How to make IE safe

Discussion in 'other security issues & news' started by Rasheed187, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Posted by QSection:
    Thanks for the page. I guess security configurations will remain a "moving target?"
     
  2. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Nope, minimizing windows doesn't seem to free up any RAM. This is Win98 Gold, though, so it probably has some RAM management problems.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Again, the thread isn't about which browser is better, I already decided that IE (Maxthon) is the best choice for me. I can't wait 40 seconds for Mozilla to start up, and it also uses more RAM, likely more CPU time, and the GUI still sucks.

    I feel a whole lot better now that I know download.ject and the shell variation don't work with IE 5.01, I guess I just have to stop browsing untrusted sites with scripting enabled and I will have no problems. I can't imagine that there are a whole lot of bugs in IE that haven't been discovered yet LOL. ;)
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Check that your antivirus software is not scanning the browser cache. Most AVs will exclude IE's cache by default but need to be configured specifically to exclude Opera's or Mozilla's. This can cause particular delays on startup/shutdown when lots of (small) cache files are deleted.
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    Cache is the source of many problems. That goes for any cache.

    I can understand the need for cache on dial up connections.

    My browser cache as well as Java cache is set to zero.

    In addition, the Firefox browser will let you clean your cache on the fly.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Oh and maybe a dumb question, but can a firewall protect you from holes in IE? And if a firewall can't I guess an app like Proxomitron can?

    And btw, download.ject does work on IE 5.01, I don't know why the site where I read it thinks differently. But sorry, I really can't abandon IE/Maxthon (IE starts up in 4 seconds and Maxthon rules when it comes to features/look and feel) trust me on this one. :) But I'm getting sick and tired of these holes, so that's why I'm looking for tips to make IE as safe as possible.
     
  7. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    A firewall will probably give you some protection, but firewalls can be bypassed, and there are probably plenty of holes that a firewall couldn't do anything about.

    I suppose downloading DCOMbobulator and totally disabling DCOM (also known as ActiveX) might help, as would using DSOStop to fix the DSO exploit and HTAStop to protect yourself from HTA scripts. Just remember, though, that IE users must be very, very careful about their online activities, since IE is inherently unsafe, even when you keep up with all the patches and updates.
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Unless the firewall is configured to block IE from accessing the Internet, it can provide no real protection for it. Indeed any application allowed access through your firewall is a potential security hole and should be dealt with separately (the firewall gives you the ability to block unsolicited incoming traffic, unneeded applications or services and checks permitted applications for modifications).

    Some firewalls do provide web-filtering options - these can help secure IE by blocking content like ActiveX, Java and Javascript. However many web pages will not display or work properly if you disable all these. ActiveX should always be disabled (WindowsUpdate being the sole exception), Java is best disabled by default (you can enable it for specific pages where it is really needed) but Javascript is likely to be more of a problem (I'd suggest you experiment here and make your own decision).

    Proxomitron can provide some protection with its default filters and further filters can be added to detect and neutralise known HTML exploits (check the JDList for some examples).

    To be honest though, trying to make IE completely "safe" is a bit like trying to make a house from sand - there are so many new vulnerabilities (and subsequent patches just seem to trigger further problems down the road) that you would have to filter incoming web traffic to an extent that would seriously hamper usability on many web pages. But it's your decision to make. :)
     
  9. Mesa7

    Mesa7 Guest

    Rasheed187

    I have heard of a couple (actually 3) free programs that help secure/patch holes in IE, but I'm not really too sure about them, because I never actually tried any of them. I have heard they are all good though, but just not exactly sure if they would cause any problems/conflicts with other software. Actually I asked about two of them in another thread https://www.wilderssecurity.com/showthread.php?t=42672 but no one replied, so I guess they're not too popular around here.

    1. Smartfix http://www.majorgeeks.com/download4054.html

    2. Qwik-fix http://www.majorgeeks.com/download.php?det=4033

    3. Bugoff http://www.spywareinfoforum.com/~merijn/download.html

    I heard Smartfix is the best of them followed by Qwik-fix and then Bugoff. But I also heard by using some of the features in these helpful looking programs you may disable some parts of Windows temporarily. Luckily any changes you make can be reverted.

    One of the things that makes Smartfix look better than Qwik-fix is you can clearly see what Smartfix is doing, and check and uncheck what you want, but with Qwik-fix you can't see or do much of anything. Bugoff is like a scaled down version of Qwik-fix. Hope you find them useful in your quest for better IE security.
     
  10. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Still not enough. The unfortunate fact is that the only way to make IE safe is not to use it.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I've been thinking and I came to the conclusion that I will have to take my chances with IE. I've been reading about security problems with browsers in the past (IE and Netscape) and you had them too back then! And way back I was browsing the web like a maniac clicking on every possible link with activex enabled. Guess what, I never had a problem in those 6 years. So maybe I'm getting a bit too paranoid.

    Of course, I can't close my eyes to the holes in IE, but I now know much more about security and follow all the news actively. The ADODB.Stream and Shell.Application holes really got me worried and since then I have even disabled active scripting.

    But I feel a whole lot better now that I have fixed those critical problems. (Btw, IE 5.01 was not vulnerable to download.ject after all and I fixed the shell.application problem in the registry).

    http://www.securityfocus.com/bid/10652
    http://www.securityfocus.com/bid/10514
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Btw, those apps (first 2) look cool to me Mesa7, but I would also like to know if they do their job well. :)

    About the firewall, so if IE has access you won't be able to prevent the exploitation of a single hole? Can't you configure it in a way that hostile website can't do bad things? I know that firewalls should at least be able to stop trojans.

    Look at this for example, the firewall won't help against this?

    http://secunia.com/advisories/10157/
     
  13. Mesa7

    Mesa7 Guest

    Rasheed187

    Perhaps combining the first two apps I mentioned would help more than just one on its own. Smartfix is recommended by Lockergnome, by the way. I know you want to make IE as safe as possible, so combining the two apps I mentioned along with the other very helpful replies from others (using IE-Spyad, SpywareBlaster, adjusting IE settings etc.) in this thread may just do the trick. But true, IE will never be perfect, no browser ever will be. There's always some stupid genius (can someone really be a stupid genius?) just waiting for his 15 minutes of fame. There's a lot of good advice here, I would take it, and just do the best you can with it, hopefully it will be enough. But I'm not saying to stop looking for ways to make IE more secure.

    Pigman

    No offense, but I don't think you're qualified to make that decision, if the apps I mentioned are enough for Rasheed's needs. They just may be what he needs to supplement his defenses. I have been reading your posts, Pigman, since you first started here, true you have learned much, but you don't have the experience to make that call IMO. Again no offense intended.
     
  14. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    No, in general firewalls will not help with this sort of vulnerability. You must remember that many of the vulnerabilities outlined by the likes of Secunia are generally "Application Layer" vulnerabilities. That is, the application itself is doing something with what it receives that can present a vector for a security breach. Firewalls typically are concerned with filtering traffic based upon "Layer 3 (or Network Layer)" (OSI model nomenclature) variables... i.e., things like Source IP Address, Destination IP Address, IP Protocol, TCP/UDP Source/Destination ports, etc. Firewalls are not making a blanket statement that all traffic that passes through is valid and non-malicious, rather think of them as a barbwire fence that enforces access procedures and policies. A fence has well defined entry and exit points that you know you should lock and/or guard, but that doesn't mean that a spy couldn't somehow creep in through one of those defined entry points.

    The vulnerabilities that you often see referenced can't be blocked by firewalls because they mimic in some way valid traffic. So your browser sends out a request to a web server, the web server sends back a response to your browser. In general, most firewalls will ok this because the response is coming from a source IP (the web server) that you initiated contact with and because it is coming towards a destination TCP port that looks valid (the TCP port for your web browser). Yes, there are proxy firewalls and/or "deep inspection" firewalls that might look a little closer... but I would consider these to be atypical at this point.

    BTW, in general, trojans aren't really "stopped" by firewalls. A trojan typically invades a victim through what appears to be a useful program download, email attachment, IM transfer, or p2p session. Once loaded, the trojan in fact begins executing with some hidden (or perhaps even not so hidden) nefarious purpose. Software, or host-based, firewalls will perhaps catch trojans that attempt to broadcast out to an IRC server channel or to some other location... but this isn't necessarily guaranteed and it nevertheless ignores the fact that the trojan has already loaded up and is executing and may have done irreparable harm already. Some trojans may not attempt to broadcast out, but rather set themselves up as remote access trojans (or RATs) that open a specific TCP port and listen for incoming traffic (or they do both). In general, most software and hardware firewalls will prevent this unsolicited inbound traffic (but there are still ifs, ands, buts, and gotchas to all of this).

    Anyway, short answer, don't rely upon firewalls as all knowing and all powerful. Firewalls are simply part of an overall mix of a good defense.

    BTW, if I might add my $0.02. Don't get overly worked up about all those that would push you to an alternative OS or an alternative browser. There are certainly some valid points, but there is also an extreme amount of background "noise" as well. IE does have its share of vulnerabilities. No question about it. But it isn't as problematic, in general, as many make it out to be. IE does offer significant functionality, much of which was certainly designed into the product before Microsoft became more "devoted" to security issues... but that doesn't mean that I, personally, would recommend that everyone trash it either. Many people using alternative browsers are living with a false sense of security. However, certainly everyone should feel free to use what works for them.
     
  15. Justhelping

    Justhelping Guest

    The right level which to handle IE exploits is at the application level.

    That is via a proxy server not with a packet filter.
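
Added example (not part of any post in this thread): a minimal Python sketch of the distinction Alec and Justhelping describe above. A stateful packet filter decides on addresses and ports only, so it admits a solicited HTTP reply whatever the body contains, while an application-level proxy filter parses the reply and strips `<object>` elements. All names, addresses, ports, the zeroed CLSID and the sample response are constructed, and it covers plain HTTP only.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

class StatefulPacketFilter:
    """Network/transport-layer filter: tracks flows the host opened and
    admits inbound packets only as replies. It never reads the payload."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        # Remember (local port, remote IP, remote port) for the reply path.
        self.flows.add((pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt):
        return (pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows

# Matches an <object> element, or an unclosed one through to end of body.
OBJECT_TAG = re.compile(rb"<object\b.*?(?:</object\s*>|\Z)", re.I | re.S)

def proxy_filter(http_response):
    """Application-layer filter: strip <object> elements from HTML bodies.
    Returns (rewritten response, number of elements removed)."""
    head, sep, body = http_response.partition(b"\r\n\r\n")
    if b"content-type: text/html" not in head.lower():
        return http_response, 0
    cleaned, removed = OBJECT_TAG.subn(b"<!-- object removed -->", body)
    # Keep the response well-formed: the body length has changed.
    head = re.sub(rb"(?im)^content-length:[^\r\n]*",
                  lambda m: b"Content-Length: %d" % len(cleaned), head)
    return head + sep + cleaned, removed

# Constructed sample data (documentation addresses, zeroed CLSID).
SAMPLE_BODY = (b'<html><object classid="clsid:00000000-0000-0000-0000-'
               b'000000000000"></object><p>hi</p></html>')
SAMPLE_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY

def demo():
    fw = StatefulPacketFilter()
    fw.outbound(Packet("192.0.2.10", 49152, "198.51.100.7", 80))
    reply = Packet("198.51.100.7", 80, "192.0.2.10", 49152, SAMPLE_RESPONSE)
    unsolicited = Packet("203.0.113.9", 51000, "192.0.2.10", 12345)
    return {
        "reply_allowed": fw.inbound(reply),              # solicited, so passed
        "unsolicited_allowed": fw.inbound(unsolicited),  # no matching flow
        "objects_removed": proxy_filter(SAMPLE_RESPONSE)[1],
    }

if __name__ == "__main__":
    print(demo())
```
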
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the feedback Alec, I understand it much better now, and yes I agree, I was getting a bit too paranoid I think. Opera and Mozilla are safer yes, but like I said before, back in the days I was surfing the web unpatched and with activex enabled, never had a problem though. :)

    And of course, it's the best not to get infected by a trojan or RAT, but I sure hope ZA Pro will detect such a trojan! Can you give me an example of a deep inspection firewall btw?

    About Smartfix, it looks cool, but the problem is that I do not know which problems I already fixed myself, so I'm afraid it will maybe screw things up. But it's a nice concept of course, for people who want a quick fix.
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Vulnerabilities are exploited to a far greater extent nowadays - and with the latest ones involving alterations to popular websites, it is no longer simply a case of avoiding the darker side of the web.
    The only trojans that a firewall has any chance of detecting are those that try to send data out over the Internet. Even then, there are ways of bypassing firewalls (check the leaktest description and review at PCFlank and the more recent results at Firewallleaktester) and the firewall, if it detects the communication, will simply give you the chance to block it. It will not prevent other actions by the trojan (e.g. altering system settings or overwriting Windows system files).

    There is no such thing as a "deep inspection firewall" that scans traffic to find a trojan or virus download - any attempt at doing this could be easily foiled by using encrypted traffic (https). The closest thing would be software like CheckPoint Technologies Firewall-1 and this simply uses its knowledge of network application protocols to determine whether traffic should be permitted or not (e.g. checking the PORT commands issued during a File Transfer session to determine which data streams should be allowed).

    The best solution is to use an anti-virus scanner (regularly updated) and, if you download files from Usenet, IRC or P2P (where someone could more easily implant a trojan without being traced) consider a specialist anti-trojan also. Also consider an application or process firewall like System Safety Monitor or Process Guard - these will alert you to software that tries shutting down other processes (many trojans will try to shut down firewalls for example), hooking into other processes (keyloggers will do this) or modifying the Windows Registry. While legitimate software will do these things also (e.g. mouse drivers need to hook into other processes), they can provide warning of many trojans though, as with a firewall, you have to decide what to allow and what to deny (so knowing your system is important).
    While I would agree with the other points in your post Alec, I would ask you to consider the number of vulnerabilities for Internet Explorer 6 (55) compared to Firefox 0.x (7) or Opera 7.x (27). Not only that, but IE's vulnerabilities have tended to be more serious (15% rated Extremely Critical compared to 4% for Opera and 0% for Firefox). This is due to IE being integrated into the Windows Shell, meaning that an IE exploit is more likely to become a Windows exploit.

    While patching can fix known problems, there is often a significant window between the time a problem is discovered until it is acknowledged and fixed (Microsoft are especially poor here, having taken more than 200 days to fix critical issues). It is far better therefore to select products that have been designed with security in mind - and Internet Explorer should be the choice of last resort in this case.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the feedback Paranoid2000, this is of course all true what you said, I think I might as well use an app like SSM, but it uses 10% of my CPU almost constantly, on a slow system that does matter. That's why I also don't use any realtime AV protection, I just scan files that I download for viruses/trojans.

    I did test ZA Pro and it passed all the tests (on Win9x at least) so I hope it will be able to spot most trojans, but I forgot that trojans can also alter your system files, that's a bad thing of course. But abandoning IE/Maxthon is out of the question, other browsers suck too hard. :(
     
  19. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Rasheed, I've been lurking in on various IE security threads you're in and admire your tenacity at exploring various approaches to suffice your means. It's good, members have come forward with great replies to your questions, enlightening myself and others. Just stick to your guns though, I think you're onto something.
     
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If CPU usage is an issue, then Process Guard is far less demanding than SSM (but it only runs on Win2K/XP not Win9x/ME). On my Win2K system (1GHz PIII), after 136 hours uptime SSM used 4:04 hours CPU while DCSUserProt (the Process Guard service) used 1:29.

    Bear in mind that even if your firewall passes all leaktests (ZA should fail the more advanced ones like Thermite and Copycat - did you test these?), it can still be bypassed by a rootkit - this is a trojan that modifies Windows system files to hide its presence (so its Registry entries would not be displayed in Regedit, its files would not be visible in Explorer and its network traffic would not be shown by any network utilities). The Computer is trojaned proxy server thread at the Outpost forums has some useful information and links on these.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Global Force, you know what the thing is, I already knew that most people would say "use Firefox or Opera", but that's no solution for me.

    @Pigman, I already disabled DCOM a while ago with SafeXP, but it's not the same as Activex I think.

    @Paranoid2000, I've played a bit with SSM and it makes my system unstable, too bad. And I couldn't test Thermite and Copycat because they don't run on Win9x. Thanks for the link on rootkits, I hope I will never get one on my system. ;)
     
  22. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    @Rasheed187, "most people", though they're not in your shoes. This activeX thing has you a little concerned, myself included.

    I found this article on zones and activeXplanations while researching some links from Eric's site (netfiles.uiuc.edu). Further, I came across this exploit test page here, which offers a patch or a registry alteration, the latter of which I've read about elsewhere. (Reg mod working for me with no problems, xp home)

    It does seem "Paranoid, Alec, guest Mesa7 and Justhelping" have stayed tight on this topic of IE safety, I would like to hear a "byte" more from our guest Justhelping on this proxy server item, or anyone else with a valid explanation.

    Oh, and Mesa7, I do believe one can be a "Stupid Genius."
     
  23. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    If a genius wastes his or her time making malware, he or she must be pretty damned stupid. :p

    Yep, it's possible to be a stupid genius.
     
  24. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    All this malware assembly must be leading to employment "Hacking" in one of those striped suits, eh?
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have a question, I tried to fix a high risk hole in the registry, by making the following registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
    "Compatibility Flags"=dword:00000400

    But the problem is I will get to see a different dword number when making the key, so what's this dword about? Do I need to change it or is this calculated automatically?

    http://www.securityfocus.com/bid/10652/solution/
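
Added example (not part of the post above): the `dword:` data in a .reg file is written in hexadecimal, so `00000400` is 1024 in decimal, and 0x400 in `Compatibility Flags` is the ActiveX kill bit. This Python sketch parses .reg export text and checks that bit for the CLSID quoted in the post; the sample exports and all function names are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # Compatibility Flags bit that stops IE instantiating the control
AX_COMPAT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
             r"\ActiveX Compatibility")

def parse_reg(text):
    """Parse .reg export text into {key path: {value name: int}} (dwords only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            # Registry key paths and value names are case-insensitive.
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})', line)
        if m and current is not None:
            # dword data in a .reg file is always hexadecimal.
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def kill_bit_state(text, clsid):
    """Return (kill bit set?, flags as 'hex (decimal)') for one CLSID."""
    values = parse_reg(text).get((AX_COMPAT + "\\" + clsid).lower())
    if values is None or "compatibility flags" not in values:
        return False, None
    flags = values["compatibility flags"]
    # Test the bit, not equality: other flag bits may be set alongside it.
    return bool(flags & KILL_BIT), "0x%08x (%d)" % (flags, flags)

CLSID = "{13709620-C279-11CE-A49E-444553540000}"  # CLSID quoted in the post

# Constructed sample exports.
REG_AS_POSTED = ("REGEDIT4\n\n[" + AX_COMPAT + "\\" + CLSID + "]\n"
                 '"Compatibility Flags"=dword:00000400\n')
REG_WITH_OTHER_BITS = REG_AS_POSTED.replace("00000400", "00800400")
REG_NOT_SET = REG_AS_POSTED.replace("00000400", "00000000")

if __name__ == "__main__":
    for name, text in [("as posted", REG_AS_POSTED),
                       ("other bits too", REG_WITH_OTHER_BITS),
                       ("not set", REG_NOT_SET)]:
        print(name, kill_bit_state(text, CLSID))
```
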
     