The new version of Internet Explorer, version 7, has been available for a while now for Windows XP, but a lot of users will be getting a first taste of it as Windows Vista hits the streets for consumers. Let's take a look at some features and recommendations for keeping IE7 secure and hardened.
The MHTML hole
In late 2006, Secunia, a security firm based in Denmark, discovered a non-critical yet important vulnerability in IE7. Essentially, the vulnerability involves the potential for Web sites with malicious code to steal data from other sites opened in another window of IE7. Its level of seriousness is debatable, and Microsoft claims that the vulnerability exists in Outlook Express rather than IE. Whatever the reason, the vulnerability is demonstrated at this sample site hosted by Secunia.
To work around this, disable the ability for ActiveX content to run automatically. The setting is covered in my checklist, which I explain a bit later in this article.
Protected mode and the phishing filter
Rarely will I advise upgrading to a new operating system just to take advantage of a new feature. But if you are a die-hard Internet Explorer aficionado, then you'll like a new feature, available only in IE in Windows Vista called Protected Mode; it helps create what is arguably the safest browsing environment bar none.
Protected Mode could be described as IE7 running in an extremely limited security context, lower than even that of a Limited User-based account. It removes a lot of capabilities from potentially dangerous applications and effectively limits Web browser-based applications and scripts to writing to the Temporary Internet Files folder only. It's enabled by default on Windows Vista; if you refuse to use Firefox or, for some reason are unable to do so, then the security is worth the price of admission to Windows Vista.
Another feature available in all versions of Internet Explorer, not just in IE coupled with Windows Vista, is the Phishing Filter. Microsoft has a database of the names of suspect Web sites. It works to notify the user if he or she opens a Web site deemed problematic by Microsoft after running the name through the database. The address bar will turn red and a warning will appear that the Web site is problematic. You can see the status of the phishing filter in the status bar at the bottom of the window; click it to turn it on and off. (Experienced users may find the behavior annoying, and there is a slight lag in loading pages while the URL is checked against Microsoft's phishing site database.)
Settings checklist
Here is a list of my recommended settings for a custom level within IE7. To implement these recommendations, select Options from the Tools menu in IE7. Navigate to the Security tab. Click the Custom Level tab after ensuring that the Internet zone is selected, and then select the following choices from the list (some less important settings can be left alone):
ActiveX controls and plug-ins:
- Binary and script behaviors: Disable
- Run ActiveX controls and plug-ins: Disable
- Script ActiveX controls marked safe for scripting: Disable
Miscellaneous:
- Allow Web pages to use restricted protocols for active content: Disable
- Display mixed content: Disable
- Installation of desktop items: Disable
- Launching applications and unsafe files: Disable
- Launching programs and files in an IFRAME: Disable
- Navigate sub-frames across different domains: Disable
- Software channel permissions: Maximum Safety
- Submit non-encrypted form data: Disable
- Web sites in less privileged Web content zone can navigate into this zone: Disable
Scripting:
- Active scripting: Disable
- Scripting of Java applets: Disable
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
