Security problems have plagued Microsoft’s Internet Explorer
for years, and the Web browser continues to suffer from critical
vulnerabilities. In fact, Microsoft has known about one of IE’s latest
security threats since May 2005. Considered a critical vulnerability that
affects most versions of IE, the threat has languished in IE,
and black hats have taken advantage of its presence to wreak havoc on the
Web—at least until this week.
As part of its monthly release of security bulletins, which
typically falls on the second Tuesday of the month, Microsoft has released Security
Bulletin MS05-054, “Cumulative Security Update for Internet Explorer.”
MS05-054 focuses on four vulnerabilities in Internet Explorer, two of which
have a critical rating for most versions. The bulletin addresses the following
flaws:
- File Download Dialog Box Manipulation vulnerability
- HTTPS Proxy vulnerability
- COM Object Instantiation Memory Corruption vulnerability
- Mismatched Document Object Model Objects Memory Corruption vulnerability
To learn how attackers can take advantage of these
vulnerabilities to reveal unauthorized information, cause your system to become
unstable, or take over your system using a hostile Web application, read the
security bulletin for more details.
Further compounding these problems is the fact that hundreds
of COM object add-ins written by third parties are out there. And when was the
last time you updated a COM object you downloaded from another vendor?
While not updating third-party software isn’t a good idea
and can have its own repercussions, there’s a bigger issue at hand: IE’s integration
with other functions on your computer. That integration of functionality—along with
the accompanying vulnerabilities—happens through Active Scripting and ActiveX
controls.
By disabling Active Scripting and ActiveX controls on your
computer, you may give up a little functionality—but you’ll gain a lot more
security. Let’s look at how you can disable both.
Disable Active Scripting
You can better protect your system from some vulnerabilities
by configuring IE settings to prompt before running Active Scripting. Or, you
can disable Active Scripting in the Internet security zone altogether.
Follow these steps:
- In Internet Explorer, go to Tools | Internet Options.
- On the Security tab, click the Internet icon, and click the Custom Level button.
- In the Settings list box, scroll to Scripting.
- For Active Scripting, select Prompt or Disable, and click OK.
- If IE prompts you to confirm the change, click Yes.
- Click OK to save your settings, and close all dialog boxes.
Now that you’ve taken care of Active Scripting, it’s time to
disable the more dangerous component—ActiveX.
Disable ActiveX controls
You can also protect your system from some vulnerabilities
by configuring IE settings to prompt before running ActiveX controls. And
again, you can also disable ActiveX controls in the Internet security zone
altogether.
Follow these steps:
- In Internet Explorer, go to Tools | Internet Options.
- On the Security tab, click the Internet icon, and click the Custom Level button.
- In the Settings list box, scroll to ActiveX Controls And Plug-ins.
- For Run ActiveX Controls And Plug-ins, select Prompt or Disable, and click OK.
- If IE prompts you to confirm the change, click Yes.
- Click OK to save your settings, and close all dialog boxes.
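The Active Scripting and ActiveX choices made in the two Custom Level procedures above are stored per user in the registry, so they can be checked or applied from a script. The PowerShell below is an added example, not part of the original column; the function names are hypothetical, and the registry path, the action IDs 1400 and 1200, and the data values 0, 1 and 3 are Windows' URL-action settings for the Internet zone, which the column itself does not list.

```powershell
# Added example: report and optionally set the two Internet-zone actions
# that the dialog steps change. These are per-user values; machine-wide
# policy can override them.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone

# URL action IDs, stored as value names under the zone key
$Actions = [ordered]@{
    '1400' = 'Active scripting'
    '1200' = 'Run ActiveX controls and plug-ins'
}
# DWORD data mapped to the radio button shown in the Custom Level dialog
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActionReport {
    foreach ($id in $Actions.Keys) {
        $value = (Get-ItemProperty -Path $ZonePath -Name $id -ErrorAction SilentlyContinue).$id
        $setting = 'Not set'
        if ($null -ne $value) {
            $setting = if ($Meaning.ContainsKey([int]$value)) { $Meaning[[int]$value] } else { "Other ($value)" }
        }
        [pscustomobject]@{
            Action   = $Actions[$id]
            Id       = $id
            Setting  = $setting
            Hardened = ($value -in 1, 3)   # true only for Prompt or Disable
        }
    }
}

function Set-ZoneAction {
    param(
        [ValidateSet('Prompt', 'Disable')]
        [string]$Mode = 'Prompt'
    )
    $data = if ($Mode -eq 'Prompt') { 1 } else { 3 }
    foreach ($id in $Actions.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $id -Value $data -Type DWord
    }
}

Get-ZoneActionReport | Format-Table -AutoSize
# Set-ZoneAction -Mode Prompt   # uncomment to apply the Prompt setting
```

Restart Internet Explorer after changing the values so the browser rereads the zone settings.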
Maintain a list of trusted sites
Keep in mind that disabling Active Scripting and ActiveX controls
in IE’s Internet security zone may cause some Web sites to work incorrectly. I’ve
configured these settings to Prompt on my own system, so when I visit a new
site that includes Active Scripting or ActiveX controls, I must decide whether
to trust the site.
If it’s a site I’m going to use frequently, I put the site
address in my list of trusted sites, which keeps the prompts from popping up. To
add sites to your trusted sites list, follow these steps:
- Right-click the URL in your browser, and select Copy.
- Go to Tools | Internet Options.
- On the Security tab, click the Trusted Sites icon, and click the Sites button.
- Right-click the Add This Web Site To The Zone text box, and select Paste.
- Deselect the Require Server Verification (HTTPS:) For All Sites In This Zone check box.
- Click Add, and click OK.
- Click OK to save your settings, and close all dialog boxes.
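Because every entry in the trusted sites list bypasses the prompts, it is worth reviewing the list periodically, especially when the HTTPS requirement has been cleared as in the steps above. The PowerShell below is an added example, not part of the original column; the function name is hypothetical, and the ZoneMap registry layout it reads (one key per domain, value name = URL scheme, data 2 = Trusted sites zone) is the per-user store Windows uses for this list, which the column does not describe.

```powershell
# Added example: list the current user's Trusted Sites entries and show
# which of them are restricted to https.
$MapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-TrustedSiteEntry {
    if (-not (Test-Path $MapRoot)) { return }
    Get-ChildItem -Path $MapRoot -Recurse | ForEach-Object {
        $key = $_
        # The key path below Domains is domain\subdomain; rebuild subdomain.domain
        $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
        [array]::Reverse($parts)
        $hostName = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) {        # 2 = Trusted sites zone
                [pscustomobject]@{
                    Host      = $hostName
                    Scheme    = $scheme                 # http, https, or * for any scheme
                    HttpsOnly = ($scheme -eq 'https')
                }
            }
        }
    }
}

# Entries that are not limited to https are listed first for review
Get-TrustedSiteEntry | Sort-Object HttpsOnly, Host | Format-Table -AutoSize
```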
Final thoughts
Disabling Active Scripting and ActiveX controls makes IE
safer for browsing the Web. While Internet Explorer has had more than its fair
share of security problems, it remains the most popular Web browser in use
today. If you don’t want to switch to a different browser such as Firefox
or Opera,
you need to increase your security settings in order to safely browse the
Internet.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.