Application security

Microsoft revamps browser security zones

“Security zones are groupings of sites that give them different levels of access to the local system. The zoning system has been an achilles heel for Explorer in the past, with malicious sites able to gain access to the user’s system by tricking the browser.”

More like, “The zoning system has been the achilles heel for attackers…”. There is no question that the zoning model needs to change in Internet Explorer. However, the changes they are developing are on only modifications to the existing model. The zone model needs to be completely redesigned, not just given a facelift. Example:

“One of the most significant changes for enterprise users will be the elimination of the intranet zone.”

Okay, so you removed a zone that uses a worn out buzzword. This does little to improve the security of the browser. But wait, there’s more:

“If a user wants to re-enable their intranet zone, they’ll be able to.”

Nice! There are some positive changes:

“By default Explorer 7 will assign “trusted sites” a “Medium” security level, the level given to Internet-zone sites under Explorer 6, Microsoft said. Users will get the option of manually lowering the trusted-sites security settings back to the Explorer 6 level via Internet Options or through policy settings, Microsoft said.

This is a step in the right direction. However, if the trusted zone still exists, and the user has the ability to allow sites to run in its context, attackers could also find a way to allow their sites to run in it too. I really do hope version 7 helps to improve the security of the browser. However, in order to keep pace with Firefox their going to have to add new features, which means new code to exploit :-)
You can find more information about all things IE on the IE Blog from Microsoft (What, has Security Weekly lost his mind? He’s linking to Micro$oft? Yikes!)

Full Article


Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.