Schneier on Security
A blog covering security and security technology.
February 9, 2006
The New Internet Explorer
I'm just starting to read about the new security features in Internet Explorer 7. So far, I like what I am reading.
IE 7 requires that all browser windows display an address bar. This helps foil attackers that operate by popping up new windows masquerading as pages on a legitimate site, when in fact the site is fraudulent. By requiring an address bar, users will immediately see the true URL of the displayed page, making these types of attacks more obvious. If you think you're looking at www.microsoft.com, but the browser address bar says www.illhackyou.net, you ought to be suspicious.
I use Opera, and have long used the address bar to "check" on URLs. This is an excellent idea. So is this:
In early November, a bunch of Web browser developers got together and started fleshing out standards for address bar coloring, which can cue users to secured connections. Under the proposal laid out by IE 7 team member Rob Franco, even sites that use a standard SSL certificate will display a standard white address bar. Sites that use a stronger, as yet undetermined level of protection will use a green bar.
I like easy visual indications about what's going on. And I really like that SSL is generic white, because it really doesn't prove that you're communicating with the site you think you're communicating with. This feature helps with that, though:
Franco also said that when navigating to an SSL-protected site, the IE 7 address bar will display the business name and certification authority's name in the address bar.
Some of the security measures in IE7 weaken the integration between the browser and the operating system:
People using Windows Vista beta 2 will find a new feature called Protected Mode, which renders IE 7 unable to modify system files and settings. This essentially breaks down part of the integration between IE and Windows itself.
Think of it as a wall between IE and the rest of the operating system. No, the code won't be perfect, and yes, there'll be ways found to circumvent this security, but this is an important and long-overdue feature.
The majority of IE's notorious security flaws stem from its pervasive integration with Windows. That is a feature no other Web browser offers -- and an ability that Vista's Protected Mode intends to mitigate. IE 7 obviously won't remove all of that tight integration. Lacking deep architectural changes, the effort has focused instead on hardening or eliminating potential vulnerabilities. Unfortunately, this approach requires Microsoft to anticipate everything that could go wrong and block it in advance -- hardly a surefire way to secure a browser.
That last sentence is about the general Internet attitude to allow everything that is not explicitly denied, rather than deny everything that is not explicitly allowed.
Also, you'll have to wait until Vista to use it:
...this capability will not be available in Windows XP because it's woven directly into Windows Vista itself.
There are also some good changes under the hood:
IE 7 does eliminate a great deal of legacy code that dates back to the IE 4 days, which is a welcome development.
Microsoft has rewritten a good bit of IE 7's core code to help combat attacks that rely on malformed URLs (that typically cause a buffer overflow). It now funnels all URL processing through a single function (thus reducing the amount of code that "looks" at URLs).
All good stuff, but I agree with this conclusion:
IE 7 offers several new security features, but it's hardly a given that the situation will improve. There has already been a set of security updates for IE 7 beta 1 released for both Windows Vista and Windows XP computers. Security vulnerabilities in a beta product shouldn't be alarming (IE 7 is hardly what you'd consider "finished" at this point), but it may be a sign that the product's architecture and design still have fundamental security issues.
I'm not switching from Opera yet, and my second choice is still Firefox. But the masses still use IE, and our security depends in part on those masses keeping their computers worm-free and bot-free.
NOTE: Here's some info on how to get your own copy of Internet Explorer 7 beta 2.
Posted on February 9, 2006 at 3:37 PM
Just keep an eye out for the switched-on-by-default phishing detector.
Really, it sends every single url view to Microsoft, where it gets matched against a remote database of known phishing sites. This has ticked off a fair amount of people who really would rather getting an updated, local database rather than have it phone home on every hit.
Using "rundll32.exe" as part of RSS updating is an accident waiting to happen. This browser won't be fully formed until it ships with Vista - I'll stick with Opera and Firefox.
>>it sends every single url view to Microsoft
Is this a joke?
"IE 7 requires that all browser windows display an address bar." sounds good.
My problem: I've received legitimate e-mails from banks and businesses that redirect to third parties (surveys etc.) or use another URL from within the business's domain.
So having an address bar for each window doesn't always help determine authenticity when the company's URL is unrecognizable. I'm glad Microsoft is finally getting at this problem, I just hope other web-present businesses pay attention and start making it easier for their customers to figure out who's who.
> Is this a joke?
No. That's the way it works.
Isn't this just another case of using technology to try to overcome operator ignorance? I think it's great that Microsoft is installing features that 5% of the computer users will pay attention to, but my guess is that most people will still blindly click through from www.illhackyou.com to www.nowthatihackedyou,whydontyougivemeyourcarkeystoo.com. Operator laziness or ignorance is simply a problem to which there is no technological solution.
Firefox(ver 220.127.116.11) already colors the address bar yellow with the SSL lock icon.
"will display the business name and certification authority's name in the address bar."
Firefox also does this, but in the status bar, where one would normally look for just the lock icon.
Well, that sounds better than the existing situation, and having the more user-friendly security features will make it easier to educate people on how to identify malicious sites.
On the other hand, I worry that these changes are primarily cosmetic and will give people a false sense of security. For instance, an infected PC could easily fake those security features. DNS poisoning and other man-in-the-middle attacks will probably be more effective since folks will think they are safe.
"IE 7 does eliminate a great deal of legacy code that dates back to the IE 4 days, which is a welcome development."
Unless they are getting rid of ActiveX, I can't imagine IE ever being secure under the hood and I doubt they are going to get rid of ActiveX since so many companies depend on it.
The worst thing with IE7 is that you still need Windows to run it.
But kidding aside: the only halfway(!) secure way to avoid phishing is whitelisting. One can do that in a corporate environment with known endpoints, but it is not very comfortable for the private user. The IE developers seem to have chosen a blacklist--a band-aid, so to say. Typical Microsoft-Way(TM)? Unfortunately, they are not alone; you can see a lot of examples at Sourceforge et al. and within the commercial offers too, of course.
Is there any browser one can use in medium to high sensitive environments, e.g. for the frontend of a medication database in a clinic? I think I can assume your answer will be something around "What the *beep* do you want to use a *beeep* browser here, you *beeeeeeeeeep*?" in a more or less polite way? No? A browser is very useful for research on the internet, so why don't we use it as a generic frontend too if we have it installed already?
I am very thankful for the money I get for cleaning up the mess, but there shouldn't be a mess in the first place, should it? It doesn't make much sense if you have a formally specified backend where the database design and the queries are formally proved too but the frontend is an IE. It may kill people if the output is incorrectly displayed! Use FF/Opera instead of IE? Yes, that's a good idea.
Good luck if some legacy apps do not work anymore or--even worse!--the favorite pr0nsite of the assistant medical director!
And with the outlook that the IE7 Beta offers, the question of how to get rid of IE without attracting much attention is more and more urgently in need of an answer.
As Longwalker points out above, a lot of the problems would be stopped or severely restricted if people ran programs with least user privileges. Most users have little need to run with admin privileges most of the time. And users who run Internet apps with admin privileges without good reason deserve everything that comes their way.
Vista will apparently force non-admin on the masses, but for those who don't want to wait there is lots of information and tools to be found here: http://nonadmin.editme.com/
The interesting thing is, we actually intentionally hide the address bar for some of our internal applications. Does that mean this will no longer be feasible?
(Yeah, I know, Security through Obscurity hardly works and control-n will show the address bar anyway)
I have read about the planned features to prevent phishing some months ago on an MS webpage, and remember it to work slightly different.
a) The browser decides on some aspects whether to care for a page at all.
b) If it looks a bit phishy, the URL is sent to MS
c) MS looks into its blacklist
d) if not found, MS looks at the whitelist
e) if not found, MS takes a closer look at the page.
After that, the page is listed in the black or the whitelist.
If it is blacklisted, you receive a warning.
And here are my doubts:
The decision to decide whether to prove at all could depend on input-fields and keywords, I guess. Of course keywords could be faked with small 'Enter your PIN'-images.
- A phisher might test his page in a local network without connection to the web, until IE stops trying to phone home.
- A phisher might set up a honeypot, to find out from where MS is trying to test his page. Later he is bringing up the real page on a different server, and if a request is coming from the known IP range of MS, he might answer with a pretty, non-phishing page, to get on the whitelist.
- He might first publish a proper page, to get on the whitelist, and later change it to start phishing.
- The question was raised whether MS is trying to create a big data warehouse and create profiles of users. One answer has been that only the part of the URL which leads to a file is reported, but not the parameters handled in the URL.
Mhm. I normally get different results when I ask my browser to show http://www.google.de/ or http://www.google.de/search?...
If they really try to check the pages live, how many requests will they have to handle per second in 4 or 5 years, when most people have migrated to IE7?
That's much more traffic than google has.
And why not using that information-pool for data-warehousing?
The MS security competence is in painting nice transparent padlock-icons; get the facts :)
Will protected mode prevent ActiveX components from accessing local files?
>it sends every single url view to Microsoft
This is just sooooo wrong.
davidg: I think (read: hope) that if you run IE in one of the more protected modes it prevents calls to the filesystem and the registry (see the "Protected Mode in IE" link I included above).
You can also just disable ActiveX, which I do the second I start using a new Windows machine (for some reason they moved all the menus away from where they sit in every...other...app, so you'll find Tools on the right, under the search box - then go Security -> Custom Level to find it). I've very, very rarely come across a site that requires it. Some intranet apps do, though, especially if your company runs everything MS. If that happens, I'd set security levels for the outside world to fairly restricted and the intranet to semi-trusted (you never know what someone else in the company will click on...).
I'm just looking forward to the IE7 implementation of AES from RFC3268 and RFC3546! It's about time.
No, it does not send every URL to Microsoft.
Bruce -- happy to talk with you about this or any other part of IE and what we've done to make it safer. The article you read discusses some but not all our work.
The first Internet Explorer wasn't designed to be part of the OS, it was supposed to be a program running under the OS and sandboxed to prevent damage to the OS. Spyglass designed it that way. When Microsoft decided to make it the GUI in their OS, they made a big mistake. Pretty much all of the remote hacks deal with IE's integration into the OS. Now it seems that MS is now trying to strip IE out of the OS and attempting to run it sandboxed, just like Win95+IE were originally designed.
Adding: Spyglass was bought out by www.opentv.com
Displaying the certificate info in the address bar is a great idea, but it actually *creates* a reason to shade it yellow (or some other color). We don't want confusion between information taken from a certificate and information taken from a URL. Phishers would buy domain names that look like someone else's certificate info.
@ Dean Hachamovitch from Microsoft
A bit more than just "No, it doesn't" would be appreciated, even as little as a URL to information which explains the anti-phishing feature. Also, there's a community here interested in discussing this. Your response makes me feel you don't care to educate us, but that you're more interested in feeding Bruce PR.
slightly off topic, but: regardless of whether IE sends all your URLs to MSFT, Google Toolbar does exactly that, and they admit it. I'm mentioning this just because (a) few people seem to be complaining about it, and (b) the consternation the idea of MSFT having all your URLs seemed to cause in this thread.
> few people seem to be complaining about it
That's because Google's company statement is, "Do No Evil". Therefore, we can trust them implicitly, right?
From the top:
"But the masses still use IE"
The masses may still use IE, but the tide is slowly turning.
"and our security depends in part on those masses keeping their computers worm-free and bot-free."
Another reason to spread the word about open source software like Firefox. I'll never use another closed source web browser ever again, and that includes Opera, no matter how fantastic it is, if it's not open source, it's not for me.
The updated privacy statement also explains how and when the Phishing Filter will check sites.
* No site will be checked on the server unless you choose to enable the feature.
* Phishing Filter only checks sites that aren't in IE's downloaded "known-safe" list
* Potentially sensitive data, like the URL query string, is stripped out of the URL before it’s sent to the server for checking. Other types of navigation-related information, like http cookies, are not sent to Microsoft.
* The URL is sent securely over an encrypted SSL connection to help protect your privacy
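The thread describes the Phishing Filter lookup two ways: consult a locally downloaded known-safe list first, strip the query string, and only then send the remainder to the server. This is an added example of the client-side decision logic those steps imply, not Microsoft's code or the filter's real protocol; the list contents, the remote service and every URL are constructed, and the point is to make visible exactly what does and does not leave the machine.

```python
"""Client-side decision logic for a phishing-filter lookup, modelled on the
steps described in the thread: local known-safe list first, query string
stripped, then a remote lookup.  Constructed example; lists, service and
URLs are made up and not Microsoft's."""
from urllib.parse import urlsplit, urlunsplit

# Constructed local "known-safe" list (hostnames; subdomains inherit).
KNOWN_SAFE = {"microsoft.com", "example-bank.test"}

# Constructed stand-in for the remote blacklist service, keyed by the exact
# scheme://host/path string the server would receive.
REMOTE_BLACKLIST = {
    "http://login.example-bank.test.evil.test/signin",
}


def host_is_known_safe(host: str, known_safe=KNOWN_SAFE) -> bool:
    """True if host or any parent domain is on the local known-safe list.
    A lookup for such a host never leaves the client."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in known_safe for i in range(len(labels)))


def strip_for_lookup(url: str) -> str:
    """Reduce a URL to what the filter sends: scheme, host(:port) and path.
    Query string, fragment and userinfo are dropped.  Note that the path
    itself is still sent, which is the privacy concern raised in the thread."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), host, parts.path or "/", "", ""))


def check_url(url: str, remote_blacklist=REMOTE_BLACKLIST):
    """Return (verdict, sent): verdict is 'allow' or 'warn', and sent is the
    string that would go to the server, or None when the local list answered
    the question and nothing was transmitted."""
    host = urlsplit(url).hostname or ""
    if host_is_known_safe(host):
        return ("allow", None)
    sent = strip_for_lookup(url)
    verdict = "warn" if sent in remote_blacklist else "allow"
    return (verdict, sent)


if __name__ == "__main__":
    for u in ("https://www.microsoft.com/ie7?download=1",
              "http://login.example-bank.test.evil.test/signin?user=bob&pin=1234",
              "https://secure.example-health.test/patients/record/8812?tab=meds"):
        print(u, "->", check_url(u))
```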
@ The masses
> I'll never use another closed source web browser ever again, and that includes
> Opera, no matter how fantastic it is, if it's not open source, it's not for me.
Unless you're actively checking the code, what's the difference between an open source piece of software and a closed source piece of software?
If you're not doing a code review yourself, with either solution you're relying upon a trusted third party to provide you security.
Then it's just a matter of who do you trust more, a corporation or the general community of geeks...
"Unless you're actively checking the code, what's the difference between an open source piece of software and a closed source piece of software?"
Sounds like a good time to read the GNU philosophy, in addition to the virtues of open source vs. closed source. But to personally reply short of quoting many fine publications already available on the web, with closed source YOU don't have the option of auditing the source code, nor does anyone else save those who developed it in the first place and those whom they wish to share it with. If I want to add something to an open source program, I can do so, I can improve upon it. If I want to file a bug report in the hopes it gets fixed I may do so and stand a fair chance of the bug being fixed. Compare that with closed source where, in most cases, you can't modify the source and good luck on your feedback reaching anyone, let alone being considered by a real, live human being.
"If you're not doing a code review yourself, with either solution you're relying upon a trusted third party to provide you security."
True, but with closed source you're relying on a corporation to provide you security. We've seen how well that works in the world of closed source OS and third party lipstick on a pig programs to plaster on top and scan for ever increasing amounts of spyware, adware, viruses, trojans, keyloggers, and other malware. I would much rather trust running OpenBSD, FreeBSD, or to a lesser extent a flavor of Linux vs. the closed source popular OS.
"Then it's just a matter of who do you trust more, a corporation or the general community of geeks..."
I'll trust 'geeks' over corporate blackboxes any day, thank you, like I have been doing since before Windows even existed.
I don't doubt that there are advantages to open source software; generally speaking I prefer open source software for much the same reasons you probably do, because I think that commercial software (as part of the design process) has incentives that open source software does not, and those incentives are usually not to my advantage as a consumer.
But, I'm fully cognizant of the fact that a great many open source projects have bad security records, just like closed source projects.
If you're really worried about security, you shouldn't stand on statements like "all closed source software is bad" or "all open source software is good". If Opera has a good security track record, there are reasons to use Opera, in spite of the fact that it's closed source.
If a closed source vendor offered me a browser with a EULA that permitted me to cash in $100 per day that the browser had a published vulnerability without a published patch, I'd probably take that over any open source browser, because I'm too lazy to do code reviews myself, and they're actually offering a meaningful guarantee (and incenting themselves to produce a quality piece of software).
I trust open source geeks more than most current software vendors, because EULAs pretty much absolve the vendor from the side effects of producing something lacking quality.
If that's removed, I'd probably have more trust in a corporation that was physically hemorrhaging money for every day their software was insecure vs. an open source project that is maintained by volunteers.
Interesting article, interesting comments, but I would like to point to a couple of points where the suggested measures fail, already, today.
>IE 7 requires that all browser windows display an address bar.
This *helps* foil attacks that have an unrelated domain name. IE7, however, will also support IDN, which means there are at least (rough estimate) about 20 domain names, all looking (render wise) exactly like "microsoft.com", but none of them actually spelled using the standard ASCII method of doing it.
Which leads me to:
>when navigating to an SSL-protected site, the IE 7 address bar will display the business name and certification authority's name in the address bar.
Definitely an improvement, but not far enough. Today, CAs will issue you two kinds of certificates. There is the usual certificate, that checks the business name, and there is a "quick" certificate, that only verifies the domain name. As of today, I have not seen any browser that displays different "confirmation" levels based on the type of certificate you got!
Add this to the IDN problem above, and you get an attacker that can display practically any domain name she wants, and even include a valid certificate for it. As a start, I would suggest painting the former kind in a "green", while the latter kind in a "yellow".
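The IDN look-alike problem raised in this comment is something a browser or mail gateway can check for before trusting what the address bar renders. The following is an added example, not code from the page or from any browser: it decodes punycode labels, flags labels that mix scripts, and maps a small constructed table of Cyrillic/Greek look-alikes onto Latin letters to see whether the result collides with a protected name (the table and the protected list are illustrative samples, not the full Unicode confusables data).

```python
"""Flag internationalised (IDN) hostnames whose rendered form could be
mistaken for a well-known ASCII name.  Added defensive example; the
confusable table is a small constructed sample, not a complete one."""
import unicodedata

# Constructed sample of look-alike characters (Cyrillic/Greek -> Latin).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Constructed list of names worth protecting from look-alikes.
PROTECTED = ("microsoft.com",)


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so we examine what the user would see."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def script_of(ch: str) -> str:
    """Coarse script name taken from the Unicode character name, e.g.
    'CYRILLIC'; ASCII letters are LATIN, digits and punctuation COMMON."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label: str) -> str:
    """Replace confusable characters with their Latin look-alikes."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def analyse_host(host: str, protected=PROTECTED):
    """Return the decoded host, the labels that mix more than one script,
    and the protected name (if any) the host visually imitates.
    A whole-label substitution (all Cyrillic) is not mixed-script but can
    still be caught by the skeleton comparison."""
    uhost = to_unicode_host(host).lower()
    mixed = []
    for label in uhost.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            mixed.append(label)
    look_alike = skeleton(uhost)
    imitates = next((p for p in protected if look_alike == p and uhost != p), None)
    return {"host": uhost, "mixed_script_labels": mixed, "imitates": imitates}


if __name__ == "__main__":
    # Constructed sample: 'microsoft' with both o's replaced by Cyrillic o.
    sample = "micr\u043es\u043eft.com"
    print(analyse_host(sample))
    print(analyse_host(sample.encode("idna").decode("ascii")))
```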
As an MS employee, I can assure you we have more than enough 'geeks' to satisfy anybody's needs!
> If a closed source vendor offered me a browser with a
> EULA that permitted me to cash in $100 per day that
> the browser had a published vulnerability without a
> published patch,
Chances are, the vendor would just spend far more money on lawyers to intimidate researchers into not publishing vulnerabilities than they'd spend on developers to close vulnerabilities in a timely fashion. There are always progressive and regressive responses to market forces. Regressive responses involve dumping losses and externalities on others. Businesses will always do what's cheapest--and dumping losses on other people is always cheaper than taking the hit yourself.
"As an MS employee, I can assure you we have more than enough 'geeks' to satisfy anybody's needs!"
All in my opinion:
Closed formats and closed source do not satisfy me. It doesn't matter to me how many geeks work on these types of projects, I prefer like-minded geeks who choose the philosophy of FOSS all the way from a free and open source Operating System on down to applications and documentation.
I can't wait for the day when a big soft drink corporation has employees posting replies on forums to those who prefer homemade beverages in support of the corporate product. How amusing.
@ Pat Cahalan
"If a closed source vendor offered me a browser with a EULA that permitted me to cash in $100 per day that the browser had a published vulnerability without a published patch, I'd probably take that over any open source browser, because I'm too lazy to do code reviews myself, and they're actually offering a meaningful guarantee (and incenting themselves to produce a quality piece of software)"
"Hey, if you want me to take a dump in a box and mark it guaranteed, I will." - Tommy, Tommy Boy - http://www.imdb.com/title/tt0114694/quotes
I think that sums it up pretty well
Considering microsoft's track record on security my advice is rely as little as possible on anything from microsoft when it comes to security.
LOL, move along, people... just the usual meaningless opinionated debates on open vs closed that just generalise and driblise.
And the guy that said "Considering microsoft's track record on security my advice..." is a phuckn moron who has his head stuck up somewhere dark, dank and smelly. I don't think that kind of person knows what the word intelligence means.
Well, decoupling is a wonderful thing and I look forward to it. This signifies a big win for the consumers since MS was clearly lacking in innovation.
The more we use firefox, opera, etc. the faster MS will have to catch up. Ironic, no, that if you want a better IE you have to use something else?
The only truly pervasive use of IE that I find is generally related to proprietary applications unable to render in other browsers -- what does that tell you about some peoples' opinion of the "browser" market -- and users who use all defaults. Neither of those spaces are rich with innovation in security, let alone functionality.
Any word on the new drag-and-drop exploit reported by Matthew Murphy? Looks like file objects derived from HTML have been blocked in a recent fix, but file objects within a folder view can still be used for an attack?
"A malicious web site, with a minimum of social engineering, may be able to compromise user systems by triggering an unintended installation of malicious software."
How many internal resources are diverted to these things as opposed to prior/existing work schedules? You might have lots of 'geeks' but who sets their priorities?
Oh, and just to be clear I should probably mention the "vendor response" issue related to Matthew's assessment of the drag-and-drop vulnerability (see link above):
"Microsoft was informed of this vulnerability on August 3, 2005. Currently, the company has no plans to issue a security update to correct this vulnerability. Fixes for this issue are scheduled to be included in Service Pack 2 of Windows Server 2003 and Service Pack 3 of Windows XP. Of particular note is that Windows 2000 users will *NOT* receive an update to correct this vulnerability.
Microsoft's internal risk-assessment concluded that this issue was not sufficiently serious to be fixed in a security bulletin. This conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft. In particular, the drag-and-drop vulnerability patched by MS05-013 received an 'Important' rating.
I disagree with the technical conclusion behind Microsoft's decision and I further find the timeframe of delivery and deployment for maintenance releases to be largely unsuitable for security fixes of any significant magnitude. I find the harm this decision could potentially inflict upon down-level users (most importantly, users of Windows 2000) to be unjustified by the technical concern Microsoft has raised to me. Microsoft also rejected a request that it consider the issue for inclusion in a later security update as a 'Moderate' risk issue.
Due to Microsoft's noncommittal and generally unimpressive response to the issue, this advisory is being issued to inform users of this vulnerability such that defensive action may be taken as desired."
Oh, seems there's another gem in that report. They say they have rewritten a large portion of the core and then call that improved security. Now, since when has "large portion of rewritten code" been more secure than old and time tested codebase?
They've more likely made it even more of a mess than it currently is and introduced lots of new security holes to be found in the process.
I honestly think microsoft has no credibility whatsoever when it comes to anything security related.
Heh, just scanned up to read rest of the comments and noticed some bitter guy responding to my earlier comment. Scanning a bit further up follows a couple of writers that indicate they're from microsoft. I'm actually laughing (sorry, couldn't resist, but that just gave me the best laughs I've gotten for a while:).
At home, I run OpenBSD, with Firefox to surf the 'net, plus Thunderbird for email, and OpenOffice to do just about everything else I need to do.
At work, I am forced to use a Win-XP system, with M$ Office tools. This is because the IT executives at the company I work for think that if you don't pay any money for something, then there must be something wrong with it. Even though we run anti-spy and anti-virus software, and are behind multiple firewalls, we have had MANY security panics over the 4 years I have been with this company. Our network and workstations are managed by a large staff of credentialed professionals, and we update our systems as soon as Micro$oft makes updates available. [BTW-- Most of the security panics have been due to vulnerabilities in "Micro$oft Internet Exploder" and "Micro$oft Outlook".]
At home, I have NEVER had a computer security problem, even though 99% of what I do with my computer is to surf the Internet and get/send email.
Microsoft is worth BILLIONS-- it will take a long time for M$ to die, but at the end of the day, "Free and Open Source Software" [FOSS] will win the war, and Microsoft WILL go the way of the Dodo bird...
Can we stick to the subject of IE capabilities without constantly digressing into FOSS/antiOSS screeds?
Many thanks to the MS employees who are posting here; although I confess I don't use your browser, my employer must due to the requirements of our business partners. I appreciate your willingness to share information!
Can you confirm or deny MS is trying to move away from ActiveX? That would be extremely important information for my employer, anything you can share on that subject would be very helpful.
Can we just confirm this; according to my understanding of the above statement from the MS guys, IE will send off a) the hostname and b) the path part of SSL urls to Microsoft for sites which are private.
Sending the hostname shouldn't really be seen as a problem since that can normally be determined by seeing where the connection is made, but sending the path part of the URL is a serious security flaw, since the HTTP+SSL security model is designed to ensure that URLs remain secure from eavesdroppers.
> standards for address bar coloring [...]
> Sites that use a stronger, as yet undetermined
> level of protection will use a green bar.
I've said it before (elsewhere), and I'll say it again: If you want the browser to tell the user "you may enter your purpose-XYZ confidential data here", there IS NO WAY around having the user first tell the browser what purpose(s) XYZ he *does have*.
In other words: If the connection is secure *and the hostname belongs to MY bank*, tell me "it's safe to enter your banking PIN". If the connection is secure *and the hostname belongs to MY local IRS office*, tell me "it's safe to enter your tax form data". Etcetera. But do ***NOT*** throw any fancy visual cues at me just because I'm having a secure communications channel to somewhere I don't want to say anything to in the first place.
I have been doing some reading on IE7 and the beauty of the phishing filter presented.
Has anyone got ANY IDEA of where this "white-list" is stored on the client machine.. if it's encrypted/encoded, if it is updated and when/how...
I tried sniffing some traffic when going to a confirmed phishing site and i see some towards a urs.microsoft.com.nsa
Any clear idea on this rather than blah blah about the validity of Firefox & co is appreciated..
Everyone knows about the validity of Open source so let's discuss some meat here.. I still don't see how in a large scale network this idea will not affect intra/inter net traffic.
Thanks in advance
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.