Friday, 15 January 2010

How to improve Internet Explorer security






You may have heard (e.g. BBC, MacWorld, New Scientist) about the recent cyberspying attacks from within China which tried to obtain secret commercial data from the systems of Google and other large companies like Adobe (corporate espionage, it seems) and to access Gmail accounts of human rights advocates - attacks which led Google to reconsider its approach to China and stop filtering / censoring search results there.

Now it's emerged from computer security company McAfee (see ComputerWeekly, Reuters, BBC) that one of the attacks exploited a little-known vulnerability in Microsoft's ubiquitous Internet Explorer browser software - more details are in Microsoft's security advisory and blog post.

If you use Internet Explorer 6 (or indeed Internet Explorer 7 or Internet Explorer 8) in Windows, clicking on a link or file attachment, e.g. in an email from a supposedly trusted source, can through this vulnerability cause malware to be downloaded, enabling control to be taken of your computer totally unbeknownst to you. The cyber attacks were mainly focused on Internet Explorer 6 which, while now outdated and very insecure, is still used by many organisations.

Even if you don't think you have juicy intellectual property on your system and you're not a human rights activist, you can bet your bottom dollar that bad hackers everywhere will want to exploit this vulnerability to try to get into computers generally.

So if you have Internet Explorer you should take steps to try to secure it better. The Microsoft security advisory has suggestions but I always find screenshots more helpful so here's a summary of what they said (bearing in mind that 100% security can never be guaranteed):

  1. Internet security zone - the best protection seems to be to set this zone's security to High. Then you'll get warning prompts before certain possibly dangerous things (ActiveX controls, Active Scripting) can be run, which you can refuse (it may be safer to say No if you're not sure), though this may cause some websites not to function fully.
    1. How? - menu Tools > Internet Options > Security tab, click Internet, move slider to High:

    2. See the advisory for more details e.g. dealing with trusted sites so you don't have to keep clicking Yes for those.

  2. Internet and Local intranet security zones - set both to prompt before running Active Scripting or to disable it completely (disabling may make some sites stop working).
    1. How? - menu Tools > Internet Options > Security tab, click Internet then Custom Level (see pic above). Then find the Scripting section, Active scripting subheading and ensure it's set to Prompt or Disable, then OK:

    2. Then again - menu Tools > Internet Options > Security tab, click Local intranet this time, then Custom Level:

      - then find the Scripting section, Active scripting subheading and ensure it's set to Prompt or Disable, then OK as before.
    3. See the advisory for more details e.g. dealing with trusted sites so you don't have to keep clicking Yes for those.

  3. Internet Explorer 7 or Internet Explorer 6 SP2 (to check your version, menu Help > About Internet Explorer) - enable Data Execution Prevention or DEP. It should already be enabled in IE 8.
    1. How to enable DEP? Go to this site and under "Enable Application Compatibility Database" click the Fix it button, Run and follow the instructions.
    2. Alternative way to enable DEP - menu Tools > Internet Options, Advanced tab, scroll down to the Security section and ensure "Enable memory protection to help mitigate online attacks" is ticked, then OK.


      1. Can't do it? Close IE, right-click the Internet Explorer icon, choose "Run as Administrator" to re-open it and try again. If that still doesn't work, log in as administrator. If you don't have administrator rights, this won't work.
  4. Use another less attacked browser like the free Firefox browser instead (ideally with NoScript)! If you have Outlook be sure to then set Outlook to open email links in Firefox instead of IE, so that when you click links in an email they won't open up in Internet Explorer but in Firefox.
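
The zone settings from steps 1 and 2 can be read back from the registry to confirm they took effect. This PowerShell check is an added example, not part of the original post or of Microsoft's advisory; the registry path, the `CurrentLevel` and `1400` value names and their meanings come from Microsoft's documented zone registry entries, and it assumes per-user settings that are not overridden by Group Policy.

```powershell
# Added example: read back the per-user IE zone settings from steps 1 and 2.
# Registry layout follows Microsoft's documented zone entries (not this post):
#   Zones\1 = Local intranet, Zones\3 = Internet
#   CurrentLevel = security slider, 1400 = Active scripting
$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$zoneNames   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$levelNames  = @{ 0x0 = 'Custom'; 0x10000 = 'Low'; 0x10500 = 'Medium-low'
                  0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }
$scriptNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Turn a raw DWORD into a readable label, keeping unknown values visible.
function Resolve-Name($map, $value) {
    if ($null -eq $value) { return 'not set for this user' }
    if ($map.ContainsKey([int]$value)) { return $map[[int]$value] }
    return ('unrecognised (0x{0:X})' -f $value)
}

function Get-ZoneAudit([int]$ZoneId) {
    $props  = Get-ItemProperty -Path "$zonesRoot\$ZoneId" -ErrorAction SilentlyContinue
    $level  = if ($props) { $props.CurrentLevel } else { $null }
    $script = if ($props) { $props.'1400' } else { $null }

    [pscustomobject]@{
        Zone            = $zoneNames[$ZoneId]
        SecurityLevel   = Resolve-Name $levelNames $level
        ActiveScripting = Resolve-Name $scriptNames $script
        # Step 1: slider at High. Reported separately from scripting because
        # a Custom Level change can leave CurrentLevel reading Custom.
        SliderHigh      = ($level -eq 0x12000)
        # Step 2: Active scripting set to Prompt (1) or Disable (3).
        ScriptingLocked = (1, 3 -contains $script)
    }
}

# Internet zone first, then Local intranet, as in the steps above.
3, 1 | ForEach-Object { Get-ZoneAudit $_ } | Format-Table -AutoSize
```

A zone that shows `False` in both the `SliderHigh` and `ScriptingLocked` columns has neither of the two settings applied for the current user.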

And of course, ensure you use a firewall like the free ZoneAlarm, plus anti-virus and anti-spyware software (which can be free). Make sure you regularly update them and run the scans, and also regularly update Windows and other software like Firefox, Adobe Acrobat Reader, Adobe Flash and so on.

A helpful official UK site for beginners:
