NETWORK DEFENSE

by Rik Farrow

THE MOST DANGEROUS SOFTWARE EVER WRITTEN

THE COMBINATION OF IE, OUTLOOK, AND WINDOWS MAKES EXPLOITATION COMMON

In the world of Internet security, some events really stand out. The Internet worm (November 1988), the attack on Tsutomu Shimomura (Christmas Day 1994), and the publication of Aleph One's tutorial on buffer overflow attacks (1996) all marked what I consider key turning points in the history of Internet security. But what I have left out are some more recent events: ILOVEYOU, Melissa, and Nimda. These security events caused damage and loss of productivity that far exceeded the financial cost of the terrorist attacks of 9-11. And they all relied on the same ease-of-use features that have made Microsoft's Internet software so popular.

While it is possible to tighten the security of Internet Explorer and prevent much of the damage that occurs today, doing so is complicated--if you care to leave intact any of the features that make using IE engaging. But IE, working together with Outlook, has turned the world of Internet security on its head.

THE GOOD OLD DAYS

Once upon a time, a system connected to the Internet as a client would be totally immune from attacks from the Internet. Client software, by definition, does not provide services. With no services listening to the Internet, there is nothing to attack--no ports are open. True, an attacker could flood the connection that leads to the client system, but that attack's only effect would be to prevent the client from participating in the network.

When client-only systems were the norm, you didn't need personal firewalls. Your system had no services that could be attacked. People used command-line tools for reading email, fetching files, and remotely logging in. The introduction of Web browsers changed everything, not only by making the Internet easier to use, but also by making it infinitely more dangerous for client systems, as opposed to servers.

At this point in time, Bill Gates had not yet decided that the Internet was important. Many companies sold Web browsers, and none of them had the feature set, or the vulnerabilities, found in today's Internet Explorer. Not that using a browser was totally foolproof. In 1996, a trickster in Sweden suggested reconfiguring a browser for UNIX systems so that when the browser read a file with the filename extension .sh, the UNIX command shell would interpret that file. For those naive enough to be taken in by this suggestion, the trickster had an "interesting" file to download--one that deleted all the user's files.

Internet Explorer comes with the built-in ability to execute scripts received from remote sources. Because Outlook, Outlook Express, and news readers come linked to IE's HTML rendering engine, they can also execute scripts. The ability to execute scripts makes IE dangerous, just as dangerous as hooking up command.com or cmd.exe as a network service and inviting an attacker to do his or her worst. You have no protection from miscreants set on doing you harm when your software gives them the means to do so.

PROTECTION

You can defend yourself, of course. Microsoft's TechNet has a great article about the security settings of IE. You have 106 security settings, in each of four different zones, to play with. The complexity apparent here is only part of the problem. You can read the TechNet article (see Resources), or a CERT vulnerability note that quickly gets to the heart of the matter. You need to disable Active scripting, plug-ins, and ActiveX to make IE, Outlook, Outlook Express, and the news reader secure.

IE uses Active scripting to execute JScript (JavaScript) and VBScript, and disabling Active scripting means that Web sites that include scripting won't work. For example, you will not be able to use Travelocity to search for airline tickets, or use most of the Microsoft sites, which rely heavily on scripting for their features. It also means that when you open an email that contains scripting, that scripting will not execute--possibly saving your system from infection by a virus, installation of a trojan, and other mischief.

Disabling Active scripting seems to be a high price to pay for security, and in my experience, it is not one that most people are willing to pay. Suffering the consequences costs as much as $1.6 trillion every year in terms of lost productivity (see the Berkeley policy resource, which quotes a Price, Waterhouse, and Coopers paper).

Microsoft does give you options. You can set your Internet and Restricted Zone security settings to High, and disable almost everything that might be dangerous (there are still dangerous bugs to deal with). Outlook and Outlook Express consider all email from outside of your Intranet to be in the Restricted Sites zone, and keeping your security level high here will prevent lots of bad things from happening.

This all-or-nothing approach (trust your Intranet but not the Internet) is still less than perfect. One of the ways Nimda spread relied on a bug in the way IE handled MIME attachments (see the September 1999 column, http://www.spirit.com/Network/net0799.txt). An attacker can specify a MIME type that will be automatically opened by IE, such as a sound file, then include data that is not a sound file but an executable, and Windows will duly execute that file. Not only did Nimda become the fastest-spreading virus of 2001 in large part because of this trick, but as soon as one system on the inside became infected, it launched attacks on other systems within the Intranet--the same Intranet zone that gets trusted by IE (see CA-2001-06). As of July 2002, the continued spread of the KLEZ.M worm, which uses this bug, shows that many installations of IE have still not been patched.
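The MIME trick just described is easy to check for at a mail gateway, because the declared Content-Type and the bytes in the attachment disagree. The following is an added example, not code from the column: it parses a message, decodes each non-text part, sniffs a few magic numbers, and flags any part that carries a Windows executable (an "MZ" header) or whose sniffed type contradicts the declared one. The messages it scans are constructed inside the block; the executable "payload" is only a fake header.

```python
"""Flag MIME parts whose declared Content-Type does not match their bytes:
the trick where an 'audio' attachment is really a Windows executable that
the mail client hands to IE to open. Added example; all sample messages
below are constructed, not real mail."""
from typing import Dict, List, Optional
from email import encoders, message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

EXECUTABLE_TYPES = {"application/x-msdownload"}


def sniff(payload: bytes) -> Optional[str]:
    """Identify a handful of formats by magic number; None if unknown."""
    if payload[:2] == b"MZ":                      # DOS/PE executable header
        return "application/x-msdownload"
    if payload[:4] == b"RIFF" and payload[8:12] == b"WAVE":
        return "audio/x-wav"
    if payload[:4] == b"\x89PNG":
        return "image/png"
    if payload[:4] == b"GIF8":
        return "image/gif"
    return None


def scan_message(raw: bytes) -> List[Dict]:
    """One finding per part that is executable or whose sniffed type
    disagrees with the declared Content-Type. Text bodies are skipped
    because they carry no magic number to verify."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        if declared.startswith("text/"):
            continue
        payload = part.get_payload(decode=True) or b""
        sniffed = sniff(payload)
        reason = None
        if sniffed in EXECUTABLE_TYPES:
            reason = "executable payload"
        elif sniffed is not None and sniffed != declared:
            reason = "declared type does not match content"
        if reason:
            findings.append({
                "declared": declared,
                "sniffed": sniffed,
                "filename": part.get_filename(),
                "disposition": part.get_content_disposition(),
                "reason": reason,
            })
    return findings


def build_sample(payload: bytes, filename: str = "sound.wav") -> bytes:
    """Constructed test message: a text body plus one part declared as
    audio/x-wav, inline, carrying whatever bytes the caller supplies."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("hello"))
    part = MIMEBase("audio", "x-wav", name=filename)
    part.set_payload(payload)
    encoders.encode_base64(part)
    part.add_header("Content-Disposition", "inline", filename=filename)
    msg.attach(part)
    return msg.as_bytes()


# Constructed payloads: a fake PE header and a minimal genuine WAV header.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
REAL_WAV = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 24

if __name__ == "__main__":
    for label, data in (("hostile", FAKE_EXE), ("benign", REAL_WAV)):
        print(label, scan_message(build_sample(data)))
```

The check deliberately trusts neither the filename nor the Content-Disposition: both are attacker-controlled, and the column's point is that IE acted on the declared type rather than the content.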

There is a safer mechanism for Web browsing, because you can add sites to the Trusted Zone. If you disable scripting in the Internet Zone (and perhaps in all zones except the Trusted Zone), you then have the option of creating a list of those sites or domains that you trust not to send you malicious code. So, just by adding http://*.travelocity.com and https://*.travelocity.com to your Trusted Sites list, you can still search for cheap flights on Travelocity.com while not exposing yourself to attacks from other sites. Oh, you might as well add the various Microsoft domains to this list as well, if you ever plan to visit MSNBC.com, for example.

MORE MOBILE CODE

I hope that by now you have fired up IE, gone to the Tools pulldown, selected Internet Options, and clicked open the Security tab. You can then choose any of the four zones, and the Internet Zone is a great place to start. You want to make certain that Active scripting is disabled, as is the ability to run ActiveX controls and plug-ins. Wait, you say, can't I keep plug-ins enabled?

It turns out that plug-ins, like Macromedia's Flash and Adobe's Acroread, are actually ActiveX controls, so it is not possible to have plug-ins enabled and not ActiveX. ActiveX controls are software libraries, similar to the DLLs (Dynamic Link Libraries) installed by the dozen on any Windows system. ActiveX represents the technology that allows Windows developers to create programs that can be downloaded over the network and instantly linked into executing applications. You can even receive an ActiveX control that adds new features to IE simply by visiting a Web site.

ActiveX controls have the exact same access to Windows that the person using the Web browser does. If an ActiveX control executes a delete tree, all the files the user can delete will be deleted. But deleting files is messy, and hardly subtle. A much more common approach taken by malicious software in general is to download and install trojans, like SubSeven or BackOrifice, or viruses.

ActiveX controls come with Windows systems. The login GUI for Windows NT, 2000, and XP is an ActiveX control, so don't start deleting files with the .ocx extension if you wish to continue working with Windows. Microsoft created a feature called Authenticode so that ActiveX controls can be digitally signed. The logic behind this is that if you trust the source, then you should trust ActiveX controls signed by that source. The trouble with that assumption is that even a source you trust, perhaps Microsoft, has delivered buggy software in the past. Authenticode just gives you someone to blame when things go wrong; it does not actually provide you with any security.

eEye, the discoverers of the bug used by Code Red, uncovered a buffer overflow in Macromedia's Flash plug-in on May 2, 2002 (and you should have replaced your Flash plug-in by now). The buffer overflow gives a would-be attacker the ability to execute arbitrary code while you are waiting for the Flash content to begin (it fails, because the attacker has hijacked the Flash plug-in). Even if the Flash plug-in were signed, it would still carry out its attack successfully. You can't even turn around and sue for damages, as most End User License Agreements (EULAs) deny any liability for any damages the software might cause you.

In essence, you are responsible for installing the dangerous software on your computer, not the software vendor.

ALTERNATIVES

Most people use IE. Although there are alternative browsers, such as Opera (opera.com) and Mozilla or Firefox (www.mozilla.org), most people like the speed of IE and its ability to properly render most Web sites (being the most commonly used browser guarantees that). And the speed of IE is related to how tightly it is coupled with Windows--something not possible for third-party vendors to do.

One clever way to avoid 99.999% of the attacks that come through IE and its sidekick Outlook is to use MacOS instead of Windows. You get to use the preferred browser, Office, and yet not get hit by the virus-of-the-day because most attack code is geared specifically to features only available as part of Windows, and won't function on MacOS, or on the processors used by Apple. Using Firefox on Windows, instead of IE, also prevents most of the attacks encountered by using IE.

You will still be vulnerable to bugs that occur in IE, unfortunately. Georgi Guninski, a Bulgarian security consultant who actually does code review for a living, has found dozens of ways to violate the security models included in IE, and Microsoft has fixed most (but not all) of these problems.

In February 2002, a Grey Magic security advisory reported a bug that permitted executing code even when Active scripting and ActiveX had been disabled. The bug only permits executing commands that will work with no arguments, but that does include the shutdown.exe command that is included by default in XP installs, and in the Resource Kits for NT and Win2K.

Microsoft could actually make IE safer to use, but only by changing their design philosophy. If IE and other tools for working with content from the Internet ran in an environment that was not the same as the logged-in user's, it would be possible to contain the damage caused by attackers. UNIX operating systems include methods for running software as another user, and in a different environment (chroot or jail), that are just not present in Windows. In XP, you can log in multiple times, so it is possible to create an email and Web browsing account and switch to that environment without too much trouble. Never read email using an account with Administrator privileges.

At the very least, tighten up your security. The TechNet article explains how registry keys can be used to adjust IE security, and how to distribute those keys throughout your organization. Disable Active scripting, ActiveX, and plug-ins, and then see if you are still happy with IE. You will at least be more secure.
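The zone settings described under PROTECTION and MORE MOBILE CODE (disable Active scripting, ActiveX, and plug-ins in the Internet and Restricted Sites zones) and the Trusted Sites entries described earlier (http://*.travelocity.com and https://*.travelocity.com) can be expressed as a .reg file, which is the form in which the TechNet article suggests distributing them. The following is an added example, not the column's or Microsoft's code. It assumes the per-user key paths, URL-action ids (1200, 1001, 1004, 1400) and data values (0 enable, 1 prompt, 3 disable) from Microsoft's public documentation of the Internet Settings\Zones and ZoneMap keys; the mapping of a host pattern onto a ZoneMap subkey takes the last two labels as the registrable domain, which is a simplification.

```python
"""Generate a .reg file that disables Active scripting and ActiveX/plug-ins
in chosen IE zones and maps trusted site patterns into the Trusted Sites
zone. Added example; key paths and value names are assumed from Microsoft's
public documentation of the Internet Settings\\Zones and ZoneMap keys."""
from typing import Dict, Iterable, List, Tuple

ZONES_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones")
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

# Zone numbers: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites
TRUSTED_ZONE, INTERNET_ZONE, RESTRICTED_ZONE = 2, 3, 4

# URL-action ids (value names under Zones\<n>); data 0 = enable, 1 = prompt, 3 = disable
ACTION_RUN_ACTIVEX_AND_PLUGINS = "1200"
ACTION_DOWNLOAD_SIGNED_ACTIVEX = "1001"
ACTION_DOWNLOAD_UNSIGNED_ACTIVEX = "1004"
ACTION_ACTIVE_SCRIPTING = "1400"
DISABLE = 3

HARDENING = {
    ACTION_RUN_ACTIVEX_AND_PLUGINS: DISABLE,   # plug-ins are ActiveX controls too
    ACTION_DOWNLOAD_SIGNED_ACTIVEX: DISABLE,   # Authenticode is not a safety check
    ACTION_DOWNLOAD_UNSIGNED_ACTIVEX: DISABLE,
    ACTION_ACTIVE_SCRIPTING: DISABLE,          # JScript and VBScript
}


def dword(value: int) -> str:
    return "dword:%08x" % value


def zone_map_key(pattern: str) -> Tuple[str, str]:
    """Map 'scheme://host' onto the ZoneMap subkey IE uses: the registrable
    domain is the key, any further host labels form a subkey, and a leading
    '*.' wildcard means the whole domain (no subkey). Returns (key, scheme)."""
    scheme, sep, rest = pattern.partition("://")
    host = rest.split("/", 1)[0].lower()
    if not sep or not host:
        raise ValueError("pattern must look like scheme://host")
    labels = host.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    if len(labels) < 2:
        raise ValueError("need at least a second-level domain")
    domain = ".".join(labels[-2:])          # simplification: last two labels
    sub = ".".join(labels[:-2])
    key = ZONEMAP_KEY + "\\" + domain + ("\\" + sub if sub else "")
    return key, scheme


def build_reg(trusted_patterns: Iterable[str],
              zones: Iterable[int] = (INTERNET_ZONE, RESTRICTED_ZONE)) -> str:
    """Return the text of a .reg file applying HARDENING to each zone and
    assigning each trusted pattern to the Trusted Sites zone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for zone in zones:
        lines.append("[%s\\%d]" % (ZONES_KEY, zone))
        for action, data in HARDENING.items():
            lines.append('"%s"=%s' % (action, dword(data)))
        lines.append("")
    grouped: Dict[str, List[str]] = {}
    for pattern in trusted_patterns:
        key, scheme = zone_map_key(pattern)
        grouped.setdefault(key, []).append(scheme)
    for key, schemes in grouped.items():
        lines.append("[%s]" % key)
        for scheme in sorted(set(schemes)):
            lines.append('"%s"=%s' % (scheme, dword(TRUSTED_ZONE)))
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_reg(["http://*.travelocity.com", "https://*.travelocity.com"]))
```

Save the output with CRLF line endings and import it with regedit, or push it out by whatever mechanism your organization already uses for registry changes. Because the keys live under HKEY_CURRENT_USER they apply per user, so the separate browsing account suggested above needs its own copy.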

RESOURCES:

Microsoft TechNet article about IE security, and how to configure it: http://www.microsoft.com/technet/security/bestprac/mblcode.asp

A CERT vulnerability note that is more to the point: http://www.kb.cert.org/vuls/id/25249

Policy paper at Berkeley quoting Price, Waterhouse, and Coopers with $1.6 trillion in yearly losses due to viruses: http://ls.berkeley.edu/lscr/policy/emailclient.htm

Georgi Guninski's list of Web browser bugs: http://www.guninski.com/browsers.html

Grey Magic security advisory about executing applications when Active Scripting and ActiveX are disabled: http://sec.greymagic.com/adv/gm001-ie/

eEye Security advisory about Macromedia Flash plug-in buffer overflow: http://www.eeye.com/html/Research/Advisories/AD20020502.html

A White Paper by Rick Forno about the danger Microsoft poses to National Security: http://www.infowarrior.org/articles/msdanger.pdf