Security Improvements in Two Leading Web Browsers
Preface
Not long ago, we took a look at two major Internet browsers and tried to compare their security stance face-to-face. Internet Explorer 7 was in early beta back then; Firefox was not as sophisticated as it has become with the recent release of version 2.0. Although not much time has passed, in terms of software development one year means a lot. In the November edition of Security Insight we evaluate the security advances made by the duo in terms of providing a safer Internet experience.
Both browsers have also made major improvements in simplicity, usability and expandability, but we leave these aside here and list only the security achievements.
General thought
With the progression of the Internet and introduction of new fun ideas and platforms such as YouTube or Virtual Earth 3D—which are dependent upon a browser to retrieve remote content—coupled with increasing connection speeds and the blossoming of Internet-enabled services such as online banking, the need for a secure Internet browser has greatly increased. As browsers perform a two-way link between your computer and the Internet (for example, when you buy a book from Amazon, your account information is sent to the remote site for verification and you receive checkout information with your browser in return), it is important that the connection is secure and the browser, an intermediary between you and the Internet, is fully reliable.
Moreover, the danger of possible infestation with a Trojan horse or spyware just by innocently browsing the Internet and landing at the wrong website dictates that a modern browser is shielded from the risk of drive-by malware installation.
New security features in IE
Internet Explorer 7 has been touted as a revolutionary browser in security. Its predecessor had a history of security incidents and it’s no surprise that the creators of IE 7 have set out to significantly strengthen the browser security-wise. Without further ado, let’s get straight to the subject: the new security enhancements in IE.
Improved URL handling
In prior versions, URL parsing (processing of URLs referenced by an HTML page) was handled in multiple areas, causing conflicts and buffer overflow problems. These problems occur when a client’s web browser application attempts to process malformed URLs containing odd or excessive characters. The browser is then inundated with invalid entries and forced to execute malicious code implanted within the URL by unscrupulous site owners. In the new version of IE, the internal parsing code has been completely rewritten, and all parsing is performed by a single handler, so that the URL analyzer recognizes certain attack patterns and can accommodate the globalization of URLs, international character sets and domain names.
Simply put, the processing of URLs has been overhauled to safeguard users from the many buffer overflow-related exploits dogging previous versions of IE. This is of course an improvement that cannot be easily measured by a user with ordinary computer security skills. We have to trust Microsoft’s promise in that regard and see how strongly this implementation will work against nasty malware scourges we’ve seen in the past and expect in the future.
Cross-domain barriers
Due to flaws in the handling of cross-domain scripting in earlier versions of IE, malicious websites could interact with other windows on a PC, or access external content and substitute modified versions of it. That gave rise to hackers delivering the content of benign websites within the context of a maliciously created web page and thus fooling users into disclosing their personal details there. Exploiting the flaws also enabled attackers to intercept and thus control dialog boxes displayed by other windows and decrease the level of protection for other installed software.
Now that’s no longer possible with IE, which prevents scripts contained on one web page from leaving that page’s confines and ensures that script code belonging to one particular domain doesn’t initiate or interfere with content belonging to other domains. This also prevents the download or execution of malicious content through cross-domain scripting flaws.
International domain name (IDN) support & spoofing alert
IE 7 now supports international characters in domain names, so that people can register and access sites whose names/addresses are written in non-Latin characters such as “vinadelmar.cl”. IE now automatically converts such entries to the conventional ASCII character set, allowing people to create names in their native languages.
Hackers have long exploited the browsers’ inability to recognize an attempt to spoof a site’s name with an altered address, so that the name www.citigroup.com would become, for example, www.CITIGR0UP.com (letter “O” replaced by a zero), which is hardly detectable to the naked eye. Unwary folks could fall victim to such ploys and unintentionally turn over their private data to fraudsters who try to make the name and look of the fake site seem genuine.
With the arrival of IDN, the task for malicious site operators becomes even simpler as they can easily create a site mimicking a well-known organization and register its name with a slight difference, replacing portions of an address with characters borrowed from other alphabets (e.g., www.chase.com, where the letter “a” is replaced with a symbol taken from, for example, the Cyrillic character set). The net result is that the name would look exactly the same in writing, but will be interpreted by the browser totally differently.
To prevent this from occurring, IE senses when multiple character sets are contained within a single domain name label (such as www. agnitum.com), and alerts the user. It also displays a notification when a language not contained in the list of preferred languages for IE is entered in the address bar.
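The check described above, sketched as an added example (this is not Microsoft's code and not from the original article). It assumes that a character's script can be approximated by the first word of its Unicode name, and it models the "preferred languages" list as a hypothetical set of preferred scripts; the hostnames are constructed samples.

```python
import unicodedata

def char_script(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if not ch.isalpha():
        return "COMMON"  # digits and hyphens are shared by every script
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]  # "LATIN", "CYRILLIC", ...

def label_scripts(label):
    """Set of scripts used by the letters of one dot-separated label."""
    return {char_script(c) for c in label} - {"COMMON"}

def check_hostname(host, preferred=frozenset({"LATIN"})):
    """Return (ASCII form of the hostname, list of warnings).

    `preferred` is an assumption standing in for the browser's list of
    preferred languages; it is expressed here as script names.
    """
    warnings, ascii_labels = [], []
    for label in host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            # Several alphabets inside one label: the spoofing pattern.
            warnings.append(f"mixed scripts in {label!r}: {sorted(scripts)}")
        elif scripts - preferred:
            # A single script, but not one the user has listed as preferred.
            warnings.append(f"script not preferred in {label!r}: {sorted(scripts)}")
        # Conversion of the label to its ASCII (Punycode, "xn--") form.
        ascii_labels.append(label.encode("idna").decode("ascii"))
    return ".".join(ascii_labels), warnings

# Constructed samples: plain ASCII, a Cyrillic "а" (U+0430) inside a Latin
# label, and a label written entirely in Cyrillic.
SAMPLES = ["www.chase.com", "www.ch\u0430se.com", "\u043f\u0440\u0438\u043c\u0435\u0440.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        ascii_form, warns = check_hostname(host)
        print(f"{host!r} -> {ascii_form}  {warns or 'no warning'}")
```

The ASCII form makes the difference visible: the look-alike label is converted to an "xn--" name, while the genuine one is left unchanged.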

Optional ActiveX restrictions
A user will be prompted when previously unused types of ActiveX controls attempt to initialize in the web browser.

The use of ActiveX elements is dubious at best, as malware writers can create and host destructive ActiveX code on nefarious sites and trick users into executing it. It’s great that Microsoft made positive strides in curbing bogus ActiveX proliferation, but some experts believe this is not enough, arguing that ActiveX should be withdrawn altogether.
Another distressing point with ActiveX is that by default, IE 7 permits ActiveX controls and plug-ins to run on web pages, a setting that makes surfing quite a daunting experience as any site could execute these elements unrestrictedly.

Fix my settings
Provides an option to restore altered IE security settings back to their default recommended level. In case a user must decrease the security level to meet the temporary requirements of some sites that otherwise will not render properly, the browser gives a visible notification beside the address bar, offering to automatically revert modified settings to their safe configuration.
We had some problems with this feature, as we intentionally lowered security settings to the minimum level and surfed some underground websites under those settings — no alert followed. Only after we switched settings back to their default “medium” level were we warned of the lax security profile (see screenshot below). This could be attributed to the “response lag” and that will be fixed by MS sometime in the future.

Phishing filter
Microsoft has equipped its offspring with phishing protection that warns a user of a potentially fraudulent website when the program detects matching patterns in the website’s address. Microsoft maintains a database of known phishing sites it updates hourly with the assistance of its security partners, and feeds that information to IE so that the program can deter access to such sites. The phishing filter worked well in our case, barring access to roughly half of the phishing sites clicked.

Security Status Bar
A system of colored alerts that notify a user about security or privacy problems on a website. Notifications are displayed on the right of the address bar, providing easily accessible and advanced information about the security status of a visited web page.
This field can display various information depending on the situation: it could be security certificate data (a padlock icon appears that you can click on to obtain extended information), or, if the site has been recognized as fraudulent or suspicious, its color changes to red or yellow respectively.

Always visible Address Bar
Ensures a web page’s address is always displayed by the browser, whether the page is a pop-up window or a full-fledged Internet page. This information helps users understand the exact location and association properties of the page.

However, this process doesn’t always work: A pop-up page originating from a hackers’ website evaded the built-in popup-blocker:

Although part of the address is still visible, had the title been changed on the above picture, it would be next to impossible to discern the page’s exact location. IE has some room for improvement here.
Add-ons & add-ons disabled mode
IE provides an opportunity to install various add-ons and use them in the browser. Such small programs can enhance the browser’s functionality and provide additional usability improvements. Because such add-ons are small programs, they are not immune to flaws in the code, and potentially could harm the browser itself. To make the browser more resistant to possible add-on failures, the add-ons disabled mode has been introduced, which prevents IE from loading installed add-ons and instead runs it in “clean” isolated mode.
Clean browsing history
An option to instantly remove specific categories of browsing history, or the entire browsing history altogether. Useful when you need to hide details of a website you visited in the past, or just in case you want to remove all residual clutter.

Vista-specific features
In addition to “pure” program features, IE made some improvements designed to work in conjunction with the upcoming Windows Vista. Specifically, two more security fortifications will be available: IE restricted mode (to limit IE and file system interaction) and parental controls.
New security features in Mozilla Firefox
Firefox has recently been upgraded to v2.0 and although it didn’t receive many new security features, the program is generally believed to be more secure than IE. How good the REAL protection will be for the two renovated browsers only the future will show as they are put to real-life tests. Here we will merely enumerate new or improved Firefox security options.
Phishing protection
The anti-phishing protection incorporated into Firefox is almost the same as in IE. The working principle is similar: if the address matches the database of reported phishing sites, Firefox displays a warning and tries to steer a user away from the suspected web forgery page:

Unlike IE, the Firefox browser will display the content of the blocked web page in the background, in a tinted representation.
Automated update
Unlike IE, Firefox automatically updates to the latest version, reducing the time any discovered vulnerability stays unpatched. Firefox engineers deserve praise for that effort. Interestingly, Firefox can download not only full next-version updates, but also incremental updates of any of Firefox’s vulnerable components.
Running of external code & add-ons opt-in
Firefox installs add-ons and downloads files from the Internet with explicit user consent only. Anything the browser is trying to run will be accompanied by a prompt. Firefox doesn’t support ActiveX scripting, and is not vulnerable to ActiveX woes.
Instantly clear private data
IE copied Firefox’s earlier ability to quickly clean browsing history and other related content. Everything’s plain and simple in Firefox: you press a button and selected information is wiped, helping you make surfing more personal and private.

Open-source, collaborative code
Firefox is a free, open-source browser, which is updated by the Mozilla Foundation more often than IE is by Microsoft. Additionally, any person who desires to review, edit or improve the underlying code is welcome to do so. It’s been said that the open-source community has unlimited horizons for improvement thanks to the program’s open standards. All that speaks in favor of Firefox.
Conclusion
Microsoft has made a drastic move in improving its browser over the obsolete predecessor. The richness of new security features is very promising and should appeal to advanced users. But the main driving force behind the IE overhaul is to protect ordinary users from the upsurge in malware and fraudulent activity of hackers.
Firefox has been even more reinforced, and seems like an almost perfect browser from a security standpoint.
Only time and feedback will show how these contenders really perform in protecting users against Internet-borne risks, and it’s equally important to maintain other security precautions such as to never trust unknown sites or people on the Web, check files received with an updated anti-virus program and use a firewall to protect your surfing.
Posted in Security Insight

