News

IE Settings Can Enable Intranet Attacks, Report Says

Default security settings in Microsoft's Internet Explorer browser could open a company's intranet to hacking attacks, according to a recent security white paper.

Default security settings in Microsoft's Internet Explorer browser could open a company's intranet to hacking attacks, according to a recent security white paper.

The report, posted last week by Argentina-based security consultancy Argeniss, defined the issue based on Microsoft's scheme of using five security zones in Internet Explorer. In particular, the Local Intranet Zone has a more relaxed security setting by default than the Internet Zone. The white paper outlines a proof-of-concept attack based on that lowered security setting.

Someone with inside information about the appearance of the company's intranet interface could use that information in combination with phishing techniques to harvest passwords and gain access to workstations, according to the report's author, Cesar Cerrudo. The report focused on IE 7, but it can apply to IE 8 too.

Cerrudo notes that it's possible to get to the intranet, with its lower default security setting, through the Internet. Another issue is that Microsoft's cross-site scripting filter is disabled by default in IE. Consequently, an attacker just needs to lure the victim to a Web site controlled by him where script code opens a password login box that looks like the one used in the company's intranet. It's a scenario that requires inside information.

To prevent such a phishing scenario, Cerrudo recommends disabling two options that might allow the construction of such a fake login box: "allow script-initiated windows without size or position constraints" and "allow websites to open windows without address or status bar." He also recommends turning on the "enable XSS filter" setting on the Local Intranet Zone.

The report also mentions how SQL injection attacks could be carried out due to default security settings in IE. Cerrudo recommends turning on the "prompt for user name and password" setting on the Local Intranet Zone to help prevent such attacks.

Microsoft, when contacted about the report, stressed that such exploits are possible in "an untrustworthy internal environment."

"It's important to understand that the report outlines scenarios where the internal network cannot be trusted due to a breakdown in other security controls," a Microsoft spokesperson explained by e-mail." Every attack that Cesar Cerrudo outlined requires that an internal server has a vulnerability or that security controls be relaxed enough so that unauthorized users are able to take inappropriate actions against internal servers."

Still, the Microsoft spokesperson said that the report "outlines viable security options for operating Internet Explorer" in such untrustworthy environments. The spokesperson recommended that IT pros change IE's default security settings in accord with organizational security policy.

Some additional IE 8 security tips are referenced in Microsoft's team blog here, as well as at the Microsoft enterprise IE 8 site.

The report, "Opening Intranets to attacks by using Internet Explorer," can be accessed at Argeniss' Web site here (PDF).

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

comments powered by Disqus

Featured

  • Multi-Class Classification Using PyTorch: Model Accuracy

    Dr. James McCaffrey of Microsoft Research continues his four-part series on multi-class classification, designed to predict a value that can be one of three or more possible discrete values, by explaining model accuracy.

  • Python in VS Code Adds Data Viewer for Debugging

    The January 2021 update to the Python Extension for Visual Studio Code is out with a short list of new features headed by a data viewer used while debugging.

  • GitHub Ships Enterprise Server 3.0 Release Candidate

    It's described as "the biggest ever change to Enterprise Server," with improvements to Actions, Packages, mobile, security and more.

  • Attacks on .NET Apps Grow in Number, Severity, Says Security Firm

    .NET apps were found to have more serious vulnerabilities and suffer more attacks last year, according to data gathered by Contrast Labs.

Upcoming Events