Unsafe at Any Broadband Speed?

21 July 2004--It was an extraordinary moment in computer network security. On 2 July, following three weeks of warnings about the security of the most popular Web browser in the world, the U.S. Department of Homeland Security's Computer Emergency Readiness Team released a "vulnerability note" that said, in part, "There are a number of significant vulnerabilities in technologies relating to [Internet Explorer's] security model�.It is possible to reduce exposure to these vulnerabilities by using a different [Web] browser."

Web discussion boards lit up, and e-mail lists buzzed with the news. "Did CERT say ’don't use IE'?" was a typical subject line.

US-CERT, based in Washington, D.C., and Pittsburgh, Penn., is not generally in the business of telling people which Internet browser to use. "We don't recommend one brand over another--they all have problems," says Art Manion, an Internet security analyst for US-CERT and the author of the vulnerability alert. "But it's naive to say your choice of product has nothing to do with your security. Running IE without patches, without hardening, is taking a serious risk." Keeping up with the numerous security patches released by IE's maker, Microsoft Corp., in Redmond, Wash., though, is something even professionals can have trouble doing.

At issue are the security privileges enjoyed by one's browser when viewing Web pages. In a method of attack identified just last month, the computer operating system is fooled into giving the browser, and the Web pages it reads, the highest level of access. A rogue Web page, then, could put a malicious software program on one's computer. Normally, it's impossible for an outside entity, like a Web page, to initiate a process that writes code to one's hard drive. But by exploiting something called the cross-domain security model, that's exactly what the vulnerability does.

"Simply put, there are three relevant domains, or zones, involved when you use Internet Explorer: an Internet zone, a local Intranet zone, and a local zone," explains Rafel Ivgi, an Israeli computer security expert who was the first to report the problem, back in June.

"In ordinary Web browsing of external Web pages, the pages are opened in the Internet zone," says Ivgi. "This a safe zone, in that it doesn't allow writing. There's a second zone, the Intranet local zone. It's used for reading local pages, typically across internal local-area networks. It's also a safe zone--no writing."

The most important zone, Ivgi continues, is the local zone, and it's the key to the attack. It's a trusted zone--that is, it trusts the browser and other local software, and therefore allows writing. The key to the attack is a process called cross-zone scripting, computer code that breaks the zone barriers. In other words, it's a way of getting the browser to read, across the open Internet, Web pages, but in the local zone, where the page can write to the computer. "Once you have broken the zone, you have access to the computer," says Ivgi.

An attack would manipulate the local zone by using a particular function of Internet Explorer to create what is known as an iframe, a procedure that inserts external objects into an HTML document. The malicious Web page creates cross-site scripting by redirecting the iframe into the local zone, thereby breaking the zone restriction. Once the zone is broken, ActiveX controls are used to execute the foreign code on the computer. Thus one stopgap solution is to disable ActiveX, which is a software component used by one's existing programs to, among other things, manage the way new executable code is added to one's computer.

Half the blame goes to Microsoft, Ivgi says, but the other half goes to developers around the world who build applications that use ActiveX but don't spend enough time on security--in particular, on testing against these sorts of cross-domain exploits. Ivgi expects to find more and more vulnerable software in his new job at an Israeli network security firm, Finjan Software Ltd., in Netanya, Israel, a seaside city halfway between Tel-Aviv and Haifa. (Finjan's headquarters are in San Jose, Calif.) In June, when he discovered the vulnerability in Internet Explorer, Ivgi was an independent security consultant.

The easiest way to defend oneself is to disable ActiveX, Ivgi says, though that cuts one off from a variety of software features that use it to read HTML, the text encoding scheme that formats Web pages. One can also delete some other little-used protocols that come with Windows, such as shell and mhtml. Ivgi has written a small program called XPLizer that removes them all from one's computer.

Ivgi thinks switching Internet browsers is not a good solution, because, in his opinion, Internet Explorer is the best browser. Web surfers seem to agree. A majority of all browsing is done with IE, which has a Macintosh version as well as the Windows one. (Only the Windows version suffers this vulnerability.)

CERT's Art Manion says that one can't really take IE off a Windows machine anyway. "Too much other stuff depends on it--almost anything that renders HTML. So the Help system wouldn't work. Outlook and Outlook Express wouldn't read HTML properly, and there are other parts of Office as well. A lot of non-Microsoft applications also rely on the same engine to render HTML, such as other e-mail software."

"The tight integration of the browser and the operating system--it's a great idea--but it has considerable security implications," says Manion. One can, though, use a different browser for Web surfing. "What we're suggesting is that you consider what level of risk you're comfortable with," he says. "Your choice of Web browser is important, and you want to think about that."