فا

‫ Security in Internet Explorer 9

IRCAR201107106
Date: 2011-07-09
In this article, we'll look at the security mechanisms in IE 9 and compare it with earlier versions of IE.
Introduction
Microsoft has released the latest version of its web browser, Internet Explorer 9, in March. It’s sleek and pretty, and it’s definitely faster than its predecessor - but is it more secure?
Why browser security matters more than ever
There are two components to web security: the security of web sites and the servers on which they reside, and the security of the client software that accesses those sites – the web browser. There was a time when the web browser was just one of many Internet applications.
Whereas we once used separate email clients, FTP clients, IRC clients, newsgroup readers and more, today many computer users do the majority of their computing tasks through their browsers.
Now that the web browser has taken center stage and is inextricably involved with most of what users do on their computers, it’s more important than ever that the browser provides a secure environment not just for surfing sites for information, but for actually performing sensitive tasks. The web browser is one of the most frequently exploited applications, and at the annual Pwn2Own event, security researchers compete to bring down the popular web browsers. At this year’s competition, IE 8 was successfully hacked, along with Safari 5.0.3.
The evolution of Internet Explorer security
Microsoft’s web browser has come a long way since IE 1.0, which came in the Windows 95 Plus! Pack. Security wasn’t nearly so much of an issue back in those early days of the commercial Internet, although by the end of 1995, when version 2.0 was released, Microsoft had added support for Secure Socket Layer (SSL). Subsequent versions of the browser focused more on adding features such as multimedia enhancements and increasing performance and stability. However, enhanced functionality also meant more features that could be exploited, and IE used the concept of security zones to.
IE 6.0, which came preinstalled on Windows XP, was the first version to actually start to address security and privacy, with a new cookie handling tool and the first implementation of the P3P protocol for controlling privacy settings. This is a bit ironic, given that IE 6 is now considered a big security risk and everyone, including Microsoft, is urging computer users to stop using it.
The real push for security came with IE 7, which came with a phishing filter to protect against malicious web sites but this feature wasn’t support on XP computers. In addition, Active X opt-in helped to defend against some of the dangers of Active X controls and IE 7 allowed you to enable it on a per-zone basis, and security zones themselves were more locked down by default. Another security improvement in IE 7 was designed to protect against cross-domain scripting by making scripts keep the same security context. Better SSL/TLS notification made it easier for users to know whether a web transaction was secured, and web sites that obtained high assurance certificates (which require an identity verification process) were identified by a color coded (green) address bar. New registry keys were added to prevent HTML access to users’ personal data. There was even a “no add-ons mode” to ensure that threats couldn’t be introduced via browser add-ons. All in all, IE 7 was a big step forward for Microsoft, security-wise.
IE 8 came out in 2009 and added more security improvements such as domain highlighting, which makes it easier to determine the domain of the site you’re accessing, and the SmartScreen filter, which was a new and improved version of IE 7’s phishing filter that, in addition to protecting against phishing sites, also protects you from sites that are known to deliver malware. Although the browser gives users the option to disregard the warning, administrators could use Group Policy to prevent them from doing so. In addition to the blacklist, the filter also used heuristics to detect potentially dangerous sites. IE 8 also includes changes to ActiveX, so that controls are now installed on a per-user basis by default and can also be installed on a per-site basis. ActiveX killbits was integrated with Windows Update so the controls could be automatically disabled when an exploit was discovered. Data Execution Prevention (DEP) was enabled by default, the XSS Filter offered better protection against cross-site scripting, and the Cross Domain Request and Cross Document Messaging features make it more secure for sites to share information with one another.
What does IE 9 bring to the table?
IE 9 builds on all the security features that were introduced in IE 7 and IE 8. It also brings with it some additional protections, such as enhanced memory protection features that are aimed at preventing malicious code from running when a memory-related vulnerability is discovered. DEP/NX is the foundation of memory protection, and it causes the processor to terminate a process when a block of memory doesn’t contain the proper marking indicating that it is executable code. That means if an attacker places data in memory, the processor raises an exception and causes a “safe crash” rather than execute the potentially dangerous instructions.
IE 9 also improves on another IE 8 feature, Address Space Layout Randomization (ASLR), which helps prevent attackers from bypassing DEP/NX protections by ensuring that a process’s memory space is laid out in a way that’s not predictable. The randomization process has been improved in IE 9 to eliminate predictable memory mappings. IE 9 also supports a new feature call SEHOP (Structured Exception Handler Overwrite Protection) that validates the integrity of the exception handling chain to prevent structured exception handling from being exploited. This overcomes some of the limitations of SafeSEH (Safe Structured Exception Handling) which was designed to prevent malicious structured exception handlers from being introduced into the chain, but which was enabled on a per-DLL basis and required add-ons to be compiled with the SafeSEH flag.
Another focus of IE 9 security is protection against social engineering attacks. This makes sense, because many experts believe social engineering is one of the biggest threats to the IT infrastructure..
And the social engineering contest, in September of last year, showed that most organizations easily give up vital information to social engineers.
Social engineering is attractive to attackers because they don’t need deep technical skills to pull off an attack; all they have to do is convince a computer user to do something that will allow the attacker to get in. IE 9 improved the SmartScreen Filter by adding the SmartScreen Application Reputation feature, which works with URL Reputation to improve protection against socially engineered attacks. Application Reputation attempts to distinguish between reputable downloads and those that are potentially malicious. The SmartScreen filter is also integrated into the new download manager in IE 9.
Yet another security/privacy feature that’s built into IE 9 is called Tracking Protection. This feature makes it easier for users to block or allow third party content by using Tracking Protection Lists from trusted organizations.
Finally, the Pinned Sites feature in IE 9, while it may seem like merely a convenience, also provides some security benefits. By pinning the sites you use often, such as your banking site, to your toolbar, you make it easy to go to the site. Another advantage is that because pinned sites run in a separate session of IE, cookies used by those sites can’t be accessed. Another good thing about pinned sites is that they run without add-on toolbars or helper objects so attackers who use those as an attack vector won’t be able to attack your pinned sites sessions. You can also ensure that you always connect to the secure (https) version of the site and don’t get redirected to the non-secure (http) version. And you get some protection from man-in-the-middle attacks aimed at the HTTPS protocol, because the connection will be terminated if there’s a problem with the site’s certificate.
What more could you want?
There have been complaints that the default security settings are not stringent enough, and that all active content should be completely locked down by default, then users could add trusted sites one at a time.
Along those same lines, security purists might object to the blacklist method used by SmartScreen. This basically allows sites that aren’t known to be malicious (although as mentioned earlier, heuristics are also used). Those folks would prefer a whitelist method, which disallows all sites except those that are known to be trustworthy. Certainly that is the more secure approach – but it’s also one that would probably earn the ire of many users.
Another commonly heard complaint is that IE’s security settings, while they provide very fine grained control, are overly complex for the average user.

نظرات

بدون نظر
شما برای نظر دادن باید وارد شوید

نوشته

 
تاریخ ایجاد: 18 مرداد 1393

دسته‌ها

امتیاز

امتیاز شما
تعداد امتیازها: 0