Take control of Internet Explorer...
before spyware does
Piscitello, President, Core
Microsoft's Internet Explorer (IE) is still the most widely used Web
browser, and the majority of Web-based spyware infestations target it.
Critics and experts can debate whether this is due to sloppy code and
inherent flaws in IE, or to abuse of a well-intentioned customization
mechanism called the Browser Helper Object (BHO); you have more pressing
concerns. For security's sake, any network administrator must decide
whether to deploy an alternative Web browser, or to minimize the
organization's exposure by locking down IE and deploying
Dump Internet Explorer?
Frustrated with spyware and a seemingly endless stream of security
patches, many users are choosing an alternative Web browser. Browsers such
as Mozilla/Firefox, DeepNet Explorer, and Opera natively support many
features, including:
- Built-in search bars
- Popup killers
- Tabbed browsing
- Integrated RSS readers and e-mail clients.
These browsers don't support BHOs and are thus immune to browser
hurtful objects, the "spyware" BHOs that hijack home pages, favorites,
and search engines. Anti-spyware vendors claim to detect and block tens
of thousands of spyware variants responsible for hijacking, URL tracking,
and intrusive advertising; BHOs and rogue toolbars that plug into IE
account for roughly a thousand of these pests and parasites.
Alternative browsers claim to be more secure than IE. Firefox bases
this claim on the success of the Mozilla project specifically, and on
open source development practice in general (see "Release
early, release often"). Opera was designed from the beginning with
security in mind and doesn't support ActiveX controls. DeepNet Explorer
renders HTML just like IE but doesn't support BHOs. However, none has
proven immune to bugs, so as an administrator you must weigh the
strengths and weaknesses of each contender as they affect your
organization.
Consider other factors before you commit to converting your
organization to a new browser:
- Does your organization actually use legitimate BHOs or ActiveX
controls?
- Is your (Intranet) Web server environment IIS- and IE-centric? If
so, what steps must you take to confirm that the browser you choose is
compatible with your server?
- How will the change affect your patch management?
- How will the change affect user training, helpdesk and support? Do
you anticipate any internal political backlash?
The answers to these questions might force the conclusion, "Let's stick
with IE." If so, then your next step is to deploy it as securely as
possible.
Five steps to a more secure IE configuration
Draw from the accumulated experience of others who combat spyware, and
implement these measures to protect your IE users:
Maintain IE Patch Currency. As exploit paths and vulnerabilities
are identified in IE, patch as early as possible to eliminate them.
Investigate central patch management solutions. If you must leave patch
management in the hands of your users, make certain they understand the
consequences of neglecting this critical process. If your users are
responsible for patching, conduct regular audits to ensure they are
keeping up with patches.
Improve your (IE) zone defense. You can adjust the settings of IE's
security zones so that you maintain a secure and productive user
experience for your organization. But doing so is not as simple as
consumer anti-spyware pages (such as CyberCoyote.org) suggest. If your
business applications are developed by .NET partners who do not sign
components with Authenticode, or your users routinely visit business
partner sites that use ActiveX components, your IE security
configuration must allow access to those particular components while
still refusing ActiveX from the open Internet. In such situations, make
use of IE's Trusted Sites zone and include these sites as reputable and
trustworthy.
Assess your organization's needs, and develop an IE security policy
that meets the security-usability requirements of your organization. If
you use Active Directory, use the Group Policy Object Editor to create an
"IE configuration" GPO. Configure your IE policy under User Configuration
=> Windows Settings => Internet Explorer Maintenance => Security;
then link the GPO to the appropriate organizational units.
Block ad server domain names. Several anti-spyware activists
maintain lists of known adware server sites and domains. If you block a
spyware agent from communicating with its ad servers once the agent lands
on your network (assuming it manages to elude your other countermeasures),
you negate much of the impact of that spyware, although the agent is
still installed and still needs removing. Add known spyware/adware
servers to the blocked sites list on your Firebox. Use a hosts file or
DNS to resolve the adware hostnames to localhost (127.0.0.1), or use a
registry script to add them to the IE Restricted Sites zone. Here again,
if you use Active Directory, you can include this countermeasure in a GPO.
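To make the zone-defense and ad-server steps concrete, here is an added example (my code, not the article's and not WatchGuard's) in Python that turns a hostname list into the artifacts both steps call for: a hosts-file block that sinks adware hosts to 127.0.0.1, a .reg script that places those hosts in the Restricted Sites zone and named partner sites in the Trusted Sites zone, and .reg lines that disable ActiveX in the Internet zone, shown beside IE's stock "Medium" defaults so the weak and hardened settings sit side by side. The registry paths and the ActiveX URL-action IDs are the ones Microsoft documents for IE's zones; the host lists are constructed sample data, and the hostname validation is my addition so that a blocklist downloaded from a third party cannot smuggle bracket or newline characters into a .reg file.

```python
"""Build IE lockdown artifacts (hosts-file block + .reg script).

Added example, not code from the original article. Assumes the
documented IE registry layout under Internet Settings:
  ZoneMap\Domains\<domain>[\<host prefix>]   "*"=dword:<zone>
  Zones\<zone>\<url-action-id>=dword:<0 enable | 1 prompt | 3 disable>
The host lists below are constructed sample data.
"""
import re

IE_SETTINGS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
               r"\CurrentVersion\Internet Settings")
ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = 2, 3, 4
ENABLE, PROMPT, DISABLE = 0, 1, 3

# Internet-zone ActiveX URL actions (IDs as documented by Microsoft)
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1405": "Script ActiveX controls marked safe for scripting",
}
# IE's stock "Medium" Internet-zone values: the weak starting point...
MEDIUM_DEFAULTS = {"1001": PROMPT, "1004": DISABLE, "1200": ENABLE,
                   "1201": DISABLE, "1405": ENABLE}
# ...and the hardened set: no ActiveX at all from the open Internet.
# Sites that genuinely need it go into the Trusted Sites zone instead.
HARDENED_INTERNET = {aid: DISABLE for aid in ACTIVEX_ACTIONS}

# Constructed sample lists (made-up names, not real adware or partners).
# The third entry imitates a poisoned blocklist line that tries to open
# a new key under HKLM inside the generated .reg file.
ADWARE_HOSTS = ["ads.example-adware.test", "tracker.example-adware.test",
                "bad host]\n[HKEY_LOCAL_MACHINE\\SOFTWARE"]
PARTNER_SITES = ["portal.partner.example"]

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_hostname(host):
    """RFC 1123 style check; rejects anything that could break out of a
    .reg key line (brackets, newlines, spaces) or a hosts-file entry."""
    if not 1 < len(host) <= 253 or host.endswith("."):
        return False
    labels = host.split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def zonemap_key(host):
    """IE keys ZoneMap by registrable domain, with the remaining host
    prefix as a subkey: ads.example.com -> example.com\\ads."""
    labels = host.lower().split(".")
    domain, prefix = ".".join(labels[-2:]), ".".join(labels[:-2])
    return f"{domain}\\{prefix}" if prefix else domain


def hosts_block(hosts):
    """Sink each adware hostname to localhost for the hosts file."""
    return "".join(f"127.0.0.1 {h.lower()}\n" for h in sorted(hosts))


def zone_reg_script(restricted, trusted, internet_actions):
    """Emit a .reg file: zone assignments, then Internet-zone ActiveX settings."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for zone, hosts in ((ZONE_RESTRICTED, restricted), (ZONE_TRUSTED, trusted)):
        for h in sorted(hosts):
            lines += [f"[{IE_SETTINGS}\\ZoneMap\\Domains\\{zonemap_key(h)}]",
                      f'"*"=dword:{zone:08x}', ""]
    lines.append(f"[{IE_SETTINGS}\\Zones\\{ZONE_INTERNET}]")
    for aid, val in sorted(internet_actions.items()):
        lines += [f"; {ACTIVEX_ACTIONS[aid]}", f'"{aid}"=dword:{val:08x}']
    return "\r\n".join(lines) + "\r\n"      # regedit expects CRLF


def build_artifacts(adware, partners, internet_actions=HARDENED_INTERNET):
    """Validate both lists first; rejected entries are reported, never written."""
    rejected = [h for h in adware + partners if not validate_hostname(h)]
    adware = [h for h in adware if validate_hostname(h)]
    partners = [h for h in partners if validate_hostname(h)]
    return {
        "hosts": hosts_block(adware),
        "reg": zone_reg_script(adware, partners, internet_actions),
        "rejected": rejected,
    }


if __name__ == "__main__":
    out = build_artifacts(ADWARE_HOSTS, PARTNER_SITES)
    print(out["hosts"])
    print(out["reg"])
    print("rejected:", out["rejected"])
```

The script writes under HKEY_CURRENT_USER, so an imported .reg applies only to the user who runs it; push it through a GPO logon script, or carry the same zone assignments in the Internet Explorer Maintenance settings of the "IE configuration" GPO described above. Review the rejected list rather than discarding it: a blocklist line that fails validation is either a typo in the source or an attempt to plant extra registry keys on every desktop that imports the file.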
Hamstring hijackers. Take advantage of the software developed to
identify and block malicious BHOs, but be aware that some BHOs have
legitimate purposes. Examples of legitimate and useful BHOs are privacy
preference clients like the AT&T Privacy Bird P3P client, Citibank's
Virtual Account software, Yahoo! Companion, and certain toolbars and Web
accelerators. If you want to give your users some flexibility in their
browser look-and-feel, run BHOlist on a sampling of the PCs in your
organization. Identify any legitimate BHOs and toolbars used by your
organization, and compose an approved BHO list. Install anti-spyware
software that provides browser hijack protection at each client, and
configure exceptions so that the BHOs on your approved list are not
blocked. Free and donateware such as SpywareGuard, Ad-Aware, or Spybot
Search & Destroy are widely acknowledged as legitimate, effective
alternatives to commercial anti-spyware software for the budget-impaired.
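The approved-list step can be checked mechanically rather than by eyeballing BHOlist output. The following added example (my code, not the BHOlist tool the article names and not WatchGuard's) assumes you run `reg export` on each sampled PC for the Browser Helper Objects key and for HKCR\CLSID, collect the two exported files, and feed their text to `audit_bhos()`, which lists every registered BHO with the DLL its InprocServer32 entry loads and flags any CLSID not on the approved list. The .reg excerpts, CLSIDs, and paths below are constructed sample data.

```python
"""Audit registered Browser Helper Objects against an approved list.

Added example (not the article's BHOlist, not WatchGuard code). Assumes
these two exports were taken on each sampled PC and collected centrally:
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg
  reg export HKCR\CLSID clsid.reg
IE loads every CLSID listed under the first key at startup and resolves
it to a DLL via HKCR\CLSID\{clsid}\InprocServer32, so those two keys are
enough to name every BHO and the file behind it.
"""
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_KEY = re.compile(r"\\Browser Helper Objects\\(" + GUID + r")$")
INPROC_KEY = re.compile(r"\\CLSID\\(" + GUID + r")\\InprocServer32$")

# Constructed sample exports; the CLSIDs and paths are made up.
BHO_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]
@="Privacy Preference Client"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-5555-6666-7777-888888888888}]
@=""
"""

CLSID_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\Privacy Client\\pclient.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-5555-6666-7777-888888888888}\InprocServer32]
@="C:\\WINDOWS\\System32\\srchhlpr.dll"
"ThreadingModel"="Apartment"
"""

# The organization's approved BHO list (constructed; one CLSID allowed)
APPROVED_BHOS = {"{AAAAAAAA-1111-2222-3333-444444444444}"}


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: data}}.
    Handles [key] headers and the "name"="string" / @="string" forms that
    reg export writes; other value types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # reg export doubles backslashes and escapes quotes
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def installed_bhos(bho_export, clsid_export):
    """Map each registered BHO CLSID to the DLL its InprocServer32 names
    (None when the CLSID has no in-process server in the export)."""
    bhos = {}
    for key in parse_reg(bho_export):
        m = BHO_KEY.search(key)
        if m:
            bhos[m.group(1).upper()] = None
    for key, values in parse_reg(clsid_export).items():
        m = INPROC_KEY.search(key)
        if m and m.group(1).upper() in bhos:
            bhos[m.group(1).upper()] = values.get("@")
    return bhos


def audit_bhos(bho_export, clsid_export, approved):
    """Split installed BHOs into approved and unapproved. CLSIDs are
    compared case-insensitively because hand-typed approved lists and
    registry exports rarely agree on case."""
    approved = {c.upper() for c in approved}
    found = installed_bhos(bho_export, clsid_export)
    return {
        "approved": {c: d for c, d in found.items() if c in approved},
        "unapproved": {c: d for c, d in found.items() if c not in approved},
    }


if __name__ == "__main__":
    report = audit_bhos(BHO_EXPORT, CLSID_EXPORT, APPROVED_BHOS)
    for clsid, dll in report["unapproved"].items():
        print(f"UNAPPROVED BHO {clsid} -> {dll}")
```

Real `reg export` output is UTF-16 with a byte-order mark, so open the collected files with `encoding="utf-16"` before handing the text to `audit_bhos()`. A BHO reported with `None` as its DLL is registered to load but has no in-process server in the export; that is worth a look on its own, since it is either a leftover from a partial uninstall or a CLSID whose server lives somewhere the export did not cover.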
Try a different cup of Java. Recent flaws
exposed in Microsoft's Java Virtual Machine prompt some anti-spyware
experts to suggest using Sun's JVM instead. Before you uninstall Microsoft's Java
VM, be certain this decision meets the organization's long term
objectives. If, for example, you are going to migrate from Java/J2EE to a
.NET framework, and will eventually disable Java entirely, is this step
necessary? Do any business applications needed by your organization
require a specific version of JVM?
Internet Explorer has its share of problems, and you may conclude your
organization is better off with an alternative Web browser. But your
organization doesn't have to be easy prey for spyware. With some planning,
you can implement appropriate measures to minimize your IE-related spyware
vulnerability profile. Switching browsers or locking IE down are both
valid options. Doing nothing is not.
Related articles:
- Risk: It's Time to "Get Smart"
- Remediation: It's Not "Mission Impossible"
- Dave's Spyware and Internet Explorer Answer: "Have a Freaking Clue" (exclusive interview with Tim Mullen from BlackHat 2004)
Copyright © 2005, WatchGuard Technologies, Inc. All rights
reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks
or registered trademarks of WatchGuard Technologies, Inc. in the United
States and other countries.