In the previous episode we saw the features of Internet Explorer that help a
lot in day-to-day browsing. We saw how the pop-up blocker, Information Bar and
Add-on Manager reduce the pain of unwanted intrusion by third parties. Today
we will see some more features that have been implemented in Windows XP SP2.
These are not directly visible to the user, so we will refer to them as
internal features: the user might not notice the difference without paying
close attention.
|
The features that we will discuss today are:
|
File Downloading.
Publishers.
Zone Defense.
Outlook Express - Attachment Manager and HTML Content Blocking.
|
File Downloading
|
Another way of intruding on a user's computer without the user's knowledge was
through file downloads. When the user clicked on a link to download a file,
the site would redirect him to another site to begin the download and, before
the user could realize what had happened, the download would begin with
additional software that wasn't requested. This led to the installation of
spyware and other software that was harmful to the user's computer.
|
Windows XP SP2 changes this behaviour. The files that can be downloaded are of
different types and serve different purposes: for example, a game, a picture,
or even a program. For this reason, Internet Explorer has stepped up its
scrutiny of any file you begin to download, open, or save from the Web.
Internet Explorer checks whether the file is the type of file it says it is
and provides strong warnings if there are irregularities in how the file
describes itself or if there seems to be a potential for harm based on the
particular type of file. Internet Explorer also offers more concise
information to help you understand the implications of opening or saving a
file. Internet Explorer users will immediately notice several changes to the
dialog box when they download files. The following points describe what
Internet Explorer's security mechanism shows the user while a file is being
downloaded.
|
1. Internet Explorer displays the type of file that is being downloaded. In
Windows XP SP2, the user will also see the size of the file as well as its
type. Downloaded executable files are checked for publisher information. The
publisher check provides information that can be used to check whether the
files are from suspicious or unidentified publishers and provides a systematic
way to prevent executable files from compromising the security of the
computer.
|
2. Internet Explorer displays the source of the download so that the user can
know where the software comes from. A new security information area at the
bottom of the dialog box provides information depending on whether the
downloaded file is of higher or lower risk.
|
3. Internet Explorer offers guidance about the type of file that is being
downloaded. A new file handler icon displays the default application that will
be associated with the download.
|
4. If the user still isn't sure what to do with the downloaded file, Internet
Explorer provides the “How can I decide what software to run?” link to make a
more informed decision about what to do.
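
The file-type check described above can be illustrated with a short sketch. This is an added example, not Internet Explorer's own detection logic: the signature table, the extension and MIME maps, and the function names are simplified assumptions, and the sample inputs are constructed.

```python
import os

# Leading-byte signatures for a few formats (simplified, constructed table).
SIGNATURES = [
    (b"MZ", "executable"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
EXT_KIND = {".exe": "executable", ".dll": "executable", ".scr": "executable",
            ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png"}
MIME_KIND = {"application/x-msdownload": "executable", "image/jpeg": "jpeg",
             "image/gif": "gif", "image/png": "png"}

def sniff(data):
    """Return the kind implied by the leading bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None

def download_warnings(filename, content_type, data):
    """List the irregularities a download prompt should surface to the user."""
    actual = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    mime = content_type.split(";", 1)[0].strip().lower()
    warnings = []
    # The file "describes itself" twice: by its name and by its Content-Type.
    for label, claimed in (("extension", EXT_KIND.get(ext)),
                           ("mime", MIME_KIND.get(mime))):
        if claimed and claimed != actual:
            warnings.append(f"{label}-mismatch: claims {claimed}, "
                            f"content looks like {actual or 'something else'}")
    # Potential for harm based on the type itself, even when nothing is spoofed.
    if "executable" in (actual, EXT_KIND.get(ext)):
        warnings.append("high-risk: executable content")
    return warnings

# Constructed samples: (file name, Content-Type header, first bytes of the body).
SAMPLES = [
    ("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("holiday.jpg", "image/jpeg", b"MZ\x90\x00\x03\x00"),
    ("setup.exe", "application/x-msdownload", b"MZ\x90\x00\x03\x00"),
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        print(name, ctype, download_warnings(name, ctype, body))
```

The second sample is the case the dialog is meant to catch: a file named and served as a picture whose content is a program.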
|
Figure 1. Attachment dialog box enhanced
with additional details.
|
Publishers
|
Windows XP SP2 includes several enhancements for blocking downloads from
specific publishers. Some publishers will go to great lengths to have users
install their programs. Some users have been unable to get rid of repeated
prompts to install a program that they didn't want or didn't trust, and in
some cases the user even installed the program by mistake when trying to get
the prompts to go away.
|
Now, Internet Explorer helps you to avoid this situation. With a simple click
of the mouse, you have the option of automatically preventing certain programs
from being installed or run on your computer. This includes an option to block
all software from a specific publisher. Internet Explorer also provides the
facility to handle downloads from a specific publisher with the Add-on Manager.
|
As discussed in an earlier chapter, the Add-on Manager allows the user to
block certain ActiveX controls.
|
Stronger Zone Defense
|
As a security measure, Internet Explorer corrals all Web sites on the Internet
into a single zone (the Internet zone) and applies a certain level of security
protection which helps you to browse more securely. Internet Explorer will
prompt you before you download content that it identifies as potentially
unsafe.
|
Internet Explorer also specifies four other zones, including Trusted and
Restricted zones, to which you can assign Web sites that you trust completely,
such as Windows Update, or Web sites that arouse your suspicion. It also
assigns your hard disk to the Local Machine zone (although this zone is not
displayed in the settings for Internet Explorer).
|
When you open a Web page, Internet Explorer restricts the actions a page can
take based on the zone of the Web page (Internet, Restricted, and so on). For
example, Web pages that are located in the Internet zone might not be able to
perform some operations, such as accessing information from the local hard
drive.
|
In previous versions of Internet Explorer, your hard drive (or Local Machine
zone) was considered to be secure, and content in this zone was allowed to run
with relatively few security restrictions. However, attackers often tried to
take advantage of these low restrictions to compromise computers.
|
In Windows XP SP2 this changes. Internet Explorer applies strong security
settings to the Local Machine zone to help protect against some common types of
attacks, such as the running of a harmful download or a malicious script.
|
Local Machine Zone Lockdown
|
Prior to Windows XP Service Pack 2, the content on the local file system was
considered to be secure and was assigned to the Local Machine security zone.
This security zone normally allows content to run in Internet Explorer with
relatively few restrictions. However, attackers often try to take advantage of
the Local Machine zone to elevate privilege and compromise a computer.
|
Many of the exploits that involve the Local Machine zone will be mitigated by
other changes to Internet Explorer in Windows XP SP2. However, attackers may
still be able to figure out ways to exploit the Local Machine zone. Windows XP
SP2 further protects the user by locking down the Local Machine zone in
Internet Explorer by default. Local HTML hosted in other applications will run
under the less restrictive, previous default settings of the Local Machine zone
unless that application makes use of Local Machine Zone Lockdown.
|
With Windows XP Service Pack 2, Local Machine Zone Lockdown will be even more
restrictive than the Internet zone. Any time that content attempts one of these
actions, the Information Bar will appear in Internet Explorer with the
following text:
|
"To help protect your security, Internet Explorer has restricted this file from
showing active content that could access your computer. Click here for
options..."
|
The user can click the Information Bar to remove the lockdown from the
restricted content. This kind of security enables the user to know when an
interactive CD is trying to execute an ActiveX script.
|
Outlook Express - Attachment Manager
|
Another important area secured by SP2 is e-mail applications. Since downloads
also occur through e-mail attachments, it is important to provide the same
kind of secure environment that Internet Explorer provides for file downloads.
SP2 provides Outlook Express with the Attachment Manager.
|
Attachment Manager is a new set of application programming interfaces (APIs)
that is used to check e-mail attachments. The use of Attachment Manager allows
applications to eliminate custom code that performs similar safety checks and
instead rely on this centrally managed API set. In addition, Attachment Manager
provides a consistent user experience across all applications that check the
security of an attachment. When Outlook Express opens an e-mail that has an
attachment, it now calls Attachment Manager to determine whether the attachment
is safe. Based on the type of attachment, Outlook Express takes different
actions:
|
1. Safe attachments (for example a JPEG or GIF file) are completely available
to the user. Safe images are displayed, and safe attached plaintext files are
shown as available attachments.
|
2. Unsafe attachments (for example, binary executables) are blocked. The user
cannot open them at all but does see a notice of the blockage.
|
3. Suspicious attachments trigger a warning prompt when the user attempts to
drag, save, open, or print the file. If the user accepts the option to drag,
save, open, or print the file, the file is handled in a way that is guaranteed
to trigger any active antivirus program.
|
Windows Messenger uses similar logic and identical dialogs for handling file
attachments. A major difference between Outlook Express and Windows Messenger
is that e-mail attachments are normally downloaded without any intervention by
the user. The instant messaging attachments normally require the recipient's
permission before they can be received.
|
HTML Content blocking in Outlook Express
|
Businesses and individuals that use spam as a marketing technique typically
include external content (such as references to images that reside on their Web
servers) inside the HTML e-mail message. When the user opens the e-mail that
contains the image, previous versions of Outlook Express would automatically
contact the Web server to download and display the images. This process would
allow the Web server to record a “hit” that would be used to identify the
recipient. Specifically, this verified that a spam e-mail message was received
by a recipient in the spam originator's mailing list. With SP2, the “Don't
Download External HTML Content” feature of Outlook Express allows the user to
do the following:
|
Block external images and other external content in Outlook Express when
viewing e-mail in HTML mode. This download behavior is configurable and is
enabled by default when you install Windows XP Service Pack 2. When the option
is active, the blocked external content for an e-mail message can be loaded
with a single click. The feature preserves the user's privacy and prevents
future attacks.
|
Minimize the likelihood that downloaded e-mail with external Internet content
will automatically attempt to start a dial-up connection when read offline.
Prior to implementing this feature, if a user downloaded e-mail messages and
then disconnected from the Internet, and if the user subsequently attempted to
view an HTML message that included pictures or other external Internet content,
the user's modem would automatically attempt to dial out to download the
external content.
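
The blocking behaviour described above can be sketched as a small HTML rewriter. This is an added example, not Outlook Express code: the `data-blocked-` attribute prefix, the list of auto-fetched attributes and the sample message are assumptions made for illustration, and `spam.example` is a placeholder host.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a renderer fetches while displaying the message (no click needed).
AUTO_FETCH = {"src", "background", "data", "poster"}

def is_remote(url):
    # cid: and data: content travels inside the message; //host/x is scheme-relative.
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in ("http", "https", "ftp") or (
        not parts.scheme and bool(parts.netloc))

class ExternalContentBlocker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through as written
        self.out, self.blocked = [], []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            auto = name in AUTO_FETCH or (tag == "link" and name == "href")
            if auto and value and is_remote(value):
                self.blocked.append((tag, value))
                name = "data-blocked-" + name  # hypothetical marker; URL kept for restore
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img/> is re-emitted as <img>

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def block_external(html_body):
    # Comments and doctype declarations are dropped from the output.
    parser = ExternalContentBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed message body; the id= parameter stands for a per-recipient token.
SAMPLE = ('<p>Hello &amp; welcome</p><img src="http://spam.example/open.gif?id=12345" width="1">'
          '<img src="cid:logo@local"><a href="http://spam.example/offer">offer</a>')
```

Calling `block_external(SAMPLE)` disables only the remote image: the embedded `cid:` image still displays, and the link stays intact because it contacts the server only when clicked.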
|
As an additional measure, when the user sets Outlook Express to read all
messages in plaintext, Outlook Express uses the rich edit control instead of
the HTML browser control (mshtml) from Internet Explorer. This choice offers a
reduced surface to attackers.
|
We covered a lot today and saw how Service Pack 2 safeguards the operating
system internally from external threats. We also saw how Outlook Express
gained security for attachments and HTML rendering. In the next section we
will see how the networking environment has been enhanced with Service Pack 2
to safeguard against the hostile perils of the network, whether internal or
external.
|
To be continued...
|