Browser Security News

This paper will help you configure your web browser for safer internet surfing. It is written for home computer users, students, small business workers, and any other person who works with limited information technology (IT) support and broadband (cable modem, DSL) or dial-up connectivity. Although the information in this document may be applicable to users with formal IT support as well, organizational IT policies should supersede these recommendations.

I. Why Secure Your Web Browser?

Today, web browsers such as Internet Explorer, Mozilla Firefox, and Safari (to name a few), are installed on almost all computers. Because web browsers are used so frequently, it is vital to configure them securely. Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can lead quickly to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer.

Ideally, computer users should evaluate the risks from the software they use. Many computers are sold with software already loaded. Whether installed by a computer manufacturer, operating system maker, internet service provider, or by a retail store, the first step in assessing the vulnerability of your computer is to find out what software is installed and how one program will interact with another. Unfortunately, it is not practical for most people to perform this level of analysis.

There is an increasing threat from software attacks that take advantage of vulnerable web browsers. In recent months, US-CERT has observed a trend whereby new software vulnerabilities are exploited and directed at web browsers through the use of compromised or malicious web sites. This problem is made worse by a number of factors, including the following:

* Many web browsers are configured to provide increased functionality at the cost of decreased security.
* New security vulnerabilities may have been discovered since the software was configured and packaged by the manufacturer.
* Many web sites require that users enable certain features or install more software, putting the computer at additional risk.
* Many users do not know how to configure their web browsers securely.
* Many users are unwilling to enable or disable functionality as required to secure their web browser.
* Many users are unaware whether or not their computer has been compromised.
* Many users fail to properly “clean” a compromised computer.

As a result, exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems.

In addition to following this paper’s recommendations, refer to the documentation in the References section for other steps you can take to secure your computer.

II. Understanding Web Browser Features

It is important to understand the functionality and features of the web browser you use. Enabling some web browser features may lower security. For example, the ActiveX software feature has a history of vulnerabilities that have lead to severe security impacts when enabled.

Multiple web browsers may be installed on your computer. Other software applications on your computer, such as email clients or document viewers, may use a different browser than the one you normally use to access the web. Also, certain file types may be configured to open with a different web browser. Using one web browser to access web sites does not mean other applications will automatically use the same browser. For this reason, it is important to securely configure each web browser installed on your computer.

Web sites may require the use of a browser that supports scripting or active content, such as JavaScript or ActiveX controls, or the sites themselves may contain vulnerabilities. Web sites can be considered products, and as a user of the product, you can contact the web site administrators and request that the sites be designed so that they do not require the use of features that may pose a computer security risk.

Some specific web browser features and attributes are described in this document. Understanding what different features do will help you understand how they affect your web browser’s functionality and the security of your computer.

ActiveX is a technology used by Microsoft Internet Explorer on Microsoft Windows. ActiveX allows applications or parts of applications to be utilized by the web browser. A web page can use ActiveX components that may already reside on a Windows system, or may download the component from a web site. This gives extra functionality to traditional web browsing, but may also introduce more severe vulnerabilities if not properly implemented.

Java is an object-oriented programming language that can be used to develop active content for web sites. A Java Virtual Machine, or JVM, is used to execute the Java code, or “applet,” provided by the web site. The JVM is designed to separate, or “sandbox,” running code so that it does not affect the rest of the system. Some operating systems come with a JVM, while others require a JVM to be installed before Java can be used. Java applets run independently from the operating systems.

Active Content, or plug-ins, are intended for use in the web browser. They are similar to ActiveX controls but cannot be executed outside of a web browser. Macromedia Flash is an example of Active Content that can be provided as a plug-in.

JavaScript is a dynamic scripting language that is used to develop active content for web sites. Unlike Java, JavaScript is a language that is interpreted by the web browser directly. There are specifications in the JavaScript standard that restrict certain features such as accessing local files.

VBScript is a programming language that is unique to Microsoft Windows. VBScript is similar to JavaScript, but it is not as widely used in web sites because of its limited compatibility with browsers other than Internet Explorer.

Cookies are text files placed on your computer to store data that is used by a web site. A cookie can contain any information that a web site is designed to place in it. Cookies may contain information about the sites you visited, or may even contain credentials for accessing the site. Cookies are designed to be readable only by the web site that created them.

Security Zones and the Domain Model are methods Microsoft Windows uses designed to provide multiple levels of security settings for a single system. While primarily used by Internet Explorer, it can be invoked by other applications on the system that use components of Internet Explorer. Securing Your Web Browser