IE Security: Past, Present, and Future

Upload: gwen-wade

Post on 21-Jan-2016


TRANSCRIPT

Page 1: IE Security: Past, Present, and Future Tony Chor Group Program Manager Rob Franco Lead Program Manager Internet Explorer Microsoft Corporation

IE Security: Past, Present, and Future

Tony Chor, Group Program Manager

Rob Franco, Lead Program Manager

Internet Explorer, Microsoft Corporation

Page 2: About this presentation

Past

Present

Guiding principles for IE Security

The Security Development Lifecycle (SDL)

Future

High level browser threat model

How IE7 addresses the threats

Page 3: Past

Compatibility and features trumped security

Users fooled into making bad trust decisions

Malware installed via architectural flaws

Powerful extensibility misused

Security seen as a servicing problem

Adversarial relationship with community

Page 4: Past

“I suggest dumping Microsoft’s Internet Explorer Web browser, which has a history of security breaches.”

Walt Mossberg, Wall Street Journal, September 2004

Page 5: Present: IE is back!

IE team reborn 24 months ago

Improved security response

IE 6.0 for Windows XP SP2

New versions

Engaging the community

Security is integral to our engineering practices

Page 6: Present: Guiding principles

The web must be safe

Reduce attack surface

Build defense-in-depth

Secure by default

Enable users to make smarter choices

The web must be useful

App compat and site compat are critical

Corporate IT has different needs from consumers

Partner with the community

Page 7:

Engineering Excellence

Security Development Lifecycle

Security Response Center

Community feedback

Improved quality of updates & tools

Security Development Lifecycle

Page 8: IE Security: Present

“The assumption that Internet Explorer is easier to exploit is a common misconception…Internet Explorer has become quite tough, and it is very difficult to find vulnerabilities in it.”

Security Focus Newsletter, May 12, 2005

Page 9: Future: IE 7

SDL-driven security strategy

Dynamic protection against fraud

User control over extensibility

Architectural enhancements against malware

Proactive engagement with community

Page 10: Threat Model: Browser Data Flow Diagram

Outbound: URLs; HTTP requests; Auth & cookie data

Inbound: URLs; HTML; Script; Non-IE files

[Diagram labels: www.BadGuys.com; Cache boundary; User Profile; Internet Explorer; External Helper Applications; Program Files, Registry, etc.; Requests; Content; Documents, Settings, etc.; ActiveX controls, Downloads, etc.; Helper requests]

Page 11: Threat Model: Internet Explorer Architecture

[Diagram labels: User Interface (IEFrame); Network request layer; Page Rendering; WinINet; URLMon; Browser Helper Objects; Toolbars; Mimefilters; MSHTML; ActiveX; Script Engine; Binary Behaviors]

Page 12: Threat Model: User Interface Layer

Sample Threats:

Site spoofs user

User lowers security settings

Buffer overrun

[Diagram labels: User Interface (IEFrame); Network Requests (Wininet & URLMon); Page Rendering (MSHTML); URL Requests; URLs, Files; Window Commands]

Page 13: Demo: User Interface Mitigations

In this demo, you will see how IE 7:

Uses a phishing filter to dynamically protect users from fraud

Warns users about unsafe settings

Page 14: Threat Model: Network Request Layer

Sample Threats:

URL parsed incorrectly

Buffer overrun

[Diagram labels: www.BadGuys.com; Cache boundary; Network Requests (Wininet & URLMon); Pluggable Protocols; Requests; Content; URLs, HTML; Helper requests; Page Rendering (MSHTML); User Interface (IEFrame); URL Requests; URLs, Non-HTML files]

Page 15: Threat Model: Network Request Layer: Unified URL Parsing

Problem:

URLs passed as strings may be parsed inconsistently through the stack

Special characters complicate URL parsing

http://[email protected]

Solution:

iURI is IE’s single URL parsing object

Canonicalizes URLs targeting RFC 3986

IE passes the pre-parsed object through the stack

iURI available to ISVs
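
The problem and solution on this slide, as an added JavaScript example (not code from the presentation or from IE): one layer re-parses the raw string with its own rule while another follows RFC 3986, so the policy check and the connection disagree about the host. `parseUri`, `naiveHost`, the trusted-host list and the `.example` URL are constructed for illustration, and the parser is a simplified RFC 3986 split, not iURI.

```javascript
// Added illustration. parseUri, naiveHost and TRUSTED are hypothetical names, not IE APIs.
// Constructed sample: the text before "@" is userinfo, not the host.
const SAMPLE = 'http://www.trusted.example@evil.example/login';
const TRUSTED = new Set(['www.trusted.example']);
const DEFAULT_PORTS = { http: '80', https: '443' };

// RFC 3986 Appendix B: scheme, authority, path, query, fragment.
const RFC3986 = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Parse once; every layer then reads fields from the same frozen object.
function parseUri(text) {
  const m = RFC3986.exec(text);
  const scheme = (m[2] || '').toLowerCase();
  const authority = m[4] || '';
  // authority = [ userinfo "@" ] host [ ":" port ]; the host follows the last "@".
  const at = authority.lastIndexOf('@');
  const userinfo = at >= 0 ? authority.slice(0, at) : null;
  const hp = /^(\[[^\]]*\]|[^:]*)(?::(\d*))?$/.exec(authority.slice(at + 1));
  if (!scheme || !hp || !hp[1]) throw new Error('not an absolute URI: ' + text);
  const host = hp[1].toLowerCase();
  // Canonical form drops an empty or scheme-default port.
  const port = hp[2] && hp[2] !== DEFAULT_PORTS[scheme] ? hp[2] : null;
  const path = m[5] || '/';
  const canonical = scheme + '://' + (userinfo === null ? '' : userinfo + '@') +
    host + (port ? ':' + port : '') + path + (m[6] || '') + (m[8] || '');
  return Object.freeze({ scheme, userinfo, host, port, path, canonical });
}

// A layer that re-parses the raw string: host = text after "//" up to ":", "/" or "@".
function naiveHost(text) {
  return (text.split('//')[1] || '').split(/[:\/@]/)[0].toLowerCase();
}

// Inconsistent stack: the policy check and the network layer parse separately.
function inconsistentStack(text) {
  return { allowed: TRUSTED.has(naiveHost(text)), connectsTo: parseUri(text).host };
}

// Unified stack: one parse, and both decisions read uri.host.
function unifiedStack(text) {
  const uri = parseUri(text);
  return { allowed: TRUSTED.has(uri.host), connectsTo: uri.host };
}

console.log(inconsistentStack(SAMPLE)); // allowed for a host it never connects to
console.log(unifiedStack(SAMPLE));
```
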

Page 16: Threat Model: Page Rendering Layer

Sample Threats:

ActiveX controls misused

Page Access rules fail

Unsafe access defaults

Page Redirects

Buffer overrun

[Diagram labels: Network Requests (Wininet & URLMon); Script Engine; URLs, HTML; Page access; Page Rendering (MSHTML); URL Requests; Script; ActiveX Controls; COM Calls]

Page 17: Threat Model: Page Rendering Layer: ActiveX Opt-in

Problem:

ActiveX controls can expose dangerous functions and security bugs to any page on the web

Solution:

Pre-installed ActiveX controls will prompt on first use the same as downloaded controls

Users can run in Add-ons disabled mode to shut off more extensions like BHOs

“This move is worth praise.”

Joe Wilcox, Jupiter Research, September 13, 2005

Page 18: Threat Model: Page Rendering Layer: Cross Domain Security

Problem:

Hackers use script protocols to run domain-less script

javascript:alert(document.body.innerHTML)

Solution:

Migrate the script protocol to run as script in the originating page

Page 19: Threat Model: General: Prevent Buffer Overruns

Problem: Attacker finds a place where the parser does not check for size of an argument

Solutions:

Automated code review tools

Safe memory APIs

Fuzz testing

These tools are part of Visual Studio 2005

Page 20: Threat Model: General: EOP: Today

[Diagram labels: IExplore.exe; Install an ActiveX control; Change Settings, Download a Picture; Cache Web content; Exploit can install MALWARE; Admin-Rights Access; User-Rights Access; Temp Internet Files; HKLM; Program Files; HKCU; My Documents; Startup Folder; Untrusted files & settings]

Page 21: Threat Model: General: EOP: Protected Mode

[Diagram labels: Protected Mode IE; Install an ActiveX control; Change settings, Save a picture; Integrity Control; Broker Process; Redirected settings & files; Compat Redirector; Cache Web content; Admin-Rights Access; User-Rights Access; Temp Internet Files; HKLM; HKCR; Program Files; HKCU; My Documents; Startup Folder; Untrusted files & settings]

Page 22: Demo: Protected Mode IE

In this demo, you will see how IE 7:

Runs with restrictions to prevent exploits from installing malware on users’ systems

Keeps the web useful

Still allows users to download files or change settings

Allows Intranet sites to run without restrictions

Page 23: IE Security: Future

“If all Windows users were running Vista [with IE7], the Internet would be a much safer place.”

Larry Seltzer, eWeek, July 29, 2005

Page 24: Internet Explorer 7.0

Win reviews and the popular vote

Improving Trustworthy Browsing

Amazing Everyday Browsing

Good Web Developer Platform

Release dates

Windows Vista: 2nd half of 2006

Windows XP SP2, Windows Server 2003 SP1, x64: TBD

Status

Beta 1 released in June

Beta 2 Preview in October

Beta 2 later this year

Page 25: Resources

Books

Writing Secure Code, Second Edition, Michael Howard and David LeBlanc

Threat Modeling, Frank Swiderski and Window Snyder

Resources

blogs.msdn.com/ie/

[email protected]

Tools

Visual Studio 2005

Page 26: Conclusion

We’ve come a long way.

We have a long way to go.

We’d like your help

Test IE 7 for security and compatibility

Give us feedback – we’re listening!

Page 27: Q&A

Your quotes?

Your thoughts?

Your questions?