No matter what type of Internet connection a company or individual uses, whether broadband, dial-up, or local area network (LAN), it is important to address the security vulnerabilities that Web browsers introduce to the systems and network. Many of the most commonly used Internet service client software programs, such as Web browsers and e-mail utilities, are vulnerable to an ever-expanding list of malicious attacks. Most of these attacks are made possible by the dynamic and automated capabilities that these tools have acquired over the years. The inclusion of scripting and programming languages in these utilities (for example, JavaScript, Java, and ActiveX) has introduced new and easily exploited security vulnerabilities to an already imperfect environment. In an effort to maintain browser market share by offering the widest range of capabilities and features, Microsoft's Web browser Internet Explorer and e-mail clients Outlook and Outlook Express have become immensely popular and consequently are the most commonly attacked Internet service clients.
It is important to remember that Microsoft is not the only vendor whose Internet service products are susceptible to attacks—it's merely because this company's products are the most popular that they have become the favorite target of attackers. Some users—including networking professionals who should know better—operate under a false sense of security because they use non-Microsoft products. Each time a security flaw in Internet Explorer, Outlook, or a Microsoft operating system is announced, they proudly boast that they would never use such an insecure product. Meanwhile, a Web search for UNIX or Linux security vulnerabilities turns up thousands of pages detailing security holes in various UNIX/Linux versions. It bears repeating that there is no truly secure network-connected computer.
When it comes to Web browsers, the truth is that any utility that supports the execution of scripts or programming code downloaded from a Web page or an e-mail message is vulnerable. This includes not only Internet Explorer, but also other browsers such as Firefox, Opera, Safari, and so on. The proliferation of these vulnerabilities is the result of pursuing functionality in hopes of obtaining market share instead of thoroughly investigating and dealing with the security implications.
Most vulnerabilities found in Web and e-mail clients relate to buffer overflow errors or arbitrary code execution. Both of these vulnerabilities enable a remote system, whether a Web site or a sender of an e-mail message, to execute malicious code on your computer. In most cases, the executed code is granted system-level privileges, meaning that there are literally no restrictions on what actions such code can take.
In the next sections, we look at the technologies that create security risks in Web browsers and e-mail, and then we discuss how to make each of the popular browser programs more secure.
Types of Dangerous Code
Several different types of code can be used to enhance Web pages and e-mail and to perform unwanted and even dangerous actions on a computer. The following sections provide an overview of the most popular of these types of code: JavaScript, ActiveX, and Java.
JavaScript
JavaScript is a scripting language developed by Netscape to allow executable code to be embedded in Web pages. All major Web browsers support JavaScript. JavaScript is used to manipulate browser window size, open and close windows, manage forms, and alter browser settings. JavaScript itself is relatively secure. However, improper implementations (such as vendor programming errors) have enabled numerous attacks. Each vendor has patched most of these vulnerabilities, but it is still possible to use JavaScript to perform a malicious activity if you can trick Web surfers into doing something they shouldn't. Unfortunately, it is usually easy for a malicious Web site to trick visitors into providing access or enabling code execution when they shouldn't.
ActiveX
ActiveX is a code-embedding technology developed by Microsoft. It employs a security control known as code signing. Each ActiveX program is called a control. When a control is downloaded to a Web browser, it is scanned for a digital signature; the Authenticode technology verifies the signature with a certificate authority (CA) and ensures that the control hasn't been altered. A dialog box is displayed, indicating that the ActiveX control is signed by a specific company or individual and prompting the user to indicate whether to accept this control, always accept controls from this entity, or deny this control. Once an ActiveX control is on a system, it can do anything it is programmed to do, whether benign or malicious. Knowing who authored a control doesn't guarantee that the control is secure or that its interactions with other controls will not introduce new vulnerabilities to your system.
Java
Java is a programming language developed by Sun Microsystems. It is fundamentally different from JavaScript in that it uses a technique known as sandboxing to restrict its capabilities. Java programs that execute locally are called applets. Each applet is checked to make sure it is coded properly and is not corrupted before it is allowed to execute. Then a security monitor oversees the applet's activity to prevent it from performing actions that it should not be able to perform, such as reading data, opening network connections, or deleting files.
Unfortunately, some implementations of Java have been compromised using various exploits. Hostile applets can also crash browsers and systems, kill other applets, extract your e-mail address and send it to the applet's distributor, and perform other nasty acts.
Making Browsers and E-mail Clients More Secure
Network administrators and users can take several steps to make Web browsers and e-mail clients more secure and protect against malicious code or unauthorized use of information. These steps include restricting the use of programming languages, keeping security patches current, and becoming aware of the function of cookies.
Restricting Programming Languages
Most Web browsers have optional settings that allow users to restrict or deny the use of Web-based programming languages. For example, Internet Explorer can be set to always allow, always deny, or prompt for user input when a JavaScript, Java, or ActiveX element appears on a Web page. Restricting all executable code from Web sites, or at least forcing the user to make choices each time such code is downloaded, reduces security breaches caused by malicious downloaded components.
A side benefit of restricting these programming languages for a Web browser is that those restrictions often apply to the e-mail client as well. The same malicious code that can be downloaded from a Web site could just as easily be sent to a person's e-mail account. If you don't have such restrictions in place, your mail client could automatically execute downloaded code.
Keeping Security Patches Current
New exploits for Web browsers and e-mail clients seem to appear daily. Product vendors usually address significant threats promptly by releasing a patch for their products. To maintain a secure system, you must remain informed about your software and apply patches for vulnerabilities when they become available.
However, you must consider a few caveats when working with software patches:
▪ Patches are often released quickly, in response to an immediate problem, so they may not have been thoroughly tested. This can result in failed installations, crashed systems, inoperable programs, or additional security vulnerabilities.
▪ It is extremely important to test new patches on nonproduction systems before deploying them throughout your network.
▪ If a patch cannot be deemed safe for deployment, you should weigh the consequences of not deploying it and remaining vulnerable to the threat against the possibility that the patch might itself cause system damage. If the threat is minimal, it is often safer to wait until you experience the problem a patch is designed to address before deploying such a questionable patch.
Cookie Awareness
A cookie is a kind of token or message that a Web site hands off to a Web browser to help track a visitor between clicks. The browser stores the message on the visitor's local hard disk in a text file. The file contains information that identifies the user and his or her preferences or previous activities at that Web site. If the user revisits the same Web site, the user's browser sends the cookie back to the Web server. Cookies are extremely useful in allowing a Web site to provide a seemingly continuous communications session with a visitor, such as maintaining a shopping cart, remembering search keywords, or customizing displayed data based on the user's preferences. However, because cookies contain identifying information, they might be used for less noble purposes.
Cookies have been discussed extensively in the popular press. These stories sometimes grant cookies more power than they really have and assign them more regard than they deserve. Cookies raise questions about privacy, but they are unable to execute code or access files. Instead, cookies simply store data from Web browsing sessions and send that same data back to a Web server. Cookies can be delivered to a computer via Web pages or HTML-enabled e-mail. Malicious, or at least unscrupulous, use of cookies occurs when they are used to track a user's surfing habits from one system to another, to grab a user's logon information from one site and send it to another, or even to capture a user's e-mail address and add the user to mailing lists without the user's knowledge. Fortunately, cookies can be disabled in the same manner as programming languages.
Securing Web Browser Software
Although the same general principles apply, each of the popular Web browser programs has a slightly different method to configure its security options. Securing Web browser software involves applying the latest updates and patches, modifying a few settings, and practicing intelligent surfing. Microsoft seems to release an Internet Explorer-specific security patch just about every week. This constant flow of patches is due to both the oversights of the programmers who wrote the code and the focused attacks on Microsoft products by the malevolent cracker community. In spite of this negative attention, you can still employ Internet Explorer as a relatively secure Web browser—when it is configured correctly.
The first step in securing Internet Explorer is to install the latest patches and updates. Users can do this automatically through Windows Update, or they can do it manually. Either way, only through patch application will most of the known vulnerabilities of Internet Explorer programming be resolved.
The second step is to configure Internet Explorer for secure surfing. Users can do this through the Internet Options applet. In Internet Explorer 7, you can access this applet through the Windows Control Panel or through the Tools menu of Internet Explorer. If the default settings are altered on the Security, Privacy, Content, and Advanced tabs, as shown in Figure 9.4, Internet Explorer security is improved significantly.
Zones are defined on the Security tab. A zone is nothing more than a named collection of Web sites (from the Internet or a local intranet) that can be assigned a specific security level. Internet Explorer uses zones to define the threat level a specific Web site poses to the system. Internet Explorer offers four security zone options:
▪ Internet: Contains all sites not assigned to other zones.
▪ Local intranet: Contains all sites within the local intranet or on the local system. The operating system maintains this zone automatically.
▪ Trusted sites: Contains only sites manually added to this zone. Users should add only fully trusted sites to this zone.
▪ Restricted sites: Contains only sites manually added to this zone. Users should add any sites that are specifically not trusted or that are known to be malicious to this zone.
Each zone is assigned a predefined security level, or a custom level can be created. The predefined security levels are offered on a slide controller with a description of the content that will be downloaded under particular conditions. You can also define custom security levels to exactly fit the security restrictions of your environment. There are security controls related to how ActiveX, downloads, Java, data management, data handling, scripting, and logon are handled. The most secure configuration is to set all zones to the High security level. However, keep in mind that increased security means less functionality and capability.
The Privacy tab, shown in Figure 9.5, defines how Internet Explorer manages personal information through cookies.
The Privacy tab offers a slide controller with six settings ranging from full disclosure to complete isolation. You can also define a custom set of cookie controls by deciding whether first-party and third-party cookies are allowed, are denied, or initiate a prompt, and whether session cookies are allowed. You can define individual Web sites whose cookies are either always allowed or always blocked. Preventing all use of cookies is the most secure configuration, but it is also the least functional. Many Web sites will not function properly under this setting, and some will not even allow you to visit them when cookies are disabled.
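The custom cookie controls described above, as an added example (not code from the original text or from Internet Explorer): a simplified model of how first-party, third-party, session, and per-site rules combine into an allow, block, or prompt decision. The host names, policy values, precedence order, and two-label "site" comparison are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of custom cookie handling.
// Policy values, host names and headers below are constructed samples.

// Split one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf("=");
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// No Expires and no Max-Age: the cookie is discarded when the browser closes.
const isSessionCookie = (c) => !("expires" in c.attrs) && !("max-age" in c.attrs);

// Assumption: the last two host labels stand in for the "site"; real browsers
// consult a public-suffix list instead.
const siteOf = (host) => host.toLowerCase().split(".").slice(-2).join(".");

// Third-party: set by a host on a different site than the page being viewed.
const isThirdParty = (pageHost, setterHost) => siteOf(pageHost) !== siteOf(setterHost);

// Assumed precedence: per-site lists, then the session rule, then party rules.
function decide(policy, pageHost, setterHost, header) {
  const cookie = parseSetCookie(header);
  const site = siteOf(setterHost);
  if (policy.alwaysBlock.includes(site)) return "block";
  if (policy.alwaysAllow.includes(site)) return "allow";
  if (policy.allowSessionCookies && isSessionCookie(cookie)) return "allow";
  return isThirdParty(pageHost, setterHost) ? policy.thirdParty : policy.firstParty;
}

const samplePolicy = {
  firstParty: "prompt", thirdParty: "block", allowSessionCookies: true,
  alwaysAllow: ["example.org"], alwaysBlock: ["tracker.example"],
};

// Constructed responses received while viewing a page on shop.example.com.
const samples = [
  ["shop.example.com", "cart=abc123; Path=/"],
  ["www.example.com", "prefs=dark; Max-Age=31536000; Path=/"],
  ["ads.example.net", "uid=42; Expires=Wed, 01 Jan 2031 00:00:00 GMT"],
  ["cdn.tracker.example", "sid=1; Path=/"],
];
for (const [host, header] of samples) {
  console.log(host, "->", decide(samplePolicy, "shop.example.com", host, header));
}
```

Under this sample policy the session cookie from the blocked site is still refused, because the per-site list is checked before the session rule.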
The Content tab, shown in Figure 9.6, gives you access to the certificates that Internet Explorer trusts and accepts. If you've accepted a certificate that you no longer trust, you can peruse this storehouse and remove it.
The Content tab also gives you access to Internet Explorer's AutoComplete capability. This feature is useful in many circumstances, but when it is used to remember usernames and passwords to Internet sites, it becomes a security risk. The most secure configuration requires that AutoComplete be turned off for usernames and passwords, that prompting to save passwords is disabled, and that the current password cache is cleared.
On the Advanced tab, shown in Figure 9.7, several security-specific controls are included at the bottom of a lengthy list of functional controls. These security controls include checking for certificate revocation, not saving encrypted pages to disk, deleting temporary Internet files when the browser is closed, using Secure Sockets Layer/Transport Layer Security (SSL/TLS), and warning when forms are submitted insecurely. The most secure configuration has all of these settings enabled.
Another option that is available through the Advanced tab is turning on the Phishing Filter. Phishing is a method of tricking computer users into revealing personal information to fraudulent Web sites that appear authentic. When the Phishing Filter is enabled, Internet Explorer will analyze the sites you visit to check for features that are common to phishing sites. It will compare the address of a Web site to a list of sites, reported to Microsoft, which is stored on your computer. If the site is on the list, a warning will appear, notifying you whether the site has characteristics of a phishing site.
A final step in maintaining a secure Internet Explorer deployment is to practice safe surfing habits. Common sense should determine what users do, both online and offline. Unfortunately, as many law enforcement officers have observed in the course of their duties, common sense isn't all that common. Most of us wouldn't walk down a dark alley in the middle of the city at 3:00 a.m., but people do it, and unfortunately, they sometimes learn a lesson the hard way. Visiting Web sites of questionable design is the virtual equivalent of putting oneself in harm's way in a dark alley, but Internet users do it all the time. Here are some guidelines that should be followed to ensure safe surfing:
▪ Download software only from original vendor Web sites.
▪ Always attempt to verify the origin or ownership of a Web site before downloading materials from it.
▪ Never assume that anything presented online is 100 percent accurate.
▪ Avoid visiting suspect Web sites—especially those that offer cracking tools, pirated programs, or pornography—from a system that needs to remain secure.
▪ Always reject certificates or other dialog box prompts by clicking No, Cancel, or Close when prompted by Web sites or vendors with which you are unfamiliar.