The world as frankps sees it!
Posts tagged Internet Explorer 8
Internet Explorer 8 – Security
0
Matt Heller
Internet Explorer Product Management
Microsoft Corp
IE 8 is feature complete.
Evolution and Change
Web has envolved a lot the last 2-3 years. Things change, Web 2.0, privacy … Mashups are getting common. Users use frameworks for that. This creates new vulnarabilities.
Users need to get control over things, especially this goes for privacy. User Preferences/Control. EU is coming with law/rules giving consumers privacy rights.
Growth in ecommerce depends on consumer trust. Consumers need to trust the sites they are visiting, but also the browser they use.
Shifting Threats and Exploits
Social Engineering
Phising Filters
Email Authentication
Browser Vulnerabilities
Web Server & Applications
The world beyond the browser.
Malvertising
More leveraged and efficient target
Reducing limitations with spam traps or phising filters
Threat Trends and Diversification
Attacks Getting More Sophisticated
- Spyware
- Rootkits
- Application attacks
- Phising (Smart Screen filtering) / Social engineering
Vulnerability Class
70 % of the vulnerabilities out there (XSS), are things that trad. browsers could not do anything about. MS tries to do things against them in IE 8.
XSS Exploits
XSS are the most prevalent vulnerability (41%)
XSS exploits are the new buffer overflow
Internet Explorer 8
Freedom from intrusion
- Social engineering and exploits: Emerging threat vectors, attacking multiple targets (users, businesses, brands and site owners), devirsification of attacks
- Reduce unwanted communications
Protection from harm
- Browser and web server exploits
- Deceptive websites, malicious code, fraud, identity theft
Control of information
- Choice and control
- Clear notice of information use
- InPrivate Browsing
- Deleting Cache
ActiveX Enhancements
Security, compatibility and functionality
Who? Per User. Doesn’t require elevating admin privileges. No longer installed per machine, but per user. Therefor admin acceptance is no longer needed. Installs to current user.
Can it be used? Opt-in. Before it can be used
Where? Per site. Developers can restrict to their site
Exploit Controls. ActiveX Killits. Pre IE 8. Can be requested by control publisher.
The Acitive X Enhancements can be configured via Group Policy.
IE 8 XSS Filter
Cross-site scripting attack
MS is only identifying the scripts. Known XSS scripts get changed to the point that it doesn’t run.
The domain name is in IE8 highlighted.
XSS Decision Process Flow – Photo made, available later.
More Secure Mashups
Typical for mashups is that the communication is cross domain.
- Cross Domain Request (XDR)
- Cross Document Messaging (XDM) – Part of the new HTML 5 draft
Third Party Content Serving
Over time, users’ history and profiles can unknowingly be aggregated:
- Any 3rd party contect can be used like a tracking cookie
- Unclear accountability with 3rd party security and privacy policies
User control
- InPrivate Browsing
- InPrivate Blocking
- InPrivate Subscription
Resources
Check out http://www.ie8demos.com
Introduction to Windows 7 Security
13 years ago
Paul Cooke – CISSP
Director
Microsoft
Core Security in Windows 7, explore related usage scenarios, and look into how to manage these in an enterprise environment.
The Windows Vista Foundation is continued. User Account Control and Enhanced Auditing. Security Development Lifecycle process. Kernel Patch Protection, Windows Service Hardening, DEP & ASLR (IE 8 inclusive), Mandatory Integrity Controls.
User Access Control
Make the system work well for standard users
Administrators use full privilege only for administrative tasks
File and registry virtualization helps applications that are not UAC compliant
Windows 7
Reduce the number of OS applications and tasks that require elevation
Refactor applications into elevated/non-elevated pieces
Flexible promt behavior for administrators
Customer Value: Users can do even more as a standard user (for instance change time zone) and administrators will see fewer UAC Elevation Prompts. MS has done a lot to evaluate user submitted data of their user experiences. Users will be able to do more in Windows 7 then in Vista.
Desktop Auditing
Simplidied configuration results in lower TCO
Demonstrate why a person has access to specific information
Understand why a person has been denied access to specific informatioin
Track all changes made by specific people or groups
Advanced Security Settings for Global File SACL (Photo taken) – you can then find when and who is poking around on the system.
UAC Control
Set the level for what level the UAC should prompted you on. You can no longer turn UAC off, but can set it to never prompt me. More or less the same? You can now look at the BitLocker state on your disk without getting prompted. Users can run updates without getting prompted. You set the level of UAC. You can also prevent them from doing so.
Securing Anywhere Access
Network Security
Windows Firefall can coexist with 3rd party products
Multi-Home Profiles – with Vista you can only have one such Home profile.
DNSSec
Network Access Protection (NAP)
Ensure that only “healthy” machines can access corporate data
Enable “unhealthy” machines to get clean before they gain access
NAP is the same as for Vista. Just as UAC, NAP is here to stay
DirectAccess
Same experiences accessing corporate resources inside and outside the office
Seamless connection increases productivity updates and policies
Seamless connection increases productivity of mobile users
Easy to service mobile PCs and distribute updates and policies
Built on Open Standards, IPv6 and IPSec. Not many people has IPv6 deployed. Torado protocol to tunnel IPv6 over an IPv4 network. Use Kerberos token. Cisco VPN also use IPSec. It is the VPNless VPN…
AppLocker
Application Control
Users can install and run non-standard application. Run applications from USB sticks and non-standard applications.
Even standard users can install some types of software
unauthorized applications may:
- introduce malware
- Increase helpdesk calls
- Reduce user productivity
Simple Rule Strcture: Allow, Exception & Deny
Publisher Rules: Product Publisher, Name, Filename & Version
Multiple Policies: Executables, installers, scripts & DLLs
Rule creation tools & wizard
Audit mode only
He actually mentioned somebody bloged about blocking Google apps. I guess that was my blog …
(Photo of a white list)
Publisher – Path – Hash are different ways of blocking/allowing applications. You can set version number, but also allow higher version number. Then you don’t have to maintain the white list every time there is a patch. You can also allow applications from a Publisher, for instance Microsoft, and you allow one specific application or a suite of applications. You can also allow a specific user or a group of users to use an application that is banned for the rest of the organization.
More about AppLocker tomorrow – First lecture, 9 o’clock.
Internet Explorer 8
(foto)
Freedom from intrusion – Social Engineering and Exploits
Reduce unwanted communications
Protection from harm: Browser and Web Server Exploits.
Protect Data
RMS, EFS and BitLocker
30 % of lost data is from lost devices.
BitLocker To Go
USB external devices (sticks and drives)
Create group policies to mandate the use of encryption
Now supports the FAT filesystem from Windows 7.
New Key Protectors for BitLocker
- Domain Recovery Agent (DRA)
- Smart Card – data volumes only
Windows 7 has a bunch of new GPOs for BitLocker. You can now set the minimum pin length. Deny write access to removable media if it is not BitLocker protected. A BitLocker protected device only give write access to other Windows 7 machines, but read access to XP SP2, Vista and Windows Server 2008.
You can choose between passphrase or smart card for your removable devices.