No Standalone Updates on IE Roadmap

The following is the full text of an article published by Directions on Microsoft, an independent research firm focused exclusively on Microsoft strategy & technology. Each month we make one or more key articles available to non-subscribers.

According to the current Internet Explorer (IE) roadmap, customers will have to install Windows XP Service Pack (SP) 2—after upgrading to Windows XP, if necessary—to get the most secure Internet browsing experience available from Microsoft. There are currently no plans to deliver an IE service pack or IE version upgrade to provide older OSs with Windows XP SP2's complete complement of security enhancements. Customers using previous Windows versions will have to rely on hotfixes and patches to protect against vulnerabilities—some of which are serious enough that security experts have suggested considering non-Microsoft browsers.

In addition, Microsoft has no plans to release a new version of IE until the next version of Windows (code-named Longhorn), expected in 2006. This means that other commonly cited problems with the browser, such as incomplete standards support and feature stagnation, will not be addressed in the near future.

Problems with IE

Although IE development has slowed dramatically in recent years, many customers and commentators have suggested that the browser still has room for improvement. Outstanding issues with IE include security holes, lack of support for standards, and feature stagnation.

Security holes. IE was designed to support various technologies that cause code to be executed on the user's machine within the browser, such as scripting and ActiveX controls. However, these same technologies also give attackers an avenue for pushing malicious code to users' PCs. (For details of one such recent attack, Download.Ject, see the sidebar "Exploit Targeted Online Commerce, Banking".)

Microsoft has released hotfixes and patches for specific exploits and suggested that end users and administrators make configuration changes to IE and Windows to make them more resistant to such attacks. However, some of the suggested fixes (such as making Registry changes) are complex and require intervention by IT departments or greater skill than most end users possess. In addition, IE's security model relies on the user to define trusted Web sites, but past exploits have affected some well-known and otherwise trustworthy sites.

As a result of these issues and some recent well-publicized exploits, the U.S. Computer Emergency Response Team (US-CERT), an Internet security agency funded by the United States government, has suggested (among other recommendations) that users consider alternate browsers. There are indications that users are taking this recommendation seriously—the Mozilla Foundation reports that daily downloads of Mozilla, an open-source Web browser based on the Netscape browser, have doubled since the CERT warning, topping out around 200,000 on the day of the warning.

Lack of standards support. IE does not support all of the latest World Wide Web Consortium (W3C) standards for displaying Web pages, such as the Level 2 or Level 3 Document Object Models. (For more information, see the sidebar "Browser Compatibility Proves Elusive".) This forces Web designers to design around IE's idiosyncrasies and inconsistencies across IE versions.

Feature stagnation. From a user interface perspective, IE has remained the same since 2001 and lacks features found in other browsers, such as tabbed interfaces and advanced bookmark management.

Three-Part Approach to Updating IE

Although Microsoft considers IE to be an integral part of the OS, from 1996 through 2000 the company released six stand-alone versions of the browser (IE 1.0 through 5.5) on a completely different schedule from Windows releases. In addition, while IE 6.0 was released at the same time as Windows XP, it is available for older versions of Windows.

Today, however, there is little business reason for Microsoft to continue releasing new versions of IE separate from the OS. IE dominates the browser market with about 95% market share (according to a Jan. 2004 survey by OneStat) and contributes no incremental revenue. (It's doubtful that anybody buys Windows to get IE—instead, customers now expect a Web browser to be included with any OS they buy.) In addition, Microsoft would prefer to sell "smart client" applications (particularly Office) to access and work with data over IP networks rather than encouraging thin-client (browser) access to server-based applications, which generate less revenue. Finally, because IE has become more tightly integrated with the OS over the years, any significant changes to IE now require major changes to the OS and are therefore not cost-effective for Microsoft unless done in conjunction with a scheduled OS update.

With these considerations in mind, Microsoft is taking a three-part approach to updating IE:

  • Windows XP SP2 contains changes, both to the OS and to IE itself, that harden IE security
  • Customers on older OSs will get hotfixes and patches that fix IE security vulnerabilities on a case-by-case basis
  • Longhorn will include a new version of IE; this could be an opportunity for Microsoft to overhaul IE's security model, improve its standards support, and add new features, but the company is not yet discussing details.

XP SP2 Hardens IE Security

The next scheduled update to IE will address some of its security vulnerabilities. However, this update will be available only as an integral part of Windows XP SP2, expected in Aug. 2004.

According to IE Group Program Manager Tony Chor, the IE changes in XP SP2 are meant to address security from two angles:

Protect users against trick attacks. Many attacks rely on tricking the user into taking actions that download malicious code. The updated version of IE available with XP SP2 contains many improvements to help users avoid these pitfalls, such as the following:

  • Pop-up windows are blocked by default, which not only reduces user annoyance but also prevents certain kinds of exploits—for instance, one recent exploit launched a pop-under window which then secretly downloaded an executable (disguised as an image file) to users' PCs
  • Support has been removed for commands that automatically open hidden browser windows, or browser windows in which important interface elements (such as the title or address bar) are obscured; attackers sometimes use these tactics to hide IE's security-related alerts or to trick users into divulging personal information
  • A new feature called Add-On Management will list all the browser add-ons (such as toolbars, Browser Help Objects, and ActiveX Controls) installed on a PC; this will make it easier for users to see if they've accidentally downloaded a malicious program (such as an add-on that automatically records Web sites visited and reports them to a third-party server) and will let users or administrators disable unknown or unwanted add-ons through an interface similar to Add/Remove Programs
  • When users download executable code via IE, they will always receive information about the publisher (certified through the Authenticode code-signing program), allowing them to make a more informed decision about whether to run the code; executables from previously blocked publishers will not run.

Harden security zones. Since IE 4.0, the browser has employed a security model called "URL security zones," under which users or administrators can give Web domains different permissions. For instance, users or administrators can place URLs from Web sites they trust into the Trusted Sites Zone, thereby giving these Web pages permission to perform certain actions (such as downloading ActiveX controls) without prompting the user. Unknown sites, in contrast, are placed by default in the Internet Zone and have more restrictions. The Local Machine Zone has the fewest restrictions and is reserved for material on the user's hard drive, such as downloaded Web pages or HTML help files.

The version of IE in XP SP2 contains several fixes that harden the barriers between these security zones, particularly between the Local Machine Zone and other zones.

For example, today an attacker might convince someone to download an HTML file to his local machine. Later, when the user visits a Web page compromised by the same attacker, the Web page might contain a link that launches a script contained within the previously downloaded HTML file, thereby giving the attacker the ability to run code with the same execution privileges as the user.

XP SP2 contains two fixes that help prevent this type of exploit. First, scripts and ActiveX controls are by default prevented from running in the Local Machine Zone. (Developers might have to change some applications, particularly those that host local HTML files in IE, to ensure that they still work.)

Second, the security context for any link on a page can be no higher than the security context for that page. For example, if a link on an Internet-based Web page attempts to call an HTML page that's previously been downloaded onto a user's computer, a security warning will be displayed and the HTML page will not be opened without explicit user action.
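The zone model and the two SP2 fixes just described can be made concrete with a small simulation. The following is an added illustration written for this edit, not Microsoft's implementation: the zone names and their relative restrictiveness come from the article, while the URL-to-zone classifier, the per-zone settings table, the sample host names and file paths are simplified assumptions made for the example. It replays the scenario above (a previously downloaded HTML file linked from a compromised Internet page) with and without the SP2 rules in force.

```python
"""Toy model of IE URL security zones and the two XP SP2 hardening rules
described in the article: the Local Machine Zone lockdown and the ban on
navigating from a page to a link in a less restricted zone.

Added example, not Microsoft code. Zone names and ordering follow the
article; everything else (classifier rules, settings table, sample hosts
and paths) is an assumption made for this illustration.
"""
from urllib.parse import urlparse

# Zones ordered from most restricted to least restricted.
ZONE_RANK = {"Internet": 0, "Trusted Sites": 1, "Local Machine": 2}

# Constructed sample: hosts an administrator has placed in Trusted Sites.
TRUSTED_HOSTS = {"intranet.example.test"}


def classify(url: str) -> str:
    """Assign a URL to a zone (simplified rules, assumed for the example:
    file: URLs -> Local Machine, listed hosts -> Trusted Sites,
    everything else -> Internet)."""
    parts = urlparse(url)
    if parts.scheme == "file":
        return "Local Machine"
    if parts.hostname in TRUSTED_HOSTS:
        return "Trusted Sites"
    return "Internet"


def runs_unprompted(zone: str, sp2: bool) -> bool:
    """Whether script and ActiveX content run in this zone without a prompt.

    Assumed pre-SP2 defaults: Internet prompts or blocks, Trusted Sites and
    Local Machine allow. SP2's Local Machine Zone lockdown disables script
    and ActiveX there by default (the article's first fix)."""
    if zone == "Local Machine":
        return not sp2
    return zone == "Trusted Sites"


def navigation_allowed(source_url: str, target_url: str, sp2: bool) -> bool:
    """SP2's second fix: a link on a page may not open its target in a zone
    less restricted than the page's own zone. Before SP2 there is no check.
    Navigating 'downward' (e.g. local file -> Internet) is always allowed."""
    src = ZONE_RANK[classify(source_url)]
    dst = ZONE_RANK[classify(target_url)]
    return not (sp2 and dst > src)


def attacker_script_runs(sp2: bool) -> bool:
    """Replay the article's scenario and report whether the script inside
    the previously downloaded HTML file would execute."""
    # Constructed sample URLs for the scenario.
    compromised_page = "http://compromised.example.test/news.html"
    saved_file = "file:///C:/Documents%20and%20Settings/user/Desktop/saved.html"

    if not navigation_allowed(compromised_page, saved_file, sp2):
        # SP2: a warning is shown and the page is not opened without
        # explicit user action, so the script never gets a chance to run.
        return False
    return runs_unprompted(classify(saved_file), sp2)


if __name__ == "__main__":
    for sp2 in (False, True):
        label = "XP SP2" if sp2 else "pre-SP2"
        print(f"{label}: attacker script runs -> {attacker_script_runs(sp2)}")
```

Running the block shows that before SP2 the navigation succeeds and the script runs with the user's privileges, whereas with SP2 both rules apply independently: the zone-elevation check stops the navigation, and even if the local file were opened some other way, the lockdown keeps its script from running. The two fixes are deliberately modelled as separate functions so that either can be tested on its own.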

Downlevel OSs: Hotfixes and Patches

Currently, Microsoft does not have concrete plans to deliver Windows XP SP2's security-related changes in the form of an IE service pack for any other OS. However, the company will release IE hotfixes and patches for downlevel OSs as necessary to fix critical security vulnerabilities.

According to Chor, the company is considering releasing a security-oriented service pack for IE 6 on Windows 2000 (which is still under Mainstream support). However, Chor admitted that making major security-related changes to IE in Windows 2000 would require fairly significant changes to the OS itself, taking development time away from Longhorn and sustained engineering (e.g., service packs, hotfixes) for the current versions of Windows. Therefore, Microsoft continues to evaluate the costs of doing such a service pack against other options, such as releasing updates in the form of patches and hotfixes.

Chor also said that Microsoft is unlikely to release further IE service packs for Windows 9x or NT 4.0, neither of which is in Mainstream support. (Extended support for Windows NT 4.0 will end in 2004.)

New Version in Longhorn

Chor confirmed that Longhorn will include a new version of IE. In theory, Microsoft could use this opportunity to overhaul IE's basic security model—for example, replacing widely exploited interactive technologies, particularly ActiveX controls, with .NET Framework-based code that could be more easily restricted to a "sandbox" so as not to affect other parts of the OS—as well as to improve standards support and add new features.

However, Microsoft is not ready to discuss IE's feature set in Longhorn and has probably not even decided what features to include. Given the company's move away from stand-alone updates, customers should expect to get this upcoming version of IE only with Longhorn and not expect a simultaneous update for IE on older OSs.

What Customers Should Do

Microsoft insists that its current plan for IE is only a "plan of record" and subject to change. This lack of clarity, combined with a complex support policy and the recent burst of well-publicized security vulnerabilities, has left many customers wondering what they should do.

Install the latest version of IE. Regardless of which OS they are using, Microsoft recommends that customers deploy the latest available version of IE (including IE service packs) for the following reasons:

  • Each version is more secure than previous versions—in particular, IE 6 SP1 (currently available for Windows 98 and later OSs) is more secure than IE 6, IE 5.5, and IE 5, which are still common in many organizations
  • According to Microsoft's support guidelines, the company offers full support for only the latest available IE version (including IE service packs) on any given OS; Microsoft might not release as many updates, including hotfixes and patches, to earlier versions of IE, even if the underlying OS is still supported.

Consider XP SP2. Given the highly publicized vulnerabilities in current versions of IE, and the fact that several recent IE exploits appear to have been designed with criminal intentions (to steal user passwords, for instance), customers already on Windows XP should consider IE security as a major reason to deploy SP2; those on older OSs should weigh better IE security when considering whether to upgrade to XP.

In beta testing so far, Windows XP SP2 has proven resistant to many published IE exploits, whereas Microsoft's suggested combination of hotfixes, patches, and other changes for older IE versions has not. For instance, shortly after Microsoft issued a configuration change to disable one ActiveX control that attackers were abusing to install malicious code on PCs, security researchers demonstrated how another ActiveX control could be used in the same fashion. However, neither exploit works on Windows XP SP2.

Although US-CERT has suggested using other browsers as one possible solution, this may not be feasible for enterprises that have applications or intranet sites built specifically to work with IE. Moreover, it's not clear whether other browsers are inherently more secure than IE or whether attackers simply target IE more frequently because of its large user base—for instance, one week after a spate of highly publicized IE vulnerabilities, the Mozilla Organization issued a critical security update for its own browser.

Customers should be aware that Windows XP SP2 makes many other changes, including some that could break existing applications, and therefore will require significant testing before deployment.

Stay the course? Because Microsoft has no formal policy regarding IE service packs for downlevel Windows versions, organizations with large Windows 2000 deployments may wish to wait and hope that widespread complaints will force Microsoft to release another IE service pack. However, organizations should not expect any such update until 2005 at the earliest.

In the meantime, these organizations should install the latest available version and service pack of IE (for the reasons stated earlier) and stay up to date with all of the latest security patches from Microsoft—including patches for other products, such as Outlook Express, as vulnerabilities in these products are sometimes exploited in combination with IE vulnerabilities.

Resources

For Microsoft's suggestions on how to protect against Download.Ject and similar exploits, see www.microsoft.com/security/incident/download_ject.mspx.

Security researchers LURHQ describe the Trojan that Download.Ject attempted to install at www.lurhq.com/berbew.html.

IE's lack of support for certain W3C standards, and some workarounds for these problems, are discussed in MSDN's Channel 9 forum at channel9.msdn.com/wiki/default.aspx/Channel9.InternetExplorerStandardsSupport.

The technical changes to IE in Windows XP SP2 are detailed at www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx.

For more background on Windows XP SP2, see "XP Service Pack Needs Significant Testing" on page 3 of the May 2004 Update and "XP Service Pack Highlights Security Dilemma" on page 3 of the Jan. 2004 Update. A TechNet article describing all the major changes is at www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx.

IE's URL security zones are explained at msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/overview/overview.asp.

Support information for IE can be found at support.microsoft.com/default.aspx?id=fh;[ln];lifeprodi.