Internet Explorer Security


Summary: InternetExplorerFeedback about security problems

Other pages that might be a better place for your contributions:
* Report InternetExplorerBugs or InternetExplorerProgrammingBugs
* Add to the InternetExplorerFeatureRequests
* Talk about InternetExplorerStandardsSupport
* Find out about InternetExplorerAlternatives



Locking down Internet Explorer


I'm not sure whether this is the right place to post this info. Please feel free to move it around if you know a better location. Thanks -Ovidiu
Securing Internet Explorer is very simple. I've tested this only on Windows XP with Service Pack 2, but most of this should work fine on other Windows / IE versions.

The very first recommendation is to run as a limited user, not as an administrator. Then, in order to secure Internet Explorer, I suggest disabling "Enable Install On Demand" for both IE and 3rd party components (Internet Options - Advanced). If these settings are available, one should set the privacy level to "Medium-High" at least, and enable the popup blocker with a security level of High (Internet Options - Privacy). Finally, on Internet Options - Security one should set the "Local Intranet" and the "Restricted Sites" zones' security to the default value; I strongly suggest setting the security level for the "Trusted Sites" zone to "Medium"; if this is too strict, it can be lowered to "Medium-Low" or even to "Low" or the settings can be tweaked individually. The most important settings relate to the "Internet" zone. I suggest setting the zone's security to "High" and then customizing it as follows:

* Click the "Custom Level..." button to open the "Security Settings" dialog
* Go to the "ActiveX controls and plug-ins" section and set "Run ActiveX controls and plug-ins" to "Enable"
* Go to the "Downloads" section and set "File download" to "Enable"
* Go to the "Miscellaneous" section and set "Allow META REFRESH" and "Submit nonencrypted form data" to "Enable"
* Go to the "Scripting" section and set "Active scripting" to "Enable"
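As an added example (not from the original page or any of its contributors), the following PowerShell applies the zone lockdown described above to the current user's registry on Windows. The zone numbers, action IDs and Enable/Prompt/Disable values are the ones Microsoft documents in KB 182569; the TemplatePolicies key layout and the two Install On Demand policy value names are assumptions taken from the IE policy templates rather than from this page.

```powershell
# Added example, not from the page: apply the per-user IE lockdown described above.
# Zone and action numbering follow Microsoft KB 182569:
#   zones 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
#   action values 0 = Enable, 1 = Prompt, 3 = Disable
$zonesKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Assumed: the built-in level templates IE copies from when you pick a level in the dialog.
$templateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies'

function Set-ZoneTemplate([int]$Zone, [string]$Template) {
    # Copy every action value (four hex digits, e.g. 1200, 1A00) from the template
    # into the zone, exactly as choosing that level in the Security tab does.
    $tpl      = Get-ItemProperty -Path (Join-Path $templateKey $Template)
    $zonePath = Join-Path $zonesKey $Zone
    foreach ($p in $tpl.PSObject.Properties) {
        if ($p.Name -match '^[0-9A-F]{4}$') {
            Set-ItemProperty -Path $zonePath -Name $p.Name -Value $p.Value -Type DWord
        }
    }
    Set-ItemProperty -Path $zonePath -Name 'CurrentLevel' -Value $tpl.CurrentLevel -Type DWord
}

# Local intranet and Restricted sites back to their defaults; Trusted sites at Medium.
Set-ZoneTemplate -Zone 1 -Template 'MedLow'
Set-ZoneTemplate -Zone 4 -Template 'High'
Set-ZoneTemplate -Zone 2 -Template 'Medium'

# Internet zone: start from High, then re-enable only the five actions the page lists.
Set-ZoneTemplate -Zone 3 -Template 'High'
$reEnable = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1803' = 'File download'
    '1608' = 'Allow META REFRESH'
    '1601' = 'Submit non-encrypted form data'
    '1400' = 'Active scripting'
}
$internetZone = Join-Path $zonesKey 3
foreach ($entry in $reEnable.GetEnumerator()) {
    Set-ItemProperty -Path $internetZone -Name $entry.Key -Value 0 -Type DWord
    Write-Host ("Internet zone: {0} ({1}) -> Enable" -f $entry.Value, $entry.Key)
}

# Advanced tab: turn off both Install On Demand options. These two policy value
# names are an assumption taken from the IE Group Policy template, not from the page.
$policyMain = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'
if (-not (Test-Path $policyMain)) { New-Item -Path $policyMain -Force | Out-Null }
Set-ItemProperty -Path $policyMain -Name 'NoJITSetup'    -Value 1 -Type DWord   # IE components
Set-ItemProperty -Path $policyMain -Name 'NoWebJITSetup' -Value 1 -Type DWord   # third-party components

# Read the result back so the change can be verified (or audited) without opening the dialog.
Get-ItemProperty -Path $internetZone | Select-Object CurrentLevel, '1200', '1803', '1608', '1601', '1400'
```

Any zone whose action values no longer match a template shows as "Custom" in the Security tab, which is expected here for the Internet zone.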

I've used this configuration for a while and it's very secure. It's impossible to get spyware and you're not vulnerable to the current cross-site scripting bugs (not even to the not-yet-fixed ones). The performance level is above other browsers in terms of working set. Now the only thing that remains to be done is to convince the IE team to ship the product with these settings by default. -- Ovidiu

Address bar vs redirects


When IE caches a page that previously returned a 200 OK status, and that page later changes status to 301 or 302 (a redirect), reloading the cached version makes Internet Explorer show the old address in the address bar. It should show the address of the redirect destination to avoid user confusion.

Auto-install abilities should be disabled


Spyware creators have been taking advantage of gaping holes in IE's security model, allowing them to install NT services and OS extensions through the IE auto-install functionality. This is the primary reason I use FireFox rather than IE; I don't care about things like tabbed browsing so much, but I do like to know that my web browser does not have permission to modify the OS. :-)
I should mention that both "install on demand" checkboxes are unchecked, and the "enable third-party browser extensions" checkbox is unchecked. Yet I still occasionally get things like the eXact Search Bar installed when using IE.

Give control back to the users


When IE turned from a browser into a "platform" it took control from the users and gave it to the web developer. With the IE object model, if I visit a web site, its owner owns my screen and my windows. Suddenly new windows open up, I lose the status bar, the address bar, and the menu! I even lose the ability to resize windows. This is so annoying and frustrating when a 30-page legal contract is displayed in a 10x10 character window that cannot be resized.

Throw away backward compatibility and give us back control over Explorer windows.

Furthermore, a web developer can remove the menubar but, as a user, I cannot remove the menubar on windows that were not opened by JavaScript: so the web developer has more control and power over the window he created than the user has over the windows the user uses. Incredibly absurd!

Earlier versions of Internet Explorer ignored the resizable=no feature and allowed you to resize the new window. http://support.microsoft.com/default.aspx?scid=kb;en-us;211068

MSIE 5.01 and previous always ignored "resizable=no". Opera 7+ always ignores "resizable=no". Mozilla-based browsers also have options allowing users to counter "resizable=no".

Removing scrollbar(s) when needed, when content overflows requested window dimensions is another frustrating possibility of the window.open() method. Scrollbar(s) should appear when needed, when content overflows document box for the sake of accessibility to content: this should be understood as a sane, normal fallback mechanism ensuring that content is accessible. By allowing web authors to disable scrollbar(s) when needed, web authors defeat the purpose and usability of scrollbars. This goes against the best interests of web authors as well as against the best interests of users.

Window resizability, window scrollbars (if needed, if content overflows the requested window dimensions), window menubar and window statusbar should always be enabled, visible and/or non-removable and/or non-disableable. Even the location bar should probably be on and visible always. If a web author has decided that I need/deserve another window when clicking a link, then a user certainly deserves to have all the features of a normal window according to his defaults. The web author should never be able to disable certain basic fundamental features of non-chrome windows. --DU/GT

opener property should be a read-only property


Web developers often create this piece of code:

    // Point window.opener at the window itself, so IE treats the window
    // as if it had been opened by script, then close it without a prompt.
    window.opener = window;
    window.close();

or

    // Any non-null value works, not just a window object.
    window.opener = "SomeString";
    window.close();

These web developers can successfully bypass and override the security restriction on closing windows which have not been initiated/opened by javascript. Again, please make the window.opener a read-only property. This is a security issue.

Reduced testcase clearly demonstrating the issue

Reference: 'Invoking the window.close method on a window not opened with script displays a confirmation dialog box. Using script to close the last running instance of Microsoft Internet Explorer also opens the confirmation dialog box.'_0.asp?frame=true

--DU/GT

GUI enhancements related to security


  1. Two options in the Tools menu: "Add this site to Trusted Sites" and "Add this site to Restricted Sites". That would allow users to quickly add sites to security zones. Of course IE should display a warning message before adding to Trusted Sites.
  2. Display all security prompts (for example if you have scripting set to Prompt) in Information Bar. Currently IE displays only ActiveX and popup blocker prompts in Information Bar. Information Bar is much less annoying than "Do you want to run script?", "Do you want to accept cookies?" or other security popups because it's modeless (displays without changing focus and interrupting work).

More Granular Security


Note: I'm not sure of the etiquette here - so I'm adding this at the bottom (as in a threaded view in news). If this is the wrong place, please move it to where it should go!

The current security zone model divides all Gaul into a mere four parts. Sadly, security needs are more granular than that. It also needs to be hierarchical. What I'd like to see is IE use a scheme like .NET Code Access Security to allow the needed flexibility. As an example: I have on-line accounts with 6 banks and building societies (personal bank accounts, joint account, mortgage - all the usual stuff!). For the most part, the web sites related to these accounts are ones I trust with regard to popups; I'll trust their ActiveX controls, allow cookies, etc. But parts of some of these sites have gratuitous popups that I do want to block. I'd like a hierarchical set of rules to allow the admin (or me!) to define the general sites I fully trust, then have some exceptions where partial trust is needed. Then there are the other sites where I'm happy with cookies, but do not want pop-ups. Etc.

I'd like to be able to define a MyOnlineBankZone for my bank accounts, and place the 4 top level site names into that zone. Then I'd like a child zone MyOnlineBankZone.NoPopupSubzone and be able to place the three sub sites where the no pop-ups rule kicks in. I'd like a GreatSiteShameAboutThePopUpandScripts zone for the sites I want to visit sans pop-ups and scripting. Then there are the sites where I don't want scripting, or popups, but do want other things. etc, etc, etc.

So:
  1. IE needs to provide the ability to create arbitrary numbers of nested security zones.
  2. Each zone should have the ability to inherit policy from a parent (with the normal "don't inherit" and "no override" options, as in GPO handling).
  3. These zones should be expressed in a form that can be understood directly by a local browser (e.g. a .securityconfig file that contains the XML that describes the security zones and settings).
  4. There should be an easy to use GUI based admin tool to create this format.
  5. This format should be directly importable into Group Policy. And for more flexibility, it should be possible to map zones to OUs. That is, ou=financeusers might have the FinanceUsersZone applied, but ou=seniormanagers,ou=finance might have the child FinanceSeniorManagers zone applied, giving more (or less!) rights.

That's my .02€ worth! -- Thomas (doctordns@gmail.com) 2004.08.04

Improve Restricted Sites


Allow webpages to run in "mixed" mode, so that if I have www.foo.com in the "restricted" zone, and www.bar.com in another zone, when I visit www.bar.com and it attempts to access content on www.foo.com, the site should be in mixed mode. Ensure that doing something like <script src="http://www.bar.com/script.js"> will honor zone restrictions; in this case IE should prevent the script from running; for extra bonus points, it could even avoid downloading it.

Improve Content Advisor


Especially the "Approved Sites" feature does not work the way I would expect it to. The problem is somewhat related to the "mixed" mode problem mentioned in the Restricted Sites topic. Content from sites added to the "Never" allow list is still shown when referenced from other sites not on the list. For example, an image hosted at src=http://www.uglyxxx.com/ still displays when the main page is hosted at www.interestingsite.com.

Running IE as admin should be impossible


When running IE in admin mode, all code executed by the browser has full control over the system (admin rights). You can use the secondary logon / run as service, but how many non-geeks use that feature, not to mention coders and admins that browse with admin rights because it's easier. IE should run by default under a service account with minimal privileges. When you need to access the configuration (Internet Options), a message box will pop up, asking you for proper credentials, or a security code. The latter can be included in the auto complete feature. By using such a procedure, one can separate the user mode from the configuration mode, and any irregular attempt to change the system will be futile/unsuccessful. -- prog_dotnet

That feature would make many things harder. How can IE save a website to my own files if it hasn't got enough rights? What about all the applications that use IE as an internal browser (they don't have to be browsing the net)? The problem isn't IE itself but the behaviour of most users: working as admin. MS should create no admins at installation but normal users. But then you get even more trouble - for example: how many games require admin rights for installation? MS has the chance to create guidelines for Longhorn (e.g. "all setup programs should require admin rights only if those rights are really needed"). -- Jtb

Stricter security zones/levels


* Don't allow third-party (cross-site) scripting in Medium-high and Medium levels. Display an Information Bar message that scripts are blocked and display <NOSCRIPT> contents instead of running scripts.
* Change Low/High levels: Low level should allow everything (even unsigned ActiveX controls) without prompts. The user should be allowed to set this level only in the Trusted Sites zone. High level should block everything including font download, drag&drop copy/paste, unencrypted form data and displaying cross-zone content. In High level, authentication should be disabled (don't even prompt, just log in anonymously).
* Enable ActiveX control installing (signed and unsigned) only in Low security level (and add Windows Update, Office Update and the anti-piracy check to Trusted Sites).
* Enable MS Java (if installed) only in Low security level because it's no longer updated and may contain bugs.
* Set "Software channel permissions" to "High safety level" in Medium-low and Medium levels. IE should never download software to my computer without permission.
* Don't allow directly opening executable, batch, PIF and script files (only save).
* Check for server certificate revocation by default.
* Enable TLS 1.0 by default (it's more secure than PCT/SSL).
* Disable "Install on demand" for 3rd party components.
* Increase the default Privacy level (cookies) from Medium to High. Display an "Information Bar" (as in the popup blocker) that cookies are being blocked.
* Don't allow running programs and files in IFRAMEs in Medium and Medium-high levels.
* Prompt before running unsigned .NET Framework applets in Medium and Medium-high levels.
* Prompt when a script is doing paste operations in Medium and Medium-high levels.
* Enable the popup blocker in Medium level.

Vulnerabilities


This is a serious issue! There are a lot of unpatched Internet Explorer vulnerabilities. Exploiting some of them can lead to code execution!

(The link previously here was out of date. However, there are some reports of unfixed vulnerabilities at http://secunia.com/advisories/11793/ -- MikeDimmick).

There is a recently discovered vulnerability which leads to code execution by simply visiting a malicious website.

Note that most vulnerabilities require Active Scripting enabled. Default settings for all zones should be changed to Active Scripting: Disabled as a proactive security measure. -- SV

It is not very practical to expect that IE would have Active Scripting turned off by default. Many other products delivered by Microsoft are dependent on having Active Scripting available, for example SharePoint Services or ASP.NET. The actual requirement is to have Active Scripting available and implemented in such a manner that it does not increase overall risks - assuming that the level of risk was acceptable to begin with. This is not the case with current IE versions. While end users may suggest how this should be implemented - sandbox, restricted user, etc. - the IE developers need to determine all the requirements, prioritize them and then pick implementations that fulfill the greatest number of requirements, hopefully in a secure manner. -- jwd

Note that not only IE but all other major browsers are plagued with security problems with active content. A major security breakthrough would be needed before leaving it activated could be considered reasonably safe. Even Microsoft recommends disabling Active Scripting (http://www.microsoft.com/security/incident/download_ject.mspx). SP2 will also break some applications, but that's the price we have to pay for security. Sandbox-like restrictions might be a part of the solution but I'm afraid that won't be enough since they're basically adding another layer of the same security system that already failed once when the JavaScript security model got circumvented. --SV

Vulnerabilities of one-size-fits-all programming


There are two aspects of the security problem that IE has: one for the non-domain user, and one for the domain administrator (who, presumably, will make decisions for all the users in the domain). The IEAK is already unwieldy, and as far as I've seen it's not possible to directly import its settings into Group Policy (a feature that I would dearly love to see); this means that it has to be rolled out as a software package, instead of directly modifying the settings and pushing them out as part of a policy. Focusing here would be wonderful, but please remember not to leave the home/workgroup users in the lurch, and remember to let them set all of the same settings if they need to. Make the default settings 'no permissions', and then ask the user as necessary.

I think that most of the problems related to security in IE are flaws in how the COM security model works, and the current implementations of objects that don't enforce enough separation between roles. I would very much like to see the scripting objects be run with Anonymous permission, for example, with callbacks to a <currentuser> worker process that does the things required by the script. (This <currentuser> worker process could be what accesses the clipboard, requests more data from MSIE, writes the home page, saves files, etc -- it could log /exactly/ what it did, and in debug mode could even write the exact arguments that it was called with. It could also enforce the permissions of the security certificate that the active script was signed with, to make administrators' lives easier -- import the certificate in to the 'trusted developers' store, and grant specific permissions to that certificate a la Java.) This would allow for a smaller realm of 'trust exposure' -- there would be a well-defined interface to the callback, and only a limited number of things that you could do with it.

(and this doesn't really fit here, but I don't know where else to put it: My biggest pet peeve with IE's security model is, there is an 'always trust this developer' option, but there is no 'never trust this developer' option. How many times do I have to click 'no' to installing Macromedia Shockwave? Or that porn dialler? Or WeatherBug? Or something equally irritating?) --aerolupus

Other Frequent Requests


* secure by default: disable active content in default settings
* no drive-by downloads
* force plugin manufacturers to display a privacy policy and a clear and understandable statement of what the plugin does when installing/updating
* the browser should run completely in a sandbox
* get rid of ActiveX
* remove nagging "this website may not be displayed properly" messages when ActiveX is set to disabled
* options to disable ActiveX and JavaScript separately
* finer control of security settings per site (assuming the security problems with the zone model can be worked out)
* zone model: remove the zone for not secure sites. All unknown and/or not trusted sites should be in the Internet zone with the highest security. (There is no need for a zone "under" that. And the trusted sites could be moved into the trustworthy zone.)
* Maybe with a good sandbox the whole zone model is unnecessary. The zone model is too complex, esp. for beginners and many "normal" users. Removing the whole zone model and making it much clearer, like the settings in other browsers, would be very fine.

Create a system that would allow users to revoke certain code signing certificates.


For example, I'm annoyed with the company producing the Gator stuff and I'd like to personally revoke their code signing certificate or otherwise block content signed with it (of course this would only apply to my machine). I think this could have a huge impact, as people would start collecting lists of "vendors behaving badly" and the certificates used by them, and distributing these lists through the Internet. This is effective since the certificates cost vendors money, so they can't be constantly changing them.

An easy way to implement this would be to add a "Do not bug me!" button to the dialog asking whether or not I want to run this ActiveX control signed by xyz. I guess it currently has a button like "always trust xyz", so this new button would be the opposite version.

Apply XP SP2 - this feature is already included. In the Security Warning window:

http://common.ziffdavisinternet.com/utilgetimage/7/0,1311,sz=1&i=77604,00.gif
click More Options, then select 'Never install software from...', and click Don't Install.

Anyone - before suggesting new features, please install XP SP2 first. -- MikeDimmick

Re-enable no-prompt printing, disabled by XP SP2


A well known technique once allowed Javascript to print a page to the default printer without bringing up a print dialog box. This no longer works after Windows XP Service Pack 2 is installed, presumably for security reasons. This has made XP+IE unsuitable for use in embedded applications where automated printing is required. Please re-enable dialog-less printing, perhaps only on pages with URLs in a trusted zone. -- AMI May 27 05.