Protect Internet Explorer without SP2 — part two

Protect IE without SP2 — part two

By Brian Livingston

Microsoft’s recent release of Service Pack 2 (SP2) for Windows XP protects XP users against a variety of hacker attacks, particularly ones that affect Internet Explorer. SP2 prevents IE users from being subjected to pop-up windows and silent downloads of software from rogue Web sites, among other threats.

But what about people who run versions of Windows other than XP?

In the previous issue

Switching browsers can prevent some but not all problems

The serious security problems that lie buried deep within Internet Explorer are becoming more widely known. But most Windows users still do not understand the depth of the danger.

The respected security firm Secunia reports in its current advisory on IE 6 that 18 separate security holes — some of them rated “extremely critical” — remain unpatched by Microsoft.

An additional 71 issues with IE that Secunia has published alerts about do have patches available now. But security experts widely feel that additional holes will continue to be found. These flaws can be and sometimes have been exploited by hackers before “good guy” researchers find the weaknesses and describe them privately to Microsoft, which then begins developing a patch.

One security company, Finjan Software, even reports that it’s already found 10 new security flaws in XP SP2 alone. The nature of the claimed flaws, however, has not been publicly revealed, and other observers (including Microsoft) respond that Finjan is using the claims to help sell its security software.

All of this hubbub has led millions of former IE users to stop browsing the Web with Microsoft’s product. Instead, the new browser of choice is Mozilla Firefox, a free program for Windows and other operating systems, which released its 1.0 gold version last week after a long period of beta testing.

More than 1 million people per day were downloading the new release when it was first posted, according to the nonprofit Mozilla Foundation, which develops the software. But the pace has now slowed, making it a good time for you to join the fun, if you haven’t already. We’ll have a full review of Firefox 1.0 in an upcoming issue of the Windows Secrets Newsletter.

Beta versions of Firefox had their share of security weaknesses, as do most new software programs during their development stage. But Secunia, which documented 17 temporary security flaws in those beta versions, reports that none of the issues remain open in Firefox 1.0.

In many cases, unfortunately, you may find that you have to run Internet Explorer. Perhaps you’re subject to a company policy or certain sites that you depend on have foolishly made their Web technology work only in IE.

Merely shunning Internet Explorer and using Firefox instead when browsing the Web, in addition, doesn’t correct the security holes in Windows. Because Microsoft long ago integrated IE into the guts of the operating system, the flawed components are still present and can be taken advantage of by rogue Web sites, even if you never open an IE window.

That’s why you need to keep current with Microsoft’s latest patches — using Windows Update and Office Update for individual users or patch-management software for multiple PCs — and take the steps described below. This article covers three alternatives: one foolish suggestion, one serious alternative that costs a few dollars, and a third alternative that’s free.

What Microsoft suggests, which is absurd

On its Web site and in its publicity materials, the Microsoft Corp. recommends that Windows users change the security settings of the so-called Internet Zone in Internet Explorer to “High.” (To do this in IE, click Tools, Internet Options. Select the Security tab, then click the Custom Level button. In the “Reset To” box, select High, then click the Reset button and click OK to close all dialog boxes.)

Setting the Internet Zone to High affects all sites you visit using IE that you haven’t manually specified as belonging to a different “zone.” Switching to High imposes on the sites you visit all of the same restrictions as IE’s Restricted Sites Zone, which disables numerous features of the Web.

One problem with this advice is that many Web sites won’t work well (or display anything at all) when the Internet Zone is set to High. In a crowning irony, Microsoft’s own Windows Update site won’t download security updates under this setting.

In addition, several Web sites now instruct visitors to turn on dangerous Web features, such as “active scripting.” Sites that currently exhort users to turn on certain features in the Internet Zone include Investor’s Business Daily and NASA.gov.

These sites almost certainly aren’t doing anything that would hurt visitors. But they shouldn’t be telling their users to lower the security of all sites in their Internet Zone. Instead, they should tell visitors to add the sites to IE’s Trusted Sites Zone. In that way, sites such as theirs that use nonsecure Microsoft technologies, such as ActiveX, would continue to work in visitors’ browser windows without exposing those users to risks at other sites. (More details on the Trusted Sites Zone is given later in this article.)

The worst aspect of Microsoft’s advice to set IE’s Internet Zone to High is that this does nothing to close one of today’s worst security holes. That hole is Windows’ so-called Local Machine Zone.

The Local Machine Zone consists of Web content that more or less includes any HTML or other file found on a local hard drive. Almost any action that a logged-on user can take on a PC can also be performed by whatever script or Trojan horse a hacker can succeed in planting.

There are a seemingly unlimited number of ways that hacked Web sites and infected e-mail attachments can get access to the Local Machine Zone. This breach of security is often one of the first steps that a hacker takes to compromise other local resources and turn a PC into a “zombie,” controlled by the hacker from a remote location.

In the next section of this article, I’ll explain two ways to secure your Local Machine Zone, protecting your PC from attack. But let’s first look at why Microsoft isn’t protecting this zone by giving out updates for all Windows versions.

Microsoft officials have stated that the security improvements in Service Pack 2 for XP will not be made available for download to users of older versions of the operating system, such as Windows 2000 and Me.

This decision is inexplicable, since many of the security fixes could easily be re-packaged for users of these Windows versions, who arguably comprise more than half of all Windows users.

By withholding these fixes, Microsoft has aligned its interests with those of the worst “black-hat” hackers. The Redmond corporation is using people’s legitimate fears of infection as a blunt instrument — a Billy club — to sell more copies of its Windows XP software. This is truly despicable and unethical business behavior.

Protecting the Local Machine Zone

There are two primary ways to protect the Local Machine Zone, giving it stronger security settings that block silent access by hacker scripts.

The commercial software route
One method requires the purchase of a commercial software program, one version of which is currently available for $34.95. The other method is free but requires a tweak in the Windows Registry and a manual change in Internet Explorer’s settings.

One of the leading contenders to “lock down” the Local Machine Zone, both for home PC users as well as enterprise IT administrators, is QwikFix-Pro, a piece of software developed by PivX Inc.

Despite the quirky-sounding name, QwikFix-Pro is a serious program that corrects several dangerous weaknesses in Windows. This includes disabling dangerous URL protocols, Local System Account (LSA) anonymous settings, and the Windows Messenger Service (not instant messaging), according to the company’s PDF white paper.

Qwik-Fix Pro Home Edition can be downloaded for a free 30-day trial, after which the price is $34.95. Corporate versions are available for $500 per server or less in volume.

Protecting the Local Machine Zone manually
If you can’t or don’t want to use commercial software to tighten the security of the Local Machine Zone, you should at least lock it down manually, which costs nothing.

Although the Local Machine Zone is a security zone used by Internet Explorer, by default it is hidden from users. That means when you click Tools, Internet Options in IE and select the Security tab (as described earlier), the Local Machine Zone doesn’t show up as one of the zones you can configure.

Microsoft documents in its online Knowledge Base a Registry setting that makes the Local Machine Zone visible. This doesn’t affect its security, it simply makes it possible for you to alter the security settings of the zone.

Before altering the Registry, first make sure you back it up and know how to restore it if you make a mistake.

Then click Start, Run, type regedit and click OK. In the HKEY_CURRENT_USER folder, find the following Registry key:

SOFTWARE Microsoft Windows CurrentVersion Internet Settings Zones 0

In that key, the Flags value, which is a DWORD, controls whether or not the Local Machine Zone is visible in IE’s Security tab. Set the data value to 47 (in hexadecimal) to display the zone or 21 (in hexadecimal) to hide it.

Microsoft’s description of this procedure is in KB article 315933.

After you’ve made the change, you can then apply to the Local Machine Zone the same security settings that are recommended below for the Internet Zone. Be aware that this doesn’t give you the multiple protections provided by QwikFix-Pro and similar security software.

Protecting the Internet Zone

Many security experts recommend that you configure IE’s Internet Zone so dangerous technologies are not allowed to run. These recommendations don’t go as far as setting the zone to “High” but protect you against most security breaches that a hacked Web site could expose you to.

Many programs other than IE, such as Microsoft Outlook and Outlook Express, use IE’s rendering engine to write to the screen, etc. Changing the security settings of the Internet Zone also strengthens these applications, making it safer for you to read e-mail and use these programs in other ways. One set of recommendations is provided by InfiniSource, a Web resource center.

To make your Internet Zone more secure, pull down the Tools menu in IE, then click Internet Options and select the Security tab. (You can also access Internet Options as an applet in the Control Panel.) Select the Internet Zone, then click the Custom Level button. In the dialog box that appears, change the following settings to the values shown:

• ActiveX controls and plug-ins
  • Download signed ActiveX controls: Disable
  • Download unsigned ActiveX controls: Disable
  • Initialize and script ActiveX controls not marked as safe: Disable
  • Run ActiveX controls and plug-ins: Disable
  • Script ActiveX controls marked safe for scripting: Disable

• Downloads
  • Font Download: Disable

• Microsoft VM
  • Java permissions: Disable Java

• Miscellaneous
  • Allow META REFRESH: Disable
  • Display mixed content: Disable
  • Drag and drop or copy and paste files: Disable
  • Installation of desktop items: Disable
  • Launching programs and files in an IFRAME: Disable
  • Navigate sub-frames across different domains: Disable
  • Software channel permissions: High Safety
  • Userdata persistence: Disable

• Scripting
  • Active scripting: Disable
  • Allow paste operations via script: Disable
  • Scripting of Java applets: Disable

• User Authentication
  • Logon: Prompt for username and password

If you made the Local Machine Zone visible using the manual technique described in the previous section of this article, make the above changes to that zone as well. InfiniSource also recommends some other changes for Windows XP users who’ve installed SP2.

One benefit of changing the above settings manually, rather than simply setting the Internet Zone to High Security, is that you can easily change back any individual setting if it causes you a problem.

If a Web site or application complains about a certain setting, you can investigate it and determine whether or not lowering your security settings is justified. If you didn’t know about the settings shown above, you’d be tempted in the face of problems to reset the Internet Zone from High to Medium, which would put you back where you started.

Microsoft itself has posted a Knowledge Base article about changing some of the above settings manually in IE, going back to version 3.0. The article is primarily oriented toward troubleshooting, rather than security. The description is in KB article 154036.

Add legit sites to the Trusted Sites list so they’ll run

Changing the above-named settings very likely will disable some of the features of some of the Web sites you visit. Unfortunately, in the bad old “anything goes” days of the Internet — which hopefully someday will be “long gone” — these sites adopted nonsecure or proprietary technology to display banner ads, submenus, and the like. Shutting down this stuff is part of the price of making the Internet a more secure place.

If a site that you know is legitimate has a problem with your security settings, it’s easy to add the site to your Trusted Zone. The site will then benefit from the less-secure settings in that zone, which is by default set to Low Security.

You can add a site manually to the Trusted Zone by visiting it using IE, then clicking Tools, Internet Options. Select the Security tab, then select Trusted Zone and click the Sites button. Type http:// and the domain name into the input box and click the Add button to add the domain.

To include non-SSL-encrypted sites in the list, turn off the check box labeled “Require server verification (https:) for all sites in this zone.” Click the OK button to close all the dialog boxes.

There’s a much easier way to add a site to your Trusted Zone, though. You can put an item named “Add Site to Trusted Zone” on IE’s Tools menu and click it rather than having to go through Internet Options every time. To get this, download and install Power Tweaks Web Accessories from Microsoft’s Web site. This 129 KB download is described as being for IE 5, but it works just as well on IE 6.

Unfortunately, the utility also places on IE’s Tools menu another item named “Add Site To Restricted Zone.” You should never visit a site that you think is untrustworthy so you can click this menu item. Instead, always add such a site to the Restricted Zone manually, using the procedure described above, before visiting the site.

It’s unfortunate that Windows users have to go through all this just to get some peace of mind. Microsoft should simply distribute, free of charge, the fixes necessary to provide this minimal level of protection to all Windows users. Until that time, however, you should take steps to protect yourself.

To send us more information about IE security, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Dangerous unpatched hacks are 'in the wild'

The November edition of Microsoft’s monthly security patch day yielded only a single, non-critical patch for a security issue last week (see related story below). Don’t let your guard down, however. There are at least three other, far more dangerous security exploits that are currently making the rounds on the Internet and demanding your attention.

New MyDoom worms burrow into IE 6

The first is a new version of the so-called MyDoom worm that takes advantage of a security flaw in Internet Explorer (IE) to spread. Like previous versions of MyDoom, the new versions, dubbed MyDoom.AG (and MyDoom.AH, MyDoom.AI, and Bofra.C), spread via e-mail. But instead of using an attachment-based attack, where the worm is delivered with the email, the new version is triggered when you click a hyperlink in the e-mail message.

In other words, the code executes in your system via IE, not your e-mail application. Because antivirus applications are typically configured to look for this worm in e-mail attachments, MyDoom.AG can sometimes slip past AV defenses.

The new worm affects all modern Windows versions, including Windows 95, 98, Me, XP, NT, 2000, and Server 2003.

In an overview of the attack, News.com notes that this isn’t the first time malicious software has used an unpatched flaw in a Microsoft product to launch an electronic attack. Earlier this year, a malicious adware writer exploited two known but unpatched flaws in IE to distribute a toolbar that launched pop-up advertisements.

The security firm F-Secure writes in a security bulletin that MyDoom.AG also includes “an IRC-controlled backdoor that allows the creator to download and execute arbitrary programs on the compromised host.” It also gathers e-mail addresses from the Windows Address Book and files in the Temporary Files folder and in various other places on your hard disk and then sends those addresses a link to the worm.

The worm uses its own SMTP delivery engine to send the e-mails. It can also spread to other computers across a peer-to-peer network.

The Security News Portal has a list of possible e-mail subject lines and body texts that the worm uses.

Most leading AV packages have been updated since the release of this worm to detect and eradicate it. In order to protect yourself from this worm, you should keep your AV package up-to-date and avoid clicking on hyperlinks in e-mails that bear the spammy phrases described above.

In general, you should avoid opening any e-mail attachments you aren’t expecting. Most worm-related e-mails are spoofed to appear to come from senders you recognize, so don’t use that as verification of an e-mail’s safety.

If you need to manually remove the worm, see the instructions in the Security News Portal article described above.  

IFRAME vulnerability threatens IE 6

In addition to the unpatched exploit above, security researchers at Secunia warn of a new, unpatched, “extremely critical” flaw in Internet Explorer 6 in Windows 2000 and XP (pre-Service Pack 2).

This security hole could let malicious Web sites gain control of your system. The flaw is in IE’s handling of the HTML tags IFRAME, FRAME, and EMBED and can allow a hacker to plant software on a victim’s system.

Users with XP SP2 are immune from the flaw. The version of IE 6 that ships with SP2 includes new IE APIs (application programming interfaces) that repel the class of attack this exploit uses.

CNET reports that Microsoft is aware of the problem but does not yet have a patch available. The current “fixes” for this problem are more challenging than usual. You can either upgrade to XP SP2 or, if you don’t use XP, try a different Web browser. We recommend Mozilla Firefox, which Brian has reviewed elsewhere.

But US-CERT warns that merely avoiding IE is not enough. That’s because other applications that use IE’s ActiveX control — including Outlook, Outlook Express, AOL, and Lotus Notes, among others — are affected by this vulnerability as well. “There is no complete solution to this problem,” CERN writes.  

‘Click and Scroll’ problem hacks into IE 6 and XP SP2

The third unpatched security hole, which can affect even Windows XP after the addition of Service Pack 2, was described by Secunia in an Oct. 20 security advisory as “highly critical.” This is one step below the “extremely critical” rating of the problem described immediately above.

Microsoft issued a Knowledge Base article on Nov. 1 saying the Redmond company is “investigating reports of a security issue with Microsoft Explorer that is known as Click and Scroll.” The article said users could be affected if they merely visited a hacked Web site and clicked within the IE window. A silently downloaded program would then run the next time a user logged on to his or her computer.

The corporation recommended in the article that the setting for “Drag and drop or copy and paste files” be disabled in Internet Explorer’s Internet and Intranet Web zones to protect PCs. (This workaround would presumably be needed only until an official patch becomes available.)

Changing the security setting of the Internet Zone to High would also prevent the problem, Microsoft said. These changes would have negative side-effects, however, as described below.

Secunia’s advisory said the problem “has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.” Two related vulnerabilities would allow a Web site to plant infected HTML files on a user’s system via improper drag-and-drop events. Secunia said one of the vulnerabilities would “bypass the ‘Local Computer’ zone lockdown security feature in SP2.”

Disabling “Drag and drop or copy and paste files” in IE’s Internet Options would inhibit the exploit, but it would also prevent users from ordinary moving and copying of files in Windows Explorer as well as Internet Explorer. This is one of the unintended consequences of integrating the IE browser into Windows. Changing the Internet Zone to its High setting would disable many legitimate Web sites in the user’s browser.

For more information on the security hole and MS’s workarounds, see KB article 888534.

We expect Microsoft to issue a patch for all three of the above-described security holes in the future, but it’s impossible to say when.  

No click required for new phishing scam to rewrite Hosts file

In related news, MessageLabs warns of a new e-mail-based attack that can silently run a script when you view an infected message. Recently patched Windows systems, fortunately, may already be immune to the problem, a MessageLabs spokesman suggested. Read on for details.

The attack doesn’t require you to open an attachment or click a link. You literally just need to preview or open the e-mail in an older version of some e-mail clients.

When a vulnerable program views such an e-mail, the script rewrites your Hosts file, enabling the attacker to display bogus online banking logon pages that look identical to those of several different banks. If you enter your logon information for such a bank using a malicious page, the author of the attack captures your username and password.

MessageLabs has seen only a few dozen such messages as of this writing, and it’s likely that this kind of attack won’t immediately become widespread. But a fast-moving attack is still a concern.

MessageLabs posted on Nov. 15 a press release about the silent attack, but not a technical bulletin. The exploit uses an unpatched version of Windows Scripting Host, a built-in feature of most Windows operating systems in use today. A spokesman for MessageLabs did say that one of the Windows patches that Microsoft issued in the past four to five months succeeds in closing the security hole, but he wasn’t immediately able to identify the number of the patch.

Brian published details about the problem, including which versions of Windows and other software are vulnerable and how to protect them, in a recent Datamation column.  

Microsoft issues ISA Server 2000 security patch

MS04-039 (888258): In its regularly scheduled monthly release of security patches, Microsoft issued on Nov. 9 just a single patch. It’s rated “important” and is specific to ISA Server 2000 and Proxy Server 2.0, two of the company’s firewall and Web proxy server-based solutions.

Unfortunately for admins, Microsoft was forced to re-release the patch twice. The first fixup, on the same date as the original, corrected a problem with the German-language version of the patch. The second redo, which affects far more people, was released on Nov. 16 to correct a problem that stopped the patch from working correctly on ISA Server 2000 SP1 and Windows 2000 SP3.

Users who installed MS04-039 on either of those two products should download the Nov. 16 version of the patch and install it again. Users of ISA Server 2000 SP2 and Windows 2000 SP4 don’t need to redeploy the patch if it installed correctly in the first place, according to Susan Bradley, a Microsoft MVP who’s known as the SBS Diva. Bradley explains the background of these embarrassing re-releases in her Nov. 16 blog entry.

The problem is described in Microsoft Security Bulletin MS04-039. The article shows the re-release history of the patch at the very end of the document.

Secrets of XP Service Pack 2

By Paul Thurrott

Many reviewers have touted the better-known features of Windows XP Service Pack 2 (SP2). But Microsoft’s latest OS update also supports a wide variety of hidden changes as well. In this issue of Windows Secrets, we examine some of these changes.  

Enable better memory protection with DEP

The latest microprocessors from AMD and Intel support a hardware-based technique for preventing the common “buffer overrun” errors that lie at the heart of many malware attacks. Microsoft added support for this technology, called Data Execution Prevention (DEP), to XP SP2.

Basically, what DEP does is prevent executable code from being stored in memory that is reserved for non-executable code (typically data). However, it’s implemented differently on different hardware platforms and in different versions of XP. Most important, perhaps, is that you may want to change the behavior of this feature to make your system more secure.

On most PCs — that is, 32-bit versions of Windows XP SP2 running on 32-bit “x86” PCs — DEP is enabled in software only, because the underlying hardware doesn’t support the hardware-based version. This system is less effective, but it’s better than nothing. More problematic, however, is that on such systems, DEP is enabled only for the operating system code. All other applications that run on your system are free to trample memory as they have in the past, leading to potential crashes and system freezes.

On more recent PCs — those that utilize a 64-bit x86-based processor (AMD Athlon 64 and Opteron, or newer Intel EM64T-based Xeon processors) — DEP works a little differently. If you’re running XP SP2 on such a system, or you’re running the beta x64 version of Windows XP (the final version will ship in Spring 2005), the system automatically takes advantage of the hardware DEP functionality to provide a more secure environment. While the 32-bit version of XP SP2 protects only OS components, the x64 version of Windows XP protects both the OS and third party applications by default.

Regardless of which platform you’re running — x86 or x64 — you may want to enable DEP for third party applications as well. This will provide a more stable and secure system overall. You may, however, see a number of warning dialogs as poorly-written applications inadvertently stomp on reserved areas of memory. Indeed, Microsoft tells us that it left DEP off for end user applications specifically because so many of them triggered DEP warnings.

To enable DEP for third party applications, right-click on My Computer and choose Properties. Navigate to the Advanced tab and click the Settings button in the section labeled Performance. Select the Data Execution Prevention tab.

The default option, which is selected, is “Turn on DEP for essential Windows programs and services only.” However, you can change it to “Turn on DEP for all programs and services except those I select.”

When you do so, you may see a number of warnings. If those warnings are caused by known applications that you trust, you can add them to DEP’s exception list at the time of the warning. The exception list is also accessible via this same UI. Simply click the Add button to add a program to the exception list manually.

For more information about DEP, Microsoft discusses this technology in the Memory Protection Technologies section of its “Changes to Functionality in Windows XP Service Pack 2” documentation and in a thorough article, KB 875352. I also discuss DEP in depth in an article for Windows IT Pro Magazine. More info  

Get the Recovery Console back after installing SP2

While Brian and I do recommend that most people who use Windows XP upgrade to SP2, there is one little-known gotcha that may come back to haunt those who install it. When you upgrade to SP2, the XP Recovery Console, a command-line recovery environment which can be accessed by booting the PC from your original XP SP2 CD-ROM, will no longer work. Instead, you’re provided with an error message noting that the Recovery Console is incompatible with your version of Windows.

To fix this problem, you’ll have to create what’s known as a “slipstreamed” Windows XP SP2. That’s a bootable CD that includes the contents of your original XP CD-ROM combined with SP2.

Unfortunately, your ability to make such a CD will be limited by the type of Windows XP CD you have. Retail and volume license key (VLK) CDs will always work, but many so-called recovery CDs — typically supplied by big PC makers — often cannot be slipstreamed for some reason.

For instructions on how to make the CD, there’s an extensive article about slipstreaming SP2 on the SuperSite for Windows. For more information about the Recovery Console itself, please see Microsoft Knowledge Base article 307654.  

Recover the disk space you lost by adding SP2

Simply installing Windows XP SP2 requires a hefty amount of disk space, and only some of that is given back after installation is complete.

That’s because SP2 backs up files from your original install by default, just in case you decide to uninstall SP2. If you’re sure that you won’t want to uninstall SP2 — a process that will become impossible over time anyway, as you add more applications to the system — you can recover much of the lost disk space.

To do so, navigate to C:Windows$NTServicePackUninstall and click Tools, Folder Options to disable the hiding of hidden and protected files and folders. Then delete everything in that folder.

Finally, start the Add or Remove Programs applet in the Control Panel and select “Windows XP Service Pack 2.” SP2 will detect that the uninstall files have been deleted and remove itself from the list of programs in the applet.

Obviously, if you intend to ever remove SP2 from your computer, deleting the backup files isn’t a viable option. Check out Knowledge Base article 875350 for information about removing SP2.

Reduce the buying power of your money

Just for fun, a company called Storeridge Engineering uses powerful electrical bursts to actually shrink coins. This involves putting the currency into a metal coil and then blasting it with more than 100,000 amps.

The surge causes the coil to explode violently, leaving a coin that’s been compacted at the molecular level. A Kennedy half dollar, illustrated at left in “before” and “after” versions, loses about half its size and gains mysteriously beautiful radial lines. There are even more hilarious results with bimetal coins and coins with a hole in the center, such as Japanese yen. The site has a great explanation and much larger pictures of all this frivolity. More info