MS to Lock Down Security Zones in IE7

Iria · Dec 7, 2005, 10:52 PM

Continuing its endeavor to ensure Internet Explorer 7 is safe from the attacks that have plagued its predecessor, Microsoft is making changes to the browser's built-in security zones. Zones are used to classify Web sites into different security levels, but also bring risks themselves.

IE includes four standard zones: Internet, Intranet, Trusted Sites and Restricted Sites. Most browsing is done in the Internet zone, with the Intranet zone reserved for accessing local network sites, often used by businesses. The Intranet zone contains fewer restrictions, and in turn is more vulnerable to attack.

By default, Internet Explorer detects where the Web site is located -- on the Web or internally -- and utilizes the appropriate zone. However, it is possible to trick the browser. "If there is a flaw in IE's zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in," says IE developer Vishu Gupta.

Although Microsoft has improved URL parsing in IE6 SP2 and IE7, the company acknowledges there is an inherent risk associated with such an approach. To fix the problem, IE7 will no longer use the Intranet zone unless the computer has joined a domain.
__________
Read More / Source: BetaNews

Dec 7, 2005, 10:52 PM	#1
Iria DriverHeaven Extreme Member Join Date: Apr 2004 Posts: 7,275 Rep Power: 87	MS to Lock Down Security Zones in IE7 Continuing its endeavor to ensure Internet Explorer 7 is safe from the attacks that have plagued its predecessor, Microsoft is making changes to the browser's built-in security zones. Zones are used to classify Web sites into different security levels, but also bring risks themselves. IE includes four standard zones: Internet, Intranet, Trusted Sites and Restricted Sites. Most browsing is done in the Internet zone, with the Intranet zone reserved for accessing local network sites, often used by businesses. The Intranet zone contains fewer restrictions, and in turn is more vulnerable to attack. By default, Internet Explorer detects where the Web site is located -- on the Web or internally -- and utilizes the appropriate zone. However, it is possible to trick the browser. "If there is a flaw in IE's zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in," says IE developer Vishu Gupta. Although Microsoft has improved URL parsing in IE6 SP2 and IE7, the company acknowledges there is an inherent risk associated with such an approach. To fix the problem, IE7 will no longer use the Intranet zone unless the computer has joined a domain. __________ Read More / Source: BetaNews