MS to Lock Down Security Zones in IE7

By Nate Mook | Published December 7, 2005, 3:05 PM

Continuing its endeavor to ensure Internet Explorer 7 is safe from the attacks that have plagued its predecessor, Microsoft is making changes to the browser's built-in security zones. Zones are used to classify Web sites into different security levels, but also bring risks themselves.

IE includes four standard zones: Internet, Intranet, Trusted Sites and Restricted Sites. Most browsing is done in the Internet zone, with the Intranet zone reserved for accessing local network sites, often used by businesses. The Intranet zone contains fewer restrictions, and in turn is more vulnerable to attack.

By default, Internet Explorer detects where the Web site is located -- on the Web or internally -- and utilizes the appropriate zone. However, it is possible to trick the browser. "If there is a flaw in IE's zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in," says IE developer Vishu Gupta.

Although Microsoft has improved URL parsing in IE6 SP2 and IE7, the company acknowledges there is an inherent risk associated with such an approach. To fix the problem, IE7 will no longer use the Intranet zone unless the computer has joined a domain.

If the browser is unable to detect a domain, "IE will show an information bar when visiting a probable intranet site. If a user wants to re-enable their intranet zone, they'll be able to," explains Gupta.

Microsoft is also taking steps to lock down the Internet and Trusted Sites zones.

If a URL is in the Trusted Sites zone, it is given complete access, such as automatically installing ActiveX controls without prompting the user. However, such capability has opened the zone up to abuse. For example, malware could automatically add a malicious site to the Trusted list. That will change in IE7.

In the future, Trusted Sites will be given a default security setting of Medium, the same level as the Internet zone in IE6. Users can manually change the security level back if they so please. "We find that many users don't understand how powerful a site becomes when they make it a Trusted Site," says Gupta.

The Internet zone in IE7 has been moved to a new Medium-High security setting. The change means ActiveX controls will be disabled by default, and users must enable them as needed through the yellow Information Bar. Windows Vista will go even further by running in a "Protected Mode" that runs IE in isolation.
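The zone rules described above can be put into a small model: explicit Trusted and Restricted lists take precedence, a probable intranet host is only placed in the Intranet zone when the machine is domain-joined (or the user has re-enabled the zone via the information bar), and the default security level per zone changes between IE6 and IE7. This is an added example written for this page, not Microsoft's code; the dotless-host heuristic used to guess "probable intranet" sites is an assumption standing in for IE's real detection logic, and the IE6 defaults for the Intranet, Trusted and Restricted zones (Medium-Low, Low, High) are assumed values not stated in the article.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Zone(Enum):
    INTERNET = "Internet"
    INTRANET = "Intranet"
    TRUSTED = "Trusted Sites"
    RESTRICTED = "Restricted Sites"


# Default security level per zone. The IE6 Internet level (Medium) and the
# IE7 changes (Internet -> Medium-High, Trusted -> Medium) come from the
# article; the remaining IE6 values are assumptions made for this model.
IE6_DEFAULT_LEVELS = {
    Zone.INTERNET: "Medium",
    Zone.INTRANET: "Medium-Low",
    Zone.TRUSTED: "Low",
    Zone.RESTRICTED: "High",
}
IE7_DEFAULT_LEVELS = {**IE6_DEFAULT_LEVELS,
                      Zone.INTERNET: "Medium-High",
                      Zone.TRUSTED: "Medium"}


@dataclass
class BrowserPolicy:
    ie7: bool                       # apply the IE7 rules described in the article
    domain_joined: bool             # is the machine joined to a Windows domain?
    trusted: set[str] = field(default_factory=set)     # user-managed Trusted Sites
    restricted: set[str] = field(default_factory=set)  # user-managed Restricted Sites
    intranet_reenabled: bool = False  # user re-enabled the Intranet zone via the info bar


def looks_like_intranet_host(host: str) -> bool:
    """Simplified stand-in (assumption) for the browser's location heuristic:
    a dotless host name such as "payroll" is treated as a probable intranet site."""
    return host != "" and "." not in host


def resolve_zone(url: str, policy: BrowserPolicy) -> Zone:
    host = (urlsplit(url).hostname or "").lower()
    # Explicit user lists win over any automatic detection.
    if host in policy.restricted:
        return Zone.RESTRICTED
    if host in policy.trusted:
        return Zone.TRUSTED
    if looks_like_intranet_host(host):
        # IE7 rule: the Intranet zone is used only on a domain-joined machine
        # (or when the user explicitly re-enabled it); otherwise the site falls
        # through to the more restrictive Internet zone.
        if policy.ie7 and not (policy.domain_joined or policy.intranet_reenabled):
            return Zone.INTERNET
        return Zone.INTRANET
    return Zone.INTERNET


def shows_intranet_info_bar(url: str, policy: BrowserPolicy) -> bool:
    """IE7 shows an information bar for a probable intranet site that was
    demoted to the Internet zone, offering to re-enable the Intranet zone."""
    host = (urlsplit(url).hostname or "").lower()
    return (policy.ie7 and not policy.domain_joined and not policy.intranet_reenabled
            and looks_like_intranet_host(host)
            and host not in policy.trusted and host not in policy.restricted)


def default_level(zone: Zone, policy: BrowserPolicy) -> str:
    return (IE7_DEFAULT_LEVELS if policy.ie7 else IE6_DEFAULT_LEVELS)[zone]


def activex_disabled_by_default(level: str) -> bool:
    """Per the article, Medium-High leaves ActiveX controls disabled until the
    user enables them through the Information Bar; High is assumed to as well."""
    return level in ("Medium-High", "High")


if __name__ == "__main__":
    # Constructed sample: the same dotless URL under three configurations.
    configs = [("IE6 home", BrowserPolicy(ie7=False, domain_joined=False)),
               ("IE7 home", BrowserPolicy(ie7=True, domain_joined=False)),
               ("IE7 domain", BrowserPolicy(ie7=True, domain_joined=True))]
    for label, pol in configs:
        z = resolve_zone("http://payroll/", pol)
        print(f"{label}: http://payroll/ -> {z.value} ({default_level(z, pol)}), "
              f"info bar={shows_intranet_info_bar('http://payroll/', pol)}")
```

Running the block shows the practical effect of the change: on a home machine that is not domain-joined, a dotless host that IE6 would have placed in the lower-restriction Intranet zone lands in the Internet zone under the IE7 rule, so a flaw in the location heuristic can no longer buy a site the Intranet zone's relaxed settings there.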

These new features will be available in the public pre-release version of Internet Explorer 7, due in the first quarter of 2006.

Comments


I wonder how many patches for IE and Windows will appear the week. Windows is released as a final ... let's see if they can beat the record

Score: 0

|

Now that Maxthon has been sort of officially recognized by MS (by inviting them to CES 2006), I hope the IE7 team could learn a thing or two from the Maxthon team.

Score: 0

|

Internet Explorer 7 WILL BE safe and secure...
NOT.

VS....

Firefox IS safe and secure.

Having a hard time choosing?

Here's a hint: USE Firefox!

Score: 0

|

Thanks for the incredibly objective opinion.

Score: 0

|

Your opinion would be a lot more credible and useful if you provided evidence to support your claims.

Score: 0

|

Oh yes, because we have all seen that Firefox never has security issues, excluding the several from 1.0 to 1.07 and 2 of which caused two new versions to be released within days of each other TWO TIMES, 1.03 to 1.04 and 1.05 to 1.06. Your post was about as helpful as a case of hemorrhoids.

Score: 0

|

Why doesn't M$ just buy Opera out and be done with it? No wait, they would just turn Opera into another piece of crap. Sorry. Bad idea, very bad idea. I never said that.

Score: 0

|

Yeah, what were you thinking? They should buy OffByOne.

http://www.offbyone.com/

Oh, and...

lol no it's not a virus.

clarissa17.pif,KUSD*(&#@

Score: 0

|

That's creepy. It doesn't seem to load pages right. Either it can't support background images, or it can't support tables inside tables (or both).

Score: 0

|

CSS...javascript...you name it, it don't support it.

Score: 0

|

HTML 4.01?

Score: 0

|

You're a real bas****, you know that?

Score: 0

|

I try =)

Score: 0

|

IE has just become a total mess with the fixes developed to secure it-- beaucoup functionalities have been removed w/o eliminating the risks.

Add to this the lack of meaningful updating (nor removing its structural deficiencies) for over 5 years, and I just don't see how anyone w/ heavy web work that involves interacting with numerous sites, researching, etc. can make do with it.

It needs a total makeover-- I don't think these announced changes, as well as other already-added ones (beta7), will suffice. If I was running things there I would just scrap the IE division entirely-- s*** those resources into other critical areas, and designate one of the main alternatives (FF, Opera, Maxthon) the de facto Windows browser. It would not hurt MS one iota to farm out this division to a reliable & proven third party-- in fact it would put extra money in its coffers.

Score: 0

|

They *need* to keep their market dominance in this area for one reason, and one reason only.

The browser will be the next desktop.

Without dominance in this area, Microsoft loses. Period. Google will create a true Google Desktop and replace Microsoft entirely. So long as Microsoft can at the very least control the portal to that desktop, they will continue to survive. Without it, they're dead.

Note: This is wild speculation, backed with a hefty amount of complete and total BS.

I'm just sayin'.

Score: 0

|

Microsoft would never scrap the IE department. But in a way they already have. Microsoft has said IE7 will be the last Internet Explorer they develop. So they could make a next generation IE or they will just rest on IE7 itself. I think Firefox is the better browser in its state right now but IE7 does show promise. And in beta form right now it is extremely buggy. Can't wait to get my hands on the public beta 2; once in final code IE7 should be a decent browser.

Score: 0

|

What does your rant have to do with the article? Nothing. Apparently you missed the fact that the entire article discussed meaningful solutions to many of the security threats that currently plague IE.

Score: 0

|

"Note: This is wild speculation, backed with a hefty amount of complete and total BS."

Very nice. haha

Score: 0

|

I couldn't agree with you more.

IE is junk.

Poop is still poop no matter how much you dress it up.

Score: 0

|

Thanks for this retro 90's newsflash. It has now many times been proven that, no, browsers won't be the next desktop, mainly because it's just plain A BAD IDEA.

The computer desktops as we see them today in their many incarnations are pretty optimal for the job they need to do.

The "browser as a desktop" idea came back when it was the popular belief that soon everything would be written in Java, and you kinda needed a browser to make that easily available. That's just not the state of technology today.

Sure, applications are headed in a platformless, distributed internet format, but that does NOT mean that browsers will be the uber medium to use these applications in.

Score: 0

|

Why are you so insecure & defensive-- oxymoron of your handle?

I did not miss any point of any article-- I am addressing its main thesis directly: patchwork fixes, no matter how noble & well-meant, without altering & strengthening the base & roots, as with a swaying tree-- are/won't be sufficient.

Plus I made a constructive suggestion-- farm out the work... just like they've done with many other Windows components-- who says MS has to write every line of code of every component? And to boot it'll save a ton of resources.

Come on, now-- it's not a browser for serious, heavy work-- for grownups. But it just may do for you if all you need to do is watch the latest Milf, have a smoke after that-- and afterwards play a song while you bask in the glow, relax, recover, then download the next episode...

Score: 0

|

This was a test to see which users read the entire post before firing off a knee-jerk reaction.

You. Failed.

Have a nice day. :)

Score: 0

|

It's too little too late.

IE7 sucks and it looks really clunky.

Score: 0

|

I personally have always thought it would be nice to have a "Security Settings" popup slider on the right side of the clock. If you click it, it pops up your security setting. Dragging the bar down leads to a warning/confirmation message. Dragging the bar up requires a password.

That way you could flip to admin in 4s to install a game, then lower it back down to "User" so that you can browse the net or play that game.

I'd rename the security settings though to something like...
"System Access"
"System User"
"Protected User"
"Guest"

Where guest would only be able to run programs you allow, so you could restrict it to FireFox, Calculator, a couple games, and nothing else.

Score: 0

|

People would just slide it to Admin and never use it again.

Forcing the user to type in a password for anything that changes settings, or modifies security settings is the next best thing.

It should only be allowed to be disabled on a system on which no outside connectivity is present. (No network, parallel, serial, floppy, CD-ROM, or USB/FireWire)

Score: 0

|

A simple solution to this will be available when Vista is released. Forced LUA (Limited User Access), turned on by default.

Any modifications to zone info or levels would require the administrator password (regardless of account used...even administrator).

Anything else is just going to be an additional headache.

Score: 0

|

I still think that the way that most *nix systems make you do it is nice... you need the root password to modify almost anything beyond user apps. My kids both use Fedora for their computers because I know for certain that I can lock down anything and everything without them ever being able to break it (too badly)

FLUA is something that is WAY overdue for an operating system such as Windows. Someone at MSFT has obviously finally installed a distro of Linux and tried to update something in the OS ;-) (lol)

Score: 0

|
