IE's problems at the time were pervasive, and many of them were rooted in its complicated architecture. Vulnerabilities in IE were being reported almost monthly, and users faced risk until Microsoft released updates.
By June 2004, attackers had started targeting IE. Exploits appeared "in the wild" on Web sites that installed malicious software on visitors' computers. This trend culminated in a "zero day" IE vulnerability, disclosed in an attack where malicious software captured information typed into bank Web sites, giving attackers access to victims' accounts.
Since then, there have been two developments. First, Microsoft released security enhancements in its Windows XP Service Pack 2. Second, attackers have begun to exploit vulnerabilities similar to IE's in alternative browsers.
Service Pack 2 makes important security improvements to IE. Though IE's architecture stays fundamentally the same, these improvements go beyond updates that address only one vulnerability at a time. In some instances, SP2 improvements favor security over functionality. Two of the most important improvements are the lockdown of the Local Machine zone and improved restrictions for "chromeless" windows.
Local Machine zone lockdown almost eliminates the ability of Web pages in the Local Machine zone to run scripts. That introduces a defense against cross-domain scripting vulnerabilities, which result from a failure to determine the source of a script. It is crucial for a Web browser to isolate scripts from different domains. For example, scripts from www.cert.org should not be able to access data from www.cnet.com. Nor should a browser treat scripts from a remote Web site as originating on the local computer.
With IE, scripts in the Local Machine zone have much greater privileges than in the Internet zone; an attacker's Web page in the Local Machine zone could download and run programs of the attacker's choosing. Local Machine zone lockdown limits the actions an attacker can take, making it difficult for an attacker to run malicious programs.
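The isolation rule described above can be sketched as follows. This is an added example, not code from the article and not IE's actual zone logic; the function names and the simplified two-zone mapping are assumptions. It derives a script's origin and zone from the parsed URL only, so text embedded elsewhere in the URL cannot change the result.

```javascript
// Added illustration: zone names follow the article, the rules are simplified assumptions.
const ZONE = { LOCAL: "Local Machine", INTERNET: "Internet" };
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Origin = (scheme, host, port), read from the parsed URL, never from raw text.
function originOf(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol === "file:") return { scheme: "file:", host: "", port: "" };
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORT[u.protocol] || "",
  };
}

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  // Local files are treated as unique origins, never equal to anything.
  if (x.scheme === "file:" || y.scheme === "file:") return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Only a real file: URL maps to the Local Machine zone; everything else is remote.
function zoneOf(rawUrl) {
  return originOf(rawUrl).scheme === "file:" ? ZONE.LOCAL : ZONE.INTERNET;
}

// Policy: no cross-zone access, no scripting inside the locked-down
// Local Machine zone, and same-origin access only within the Internet zone.
function mayScript(scriptUrl, targetUrl) {
  if (zoneOf(scriptUrl) !== zoneOf(targetUrl)) return false;
  if (zoneOf(scriptUrl) === ZONE.LOCAL) return false;
  return sameOrigin(scriptUrl, targetUrl);
}

// Constructed sample inputs.
console.log(mayScript("http://www.cert.org/a.js", "http://www.cnet.com/"));    // different hosts
console.log(mayScript("http://www.cnet.com/a.js", "file:///C:/page.html"));    // remote to local
console.log(zoneOf("http://www.cnet.com/?next=file:///C:/page.html"));         // still remote
```

The last sample shows why the decision must come from the parsed scheme and host: a `file:` string in the query, or a host-like name in the userinfo part of a URL, does not change where the script actually came from.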
"Chrome" is what makes a window look like a window: a border, an address bar, navigation buttons and so on. IE, like some other browsers, allows Web site developers (and attackers) to create windows without chrome. Before SP2, attackers could create deceptive chromeless windows that cover important elements such as the address bar, the security padlock icon, or even the Windows Start menu. This functionality made it easy to mislead users by making a spoofed Web site appear legitimate.
Other browsers, similar threats
All Web browsers face similar threats, and some share similar design features. IE is essentially a wrapper program around two Windows components: the Web browser ActiveX control that handles browser windows and navigation, and the MSHTML rendering engine that displays HTML and runs scripts. Outlook and Outlook Express use MSHTML.
Similarly, Apple Computer's Safari browser is based on an operating system component called Web Kit. The Mozilla Foundation's Web browsers, including the Mozilla suite and Firefox, use the Gecko Runtime Environment, or GRE. A vulnerability in any of these components could affect not only the Web browser but also any other programs using the component parts.
Like the IE Local Machine zone, Mozilla browsers have the concept of chrome scripts. If Mozilla incorrectly determines that an attacker's script from a remote Web site should be treated as a chrome script, the attacker can perform any action the user can, including downloading and running programs.
Attackers are paying attention. Some recent attacks target both IE and Mozilla-based browsers. Another uses an ActiveX control installed by Microsoft Office, again illustrating the dangers of tightly integrating the browser with the operating system (through shared ActiveX technology).
Safe browsing
There is no silver bullet, no such thing as 100 percent secure. Security requires a balance between functionality and cost, and relies on concepts of trust and risk tolerance. With this in mind, here are some recommendations for safe Web browsing.
Keep your browser updated. Windows (IE), Mozilla/Firefox, and Apple (Safari) all can be updated automatically.
Use caution on the Web. Don't enter sensitive information like passwords or account numbers on any Web site that doesn't use HTTPS to authenticate the site and encrypt information. Don't click on links in e-mail messages. When you visit a sensitive Web site, type the URL into the browser address bar, or use a bookmark you created after typing in the URL. If a browser window looks right but does not have an HTTPS connection, do not enter any information into that window.
Consider changing your browser configuration. Disabling scripts can make browsing much safer, but also less functional or enjoyable. In IE, consider locking down the Internet zone and putting regularly used Web sites in the Trusted sites zone.
Biography
Art Manion is an Internet security analyst at
60 comments
Big difference.
If I were a hacker, I'd ignore the browser with 0.5% share, too.
It would appear that Apple was mentioned only in some strange
sort of "equality of negativity" campaign. You would have served
your audience better if you had touted diversity, and suggested
that people move to browsers that have low rates of vulnerability.
Zone is an unworkable solution because so many sites use functions on completely different URLs to complete transactions. It is maddening, for example, to put a shopping site URL in the Trusted Zone and then at checkout time have the transaction fail because the checkout function is handled by another site which is not in the TZ. And there is no way of knowing in advance the entire list of URLs that a site uses for all its functions. Sites like BOFA and AMEX may use as many as 5 other URLs, none of which are linked to bofa.com, thereby preventing the use of wildcarding in the TZ. The Trusted Zone technology is stuck way back in 1995 when sites used only a single URL to perform all functions.
Did you even read the article?
This isn't a Microsoft-only problem anymore. I use Firefox with the popular "NoScript" extension (http://noscript.net), and it adds security, but also adds inconvenience--and sometimes, the exact same inconveniences and hassles you outlined.
Get real. If you use something other than MSIE, and find it more convenient, it's only because you're oblivious to the security risks.
For reading news and forums, I've found nothing better, and it doesn't have the security encumbrance that a thousand unused bells and whistles can subject me to.
After having used mozilla/firefox for more than two years without the tiniest problem, I had to go back to IE on a new pc to download firefox.
I made a typo in the address bar and after 30 seconds of Internet-Exploring I got stuck in a webring and had some spyware installed on my brand new pc...
So much for 'the same flaws in mozilla'...
Regards,
Huddie
Apart from that, with all the hype surrounding Firefox, hackers and virus makers are now specifically making exploits for Firefox users too. However, since Opera has a lower market share, its users remain more safe!
Then I turned off the PC, opened the case and tried to look at my CPU (which I thought was ruined). After a couple of hours I started my PC and it seemed like it was working fine. Until I tried to start Firefox, which worked for about two seconds and crashed. IE also crashed once in a while. Parts of the CPU are volatile and are generating messed up memory data, it seems, as the problems shift around. I traced the main cause of the problems to JavaScript. Opera also failed to work but it has an easy way to turn off JavaScript (by hitting F12 key). So I did and my Opera runs without any crashes. I know I will have to buy a new computer, but now it works with MSN and e-mail and simple web-browsing until I can get enough money for a new PC.
When bugs are discovered and fixed, the product improves. For Opera's faults to remain a mystery is actually a bad thing, not a good thing.
Opera is the last browser to be constructed. It is the only one of the common browsers that is not based on NCSA Mosaic, written in a clear slate. Maybe Opera will die but its DNA will survive: page zoom (yes, I know you do not know what it is), a multi-document interface browsing environment and mouse gestures, small footprint, great support for HTML, XML, WML, CSS (one of the best implementations), JavaScript, DOM and Java, RSS, mail client, you name it. Firefox is still a year behind, at least.