INTERNET EXPLORER

Internet Explorer security: is there any hope?

Dr E. Eugene Schultz, University of California/Berkeley Lab

Network Security, January 2005

Microsoft's internet browser, Internet Explorer, may be the most popular browser on the market, but its vulnerability to attack, and Microsoft's seeming inability to make it secure, is making people switch.

The Worldwide Web (WWW) has transformed the internet, dramatically increasing its appeal and usefulness to individuals and organizations. At first the Web had few security problems, but vulnerabilities in Web servers, particularly in Microsoft's Internet Information Server (IIS), have been exposed. The default level of security in Web servers such as Apache and IIS has improved considerably, and the rate at which new vulnerabilities in these and other Web servers have been identified also appears to have slowed down considerably over the last few years. Yet the Web is still very much a dangerous place. This is now due to a large degree to a myriad of vulnerabilities in Web browsers, particularly in Microsoft's Internet Explorer (IE). The average number of announced vulnerabilities in IE per month is virtually unparalleled: nearly three per month in IE6 over the last two years, according to Secunia (SECU04). Most troubling is that of the announced IE vulnerabilities, 14% have been rated as extremely critical and 34% have been rated highly critical. Although IE is currently the most widely used Web browser, there has been a regular stream of bulletins from Microsoft and others that describe yet more IE security vulnerabilities, and media accounts of real-life incidents in which IE vulnerabilities have been exploited (EVER04). These reports have hurt IE's popularity considerably.

Attacks on systems that exploit IE vulnerabilities are commonplace and growing rapidly. Certain vulnerabilities allow spammers to pop up windows on users' computers. This includes spyware such as the hard-to-kill DSO Exploit, which exploits security settings for the My Computer zone to allow downloading of unsigned ActiveX controls. DSO Exploit makes it easy for outsiders to pop up windows on remote users' displays at will and then present content ranging from advertisements to pornographic material. Other vulnerabilities, some of which will be discussed shortly, allow attackers to gain complete control of systems that run IE. Although IE vulnerabilities are by no means exclusive to IE running on Windows operating systems, the vast majority of IE vulnerabilities are in Windows-based versions of IE. Concerned by the number of serious vulnerabilities in IE, the CERT/CC has recommended against using IE altogether (REGI04). Some organizations have followed suit by banning the use of IE by their employees.

Paradoxically, IE appears to have been created with security in mind, at least to some degree. This browser offers a wide range of features designed to control users' levels of security and privacy. IE users can, for example, set desired levels of security in various zones (Internet, local intranet, trusted sites, and restricted sites; see Figure 1). This helps (at least in theory) to restrict the way code from unknown websites executes on the machine on which this browser runs. IE is, for example, designed to keep JavaScript from websites within the Internet zone from running in the context of the local machine. The permissions of files running from the local hard drive are also considerably less restrictive than the permissions of code that has been downloaded from an untrusted zone. IE, for instance, tries to keep executables downloaded from sites within the Internet zone from accessing data within the local machine. IE also displays prompts before potentially unsafe content can be downloaded; by default it prevents unsigned ActiveX controls from being downloaded. Furthermore, IE has many advanced settings that control functions such as checking whether certificates have been revoked, verifying signatures for executables, and enabling Secure Sockets Layer (SSL) and other types of encryption (see Figure 2).

Figure 1 - IE Web Security Zone Options

Major IE vulnerabilities

Despite superficial appearances, IE (Note 1) is extremely flawed from a security perspective. This is shown in part by the sheer number of vulnerabilities in IE that have been identified to date. Many of these vulnerabilities can lead to particularly undesirable consequences. Several of these are discussed next.

Cross domain/zone vulnerabilities

IE deploys a cross-domain security model that differentiates between browser frames from different sources. This is designed to prevent code in one domain from accessing data in a different domain. The Internet Security Manager Object (ISMO) determines the particular zone and/or domain to which a URL belongs and the actions permitted in that zone. According to this model, domains can be in different IE zones; the Local Machine Zone (LMZ) is the most trusted (and privileged) zone. Cross-domain vulnerabilities permit code from one domain or zone to run in the security context of a different one. Some of the security-related problems in IE's implementation of its cross-domain security model include:

• Failure to validate the source of redirected frames, which allows malicious code to redirect frames in trusted zones to frames that are outside these zones. This causes the latter to be dealt with as if they were within trusted zones.
• Ability of unauthorized individuals to determine the domain or zone of frames.
• Ability to execute scripts in unusual contexts; scripts can even be embedded and then run in objects such as cookies.

A cross-domain attack into the LMZ means an attacker can take any action that the user on the machine with a vulnerable IE browser can take. The worst case is when a user has logged on with Administrator privileges, because an attacker who exploits cross domain or zone vulnerabilities has the same level of privileges as the user. This gives complete control of the system to an unauthorized person. Worse, code to exploit cross domain and zone vulnerabilities is widely available on the internet.

MIME-type determination flaws

Figure 2 - IE Advanced Security Options


MIME stands for Multipurpose Internet Mail Extensions. MIME-type determination describes how a file is handled. Options include viewing an image or using MHTML (Note 2) or Multipart HTML to parse HTML, initiate a download, or run an external program.

IE normally reads up to 256 bytes into a file and then tries to match the file content against a list of defined file types. If the match is unsuccessful, a server-provided content-type header or file extension may be used instead. If the content-type header or file extension also fails, examination of file content and/or the name extension may also be used.

HTTP (Hypertext Transfer Protocol) is a request-response protocol. When a client sends a request to a server, the request specifies the request method, URI (Uniform Resource Identifier, aka URL), and protocol version. It also contains a MIME-like message with request modifiers, client information, and possible body content. The server responds with a status line that includes the message's protocol version and a success or error code, which is followed by a MIME-like message with server information, high-level entity information, and potential entity body content. If and only if the media type is not indicated by a Content-Type field, the recipient may try to guess the media type by inspecting its content and/or the name extension.

MIME-type determination vulnerabilities are exploited when a user connects to a Web page such as http://www.somesite.com/image.jpg and image.jpg is not an image, but is instead HTML (Hypertext Markup Language) that contains a malicious executable. The IE browser reads the file, recognizes that it is HTML, parses it with MHTML, and then runs the executable. This could potentially allow a perpetrator to take any action on a user's system.
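As an added example (not code from the article or from Microsoft), the following models the determination order just described, content sniffing over the first 256 bytes, then the Content-Type header, then the file extension, and uses it as a server-side or proxy-side check that flags a resource declared as an image which a sniffing browser would instead treat as HTML or an executable. The signature table and the sample responses are constructed, simplified stand-ins, not IE's real tables.

```python
import re

SNIFF_LIMIT = 256  # bytes the article says IE examines before deciding

MAGIC = [  # (leading bytes, MIME type); constructed, simplified signature table
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"MZ", "application/x-msdownload"),
]
HTML_MARKER = re.compile(rb"<\s*(!doctype|html|head|body|script|object|iframe)\b", re.I)
EXTENSION_TYPES = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif",
                   "htm": "text/html", "html": "text/html",
                   "exe": "application/x-msdownload"}
# Types a browser would parse or run rather than merely display.
ACTIVE_TYPES = {"text/html", "application/x-msdownload"}


def effective_type(body, content_type, url):
    """Type a sniffing browser would act on: content first, then header, then extension."""
    head = body[:SNIFF_LIMIT]
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    if HTML_MARKER.search(head):          # looks like HTML regardless of its name
        return "text/html"
    if content_type:                      # fall back to the server's declaration
        return content_type.split(";", 1)[0].strip().lower()
    name = url.rsplit("/", 1)[-1]         # last resort: the file-name extension
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXTENSION_TYPES.get(ext, "application/octet-stream")


def sniff_mismatch(url, content_type, body):
    """Return (declared, effective) when the browser would treat the resource as
    active content although the server declared something else; None if it is safe."""
    declared = (content_type or "").split(";", 1)[0].strip().lower() or None
    effective = effective_type(body, content_type, url)
    if effective in ACTIVE_TYPES and effective != declared:
        return declared, effective
    return None


# Constructed sample responses: a genuine JPEG and an "image" that is really HTML.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 300
FAKE_JPEG = b"<html><body><script>document.title='not an image'</script></body></html>"

if __name__ == "__main__":
    print(sniff_mismatch("http://www.somesite.com/image.jpg", "image/jpeg", REAL_JPEG))
    print(sniff_mismatch("http://www.somesite.com/image.jpg", "image/jpeg", FAKE_JPEG))
```

Running the check over served files or proxy logs surfaces exactly the image.jpg-that-is-HTML case the article describes, before a sniffing browser gets to decide for itself.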

GUI (Graphical User Interface) control problems

IE allows events created using a mouse to call methods that manipulate window objects (e.g. as in drag and drop operations). A bug in IE allows an attacker to use method caching to gain control over the manipulation of window objects via many functions, one of which is window.moveBy.

In another GUI control bug, an attacker can use mouse-initiated events to invoke a script function that calls methods to gain access to the user's Favourites directory by referencing an ActiveX object named ShellNameSpace.

HTML elements buffer overflow vulnerability

A highly critical vulnerability in the way IE handles some attributes in the elements was identified recently. A buffer overflow condition or denial of service (specifically, an IE crash) can happen when IE processes a malicious HTML document with excessively long strings in the SRC and NAME attributes of the previously mentioned elements.

Scripting handling-related vulnerabilities

Several types of serious scripting-related vulnerabilities have also been discovered. One such vulnerability concerns how ActiveX controls are labelled and handled. Only a control that is labelled safe for scripting should be able to be called from IE, but safe for scripting constraints are not always enforced correctly. Two ActiveX controls, Eyedog (a control used in connection with Windows diagnostic software) and scriptlet.typelib (a control that enables developers to create Type libraries for Windows scripting components), are both labelled safe for scripting, and can therefore be called from IE. But Eyedog can allow unprivileged users or programs to glean information about the Registry and characteristics of the system in which it runs. It is also vulnerable to a buffer overflow condition that can result in execution of rogue code. scriptlet.typelib allows unprivileged users or programs to create and change files in the system on which IE runs. In addition, the Microsoft virtual machine (Microsoft VM) has a security exposure that may allow script code in a Web page or HTML email message to reach and execute ActiveX controls. This is despite the fact that these controls should not be available under these conditions. A perpetrator could set up a malicious Web page in this manner to exploit this bug, thereby potentially gaining full control of a system on which IE is used to visit the malicious page.