Security for Internet Explorer (IE) is a crucial part of keeping a computer safe. This is true even if you use another browser for the Internet because IE is tightly integrated into the operating system; its components are used for other functions as well as for Web browsing. Beginning with Windows XP SP2 and continuing with Internet Explorer 7, Microsoft has upgraded the security considerably and some of the changes will be outlined. More details are in a Microsoft document that can be downloaded at this Microsoft site.
Tightened security settings for ActiveX and Scripting
As described on another page, IE divides Web sites into security zones. In IE 7, the settings for the Internet Zone have been raised to medium-high from the medium setting used in IE 6. A comparison of the settings for the two browsers is given here. Along with the increased security has come some loss of convenience. For example, sites using scripting or ActiveX components may require additional steps to fully open a page. Users will now be prompted first before certain functions will run. An example is shown in Figure 1. The message appears in an area called the “information bar” that sits just below the address bar. Clicking on it opens a menu where you can choose to allow the component to run.
Reducing “Buffer Overflow” problems
One of the major sources of security holes in Windows and in many applications is the buffer overflow weakness. An attacker would craft an HTML link whose URL contained unexpected or excessively long sequences of characters. When the browser parsed such a URL, the fixed-size buffer holding it would overflow, so that attacker-supplied data overwrote adjacent memory and, in the worst case, the attacker's code was executed on the system. Microsoft has rewritten the URL handling code for IE 7 so that malformed URLs are now more reliably parsed.
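The defect class described above, as an added example written for this page (it is not Microsoft's or IE's code): a routine that copies the host part of a URL into a fixed-size buffer with no length check, beside a version that takes the buffer size and refuses oversized input. The URL-splitting logic, the 64-byte buffer and the sample URLs are constructed for the demonstration.

```c
#include <stdbool.h>
#include <string.h>
#define HOST_MAX 64   /* fixed-size destination buffer (constructed example) */
/* Unbounded copy of the host part of a URL into a fixed buffer: a host longer
 * than HOST_MAX-1 bytes writes past the end of `host`, the defect class the
 * text describes. Kept only to contrast with the checked version below. */
void extract_host_unsafe(const char *url, char host[HOST_MAX])
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    size_t n = strcspn(p, "/?#");
    memcpy(host, p, n);          /* n is never compared with HOST_MAX */
    host[n] = '\0';
}
/* Checked version: the caller passes the buffer size, and an oversized or
 * empty host is rejected outright instead of overrunning the buffer. */
bool extract_host_safe(const char *url, char *host, size_t host_size)
{
    if (url == NULL || host == NULL || host_size == 0)
        return false;
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    size_t n = strcspn(p, "/?#");
    if (n == 0 || n >= host_size) {
        host[0] = '\0';
        return false;
    }
    memcpy(host, p, n);
    host[n] = '\0';
    return true;
}
/* Self-checks over constructed inputs; each returns 1 on expected behaviour. */
int check_normal_url(void)
{
    char host[HOST_MAX];
    return extract_host_safe("http://www.example.com/index.html", host, sizeof host)
           && strcmp(host, "www.example.com") == 0;
}
int check_oversized_url(void)
{
    char host[HOST_MAX], url[256];
    memset(url, 'A', sizeof url - 1);
    url[sizeof url - 1] = '\0';  /* 255-byte "host": must be refused */
    return !extract_host_safe(url, host, sizeof host) && host[0] == '\0';
}

int main(void) { return check_normal_url() && check_oversized_url() ? 0 : 1; }
```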
Cross-Domain Scripting Attacks
This type of security problem happens when a script from one Internet domain manipulates content from another domain. For example, a phishing message might get a user to visit a malicious page that then opens a new window containing a banking or other legitimate page. The user is prompted to enter account information, which is then stolen by the hacker. Internet Explorer 7 limits a script’s ability to interact with windows and content from domains other than the domain that originated it.
A defense against phishing has been added called the Microsoft Phishing Filter. The Phishing Filter automatically checks the Web sites you visit against a list of known phishing sites and warns you if the site has been identified as a phishing site. Note that this method depends on a database of known sites plus some heuristic methods so it may not defend against very new sites.
Protected mode in Vista
In Windows Vista, IE 7 works with User Account Control to run the browser in protected mode by default. The browser has only the minimum permissions needed to surf the Web; plug-ins and add-ons run with lowered privileges. Writing files to or installing on the computer is confined to the Temporary Internet Files folder unless the user explicitly grants permission.
Although the default settings in IE 7 provide more security than ever before, vulnerabilities remain. Those who wish added security can follow the directions for configuring the Internet security zone given on the next page. There is also a page giving a quick and easy way to configure ActiveX settings.