before spyware does
By David Piscitello, President, Core Competence, Inc. (From WatchGuard LiveSecurity Updates)
Microsoft's Internet Explorer (IE) is still the most widely used Web browser. The majority of Web-based spyware infestations also target IE. While critics and experts can debate whether this is due to sloppy code and inherent flaws in IE, or abuse of a well-intentioned program customization called the Browser Helper Object (BHO), you have more important concerns. For security's sake, any network administrator must decide whether to deploy an alternative Web browser, or to minimize the organization's exposure by locking down IE and deploying spyware countermeasures.
Dump Internet Explorer?
Frustrated with spyware and a seemingly endless stream of security patches, many users are choosing an alternative Web browser. Browsers such as Mozilla/Firefox, DeepNet Explorer, and Opera natively support many attractive features:
- SSL-capability
- Built-in search bars
- Popup killers
- Tabbed browsing
- Integrated RSS readers and e-mail clients.
These browsers don't support BHOs and are thus immune to browser hurtful objects, the "spyware" BHOs that hijack home pages, favorites, and search engines. Various antispyware software vendors claim to detect and block an estimated tens of thousands of spyware variants responsible for hijacking, URL tracking, and intrusive advertising. BHOs and rogue toolbars that plug into IE account for approximately one thousand of these pests and parasites.
Alternative browsers claim to be more secure than IE. Firefox bases this claim on the success of the Mozilla project specifically, and open source policy in general (see "Release early, release often"). Opera was designed from the beginning with security in mind, and doesn't support ActiveX controls. The DeepNet Explorer renders HTML just like IE, but doesn't support BHOs. However, none has proven immune to bugs, so as an administrator, you must weigh the strengths and weaknesses of each contender as they affect your organization.
Consider other factors before you commit to converting your organization to a new browser:
- Does your organization actually use legitimate BHOs or ActiveX controls?
- Is your (Intranet) Web server environment IIS- and IE-centric? If so, what steps must you take to confirm that the browser you choose is compatible with your server?
- How will the change affect your patch management?
- How will the change affect user training, helpdesk and support? Do you anticipate any internal political backlash?
The answers to these questions might force the conclusion, "Let's stick with IE." If so, then your next step is to deploy it as securely as possible.
Five steps to a more secure IE configuration
Draw from the accumulated experience of others who combat spyware, and implement these measures to protect your IE users:
Maintain IE Patch Currency. As exploit paths and vulnerabilities are identified in IE, patch as early as possible to eliminate them. Investigate central patch management solutions. If you must leave patch management in the hands of your users, make certain they understand the consequences of neglecting this critical process. If your users are responsible for patching, conduct regular audits to ensure they are keeping up with patches.
Improve your (IE) Zone Defense. You can adjust settings for IE's security zone so that you maintain a secure and productive user experience for your organization. But doing so is not as simple as consumer anti-spyware pages (CyberCoyote.org, SpywareInfo.com) suggest. If your business applications are developed by .NET partners who do not sign components with Authenticode, or your users routinely visit business partner sites that use ActiveX components, your IE security configuration must allow access to these particular components. In such situations, make use of IE's Trusted Zones and include these sites as reputable and trustworthy.
Assess your organization's needs, and develop an IE security policy that meets the security-usability requirements of your organization. If you use Active Directory, use the Group Policy Object Editor to create an "IE configuration" GPO. Configure your IE policy under User Configuration => Windows Settings => Internet Explorer Maintenance => Security; then link the GPO to the appropriate organizational units.
Block Ad Server Domain Names. Several anti-spyware activists maintain lists of known adware server sites and domains. If you block a spyware agent from communicating with its ad servers once the agent lands on your network (assuming it manages to elude your other countermeasures), you negate the impact of that spyware. Add known spyware/adware servers to the Blocked Sites lists at your Firebox. Use a hosts file or DNS to resolve the adware hostnames to localhost (127.0.0.1); or, use a registry script like IE-SPYAD to incorporate these into the IE Restricted Sites list. Here again, if you use Active Directory, you can include this countermeasure in a GPO.
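As an added example (not code from the article or from IE-SPYAD), the following script turns a raw adware server list into the two client-side countermeasures named above: hosts-file entries that sink each name to 127.0.0.1, and a .reg script that places each name in IE's Restricted Sites zone. It assumes the zone map lives under HKCU\...\Internet Settings\ZoneMap\Domains with Restricted Sites as zone 4, and that the list is one hostname per line; the blocklist below is constructed, not real data.

```python
"""Build hosts-file lines and an IE Restricted Sites .reg script from an adware domain list."""
import re

# Constructed sample blocklist: expect comments, blank lines, mixed case, duplicates and junk.
SAMPLE_BLOCKLIST = """
# constructed adware/spyware server list (placeholder names, not real data)
ads.example-adserver.test
tracker.Example-Tracker.TEST   # mixed case, trailing comment
ads.example-adserver.test      # duplicate
not a hostname!
www.example-toolbar.test
"""

RESTRICTED_SITES_ZONE = 4  # assumption: IE zone id for Restricted Sites
ZONEMAP_DOMAINS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                   r"\Internet Settings\ZoneMap\Domains")
_HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")


def parse_blocklist(text):
    """Return sorted, de-duplicated, lower-cased hostnames; drop comments and malformed entries."""
    hosts = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if entry and _HOST_RE.match(entry):
            hosts.add(entry)
    return sorted(hosts)


def hosts_file_entries(hosts):
    """One hosts-file line per name, resolving it to loopback so the agent cannot reach its server."""
    return ["127.0.0.1 " + h for h in hosts]


def restricted_sites_reg(hosts):
    """A .reg script that maps each name (and everything beneath it) to the Restricted Sites zone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for h in hosts:
        lines.append("[%s\\%s]" % (ZONEMAP_DOMAINS, h))
        lines.append('"*"=dword:%08x' % RESTRICTED_SITES_ZONE)  # "*" = all protocols
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    print("\n".join(hosts_file_entries(blocked)))
    print(restricted_sites_reg(blocked))
```

Feed it the hosts-file output for the drivers\etc\hosts file and the .reg output to regedit (or a GPO logon script); re-run whenever the upstream list changes so stale entries are not left behind.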
Hamstring hijackers. Take advantage of the software developed to identify and block malicious BHOs. Be aware that some BHOs have legitimate purposes. Examples of legitimate and useful BHOs are privacy preference clients like AT&T Privacy Bird P3P Client, Citibank's Virtual Account Software, Yahoo! Companion, certain toolbars and Web accelerators. If you want to give your users some flexibility in their browser look-and-feel, run BHOlist on a sampling of the PCs in your organization. Identify any legitimate BHOs and toolbars used by your organization, and compose an Approved BHO List. Install anti-spyware software that provides browser hijack protection at each client. Configure blocked exceptions for all approved BHOs on your list. Free and donateware such as the tandem applications SpywareGuard and SpywareBlaster, Ad-Aware, or SpyBot Search&Destroy are widely acknowledged as legitimate, effective alternatives to commercial anti-spyware software for the budget-impaired.
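The audit step above (enumerate installed BHOs, then compare them with your Approved BHO List) can be scripted, as in this added example, which is not code from the article or from BHOlist. It assumes BHOs are registered as CLSID subkeys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and takes a `reg export` of that key as input; the export and the CLSIDs below are constructed placeholders.

```python
"""Audit installed Internet Explorer BHOs against an organization's Approved BHO List."""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")

# Approved BHO List: CLSID -> purpose (constructed placeholder CLSIDs, not real products).
APPROVED_BHOS = {
    "{11111111-1111-1111-1111-111111111111}": "privacy-preference client approved for all users",
    "{22222222-2222-2222-2222-222222222222}": "vendor toolbar approved for the sales OU",
}

# Constructed sample `reg export` of the BHO key from one workstation.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-0000-4000-8000-000000000001}]
@="Super Search Assistant"
"""

# Matches only CLSID subkeys of the BHO key, not the parent key or value lines.
_CLSID_RE = re.compile(
    r"^\[" + re.escape(BHO_KEY) + r"\\(\{[0-9A-Fa-f-]{36}\})\]\s*$", re.MULTILINE)


def installed_bhos(reg_export):
    """Return the set of BHO CLSIDs (upper-cased) found in a reg export of the BHO key."""
    return {m.group(1).upper() for m in _CLSID_RE.finditer(reg_export)}


def audit_bhos(reg_export, approved=APPROVED_BHOS):
    """Split installed BHOs into approved ones and unapproved ones (candidates for blocking)."""
    installed = installed_bhos(reg_export)
    approved_ids = {clsid.upper() for clsid in approved}
    return {
        "approved": sorted(installed & approved_ids),
        "unapproved": sorted(installed - approved_ids),
    }


if __name__ == "__main__":
    report = audit_bhos(SAMPLE_EXPORT)
    for clsid in report["unapproved"]:
        print("NOT on Approved BHO List:", clsid)
```

Run it against exports gathered from the sampled PCs; anything reported as unapproved is either a hijacker to remove or a legitimate BHO that belongs on the list.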
Try a different cup of Java. Recent flaws exposed in Microsoft's Java Virtual Machine prompt some anti-spyware experts to suggest using Sun's VM instead. Before you choose to uninstall Microsoft's Java VM, be certain this decision meets the organization's long term objectives. If, for example, you are going to migrate from Java/J2EE to a .NET framework, and will eventually disable Java entirely, is this step necessary? Do any business applications needed by your organization require a specific version of JVM?
Conclusion
Internet Explorer has its share of problems, and you may conclude your organization is better off with an alternative Web browser. But your organization doesn't have to be easy prey for spyware. With some planning, you can implement appropriate measures to minimize your IE-related spyware vulnerability profile. Switching browsers or locking IE down are both valid options. Doing nothing is not.
Further Reading
Spyware Risk: It's Time to "Get Smart"
Spyware Remediation: It's Not "Mission Impossible"
Dave's Spyware and Anti-Spyware Resources
The Internet Explorer Answer: "Have a Freaking Clue" (exclusive interview with Tim Mullen from BlackHat 2004)