing email message containing a link to the site. For example, in one popular phishing scam, an attacker impersonating a bank sends an email message that directs the recipient to a false Web site to "update account information." Victims end up giving their account information to the attacker. The IE 7.0 phishing filter analyzes each Web site you visit for characteristics common to phishing Web sites. If IE makes a match, it will allow access to the site but will flag the site as suspicious and warn you by displaying a dialog box. Then, IE takes the warning one step further: It inspects the URL of every Web request by using two methods to attempt to validate that the target Web site is legitimate. First, IE compares the Web-site address with a list of legitimate Web sites, which is stored on the local computer. The computer periodically downloads updates to the list from Microsoft. The list contains many prominent sites, such as the largest banks and services, which are often targets of phishing attacks. If the URL matches a URL on the list, IE permits access.

Phishing sites come and go fairly quickly, so to actively check URLs in real time, Microsoft employs an innovative (and hotly debated) feature: live links to a phishing database. When you first run IE 7.0 after installation, it will ask if you want to opt in to this feature. If you consent, IE 7.0 sends Microsoft each URL that you visit to confirm that the address isn't that of a known phishing site. If the site is deemed a phishing site, IE 7.0 will block navigation to that page, warn you, and ask whether you want to visit the site or close the Web page. Microsoft updates this phishing database several times an hour, and IE includes options to report a false positive or a new phishing site. Many of Microsoft's anti-phishing initiatives originated from MSN and MSN Hotmail and now have made their way into the browser to provide an unprecedented level of protection from both known and unknown phishing sites. If active URL checking is disabled and the site isn't listed on Microsoft's downloaded list of safe sites, IE displays a clickable warning icon at the bottom of the browser window that prompts you to take action, as Figure 2 shows.
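The two preceding paragraphs describe three sources of evidence (a local list of legitimate sites, a live known-phishing database, and heuristics for characteristics common to phishing URLs) and four outcomes (allow, block, warn, or the "unverified" icon when live checking is off). The Python sketch below is an added example that is not Microsoft's filter and not code from this article; it models the live database as a local set, uses generic heuristics I chose for illustration, and approximates a "registrable domain" with the last two labels of a host name. All host names, lists and URLs in it are constructed.

```python
"""Toy model of the phishing check the article describes: a local allow list
of legitimate sites, a lookup against a known-phishing database (Microsoft's is
remote and opt-in; here it is a constructed local set), and heuristics for
characteristics common to phishing URLs. Added illustration, not Microsoft's
filter; every list, host name and heuristic below is constructed."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Stand-in for the downloaded list of legitimate sites (constructed).
KNOWN_GOOD_HOSTS = {"www.bank.example", "login.mail.example", "www.shop.example"}
# Stand-in for the live phishing database, keyed by normalised URL (constructed).
KNOWN_PHISHING_URLS = {"http://203.0.113.7/bank.example/login.php"}
# Words phishing hosts often carry to look like a sign-in page (assumption).
SUSPICIOUS_WORDS = ("login", "secure", "verify", "update", "account")


def normalize(url: str) -> str:
    """Lower-case scheme and host and drop the fragment so lookups are stable."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return urlunsplit((p.scheme.lower(), host, p.path or "/", p.query, ""))


def registrable_domain(host: str) -> str:
    """Last two labels; a real filter would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def heuristics(url: str) -> list:
    """Return the characteristics of a URL that resemble a phishing site."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    flags = []
    if p.username or p.password:            # http://www.bank.example@evil.test/
        flags.append("credentials_in_url")
    try:
        ipaddress.ip_address(host)          # raw IP address instead of a name
        flags.append("ip_address_host")
    except ValueError:
        pass
    if len(host.split(".")) > 4:            # www.bank.example.login-verify.test
        flags.append("many_subdomains")
    brands = {registrable_domain(h) for h in KNOWN_GOOD_HOSTS}
    own = registrable_domain(host)
    if any(b in host and b != own for b in brands):
        flags.append("brand_in_subdomain")  # a real site's name inside another
    if any(b in p.path.lower() for b in brands):
        flags.append("brand_in_path")       # 203.0.113.7/bank.example/...
    if any(w in host for w in SUSPICIOUS_WORDS):
        flags.append("suspicious_keyword")
    return flags


def classify(url: str, remote_check_enabled: bool = True):
    """Decide as the filter would: allow, block, warn, or 'unverified' when
    live checking is off and the site is on neither list."""
    host = (urlsplit(url).hostname or "").lower()
    if host in KNOWN_GOOD_HOSTS:
        return "allow", []
    if remote_check_enabled and normalize(url) in KNOWN_PHISHING_URLS:
        return "block", ["known_phishing_site"]
    flags = heuristics(url)
    if flags:
        return "warn", flags
    return ("allow" if remote_check_enabled else "unverified"), []


if __name__ == "__main__":
    for u in ("https://www.bank.example/login",
              "http://203.0.113.7/bank.example/login.php",
              "http://www.bank.example@evil.test/",
              "https://www.newsite.test/"):
        print(u, classify(u), classify(u, remote_check_enabled=False))
```

The ordering (allow list first, then the database, then heuristics) is my arrangement of the article's description; it means a legitimate bank's own login page never trips the keyword heuristic, while the same IP-address URL that the database blocks is still warned about when live checking is turned off.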

It's hard to imagine an effective phishing filter that doesn't reference the latest database of information because many phishing sites are up and running for less than a day. But Microsoft's method of automatically checking sites has stirred up quite a bit of controversy. Many people applaud Microsoft's effort to solve a real problem that's plaguing Internet users. But others are suspicious of how Microsoft will use the information it collects or wonder how the automatic checking will affect network performance.

Comments
  • Anyhoo
    Dec 13, 2006

    This article said:

    Finally, you probably recognize the message This page contains both secure and nonsecure Items. Do you want to see the nonsecure items?, which prompts users to click Yes or No to continue. IE 7.0 will now block the nonsecure content and will permit access only through the information bar, in much the same way that IE 6.0 blocks file downloads and popups today.

    This is incorrect. IE 7 displays the modal dialog box, just as IE 6 did. However, with IE 7 there is no way to turn off the message with the browser settings. Setting "Display Mixed Content" to "Enable" does not disable the message. Can anyone else verify this, and if so, does anyone here have a way to disable this message in IE 7 if a secure page displays mixed content?
