
Get the details on Internet Explorer 7's security improvements

IE 7 offers a number of enhancements designed to make browsing safer. Windows expert Deb Shinder examines the major features, such as ActiveX opt-in, the Phishing Filter, and cross-domain security, along with smaller changes, like "no add-ons" mode and the color-coded address bar that marks sites that have undergone identity verification.


IE 7 includes new end-user features such as tabbed browsing, but its main claim to fame is added security. Both as a browser upgrade for XP and as the built-in browser for Windows Vista, IE 7 provides a number of new mechanisms to make Web browsing more secure. Let's look at the most important of them.

ActiveX marks the (hot) spot

One of the biggest security complaints against Internet Explorer in the past, and a reason many people preferred Firefox and other browsers, was the risk posed by ActiveX controls. ActiveX lets Web developers build richer pages than plain HTML allows. But ActiveX controls are native executable code that the browser can download and run with the full privileges of the logged-on user, so a malicious (or merely buggy) control can read and modify files on the computer, open connections to other machines, and send data off the box without the user's knowledge.

Microsoft's response to security experts' concern over ActiveX led to some big changes in IE 7. A new feature called ActiveX opt-in disables, by default, controls that are already installed on the computer but that IE has never been used to run (controls that arrived with other software, for instance). If you go to a Web site that needs one of these disabled controls, the Information Bar at the top of the browser window tells you that the site wants to run the control, shows the control's name and its publisher's name, and lets you choose whether to allow it. Once you allow a control, it stays enabled for later visits until you disable it again through Manage Add-ons.

The problem with any security mechanism is balancing protection against user convenience. User complaints about Windows Vista's seemingly omnipresent UAC dialog box illustrate the frustration that in-your-face security can cause. To add protection without unduly inconveniencing users, Microsoft included a pre-approved list of controls that ActiveX opt-in leaves enabled: commonly used controls that Microsoft has vetted. Users won't be prompted before running those controls.

In addition, ActiveX opt-in can be turned on or off per zone. By default, it applies to the Internet and Restricted Sites zones and not to the Local Intranet and Trusted Sites zones. To change it, open Internet Options | Security, select the zone, click Custom Level, and set "Allow previously unused ActiveX controls to run without prompt" as desired (Figure A).

Figure A

You can customize the Active X opt-in behavior for each security zone.

Developers of ActiveX controls can make their controls safer by using site-locking (restricting the control to a particular Web site domain, for example with Microsoft's SiteLock template), zone-locking (allowing the control to run only when IE is in a specific zone, such as Local Intranet), and digital signing with Authenticode so users can verify who published the control. Keep in mind that a valid signature tells you who shipped a control, not that the control is safe.

No more going phishing

To cope with the escalating problem of phishing, IE 7 adds the Microsoft Phishing Filter. With automatic checking turned on, the filter compares each Web site you visit against a Microsoft-maintained list of reported phishing sites and warns you if the site is on it. If you'd rather not have every site checked automatically, you can check an individual site when you suspect it: click Tools | Phishing Filter | Check This Web Site.

The filter works in stages. It first checks the site against a list of known legitimate sites stored on your computer; sites on that list are not checked any further. It then applies heuristics to the page and its address, looking for characteristics common to phishing sites, and marks the site as suspicious (yellow address bar with a warning) if it finds them. Finally, with automatic checking on, it sends the site's address to the Microsoft service for comparison with the list of reported phishing sites; a confirmed phishing site gets a red address bar and a warning page that blocks navigation. If you come across a phishing site that the filter doesn't flag, you can report it to Microsoft; it will be investigated and added to the list if appropriate.

You can disable the Phishing Filter, or turn automatic checking off and on, through the Advanced tab in Internet Options, shown in Figure B.

Figure B

You can configure the Phishing Filter through the Internet Options Advanced Settings tab.

For more information about IE 7's Phishing Filter, see the Phishing Filter FAQ on the Microsoft Web site.

Cross-domain security

Cross-domain scripting attacks get script belonging to one security domain (say, an attacker's page) to read or drive content belonging to another (say, a banking site), typically through a browser window or frame that the attacker opened in his own domain and then redirected to the other one. IE 7 binds scripts and other Web objects to the security context they came from, and that context does not follow a redirect: once the window has been navigated to a different domain, script from the first domain loses access to the window's contents. By default, cross-domain data access is denied in every security zone. IE 7 also refuses to navigate a window or frame in another domain to a script URL (a javascript: address, which would execute in that window's context) and blocks redirected navigation through DOM objects wherever a cross-domain exploit is possible. The net effect is that a page's scripts can't interact with data that belongs to another domain.

IE protected mode in Vista

In Windows Vista, IE 7 runs in Protected Mode by default. Protected Mode depends on User Account Control (UAC) and is unavailable when UAC is turned off. The browser process runs at the Low integrity level, with only the permissions needed to surf the Web, and plug-ins and add-ons loaded into that process inherit the same low privileges.

Protected Mode helps prevent Web sites from installing malicious code on the computer without the user's knowledge. The low-integrity browser process can write only to a few low-integrity locations, such as the Low subfolder of Temporary Internet Files and a matching low-integrity area of the user's registry hive; attempts to write anywhere else fail unless the user explicitly allows them.

When something legitimately needs to write outside those locations, say saving a download to your Documents folder or installing an ActiveX control, IE hands the work to a separate broker process (ieuser.exe for tasks that need only the user's normal rights, ieinstal.exe for installs that need administrator rights) that runs at a higher integrity level and obtains the user's consent. The broker processes are designed so that they can't be driven by script without user input. For a deeper technical understanding of IE 7 Protected Mode, see the MSDN article on the subject.

Locked down security zones

The security zones in IE 7 are more locked down. The Local Intranet zone is now disabled by default on computers that aren't joined to a Windows domain. This zone normally carries less restrictive settings than the Internet zone, but most home and small-business users on peer-to-peer networks have no intranet to reach; with the zone disabled, any site that would have fallen into it gets Internet-zone settings instead, and an Information Bar notice lets you turn the zone back on if you do need it. In addition, the default level for the Trusted Sites zone is now Medium rather than Low, and the slider no longer goes down to Low or Medium-low; to set a zone below Medium you have to use Custom Level.

Better SSL/TLS notification

It's now easier to tell whether the transactions you carry out on a Web site (Internet banking, say, or paying by credit card at an online merchant) are protected by Secure Sockets Layer (SSL) or Transport Layer Security (TLS), the protocols Web sites use to authenticate the server and encrypt what travels over the Internet.

When you open an HTTPS page, IE 7 shows a padlock icon to the right of the address bar; click it to see whom the certificate was issued to, who issued it, and whether it checks out, as shown in Figure C. In previous versions of the browser the padlock sat in the status bar at the bottom of the window, where it was small and easy to overlook. Two caveats are worth knowing. The padlock tells you that the connection is encrypted and that the certificate chains to a root IE trusts, not that the site behind it is honest. And IE 7 no longer lets a site with a bad certificate load quietly: it interrupts with a full-page certificate warning, and if you continue anyway the address bar turns red.

Figure C

The new, more prominent SSL/TLS icon makes it easier for users to see whether the connection to a Web site is encrypted and whom the server's certificate was issued to.

Additional security enhancements

Along with the major security improvements discussed above, a number of smaller changes were made to help make the browsing experience more secure. These include:

  • IE 7 uses a color-coded address bar to identify Web sites that have gone through a stricter identity verification process. Sites that present a high assurance (Extended Validation) certificate turn the address bar green and show the verified organization name beside it. The green bar appears only when the Phishing Filter is turned on.
  • Three new registry keys, called Feature Control keys, harden IE 7 against HTML content (from the Internet or an intranet) that tries to get at a user's personal information; IE 7 opts in to all three by default. One of them, object caching protection, stops script from holding on to references to a page's objects once the window has navigated to a new page, whether the navigation stays within the same domain or crosses domains, so a page can't pull data out of a document that has already been replaced.
  • You can more easily protect your privacy, especially on shared or public computers, by deleting your browsing history, cached pages and objects (Temporary Internet Files), passwords IE has remembered, cookies, and data you've entered into forms, all from one interface (and all at once with a single click if you like), as shown in Figure D.
  • In the past, pop-ups could open new windows that had no address bar, which made it easier to pass off a malicious site as one you'd normally trust. In IE 7, every window carries an address bar so you can see the URL of the site.
  • Security threats often sneak in the back door via browser add-ons and plug-ins. If you're concerned about this, you can start IE 7 in "no add-ons" mode (Start | All Programs | Accessories | System Tools | Internet Explorer (No Add-ons), or run iexplore.exe -extoff from a command prompt). This is also the way to recover when malware or a broken extension leaves the browser unable to open. Previously, if an extension was crashing IE and you had no other browser installed, you had no way to get to the Web to download the tools or information you needed to fix the problem.
  • Some clever attackers have registered URLs that use international characters to spoof legitimate Web sites: the domain name contains characters from another script that look like the Latin letters of a different domain. IE 7 counters this type of spoofing when a domain name mixes scripts within a label or uses a script outside your configured languages: it shows the address in its Punycode (xn--) form and tells you that the characters come from a different language, so the look-alike characters can't pass for the real thing.

Figure D

You can cover your tracks with just one click to protect the privacy of your browsing history.

Glossary

  • ActiveX: A technology developed by Microsoft, an outgrowth of Object Linking and Embedding (OLE) and the Component Object Model (COM), that lets Web developers make Web pages interactive and provide the same kinds of functions as Java applets.
  • User Account Control (UAC): A security technology in Windows Vista that reduces exposure to attacks by running programs with standard-user rights, even when you're logged on with an administrative account, until a task actually requires administrative privileges. The user must then explicitly approve the elevation: an administrator confirms it, and a standard user must enter administrative credentials.
  • Phishing: A type of technology-based social engineering ploy in which computer users are directed, usually via e-mail, to a Web site that purports to be that of a bank, loan company, credit card company, e-commerce merchant, government agency, or other site that requires users to enter confidential information, such as account passwords, account numbers, and social security numbers, which is then collected and used for identity theft.
  • Scripting: Use of a simplified programming language (called a scripting language) to write instructions that run as part of a Web page.
  • Security zones: A technique used in Internet Explorer to assign different levels of security to different sets of Web sites depending on where they're located or how much you trust them. For example, if you consider a site untrustworthy, you can place it in the Restricted Sites zone; if you know it's safe, you can place it in the Trusted Sites zone. Sites on the Internet will, by default, have tighter security imposed than those on an intranet.
  • SSL/TLS: Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL), which was originally developed by Netscape to make e-commerce transactions over the Internet safer. It uses public key (asymmetric) cryptography and digital certificates to assure users that the Web server they're doing business with has had its identity verified (authentication), and symmetric encryption, such as 3DES or AES, to encrypt the traffic.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

22 comments
JodyGilbert

How well do you think IE 7's new security features will protect your users? Do you see some genuine improvements or are the features more hype than substance?

aa8vs

Is there a possibility that lockups can occur if folks are bypassing the system with patches from foreign sites, to avoid buying, auto updates, etc.? And maybe IE 7 catches this or can't deal with it and just stops?? Ever wonder?

bud_wood_jr

Yahoo recommends this download. I did as suggested. After the download I had to reboot. When I got back to my desktop, everything froze. Attempted to reboot; could not sign off, had to crash my computer. Three times I did this; finally I restored my Windows XP. What is the old saying: if it ain't broke, don't fix it. IE 7 sucks big time.

dawgit

Really bad timing on this, after it gets pulled from distribution for the security bugs. There is some improvement in there, no argument, but is it what MS's marketing hyped it up to be? Doesn't look like it. I would suggest MS totally dump their marketing dept. and stick to producing software. Their market hype is getting the company into way too many sticky situations.

pappasmurfsr49

Can anyone suggest an online site to scan my computer BEFORE loading IE7? I've cleaned this thing 3 times and it STILL crashes when I load IE7.

michaelring

I bought a Dell laptop with a UXGA video card. I use Netscape since IE 6 wasn't able to render JPGs clearly. I upgraded to IE 7 to see if that would "clear" up the issue. IE 7 still doesn't render graphics clearly, but it does crash my Netscape setup every time it updates itself.

morgan101

What kind of system are you running? I downloaded and had no problems. It was seamless.

marquez

I've installed IE7 on three units with no issues. IE7 will only work on Windows XP SP2 and Vista. Some of the other postings recommend that you check for malware prior to installing. I've been using IE 7 on my work desktop and laptop since its release date and everything has been going fine. Took me a little bit of time to get used to the new layout.

tomp12

THIS IE7 PROGRAM WILL ONLY WORK ON WINDOWS XP, NOT 98, 95 OR 2000.

ByteBin-20472379147970077837000261110898

I have no problems here with IE7. In fact, I may switch regular browsers and use IE7 and keep Firefox as a backup instead of the other way around. I like Firefox too, so I won't be getting rid of that completely. I like IE7 though. Some of the "new" features are long overdue. Glad to see IE finally is catching up.

verd

It could be that you did not remove adware and malware from your computer before you installed the program, as this would cause you to have this kind of problem. It was recommended you do this before you installed it.

tarkers

I've been running IE7 since it's been available and I must admit it's been very stable. I've not had any probs whatsoever. Although, on saying that, I use third-party tools to stop phishers etc., so I've turned off most of the, ahem, "security features". Do you have yours turned on? Just trying to find what's different between our setups. Also, I think there's always these kinda problems with new releases of anything from M$. I guess it's just different setups, apps etc.

?/\/\?|???\/???

You have a source for this claim? I haven't heard anything about IE7 being "pulled from distribution".

johnfarnham

Michael Ring: If you're trying for a more obscure browser, I have had no problems with SeaMonkey and IE 7, nor Firefox 2.0 and Opera 9, on XP SP2 Home, all on one tower.

henkenm

When I used IE7 Beta and clicked on a link, Outlook Express would open. Now I have the official release of IE7 and if I click on a link somebody can read my screen. Reporting of suspicious sites: I reported one to a security firm, received a wonderful email thanking me and was notified that my email was being forwarded to the Lab. So I thought I'd better report this to the bank involved, the Commonwealth Bank in Australia. No reply. Weeks later the site was still in business and today I get at least 3 emails that are obvious phishing sites. Obvious to me, that is. IE7: Do this, do that. Am I retired just to spend the day making IE7 safe enough to buy some Viagra online? A.h. van Herp 11 Vernon Ave. Gorokan NSW 2263 Australia 0243921611 henkenm@tpg.com.au

AngyeGyrl

Bill Gates, while not particularly active in deciding MS company policy and while also trying to remake his image as a humanitarian and world philanthropist, should still be held accountable for MS's fouls! It never ceases to amaze me that Microsoft screws its end users into debugging the very product the end users had to pay for in the first place. So with these wonderfully "free" IE-7 upgrades, not only will perfectly functional W2K users have to pay for an OS upgrade to ensure they can download the "best, multi-feature, integrated and secure" web browser available today. You can be sure the OS software upgrades are not cost effective when compared to the anticipated benefit IE-7 users are supposed to receive. Furthermore, even if the OS upgrades are available, the hardware that exists at many companies and households may not meet the HCL for XP or Vista. Imagine all the wasted time and lost productivity that will be spent on reporting bugs and backleveling to the previous versions of IE that actually didn't crash their PCs. Dare I admit it, but I've been an "officially" certified MCP since 2001, but I am still not ready to put IE-7 on any of my useful computers in my office or even at home, at least until the second service pack is released. However, with the hype over the New and Improved, More Secure, and Harder to Hack IE-7, I know many of my longtime clients will be calling for technical support to schedule an upgrade, for information to restore previous versions after their computer starts sizzling, and for my techs to spend hours answering their slew of hour-long phone questions, for free. ACK! Not to mention that we have so many dynamic websites in progress that I don't even want to debug for IE-7 right away; that wasn't included in the original project plans or bid for what I've got in progress! (double yuk) I also provide services to several generations of computers and Macs; oh, the generosity of the Baby Booming computer users!!!
They are so kind when handing off their old paperweights to the grandchildren because the trash company considers monitors/CRTs as toxic waste with lead and other heavy metals harmful to the garbage man's health and damaging to the environment. Right now, if the faction of the Baby Boomers who still believe their computers could be invaded just through the electrical outlet, even while turned off and without internet access, I would have to hire a few PC demon exorcists to keep up with the calls. The remote Computer Deities would have to explain WHY THEY DON'T KNOW IE-7 WILL NOT WORK ON W98 OR 2000 and then transfer the call to Bill's personal line. I understand the lifecycle of W95 is over and W98 is soon to follow, but what is the logic of ignoring the thousands of stable corporate 2K workstations that can't have the IE-7 upgrade? Will working be more FUN with the enhancements? :? Any thoughts on this from someone a little more familiar with the press releases? Thanks, Ang. Just something I'd considered when I didn't find an answer to why IE-7 was nixed on W2000. Anyone with a verified shaman phone number and approximate cost for the hex? ;-)

GOC

I ran into a similar problem: after I installed IE7 it kept crashing. I used Add/Remove Programs to remove it (it restored IE6). After some work I found a piece of malware that AVG was having trouble dealing with. Once I fixed that problem IE installed OK and has been working OK since.

herb.read

We have IE 7 installed on 50+ PCs with no problems.

emar1000

Like my subject line reads, I haven't had any issues with IE7. I have it on five machines and it is flawless so far.

dawgit

I saw that too, when I went back to check myself. Problem is, I don't think I was the only one who jumped to that conclusion. There is so much stacked against MS in the European market & courts at this time, it kind of did make sense. That will teach me: read more carefully... ?:| I will do just that too.

dawgit

I read this and probably drew the wrong conclusion, but I think others did too. I've seen it in other places though. A rumor? That's a good question. I'm rechecking now. See: http://www.golem.de/0610/48350.html
