Microsoft revamps browser security zones

Microsoft has detailed some significant changes in Internet Explorer 7's "security zones" that it claims will eliminate some of the browser's most notorious vulnerabilities.

Security zones are groupings of sites that give them different levels of access to the local system. The zoning system has been an achilles heel for Explorer in the past, with malicious sites able to gain access to the user's system by tricking the browser.

Microsoft's Vishu Gupta, Rob Franco and Venkat Kudulur, writing on the official IE Blog last week, said improvements such as URL parsing in Windows XP SP2 and Explorer 7 have been designed to limit such vulnerabilities. "If there is a flaw in IE's zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in," they wrote.

The changes to the zoning system are designed to reinforce these improvements by making the zones themselves less permissive, Microsoft said.

One of the most significant changes for enterprise users will be the elimination of the intranet zone. "We realized that the intranet zone (and its lower restrictions) is not relevant at all to the typical home user running IE," wrote Gupta, Franco and Kudulur.

In Explorer 7, Windows machines that aren't on corporate networks will treat apparent intranet sites as Internet. "This change effectively removes the attack surface of the intranet zone for home PC users."

If the machine has joined a domain, the browser should automatically detect intranet sites and run them under the usual, more permissive rules, Microsoft said. If the auto-detect mechanism doesn't work for whatever reason, admins will be able to set group policy for the intranet to ensure things work properly.

Users will also be able to implement intranet settings for particular sites, Microsoft said. "IE will show an information bar when visiting a probable intranet site," wrote Gupta, Franco and Kudulur. "If a user wants to re-enable their intranet zone, they'll be able to."

Internet zone and trusted sites

The other changes will be to the Internet zone and the trusted sites zone, Microsoft said. Settings will be locked down for the Internet zone -- it will run in Protected Mode on Windows Vista, and the ActiveX Opt-In feature will apply. This feature will give attackers one more barrier to get through before they will be able to execute malicious ActiveX controls, one of the more common ways of attacking Windows systems, Microsoft said.

The locked-down settings used in the Internet zone will be given a new designation: "Medium-High".

Microsoft said it has decided the trusted sites zone is probably too permissive to be safe. "We find that many users don't understand how powerful a site becomes when they make it a Trusted Site. For example, a Trusted Site in IE6 can automatically install signed ActiveX controls on the user's machine," wrote Gupta, Franco and Kundulur.

By default Explorer 7 will assign "trusted sites" a "Medium" security level, the level given to Internet-zone sites under Explorer 6, Microsoft said. Users will get the option of manually lowering the trusted-sites security settings back to the Explorer 6 level via Internet Options or through policy settings, Microsoft said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Broersma

Techworld.com
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?