Internet Explorer Safety

Internet Explorer contains a wealth of embedded functionality, making it extremely complicated and prone to implementation mistakes. It is widely installed and has been the focus of much vulnerability research and many exploit attempts. Over the past four years, security-related defects have been discovered in the product almost every other month. Many of these defects can be, or have been, exploited by maliciously crafted web pages, email messages, or automated worms.

Outlook and Outlook Express, as well as some other programs, use components of Internet Explorer to process HTML email messages, so defects in Internet Explorer also affect these products.

When a defect is exploited, the internal security controls of the product are often bypassed. Often, in such cases, no action is needed on the part of the computer operator to become a victim. Simply reading a malicious email message, clicking a malicious web link, or visiting a malicious web site is sufficient to turn control of the computer and all its data over to either a virus or an individual. No email attachments need to be clicked and no files downloaded from the web site.

Because of its widespread deployment, its record of security-related defects, and the instantaneous and global nature of Internet communications connecting us to all manner of people, it is important that Internet Explorer be properly maintained and configured in order to protect our computing assets and privacy.


Minimum Security Measures

 

Minimum Internet Explorer Security Measures

The following Internet Explorer versions are the current minimum necessary to prevent a computer running Internet Explorer from being at the mercy of anyone on the Internet. This information was last updated on May 30, 2006. Setting up a computer according to StartSafe procedures will ensure you have the latest patches for the version you are currently running.

In most cases, you must have both the minimum base version AND the latest security patches.

1. Base Internet Explorer Installation

The installed version of Internet Explorer must be one of the following, which are the only versions for which the latest security patches are available. Also, be aware that Microsoft no longer supports Windows 95, 98, or ME, so IE security patches may or may not install or be effective on those systems. To determine what version of Internet Explorer is running, click HELP and then ABOUT INTERNET EXPLORER.

It is highly recommended that ALL users upgrade to Internet Explorer 6 Service Pack 1. This must be done manually. Windows Update will not offer version upgrades...only patches.

  • Internet Explorer 6 Service Pack 1 (6.00.2800.1106)
  • Internet Explorer 5.5 Service Pack 2 (5.50.4807.2300)
  • Internet Explorer 5.01 Service Pack 3 on Windows 2000 and NT4 SP6 only.

If an upgrade is necessary to get to a supported version, use the following procedures:

  • If the computer is not owned by JMU or doesn't log into a campus Novell Netware file server or runs Windows 2000, upgrade to IE 5.5 SP2 or, preferably, IE 6 SP1 using one of the following methods:

  • If the computer is owned by JMU and isn't running Windows 2000 and logs into a campus Novell Netware file server, you can upgrade using a Novell ZEN object in your Start menu if your computer has at least 32Mb of memory:

    • Click Start->JMU Apps->Internet->Install Internet Explorer 5.5.
    • Make sure to apply the security patches below after the installation is complete!

Internet Explorer 6 Service Pack 1 will also install Outlook Express 6 Service Pack 1 which will change the default way Outlook Express handles unsafe email attachments. This is easily reversed if it causes problems. Click here for details.

2. Security Patches

After installing or upgrading Internet Explorer, perform a manual Windows Update to install all available security updates as described in StartSafe.

 

Minimum Outlook/Outlook Express Email Handling Security

All critical patches offered by the Microsoft Windows Update site and the Microsoft Office Update Site should be installed as described in the StartSafe procedures. Security configuration changes won't do any good if the software has defects that allow the security measures to be bypassed.

Since HTML formatted email messages may be received unsolicited and since they are a common source of viruses, one of the first things to do is tighten restrictions on how Internet Explorer handles email messages. This is done by having Internet Explorer handle email messages using the settings in its Restricted Sites zone. Either upgrade to one of the products that does this automatically or manually configure your existing client.

  • Outlook Express 6 and Outlook 2002 handle all incoming email messages according to Internet Explorer's Restricted Sites Zone settings. You do not need to do anything more.
  • Prior versions of Outlook Express and Outlook require manual configuration so email messages are handled in the Restricted Sites zone:
    • Click the Tools menu item and select Options.
    • Click the Security tab.
    • In Outlook Express, make sure the Virus Protection security zone is set to Restricted sites zone.
    • In Outlook, make sure the Secure Content Zone is set to Restricted Sites.

    These are the default settings for Outlook 2002 and Outlook Express 6. Users of earlier versions should change the setting to Restricted.

    If you're running Outlook 98 or Outlook 2000 SR1, you may also make the change by installing the Outlook Email Security Update, which makes the configuration change during installation and also adds additional anti-virus capabilities.

After the email client is configured to handle messages in the Restricted Sites zone, ensure that that zone is configured to use the "High" security setting and that it meets Microsoft's most recent definition of "High" security. In Internet Explorer:

  • 1. Select Internet Options from the Tools menu.
  • 2. Click the Security Tab.
  • 3. Select the Restricted sites icon.

  • 4. Click the Default Level button
  • 5. Move the slider on the left to High security.
  • 6. Click Apply.
  • 7. Somewhere around version 5 or 5.5, Microsoft changed their definition of "High" security. To make sure the Restricted Sites zone security meets the more stringent, current definition, perform the following:
    • 7a. Click Custom Level
    • 7b. Scroll down and find the following two activities and make sure they are disabled:
      • Script ActiveX controls marked safe for scripting
      • Active Scripting

    • 7c. Click OK

     

  • 8. Click OK.

 

Optional, Risk Reducing Security Measures

 

Optional Outlook/Outlook Express Email Handling Security

Although not related to Internet Explorer directly, Outlook and Outlook Express have some anti-virus settings that can improve overall security. One of the features blocks delivery of attachments defined by Microsoft as "unsafe". This may result in usability problems if you want to receive these attachments but the feature can easily be configured to suit your needs. If you experience problems, read the information here.

  • Outlook 2002 and 2000 SR2 have additional anti-virus capabilities built-in and enabled by default.
  • Outlook 98 and Outlook 2000 SR1 can be given anti-virus protection similar to Outlook 2002 by installing the Outlook Email Security Update. This will also reconfigure the computer to handle all incoming email messages in Internet Explorer's Restricted Sites Zone.
  • Outlook Express 6 service pack 1 has the anti-virus capabilities enabled by default.
  • Outlook Express 6 (without the service pack) has similar anti-virus capabilities but they are not enabled by default. You can enable them by:
    • Start Outlook Express
    • Select Options off the Tools menu
    • Click the Security tab
    • Under Virus Protection, check the box labeled "Do not allow attachments to be saved or opened that could potentially be a virus".

    • Click OK

 

Configure e-mail clients to read, send, and edit messages in plain text

Risk can be further reduced by configuring your e-mail client to read e-mail messages in plain text mode. This feature is only available in newer versions of Outlook and Outlook Express. Some incoming HTML email may be improperly formatted or lose functionality, but active content will not be able to execute, improving overall security. Risk can be further reduced by not using Microsoft Word to read and compose messages.

Reading messages in plaintext in Outlook Express version 6 service pack 1 or later

  1. Click the Tools menu
  2. Click Options.
  3. Click the Read tab
  4. Check the Read all messages in plain text check box under Reading Messages
  5. Click OK

Reading messages in plaintext in Outlook 2003

  1. On the Outlook Tools menu, click Options.
  2. On the Preferences tab in the Options dialog box, click the E-Mail Options button.
  3. In the E-Mail Options dialog box, select the checkbox to Read all standard mail in plain text.
  4. Unselect "Use Microsoft Word to edit e-mail messages" and "Use Microsoft Word to read Rich Text e-mail messages".
  5. Click OK to close the E-Mail Options dialog box, and then click OK to close the Options dialog box.

Reading messages in plaintext in Outlook 2002 (Office XP) with Office XP service pack 1 or later

Unselect "Use Microsoft Word to edit e-mail messages" and "Use Microsoft Word to read Rich Text e-mail messages" in the Tools->Options->Mail Format tab.

Outlook 2002 does not provide a user friendly way to force reading of messages in plain text. Service pack 1 adds the ability to configure Outlook 2002 (XP) to read messages in plain text but only by editing the registry. For people who know how to edit the registry, instructions can be found in Microsoft Knowledgebase article 307594.

 

Sending messages in plaintext in Outlook 2002 (Office XP):

 

Optional Internet Explorer Security Measures

Internet Explorer is configured by default to implicitly trust certain types of software that may be malicious. Because of frequently discovered defects and the lag between when they're discovered and when they're fixed, a certain amount of risk exists any time untrusted web sites or email messages are viewed with Internet Explorer.

 

1. Limit the damage malicious software can cause. (RUNSAFE - Nullify Unneeded Risk)

Use a non-privileged account for daily use. This may keep malicious software from doing things like disabling anti-virus software and firewalls, modifying or deleting system files, and other tasks which require Administrator access. Details.

 

2. Be cautious of web browsing and clicking web links indiscriminately. (RUNSAFE - Nullify Unneeded Risk)

  • Be cautious about visiting pornography sites. Some of these sites have been seen taking advantage of defects to obtain visitors' email addresses, download dialers that initiate long distance calls to 900 numbers, and download unknown software onto visitors' computers which may further compromise their privacy and control over their computer.
  • Be cautious about visiting sites operated or owned by those with questionable values.
  • Be cautious about visiting sites operated or owned by those with questionable web maintenance skills.
  • Be cautious about clicking links in unexpected, unusual, or unnecessary email and instant messages. SPAM messages have included links to sites that exploit defects.

 

3. Where Internet Explorer functionality is not needed, use a different browser with a better security history of defects, exploits, and/or incidents. (RUNSAFE - Nullify Unneeded Risk)

 

4. Think long and hard before allowing any sort of software to be loaded on your computer as a result of a pop-up warning by your browser. Allow this only from trusted sites and only when necessary. Read the fine print. (RUNSAFE - Refuse to Run Unknown Programs)

 

5. Limit the damage untrusted web sites can cause. (RUNSAFE - Nullify Unneeded Risk)

This step is also recommended and explained by Microsoft in their Safer Browsing recommendations and by the United States Computer Emergency Response Team's Securing Your Browser document.

Internet Explorer has four "security zones" to which we may assign web sites we visit. The four zones are:

  • Internet Zone - Web sites assigned to this zone are permitted by default to perform a wide variety of activities on our computers. Sites that we haven't listed in other zones are governed by the security settings in this zone.
  • Restricted Sites Zone - In this zone we may want to list web sites that we explicitly do not trust so that we may decrease the amount of access they have on our computer. Newer versions of Outlook and Outlook Express handle email messages in this zone.
  • Trusted Sites Zone - In this zone we may want to list web sites that we explicitly trust in order to give them additional capabilities.
  • Local Intranet Zone - This is a special zone that should never have additional sites added to it.

There are many types of activities a web page may attempt to initiate on our computer. In each zone, we can define what activities to allow a web site to perform, what activities to prohibit, and whether we want to be prompted before the browser allows an activity. For example, we can tell Internet Explorer that if a web site attempts to install an ActiveX control it should ask us if we want to permit it.

To give us a starting point, Microsoft provides four pre-defined "security settings". The settings are named Low, Medium-low, Medium, and High. The names are meant to represent the relative security provided by each setting.

Each setting consists of a list of privileges and restrictions for various activities a web site may attempt. The user also has the option of changing individual activity privileges and restrictions, thereby creating a custom setting.

As shipped, each zone is assigned a default Microsoft security setting. For example, the Internet Zone's default security setting is Medium. This means that any site we don't manually add to other zones is allowed to perform activities as described in Microsoft's "Medium" security setting.

Risk can be decreased if we further restrict unknown sites and disable features such as scripting, Java, and other complex functionality. Unfortunately, a lot of web sites expect this functionality in order to work properly. One way of handling this contradiction is to specifically list sites that we trust in Internet Explorer's "Trusted Sites zone", thereby giving them the functionality they need, and then changing the security setting for Internet Explorer's "Internet Zone" to High security to better protect us from untrusted sites. Of course, this means that any site we don't specifically list as trusted will have reduced functionality and capabilities.

 

 

 

Setting Up the Trusted Sites Zone:

Trusted sites, like Microsoft's Windows Update Site and the JMU Ecampus system, can be added to the Trusted Sites zone by following the procedures below.

 

  • 1. Select Internet Options from the Tools menu.

  • 2. Click the Security tab.
  • 3. Select the Trusted Sites icon.

  • 4. Click the Default Level button
  • 5. Move the slider on the left to Medium security.
  • 6. Click Apply.
  • 7. Click the Sites button.

  • 8. Uncheck Require server verification (https:) for all sites in this zone. (This increases one kind of risk somewhat but probably not as much as allowing active content from unknown web sites. Security is relative, not absolute.)

 

 

Setting Up the Internet Zone:

The Internet Zone's default "Medium Security" setting allows web servers to run scripts on our computers, which may be too risky for people with access to sensitive data who visit untrusted web sites using a platform in which defects are discovered almost every other month.

  • 1. Select Internet Options from the Tools menu.
  • 2. Click the Security Tab.
  • 3. Select the Internet icon.

  • 4. Click the Default Level button
  • 5. Move the slider on the left to High security.
  • 6. Click Apply.
  • 7. Somewhere around version 5 or 5.5, Microsoft changed their definition of "High" security. To make sure the Internet zone's security meets the more stringent, current definition, perform the following:
    • 7a. Click Custom Level
    • 7b. Scroll down and find the following two activities and make sure they are disabled:
      • Script ActiveX controls marked safe for scripting
      • Active Scripting

    • 7c. Click OK

  • 8. If you find that you often visit sites that require functionality that this configuration doesn't allow but don't want to put those sites permanently in the Trusted Sites zone, you can tell Internet Explorer to prompt you when a site requests restricted functionality instead of outright prohibiting it. Click Custom Level and then, in the scroll box, find the following features and change the configuration from disable to prompt. Configuring them to prompt will result in annoying dialog boxes such as "Do you want to allow scripts to run" when visiting web sites that use the associated functionality. You should not answer "yes" to sites you don't trust, particularly if they are asking to download or install ActiveX controls.
    • Active Scripting
    • Run ActiveX controls and plug-ins
    • Script ActiveX controls marked safe for scripting
    • Download signed ActiveX controls
    • File Download (This item can't be set to prompt. It must be set to enable if you want to download files from untrusted sites.)

  • 9. Click Apply.

 

Setting Up the Restricted Sites Zone:

Just to be on the safe side, make sure the High security setting is applied to the Restricted zone.

  • 1. Select Internet Options from the Tools menu.
  • 2. Click the Security Tab.
  • 3. Select the Restricted sites icon.

  • 4. Click the Default Level button
  • 5. Move the slider on the left to High security.
  • 6. Click Apply.
  • 7. Somewhere around version 5 or 5.5, Microsoft changed their definition of "High" security. To make sure the Restricted Sites zone security meets the more stringent, current definition, perform the following:
    • 7a. Click Custom Level
    • 7b. Scroll down and find the following two activities and make sure they are disabled:
      • Script ActiveX controls marked safe for scripting
      • Active Scripting

    • 7c. Click OK

     

  • 8. Click OK.
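
The Internet and Restricted Sites zone settings from the procedures above (including the identical Restricted Sites steps in the email-handling section) can be checked afterwards from a registry export instead of clicking through each dialog. This is an added example, not part of the original page; it assumes Microsoft's documented per-user zone layout (zone keys 3 and 4, values "1400" and "1405", data 0/1/3), and the sample export is constructed.

```python
import re

# Assumed layout (Microsoft's documented zone registry entries, not from the page):
#   ...\Internet Settings\Zones\3 = Internet, ...\Zones\4 = Restricted Sites
#   value "1400" = Active Scripting
#   value "1405" = Script ActiveX controls marked safe for scripting
#   data 0 = enable, 1 = prompt, 3 = disable
ZONES = {"3": "Internet", "4": "Restricted Sites"}
ACTIONS = {"1400": "Active Scripting",
           "1405": "Script ActiveX controls marked safe for scripting"}
PROMPT, DISABLE = 1, 3

# Policy taken from the page: both activities disabled in Restricted Sites;
# in the Internet zone they are disabled, or set to prompt as step 8 permits.
ALLOWED = {"4": {DISABLE}, "3": {DISABLE, PROMPT}}

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
ZONE_KEY = re.compile(r"\\Internet Settings\\Zones\\(\d+)$", re.IGNORECASE)


def parse_zones(reg_text):
    """Return {zone number: {value name: dword}} from the text of a .reg export."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            zone = ZONE_KEY.search(section.group("key"))
            # Values under keys that are not zone keys are ignored.
            current = zones.setdefault(zone.group(1), {}) if zone else None
            continue
        value = DWORD.match(line)
        if value and current is not None:
            current[value.group("name")] = int(value.group("hex"), 16)
    return zones


def audit(reg_text):
    """List (zone, activity, problem) for every setting weaker than the page asks."""
    zones, findings = parse_zones(reg_text), []
    for zone, allowed in ALLOWED.items():
        for code, label in ACTIONS.items():
            data = zones.get(zone, {}).get(code)
            if data is None:
                findings.append((ZONES[zone], label, "not set in export"))
            elif data not in allowed:
                findings.append((ZONES[zone], label, f"value {data} allows it"))
    return findings


# Constructed sample: Internet zone still has Active Scripting enabled.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1405"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
"1405"=dword:00000003
"""

if __name__ == "__main__":
    for zone, activity, problem in audit(SAMPLE):
        print(f"{zone}: {activity}: {problem}")
```

Exports written by regedit are usually UTF-16, so decode the file before passing its text to audit(). A "not set in export" finding means the value was absent from the exported key and the zone should be checked by hand.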

 

Explanation of Security Measures

Since these measures impact functionality and ease of use, and are sometimes contradictory, a general understanding of the technology behind them will be necessary to implement them in a way that best suits your needs. This can be summed up as follows:

Any web browser's basic function is to display HTML web pages.

Most browsers also support the ability to run software provided to them by a web site. This software may consist of any of the following:

  • ActiveX controls and plug-ins.
    • These are executable programs that add to the functionality of the browser. They are often used to allow a browser to interpret and handle various types of documents and media formats such as PDF files, Macromedia Flash files, Apple QuickTime files, Microsoft Media Player files, Microsoft PowerPoint files, and many others. Many Microsoft ActiveX controls are present in a default installation and provide desktop-like functionality to web sites. Third parties can write custom ActiveX controls and plug-ins that perform any function desired.
    • It is important to understand that ActiveX controls and plug-ins run on the local machine and have all the access that the local user does, subject to restrictions in the browser, and those restrictions are dependent upon the absence of defects in both the browser and the controls. Unfortunately, defects that allow circumventing these restrictions are often found. Sometimes, defects are found that even allow maliciously formatted media files (sound, video, graphics, other) to include malicious software that may perform unauthorized actions on the computer.
    • It is also important to understand that an ActiveX control that is "signed" is no guarantee of its functionality, trustworthiness, nature, or reliability. The signature just means somebody has acknowledged writing the software. You must determine whether or not to trust your computer, data, and accounts to that person's or organization's software.
  • Java applets
    • These are similar to ActiveX controls and plugins but run in a restricted environment provided by the Java Virtual Machine (JVM). This environment is supposed to prevent them from taking damaging action on the local machine. This protection depends upon the absence of defects in the JVM.
  • Scripts
    • Scripts are like a macro language for the browser enabling a web site to instruct the browser how to act. Scripts can call on the services of locally installed ActiveX controls, plug-ins, and applets to provide additional functionality. Theoretically, if no defects are present, scripts cannot do anything damaging to the local machine. But as with controls and applets, defects in browsers and other components often result in the protection being defeated. In addition, scripts can be used to perform "social engineering" attacks by popping up disguised windows, misrepresenting web links, altering form data, and other shenanigans.

All of these capabilities and components provide a rich environment for developing web applications, automating activities, and ease of use features. However, there are some aspects of the web environment that may lead us into trouble:

  • Defects are frequently discovered that allow malicious individuals or automated software to circumvent the protection measures that prevent web sites from taking unauthorized actions on our computers.
  • We have no control over what may be on a web site we visit.
    • People may create web sites that maliciously exploit defects.
    • People may create web sites that fool us into thinking they're doing one thing when they're actually doing something else. Or they may include undesirable details in fine print.
    • Third parties that have hacked an innocent web site may modify it to act maliciously.

To add to the complexity and risk, email clients often use browsers to display HTML email messages. Those messages then have much of the same potential for maliciousness that web sites do. Unlike a web site to which we have to travel, email can be sent to us unsolicited. Malicious email comes to us instead of us having to go to a malicious web site.

We trust our browsers to prevent malicious activity. We trust web sites. Often, by default, most browsers also trust web sites and email messages. When the browser we use has frequent defects and we visit web sites that we, perhaps, should not trust, or are worried about receiving malicious email, we can decrease risk by reconfiguring the browser so that it is less trusting of web sites and email messages.

Note that all browsers support similar functionality that increases risk, and frequently have defects which can be countered by disabling this extra functionality. For example, look at all the Mozilla defects that can be countered by disabling JavaScript and Java.

Details on how Outlook products handle mail and Active Content:

The following web page contains details on how to determine what version of Internet Explorer is running: http://support.microsoft.com/kb/164539