How secure is Internet Explorer?

By Roger A. Grimes, InfoWorld |  Security, Internet Explorer

Although Microsoft's Internet Explorer (IE) Web browser has lost market share to worthy competitors over the last few years, it is still the market leader and remains the browser to beat. IE has many significant security features and enterprise options that cannot be easily discounted. Unfortunately for its many users, IE's dominance and complexity have made it the browser to attack. IE is also the only browser natively vulnerable to ActiveX control exploits.

From a security standpoint, it doesn't pay to be popular. IE has had at least 70 announced vulnerabilities over the last two years, a frequency rivaled only by the second most popular browser, Mozilla Firefox. Firefox 3.0 has seen at least 39 vulnerabilities in six months. By contrast, Opera 9.x has seen 45 in two years, while Apple's Safari and Google's Chrome have 26 and 10 announced vulnerabilities, respectively, in their short lives.

[ See also " How secure is Google Chrome?" and " How secure is Firefox?" as well as " How secure is Opera?" | Tomorrow: "How secure is Safari?" | For more on browser security and protection against Web-borne threats, see Security Adviser and " Test Center: Browser security tools versus the evil Web." ]

For this security review, I tested IE 8 Beta 2. As IE installs, it runs an anti-malware detection tool (the only browser to do so) and downloads the latest updates. On Vista, the installer asks for User Account Control privilege elevation, and the IE application (Iexplorer.exe) runs one parent process with medium integrity, as well as multiple rendering processes with low integrity in Protected Mode. This is a change from IE 7, where a single process runs with low integrity in Protected Mode, along with additional broker processes (ieuser.exe and ieinstal.exe).

On Vista, all IE 8 processes run virtualized, with DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) enabled. Rendering processes are started in Protected Mode by default for all Web sites except those in the Trusted Sites security zone. Protected Mode brings many additional protections to the browser, including running all default browser components (toolbar, history, favorites, temporary download areas, and browser helper objects) with restricted privileges and lower integrity. They cannot access the command prompt or write to system areas. Google's Chrome has a more restrictive base security model for the main browser instance but doesn't offer nearly the same protections for further components and add-ons.

Security spec sheet

IE has all the usual security features: anti-phishing, pop-up blocking, private browsing sessions (called Inprivate Browsing), cookie security, MIME content-type sniffing, anti-XSS (cross-site scripting), and so forth. IE won't allow files to be automatically downloaded or helper programs to be automatically launched, and it can globally prevent images, sound files, animated images, and other objects from downloading. Only Opera can compete with IE on content blocking.

IE 8's updated anti-phishing filter, called SmartScreen, now also blocks sites confirmed by Microsoft host malware, regardless of whether phishing is involved. Like the anti-phishing features in Firefox and Opera, SmartScreen is not yet accurate enough to be completely relied upon. You'll still need anti-malware software and common sense.

One of the smallest, but best security improvements is IE 8's highlighting of the true domain name in the address bar when the name is embedded in a much longer URL. Phishers often embed the spoofed target's domain name inside a much longer fake domain name string. This one small change makes it significantly easier to recognize phishing sites Microsoft has not yet confirmed. Chrome has this feature, but in addition to the domain name, it highlights the Web server name, which is often spoofed by phishers as well. Microsoft's choice is more discriminating.

IE has always had good protections around privacy and cookie handling. By default, all first-party cookies are allowed, as are third-party cookies if the originating site has an explicit and available privacy policy (many don't). Either way, IE restricts personal information gathered by both first- and third-party cookies. Cookie policies are applied on a per-security-zone basis, and they can be set on individual sites as well.

IE 8's new Inprivate Blocking feature attempts to prevent other types of third-party tracking besides the normal cookie tracking techniques. If IE 8 notices a single third party tracking you over 10 Web sites, it will give the user a chance to block the tracking. You can also enable Inprivate Subscriptions, which implements Inprivate Blocking lists updated by Microsoft.

Add-ons and ActiveX

Only IE and Firefox have an add-on manager, and IE's is easily the best. As in Firefox, add-ons can be globally enabled or disabled by clicking a single button. But IE 8 allows add-ons to be restricted to running on a single site or be used by any Web sites. The initial decision is made during the add-on's first download, but can also be modified later. IE's add-on manager will show which add-ons are currently loaded, which have been used, and which have not been used.

IE users have always been able to disable ActiveX controls or allow only signed ActiveX controls to launch. (Java and JavaScript can also be enabled or disabled on a per-zone basis.) Microsoft now allows vendors to restrict the use of their ActiveX controls to certain Web sites via a feature called SiteLock ATL. Thus, even if a third-party vendor unknowingly creates a control found to be vulnerable to malicious exploitation in the future, it would only be usable from the vendor's Web site, which could be trusted not to contain malicious commands.

A new feature that has sparked great controversy is IE 8's support for per-user ActiveX controls. Formerly, most ActiveX controls require that the end-user be logged on as Administrator to install them. Now, vendors can repackage their existing ActiveX controls (or code new ones) to allow installation into the current user's profile without needing elevated permissions. Microsoft is attempting to promote more software products that can be installed without admin rights, which in turn means the underlying OS kernel will be harder for rogue applications and malware to modify. This type of system access control has been available on other browsers (such as in Firefox extensions) and operating systems (Linux, BSD, and so on) for many years, but is now being promoted in the Windows world as well. Many security admins see per-user ActiveX controls as an additional security and management headache. In any case, Microsoft allows per-user ActiveX controls to be disabled using the normal methods, and it's hard to argue with flexibility.

IE is one of the few browsers to have built-in Parental Controls, which block objectionable content as defined by a rating system. The settings are password protected and apply to all users, although a master password can be entered to temporarily bypass the default settings. There are several different categories of potentially objectionable content, and the administrator can choose whether to block all related content (for example, all nudity) or to allow exceptions (such as educational and art-related nudity). You can choose from various rating systems, and you can whitelist specific Web sites.

Security zones

Without a doubt, one of Internet Explorer's most powerful enterprise features is its ability to change browser functionality and security settings based on five different security zones: Internet, Local intranet, Trusted sites, Restricted sites, and Local Computer. Most other browsers don't have the concept of security zones or only allow limited per-site exceptions, essentially creating two zones. Any nonlocal Web site is launched in the Internet zone by default, unless the user places the site into a more trusted zone. Each security zone can be paired with a particular security level (High, Medium-High, Medium, Medium-Low, Low, and custom). Some zones cannot be paired with particular security levels. For example, the Internet zone cannot be placed in a security level lower than Medium.

Zones allow not only custom control over dozens of security settings, but also play a role in keeping Internet content from exploiting a system. By default, executables downloaded from the Internet zone cannot automatically run in the Local Computer (the most trusted) zone. ActiveX controls intended to be launched only in the browser can execute only in the browser. By the same token, ActiveX controls intended for Local Computer execution cannot be launched via the browser. This prevents malicious Web sites from using installed ActiveX controls in malicious ways.

IE has always had good cryptography support. IE's initial SSL/TLS (Secure Sockets Layer/ Transport Layer Security) ciphers aren't as strong as those of Firefox and Opera. However, IE was one of the first browsers to support AES (Advanced Encryption Standard), EV (Extended Validation) certs, server revocation checking, ECC (Elliptical Curve Cryptography), and OCSP (Online Certificate Status Protocol), and it is the only browser to allow the enforcement of the U.S. government's Federal Information Process Standards ciphers. Not only is IE very "in your face" about certificate errors, but administrators can prevent end-users from visiting Web sites without valid digital certificates.

IE passed all of my Web browser security tests and scored in the middle on the remote password-handling tests. Local password handling was excellent; passwords are never revealed, and they are securely stored. Like the other leading browsers I tested (Firefox, Chrome, Opera, and Safari), IE didn't allow any malware to be silently installed from real-life malicious sites, and in most cases, it was very vocal about Web sites trying to install malware. Unfortunately, it too eventually got overwhelmed by the most malicious DoS Web site in my tests, and the browser had to be restarted. It should be noted that IE lasted more than a minute before succumbing to the DoS attack; in contrast, most browsers fell in less than 30 seconds, and some required complete system reboots.

IE has no peer in enterprise deployment features. Using the Internet Explorer 8 Deployment Guide, administrators can deploy and configure more than 1,300 IE-related settings via Active Directory Group Policy or the Internet Explorer Administration Kit. It is the only browser in the review to support Kerberos authentication over the Web.

IE's popularity makes it the most attacked Web browser by far, and its support of ActiveX controls has invited many exploits that are not possible on other browsers. But IE's mature security granularity, security zones, and deep enterprise features backs up its acceptance in the enterprise.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.

     

    Learn more

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness