Improvements Previously Introduced in Internet Explorer 7 CHAPTER 20
903
HOW IT WORKS
Buffer Overflow Attacks
A buffer overflow (also known as a buffer overrun) occurs when an application attempts to store more data in a buffer than the buffer can hold, and memory not allocated to the buffer is overwritten. A particularly crafty attacker can supply data that redirects execution to the attacker's own code, which then runs with the application's privileges.
One of the most common types of buffer overflow is the stack-based buffer overflow (often loosely called a stack overflow, although that term also describes simply exhausting the stack). To understand how this attack is used, you must first understand how applications normally store variables and other information on the stack. Figure 20-11 shows a simplified example of how a C console application might store the contents of a variable on the stack. In this example, the string "Hello" is passed to the application and is stored in the variable argv[1]. In the context of a Web browser, the input would be a URL instead of the word "Hello."
C:\test Hello

    #include <string.h>

    void sub(const char* input);

    int main(int argc, char* argv[])
    {
        if (argc < 2)          /* the figure assumes one argument is supplied */
            return 1;
        sub(argv[1]);
        return 0;
    }

    void sub(const char* input)
    {
        char buf[10];
        strcpy(buf, input);    /* unchecked copy into a 10-byte buffer */
    }

[Figure 20-11 (diagram): the stack after sub() is entered. From the top: the main() return address (0x00420331), then the variable input, then the 10-byte buf, both holding "Hello". Arrows mark the three steps: populate return address, populate input, populate buf.]
FIGURE 20-11 A simple illustration of normal stack operations
Notice that the first command-line parameter passed to the application is ultimately copied into a 10-character array named buf. While the program runs, it stores information temporarily on the stack, including the return address at which processing should continue after the subroutine has completed, and the parameter that is passed to the subroutine. The application works fine when fewer than 10 characters are passed to it, because strcpy also needs one byte for the terminating null. Passing 10 or more characters writes past the end of buf and results in a buffer overflow.
CHAPTER 20 Managing Windows Internet Explorer
904
Figure 20-12 shows the same application being deliberately attacked with input longer than 10 characters. When the line strcpy(buf, input); runs, the application attempts to store the string "hello-aaaaaaaa0066ACB1" into the 10-character array named buf. Because the input is too long, it overwrites other information on the stack, including the stored address that the program will use to return control to main(). When the subroutine finishes, the processor pops the return address from the stack and continues execution there. Because the address has been modified, execution begins at memory address 0x0066ACB1, where the attacker has presumably placed malicious code. That code runs with the same privileges as the original application; as far as the operating system is concerned, the application itself jumped there.
The figure writes the address as readable hex for clarity; a real payload supplies the raw bytes of the address in the processor's byte order. Modern mitigations such as stack cookies, Data Execution Prevention, and address space layout randomization make this textbook form of the attack much harder, but the underlying defect, an unchecked copy into a fixed-size buffer, is unchanged.
C:\test hello-aaaaaaaa0066ACB1

The program is the same one shown in Figure 20-11; only the input differs.

[Figure 20-12 (diagram): the same stack frame after strcpy() with the long input. "Hello-aaaa" fills buf, the following "aaaaa" spills over the variable input, and 0x0066ACB1 overwrites the main() return address. Label: overflow buf, overwrite input, and return address.]
FIGURE 20-12 A simplified buffer overflow attack that redirects execution
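The two figures above, worked through in code as an added example (this is not code from the Resource Kit). The model assumes the simplified layout the figures show: buf[10] followed immediately by a 4-byte little-endian return address, with no saved frame pointer between them as there would be on a real x86 frame. The copy is simulated inside a byte array so the demonstration has defined behaviour instead of corrupting the real stack; the address 0x0066ACB1, the legitimate return address 0x00420331 and the "hello-aaaa" filler are the figures' values. checked_copy is the hardened form of sub() that a reviewer would ask for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the frame in Figures 20-11 and 20-12 (assumed layout): buf[10]
 * directly followed by the 4-byte saved return address. */
#define BUF_LEN 10
#define RET_LEN 4
#define FRAME_LEN (BUF_LEN + RET_LEN)

struct frame {
    unsigned char bytes[FRAME_LEN];
};

static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v);
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

static uint32_t get_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Frame as it looks when sub() is entered: buf untouched, return address
 * pointing back into main() (0x00420331, the value used in Figure 20-11). */
static void fresh_frame(struct frame *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    put_le32(f->bytes + BUF_LEN, 0x00420331u);
}

/* What strcpy(buf, input) does to the frame: copies every byte of input plus
 * the terminating NUL with no knowledge of BUF_LEN. Clamped to the frame only
 * so that the simulation itself stays in bounds. Returns how many bytes
 * spilled past the end of buf. */
static size_t unchecked_copy(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes, input, n);
    return n > BUF_LEN ? n - BUF_LEN : 0;
}

/* Saved return address currently in the frame, as the CPU would read it. */
static uint32_t saved_return(const struct frame *f) {
    return get_le32(f->bytes + BUF_LEN);
}

/* The hardened sub(): the copy is bounded by the destination size, and input
 * that does not fit (terminator included) is rejected rather than silently
 * truncated, so a caller is never handed a cut-off URL either. */
static int checked_copy(char *dst, size_t dst_len, const char *input) {
    size_t n = strlen(input);
    if (n + 1 > dst_len) return -1;
    memcpy(dst, input, n + 1);
    return 0;
}

/* Figure 20-11: "Hello" fits, the return address survives. */
uint32_t demo_normal(void) {
    struct frame f;
    fresh_frame(&f);
    unchecked_copy(&f, "Hello");
    return saved_return(&f);
}

/* Figure 20-12: ten filler bytes fill buf, the next bytes land in the return
 * address slot. The figure writes the address as readable hex; the real
 * payload carries the raw little-endian bytes of 0x0066ACB1. Its high byte,
 * 0x00, is written by strcpy's own terminator, which is the only reason an
 * address containing a zero byte can be delivered through a C-string copy. */
uint32_t demo_attack(void) {
    struct frame f;
    fresh_frame(&f);
    unchecked_copy(&f, "hello-aaaa" "\xB1\xAC\x66");
    return saved_return(&f);
}

/* Copies input into a real 10-byte buffer with the hardened copy. */
int demo_fits(const char *input) {
    char buf[BUF_LEN];
    return checked_copy(buf, sizeof buf, input);
}

/* The same payload against the hardened copy: rejected, nothing written. */
int demo_hardened(void) {
    return demo_fits("hello-aaaa" "\xB1\xAC\x66");
}

int main(void) {
    printf("normal  : return address 0x%08X\n", demo_normal());
    printf("attack  : return address 0x%08X\n", demo_attack());
    printf("hardened: checked_copy returned %d\n", demo_hardened());
    return 0;
}
```

The rejection in checked_copy is deliberate: strncpy-style truncation would keep the stack intact but hand the rest of the program a silently shortened string, which in a browser means a URL other than the one the user typed.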
Address Bar Visibility
Attackers commonly rely on misleading users into thinking they are looking at information
from a known and trusted source. One way attackers have done this in the past is to hide the
true URL information and domain name from users by providing specially crafted URLs that
appear to be from different Web sites.
To help limit this type of attack, all Internet Explorer 7 and later browser windows now
require an address bar. Attackers often have abused valid pop-up window actions to display
windows with misleading graphics and data as a way to convince users to download or install
their malware. Requiring an address bar in each window ensures that users always know more
about the true source of the information they are seeing.
Cross-Domain Scripting Attack Protection
Cross-domain scripting attacks involve a script from one Internet domain manipulating con-
tent from another domain. For example, a user might visit a malicious page that opens a new
window containing a legitimate page (such as a banking Web site) and prompts the user to
enter account information, which is then extracted by the attacker.
Internet Explorer 7 helps to deter this malicious behavior by appending the domain name
from which each script originates and by limiting that script’s ability to interact only with
windows and content from that same domain. These cross-domain scripting barriers help
ensure that user information remains in the hands of only those to whom the user intention-
ally provides it. This new control will further protect against malware by limiting the potential
for a malicious Web site to manipulate flaws in other Web sites and initiate the download of
some undesired content to a user’s computer.
Controlling Browser Add-ons
Browser add-ons can add important capabilities to Web browsers. Unreliable add-ons can
also reduce browser stability, however. Even worse, malicious add-ons can compromise pri-
vate information. Internet Explorer 7 provides several enhancements to give you control over
the add-ons run by your users. The sections that follow describe these enhancements.
INTERNET EXPLORER ADD-ONS DISABLED MODE
Internet Explorer 7 includes the No Add-ons mode, which allows Internet Explorer to run
temporarily without any toolbars, ActiveX controls, or other add-ons. Functionality in this
mode reproduces that of manually disabling all add-ons in the Add-on Manager, and it is
very useful if you are troubleshooting a problem that might be related to an add-on.
To disable add-ons using the Add-ons Disabled mode, follow these steps:
1. Open the Start menu and point to All Programs.
2. Point to Accessories, click System Tools, and then click Internet Explorer (No Add-ons).
3. Note the Information bar display in your browser indicating that add-ons are disabled,
as shown in Figure 20-13.
FIGURE 20-13 You can disable add-ons to troubleshoot Internet Explorer problems.
Running Internet Explorer from the standard Start menu shortcut will return the function-
ality to its prior state.
ADD-ON MANAGER IMPROVEMENTS
The Add-on Manager provides a simple interface that lists installed add-ons, add-ons that are
loaded when Internet Explorer starts, and all add-ons that Internet Explorer has ever used. By
reviewing these lists, you can determine which add-ons are enabled or disabled and disable
or enable each item by simply clicking the corresponding item.
To disable specific add-ons, follow these steps:
1. In your browser, open the Tools menu, select Manage Add-ons, and then click Enable
Or Disable Add-ons.
2. Click the Show list and select the set of add-ons that you want to manage.
3. Select the add-on that you want to disable, as shown in Figure 20-14, and then click
Disable.
4. Click OK to close the Manage Add-ons dialog box.
In troubleshooting scenarios, disable add-ons one by one until the problem stops occurring.
CONTROLLING ADD-ONS USING GROUP POLICY
As with earlier versions of Internet Explorer, you can use the Group Policy settings in
User Configuration\Administrative Templates\Windows Components\Internet Explorer
\Security Features\Add-on Management to enable or disable specific add-ons throughout
your organization.
FIGURE 20-14 The Manage Add-ons dialog box makes it easy to disable problematic add-ons.
Protecting Against Data Theft
Most users are unaware of how much personal, traceable data is available with every click
of the mouse while they browse the Web. The extent of this information continues to grow
as browser developers and Web site operators evolve their technologies to enable more
powerful and convenient user features. Similarly, most online users are likely to have trouble
discerning a valid Web site from a fake or malicious copy. As described in the following sec-
tions, Internet Explorer provides several features to help give users the information they need
to determine whether a site is legitimate.
Security Status Bar
Although many users have become quite familiar with Secure Sockets Layer (SSL) and its as-
sociated security benefits, a large proportion of Internet users remain overly trusting that any
Web site asking for their confidential information is protected. Internet Explorer 7 addresses
this issue by providing clear and prominent visual cues to the safety and trustworthiness of a
Web site.
Previous versions of Internet Explorer place a gold padlock icon in the lower-right corner
of the browser window to designate the trust and security level of the connected Web site.
Given the importance and inherent trust value associated with the gold padlock, Internet
Explorer 7 and later versions display a Security Status bar at the top of the browser window to
highlight such warnings. By clicking this lock, users can quickly view the Web site identifica-
tion information, as shown in Figure 20-15.
FIGURE 20-15 The gold lock that signifies the use of SSL is now more prominent.
In addition, Internet Explorer displays a warning page before displaying a site with an
invalid certificate, as shown in Figure 20-16.
FIGURE 20-16 Internet Explorer warns users about invalid certificates.
Finally, if a user continues on to visit a site with an invalid certificate, the address bar,
shown in Figure 20-17, now appears on a red background.
FIGURE 20-17 The red background leaves no doubt that the site’s SSL certificate has a problem.
Phishing
Phishing—a technique used by many malicious Web site operators to gather personal infor-
mation—is the practice of masquerading online as a legitimate business to acquire private
information, such as social security numbers or credit card numbers. These fake Web sites,
designed to look like the legitimate sites, are referred to as spoofed Web sites. The number
of phishing Web sites is constantly growing, and the Anti-Phishing Working Group received
reports of more than 10,000 different phishing sites in August 2006 that were attempting to
hijack 148 different Web sites.
note For more information about the Anti-Phishing Working Group, visit
http://www.antiphishing.org/.
Unlike direct attacks, in which attackers break into a system to obtain account information,
a phishing attack does not require technical sophistication but instead relies on users will-
ingly divulging information, such as financial account passwords or social security numbers.
These socially engineered attacks are among the most difficult to defend against because
they require user education and understanding rather than merely issuing an update for an
application. Even experienced professionals can be fooled by the quality and details of some
phishing Web sites as attackers become more experienced and learn to react more quickly to
avoid detection.
HOW THE SMARTSCREEN FILTER WORKS
Phishing and other malicious activities thrive on lack of communication and limited sharing
of information. To effectively provide anti-phishing warning systems and protection, the new
SmartScreen filter in Internet Explorer 8 consolidates the latest industry information about
the ever-growing number of fraudulent Web sites spawned every day in an online service that
is updated several times an hour. SmartScreen feeds this information back to warn and help
protect Internet Explorer 8 customers proactively.
SmartScreen is designed around the principle that an effective early-warning system must
ensure that information is derived dynamically and updated frequently. This system combines
client-side scanning for suspicious Web site characteristics with an opt-in Phishing Filter that
uses three checks to help protect users from phishing:
- Compares addresses of Web sites a user attempts to visit with a list of reported legitimate sites stored on the user's computer
- Analyzes sites that users want to visit by checking those sites for characteristics common to phishing sites
- Sends Web site addresses to a Microsoft online service for comparison to a frequently updated list of reported phishing sites
The service checks a requested URL against a list of known, trusted Web sites. If a Web site is
a suspected phishing site, Internet Explorer 8 displays a yellow button labeled Suspicious Web-
site in the address bar. The user can then click the button to view a more detailed warning.
If a Web site is a known phishing site, Internet Explorer 8 displays a warning with a red
status bar. If the user chooses to ignore the warnings and continue to the Web site, the status
bar remains red and prominently displays the Phishing Website message in the address bar, as
shown in Figure 20-18.
FIGURE 20-18 Internet Explorer can detect phishing Web sites and warn users before they visit them.
Internet Explorer first checks a Web site against a legitimate list (also known as an allow
list) of sites stored on your local computer. This legitimate list is generated by Microsoft based
on Web sites that have been reported as legitimate. If the Web site is on the legitimate list,
the Web site is considered safe, and no further checking is done. If the site is not on the
legitimate list or if the site appears suspicious based on heuristics, Internet Explorer can use
two techniques to determine whether a Web site might be a phishing Web site:
- Local analysis: Internet Explorer examines the Web page for patterns and phrases that indicate it might be a malicious site. Local analysis provides some level of protection against new phishing sites that are not yet listed in the online list. Additionally, local analysis can help protect users who have disabled online lookup.
- Online lookup: Internet Explorer sends the URL to Microsoft, where it is checked against a list of known phishing sites. This list is updated regularly.
When you use SmartScreen to check Web sites automatically or manually (by selecting
SmartScreen Filter from the Tools menu and then clicking Check This Website), the address of
the Web site you are visiting is sent to Microsoft (specifically, to https://urs.microsoft.com, us-
ing TCP port 443), together with some standard information from your computer such as IP
address, browser type, and SmartScreen version number. To help protect your privacy, the
information sent to Microsoft is encrypted using SSL and is limited to the domain and path
of the Web site. Other information that might be associated with the address, such as search
terms, data you enter in forms, or cookies, will not be sent.
note Looking up a Web site in the online Phishing Filter can require transferring 8 KB
of data or more. Most of the 8 KB is required to set up the encrypted HTTPS connection.
The Phishing Filter will send a request only once for each domain you visit within a specific
period of time. However, a single Web page can have objects stored in multiple servers,
resulting in multiple requests. Requests for different Web pages require separate HTTPS
sessions.
For example, if you visit the Bing search Web site at http://www.bing.com and enter
MySecret as the search term, instead of sending the full address http://www.bing.com
/search?q=MySecret&FORM=QBLH, SmartScreen removes the search term and only sends
http://www.bing.com/search. Address strings might unintentionally contain personal informa-
tion, but this information is not used to identify you or contact you. If users are concerned
that an address string might contain personal or confidential information, users should not
report the site. For more information, read the Internet Explorer 8 privacy statement at
http://www.microsoft.com/windows/internet-explorer/privacy.aspx.
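The reduction described above (keep the domain and path, drop the search term), as an added example that is not Microsoft's code. It cuts the URL at the first '?' or '#', so both query string and fragment are dropped, and additionally drops any user:password@ credentials in the authority, which goes beyond what the text states about SmartScreen and is an assumption about what a careful client should do. Output is bounded and a URL that does not fit is refused rather than truncated. The bank.example and example.test URLs are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Appends n bytes of src to out, refusing (rather than truncating) when the
 * result plus its terminator would not fit. */
static int append(char *out, size_t out_len, size_t *used,
                  const char *src, size_t n) {
    if (*used + n + 1 > out_len) return -1;
    memcpy(out + *used, src, n);
    *used += n;
    out[*used] = '\0';
    return 0;
}

/* Reduces url to scheme, host and path. The query string and fragment are
 * dropped, as the text describes for SmartScreen; any user:password@ part of
 * the authority is dropped as well (an addition of this example, the page does
 * not say whether SmartScreen does this). Returns -1, leaving out empty, if
 * the reduced URL does not fit in out. */
int strip_for_lookup(const char *url, char *out, size_t out_len) {
    size_t used = 0;
    size_t end = strcspn(url, "?#");          /* first '?' or '#' ends what we keep */
    const char *p = url;
    const char *auth = strstr(url, "://");

    if (out_len == 0) return -1;
    out[0] = '\0';
    if (auth && (size_t)(auth - url) < end) {
        auth += 3;                             /* start of the authority part */
        size_t alen = strcspn(auth, "/?#");    /* authority ends at path, query or fragment */
        const char *at = memchr(auth, '@', alen);
        if (at) {
            /* keep "scheme://", skip the credentials */
            if (append(out, out_len, &used, url, (size_t)(auth - url)) < 0) return -1;
            p = at + 1;
        }
    }
    return append(out, out_len, &used, p, end - (size_t)(p - url));
}

/* Convenience wrapper: returns the reduced URL, or NULL if it did not fit. */
const char *demo_strip(const char *url) {
    static char out[256];
    return strip_for_lookup(url, out, sizeof out) == 0 ? out : NULL;
}

/* Shows the refusal path: the reduced form is never longer than the input,
 * so a destination sized for the input always suffices, but a smaller one
 * gets -1 and an empty string, never a cut-off URL. */
int demo_too_small(void) {
    char tiny[8];
    return strip_for_lookup("http://www.bing.com/search?q=MySecret", tiny, sizeof tiny);
}

int main(void) {
    const char *samples[] = {
        "http://www.bing.com/search?q=MySecret&FORM=QBLH",       /* the example from the text */
        "https://alice:s3cret@bank.example/login?next=/acct#top", /* constructed */
        "http://example.test/page#section",                       /* constructed */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s\n  -> %s\n", samples[i], demo_strip(samples[i]));
    return 0;
}
```

Note what this does not solve: a path such as /reset/TOKEN123 still reaches the lookup service, which is exactly the case the text warns about when it says address strings might unintentionally contain personal information.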
DIRECT FROM THE SOURCE
Real-Time Checking for Phishing Sites
Rob Franco, Lead Program Manager
Federated Identity Group
Readers asked why we decided to use real-time lookups against the anti-phishing
server as opposed to an intermittent download list of sites in the way that an
antispyware product might. We included real-time checking for phishing sites be-
cause it offers better protection than using only static lists and avoids overloading
networks.
SmartScreen does have an intermittently downloaded list of “known-safe” sites,
but we know phishing attacks can strike quickly and move to new addresses, often
within a 24- to 48-hour time period, which is faster than we can practically push out
updates to a list of “known-phishing” sites. Even if SmartScreen downloaded a list
of phishing sites 24 times a day, you might not be protected against a confirmed,
known phishing site for an hour at a time, at any time of day.
Because SmartScreen checks unknown sites in real time, you always have the latest
intelligence. Requiring users to constantly download a local list can also cause net-
work scale problems. We think the number of computers that can be used to launch
phishing attacks is much higher than the number of spyware signatures that users
deal with today. In a scenario in which phishing threats move rapidly, downloading
a list of newly reported phishing sites every hour could significantly clog Internet
traffic.
Anonymous statistics about your usage will also be sent to Microsoft, such as the time
and total number of Web sites browsed since an address was sent to Microsoft for analysis.
This information, along with the information described earlier, will be used to analyze the
performance and improve the quality of the SmartScreen service. Microsoft will not use the
information it receives to personally identify you. Some URLs that are sent may be saved to
be included in the legitimate list and then provided as client updates. When saving this infor-
mation, additional information—including the SmartScreen and operating system version and
your browser language—will be saved.
Although the online list of phishing sites is regularly updated, users might find a phishing
site that is not yet on the list. Users can help Microsoft identify a potentially malicious site by
reporting it. Within Internet Explorer 8, select SmartScreen Filter from the Tools menu and
then click Report Unsafe Website. Users are then taken to a simple form they can submit to
inform Microsoft of the site.
HOW TO CONFIGURE SMARTSCREEN OPTIONS
To enable or disable SmartScreen, follow these steps:
1. In your browser, open the Tools menu and select Internet Options.
2. In the Internet Options dialog box, click the Advanced tab, scroll down to the Security
group in the Settings list, and then select or clear the Enable SmartScreen Filter check
box.
You can use the following Group Policy settings to control whether users can turn the SmartScreen filter on or off themselves:
- Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Turn Off Managing SmartScreen Filter
- User Configuration\Administrative Templates\Windows Components\Internet Explorer\Turn Off Managing SmartScreen Filter
If you enable either setting, you choose whether SmartScreen is on or off for the users it applies to, and they can no longer change it in Internet Options. Additionally, in the same group, you can enable the Prevent Bypassing SmartScreen Filter Warnings policy so that users cannot click through a SmartScreen warning to a reported site.
DIRECT FROM THE SOURCE
Anti-Phishing Accuracy Study
Tony Chor, Group Program Manager
Internet Explorer Product Team
As we worked on the new Phishing Filter in Internet Explorer 7, we knew the key
measure would be how effective it is in protecting customers. In addition to
our internal tests, we wanted to find some external measure of our progress to date
as well as point to ways we could improve. We didn’t know of a publicly available
study covering the area, only some internal and media product reviews.