Microsoft Corp. has announced plans to make several key default changes to Internet Explorer 7's security zones to further harden the browser from malicious hacker attacks.
The built-in zones, used in IE to enforce security rules for Web sites by grouping them into categories, will be changed to scrap the use of the "Intranet" zone unless the computer has joined a domain.
According to details posted on the official IE Blog, Microsoft will also making significant default changes in the "Internet Zone" and "Trusted Sites" zone to provide defense-in-depth against some dangerous IE attack vectors.
"The Internet zone, where most users browse, will be tightened down with two very notable changes. The Internet zone will run in Protected Mode on Windows Vista," the company explained. "ActiveX Opt-In will also help reduce the attack surface of ActiveX controls in the internet zone."
With the "Trusted Sites" zone in IE6, Microsoft's Vishnu Gupta said the company found that many users do not understand how powerful a site becomes when they make it a Trusted Site. "For example, a Trusted Site in IE6 can automatically install signed ActiveX controls on the user's machine. As a safety precaution in IE7, we have set the default for the Trusted Sites zone to Medium, the same level as the Internet zone in IE6," Gupta explained.
He said customers who depend on the IE6 level of the Trusted Sites zone will be able lower settings back to IE6 levels with a slider on the "Security" tab of "Internet Options" or through policy settings.
The most significant default change will be the way the browser deals with the "Intranet Zone," a setting that is primarily designed for sites built by a network administrator.
"Because security zones allows more power to some Web sites, zones also open the possibility of zone-spoofing attacks: If there is a flaw in IE's zone detection logic, a malicious Web site could try to run in a less restrictive security zone than they should run in. With URL parsing and other improvements in Windows XP SP2 and IE7, we have helped to ensure this doesn't happen," he explained.
"We realized that the intranet zone (and its lower restrictions) is not relevant at all to the typical home user running IE. This change effectively removes the attack surface of the intranet zone for home PC users," he explained.
In an enterprise IT setting, IE7 will check if a machine has joined a domain and automatically detect intranet sites and run them with settings for the Intranet zone.
"There will be cases where IE might not detect an enterprise IT network correctly. For example, a PC might be on a workgroup rather than a domain or it may not have joined the domain. For those cases, network admins will be able to set group policy on the settings for the Intranet to make sure that IE behaves as they wish. Even if the network admin can't set policy, IE will show an information bar when visiting a probable intranet site. If a user wants to re-enable their intranet zone, they'll be able to," Gupta added.
The IE makeover will also feature a "low-rights" security feature to prevent cross-domain vulnerabilities from installing malicious software on users' machines.
Microsoft will also discontinue the use of the SSLv2 (Secure Socket Layer) protocol in IE7 and use the stronger TLSv1 (Transport Layer Security) protocol—part of an overall plan to improve the security and user experience for HTTPS connections.
The new browser will also block navigation to HTTPS sites that present problematic digital certificates.
Beyond the security improvements, IE7 promises support for IDN (International Domain Names), tabbed browsing, built-in RSS and seamless search that will include choices of search providers. The browser also will improve Web page printing capabilities such as the automatic "fit-to-page" feature.
The built-in zones, used in IE to enforce security rules for Web sites by grouping them into categories, will be changed to scrap the use of the "Intranet" zone unless the computer has joined a domain.
According to details posted on the official IE Blog, Microsoft will also making significant default changes in the "Internet Zone" and "Trusted Sites" zone to provide defense-in-depth against some dangerous IE attack vectors.
"The Internet zone, where most users browse, will be tightened down with two very notable changes. The Internet zone will run in Protected Mode on Windows Vista," the company explained. "ActiveX Opt-In will also help reduce the attack surface of ActiveX controls in the internet zone."
With the "Trusted Sites" zone in IE6, Microsoft's Vishnu Gupta said the company found that many users do not understand how powerful a site becomes when they make it a Trusted Site. "For example, a Trusted Site in IE6 can automatically install signed ActiveX controls on the user's machine. As a safety precaution in IE7, we have set the default for the Trusted Sites zone to Medium, the same level as the Internet zone in IE6," Gupta explained.
He said customers who depend on the IE6 level of the Trusted Sites zone will be able lower settings back to IE6 levels with a slider on the "Security" tab of "Internet Options" or through policy settings.
The most significant default change will be the way the browser deals with the "Intranet Zone," a setting that is primarily designed for sites built by a network administrator.
"Because security zones allows more power to some Web sites, zones also open the possibility of zone-spoofing attacks: If there is a flaw in IE's zone detection logic, a malicious Web site could try to run in a less restrictive security zone than they should run in. With URL parsing and other improvements in Windows XP SP2 and IE7, we have helped to ensure this doesn't happen," he explained.
"We realized that the intranet zone (and its lower restrictions) is not relevant at all to the typical home user running IE. This change effectively removes the attack surface of the intranet zone for home PC users," he explained.
In an enterprise IT setting, IE7 will check if a machine has joined a domain and automatically detect intranet sites and run them with settings for the Intranet zone.
"There will be cases where IE might not detect an enterprise IT network correctly. For example, a PC might be on a workgroup rather than a domain or it may not have joined the domain. For those cases, network admins will be able to set group policy on the settings for the Intranet to make sure that IE behaves as they wish. Even if the network admin can't set policy, IE will show an information bar when visiting a probable intranet site. If a user wants to re-enable their intranet zone, they'll be able to," Gupta added.
The IE makeover will also feature a "low-rights" security feature to prevent cross-domain vulnerabilities from installing malicious software on users' machines.
Microsoft will also discontinue the use of the SSLv2 (Secure Socket Layer) protocol in IE7 and use the stronger TLSv1 (Transport Layer Security) protocol—part of an overall plan to improve the security and user experience for HTTPS connections.
The new browser will also block navigation to HTTPS sites that present problematic digital certificates.
Beyond the security improvements, IE7 promises support for IDN (International Domain Names), tabbed browsing, built-in RSS and seamless search that will include choices of search providers. The browser also will improve Web page printing capabilities such as the automatic "fit-to-page" feature.