• Protection Against Malware
  • URL Handling Protections
  • ActiveX Opt-In
  • Protection Against Cross-Domain Scripting Attacks
  • Protected Mode
  • Advanced Protection Against Spyware With Windows Defender
  • Dynamic Security Protection




    Date: 20.09.2020

    Dynamic Security Protection


    Web browsers perform a broad range of functions in the computing environment. They must be open and flexible enough to enable users to interact with multiple data sources housed on a range of systems around the globe and at the same time be secure enough to prevent unwanted data access or application behaviors. Managing this balance is a top priority for Microsoft’s customers. The combination of the ubiquitous and essential nature of the Web browser with the requirement for bidirectional network communications gives browsers the unenviable responsibility of being both a critical element of the computing infrastructure and the primary attack point for malicious software.
    Vulnerabilities exist in all sophisticated software code; the differences essentially come down to the degree of difficulty required to exploit them and what a hacker can do upon exploiting them. Further, some security vulnerabilities are not even technological in nature. For example, malicious individuals can exploit social behaviors and user misinformation techniques, resulting in users being tricked into turning over personally identifiable information through obscured Web sites, confusing dialog boxes and unexpected add-on behavior. Web browsers represent an alluring target for hackers because many users can be easily confused and, historically, have not applied all security updates in a timely manner.
    Windows XP Service Pack 2 greatly improved security in the operating system and the browser. Internet Explorer 7 goes well beyond those changes, providing a significantly strengthened browser by eliminating legacy code to deliver stronger and more secure software. When combined with Microsoft Windows Defender, Internet Explorer 7 helps users achieve an unprecedented level of security protection.
    Microsoft has two primary security objectives with Internet Explorer 7:

    • Protection against malware. Microsoft is committed to giving customers more confidence in the security of their browsing activity and helping to prevent the installation of malicious software. The company defines malware as all malicious code or unwanted software, including worms, viruses, adware and spyware.

    • Personal data safeguards. Microsoft aims to protect users from phishing attacks, prevent fraudulent Web sites from stealing user data, and help users more safely and securely engage in legitimate e-commerce without divulging their personal information unintentionally.

    Protection Against Malware


    Malware, short for malicious software, refers to software applications designed to damage or disrupt a user’s system. The proliferation of malware and its impact on security is a driving force behind the design of Internet Explorer 7. The new version has been improved to reduce the potential for hackers to compromise a user’s browser or system. In addition, Internet Explorer 7 includes several technical features designed to thwart hackers’ efforts to lead users into giving away personal data when they should not. Core parts of the browser’s architecture also have been fortified to better defend against exploitation and improve the way the browser handles data.

    URL Handling Protections


    Historically, attackers have taken advantage of internal code design issues within the Web browser to attack a system. A hacker would rely on a user clicking on an HTML link referencing some type of malformed URL that contains odd or excessive characters. In the process of parsing the URL, a buffer would overflow, and code supplied by the hacker would execute. Given the size of Web browser application code, the most efficient solution to fixing these types of attacks was to issue updates as each was discovered and the root cause identified. Yet even with only a handful of such updates required, the better solution was to rewrite the baseline application code. Internet Explorer 7 benefits from these experiences and the analysis of attack signatures. Rewriting certain sections of the code has drastically reduced the internal attack surface of Internet Explorer 7 by defining a single function to process URL data. This new data handler ensures higher reliability while providing greater features and flexibility to address the changing nature of the Internet as well as the globalization of URLs, international character sets and domain names.

    ActiveX Opt-In


    Internet Explorer offers Web developers the ActiveX® platform as a mechanism to greatly extend browser capabilities and enhance online experiences. Some malicious developers have co-opted the platform to write harmful applications that steal information and damage user systems. Many of these attacks were made against ActiveX Controls shipped within the Windows operating system, even though the controls were never intended to be used by Internet-facing applications. Internet Explorer 7 offers users a powerful new security mechanism for the ActiveX platform. ActiveX Opt-In automatically disables entire classes of controls — all controls the user has not previously enabled — which greatly reduces the attack surface. This new feature mitigates the potential misuse of preinstalled controls. Users will now be prompted by the Information Bar before a previously installed but as-yet unused ActiveX Control can be accessed. This notification mechanism will enable users to permit or deny access when viewing unfamiliar Web sites. For Web sites that attempt automated attacks, ActiveX Opt-In protects users by preventing unwanted access and giving the user total control. If the user opts to permit loading an ActiveX Control, the appropriate control is easily enabled by clicking in the Information Bar.

    Protection Against Cross-Domain Scripting Attacks


    Cross-domain scripting attacks involve a script from one Internet domain manipulating content from another domain. For example, a user might visit a malicious page that opens a new window containing a legitimate page (such as a banking Web site) and prompts the user to enter account information, which is then extracted by the hacker. Internet Explorer 7 has been improved to help deter this malicious behavior by appending the domain name from which each script originates and limiting that script's ability to interact to windows and content from that same domain. These cross-domain script barriers will help ensure that user information remains in the hands of only those the user intentionally provides it to. This new control will further protect against malware by limiting the potential for a malicious Web site to manipulate flaws in other Web sites and initiate the download of some undesired content to a user’s PC.
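The two ideas described under URL Handling Protections and in this section, as an added example that is not Internet Explorer's code: one bounds-checked function handles all URL data, and the cross-domain decision is built on top of it. The names `parse_origin` and `same_origin`, the length caps and the sample URLs are assumptions, and the comparison uses scheme, host and port, a general same-origin rule rather than the page's "domain name" alone.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_URL 2048 /* assumed cap on total URL length */
struct origin { char scheme[16]; char host[256]; int port; };

/* Copy n bytes lowercased into dst[cap]; fail rather than truncate or overflow. */
static int copy_lower(char *dst, size_t cap, const char *src, size_t n) {
    if (n == 0 || n >= cap) return -1;
    for (size_t i = 0; i < n; i++) dst[i] = (char)tolower((unsigned char)src[i]);
    dst[n] = '\0';
    return 0;
}

/* Single entry point for URL data: 0 and *o filled on success, -1 on anything odd. */
int parse_origin(const char *url, struct origin *o) {
    const char *end = memchr(url, '\0', MAX_URL + 1);
    if (!end) return -1;                              /* excessive length */
    for (const char *c = url; c < end; c++)           /* odd characters */
        if ((unsigned char)*c <= 0x20 || (unsigned char)*c >= 0x7f) return -1;
    const char *sep = strstr(url, "://");
    if (!sep || copy_lower(o->scheme, sizeof o->scheme, url, (size_t)(sep - url))) return -1;
    const char *host = sep + 3;
    size_t hlen = strcspn(host, ":/?#");
    if (memchr(host, '@', hlen) || copy_lower(o->host, sizeof o->host, host, hlen)) return -1;
    o->port = !strcmp(o->scheme, "https") ? 443 : !strcmp(o->scheme, "http") ? 80 : -1;
    if (o->port < 0) return -1;                       /* only http/https in this example */
    if (host[hlen] == ':') {                          /* explicit port: digits only, 1..65535 */
        char *stop;
        long v = strtol(host + hlen + 1, &stop, 10);
        if (!isdigit((unsigned char)host[hlen + 1]) || v < 1 || v > 65535 || !strchr("/?#", *stop)) return -1;
        o->port = (int)v;
    }
    return 0;
}

/* Cross-domain barrier: allow only if both URLs parse and their origins match. */
int same_origin(const char *script_url, const char *target_url) {
    struct origin a, b;
    if (parse_origin(script_url, &a) || parse_origin(target_url, &b)) return 0;
    return !strcmp(a.scheme, b.scheme) && !strcmp(a.host, b.host) && a.port == b.port;
}

int main(void) { /* constructed sample URLs, not taken from the page */
    printf("%d\n", same_origin("https://bank.example/login", "HTTPS://BANK.EXAMPLE:443/acct"));
    printf("%d\n", same_origin("https://bank.example@evil.example/", "https://bank.example/"));
}
```

Any URL the parser cannot handle, including IPv6 literals and userinfo forms, is treated as a denial, so a parsing gap fails closed instead of granting access.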

    Protected Mode


    Available only to users running Internet Explorer 7 in Windows Vista, Internet Explorer Protected Mode will provide new levels of security and data protection for Windows users. Designed to defend against “elevation of privilege” attacks, Protected Mode provides the safety of a robust Internet browsing experience while helping prevent hackers from taking over the browser and executing code through the use of administrator rights.
    In Protected Mode, Internet Explorer 7 in Windows Vista is unable to modify user or system files and settings. All communications occur via a broker process that mediates between the Internet Explorer browser and the operating system. The broker process is initiated only when the user clicks on the Internet Explorer menus and screens. The highly restrictive broker process prohibits work-arounds from bypassing Protected Mode. Any scripted actions or automatic processes will be prevented from downloading data or affecting the system. Specifically, Component Object Model (COM) objects will only be self-aware and will have no reference information by which to identify and attack other applications or the operating system.
    Internet Explorer Protected Mode helps protect users from malicious downloads by restricting the ability to write to any local machine zone resources other than temporary Internet files. Attempting to write to the Windows Registry or other locations will require the broker process to provide the necessary elevated permissions. Internet Explorer Protected Mode also offers tabbed browsing security protection by opening new windows — rather than new tabs — for content contained outside the current security zone.

    Fix My Settings

    Knowing that most users are likely to install and operate applications using the default configuration, Internet Explorer 7 ships with security settings designed to provide the maximum level of usability while maintaining controlled security. There are legitimate reasons why a custom application may require a user to lower security settings from a default, but it is critical the user reverse those changes when they are no longer needed. Internet Explorer 7 introduces users to the new Fix My Settings feature to keep users protected from browsing with unsafe settings. This new feature in Internet Explorer 7 warns users with an Information Bar when current security settings may put them at risk. When a user makes changes in the security settings window, they will see settings automatically highlight in red if they modify certain critical items. In addition to dialog alerts warning the user about unsafe settings, the user will be reminded by the Information Bar as long as the settings remain unsafe. Users can instantly reset the security settings to the ‘Medium-High’ default level by clicking the ‘Fix My Settings’ option in the Information Bar.




    Advanced Protection Against Spyware With Windows Defender


    Microsoft Windows Defender enhances security and privacy protections when used with Internet Explorer 7. Extending the protections against malware at the browser level, Windows Defender helps prevent malware from entering the machine via piggy-back download, a common mechanism by which spyware is distributed and installed silently along with other applications.
    Although the improvements in Internet Explorer 7 cannot stop non-browser-based spyware from infecting the machine, using it with Windows Defender will provide a solid defense on several levels. Windows Defender is available for Windows XP and is also in Windows Vista.

