1. IE Security: Past, Present, and Future Tony Chor Group Program Manager Rob Franco Lead Program Manager Internet Explorer Microsoft Corporation

2. About this presentation PastPresent Guiding principles for IE Security The Security Development Lifecycle (SDL) Future High level browser threat model How IE7 addresses the threats

3. Past Compatibility and features trumped security Users fooled into making bad trust decisions Malware installed via architectural flaws Powerful extensibility misused Security seen as a servicing problem Adversarial relationship with community

4. Past “I suggest dumping Microsoft’s Internet Explorer Web browser, which has a history of security breaches.” Walt Mossberg Wall Street Journal September 2004

5. Present: IE is back! IE team reborn 24 months ago Improved security response IE 6.0 for Windows XP SP2 New versions Engaging the community Security is integral to our engineering practices

6. Present: Guiding principles The web must be safe Reduce attack surface Build defense-in-depth Secure by default Enable users to make smarter choices The web must be useful App compat and site compat are critical Corporate IT has different needs from consumers Partner with the community

7. Engineering Excellence Security Development Lifecycle Security Response Center Community feedback Improved quality of updates & tools Security Development Lifecycle

8. IE Security: Present “The assumption that Internet Explorer is easier to exploit is a common misconception…Internet Explorer has become quite tough, and it is very difficult to find vulnerabilities in it.” Security Focus Newsletter May 12, 2005

9. Future: IE 7 SDL-driven security strategy Dynamic protection against fraud User control over extensibility Architectural enhancements against malware Proactive engagement with community

10. Threat Model: Browser Data Flow Diagram Outbound:URLs HTTP requests Auth & cookie data Inbound:URLsHTMLScript Non-IE files

11. User Interface IEFrame Network request layer Page RenderingWinINet URLMon Browser Helper Objects Toolbars Mimefilters MSHTML ActiveX Script Engine BinaryBehaviors Threat Model: Internet Explorer Architecture

12. Sample Threats: Site spoofs user User lowers security settings Buffer overrun Threat Model: User Interface Layer

13. In this demo, you will see how IE 7: Uses a phishing filter to dynamically protect users from fraud Warns users about unsafe settings Demo: User Interface Mitigations

14. Sample Threats: URL parsed incorrectly Buffer overrun Threat Model: Network Request Layer

15. Threat Model: Network Request Layer Unified URL Parsing Problem: URLs passed as strings may be parsed inconsistently through the stack Special characters complicate URL parsing http://www.good.com@bad.comSolution: iURI is IE’s single URL parsing object Canonicalizes URLs targeting RFC 3986 IE passes the pre-parsed object through the stack  iURI available to ISVs

16. Sample Threats ActiveX controls misused Page Access rules fail Unsafe access defaults Page Redirects Buffer overrun Threat Model: Page Rendering Layer

17. Problem: ActiveX controls can expose dangerous functions and security bugs to any page on the web Solution: Pre-installed ActiveX controls will prompt on first use the same as downloaded controls Users can run in Add-ons disabled mode to shut off more extensions like BHOs “This move is worth praise.” Joe Wilcox, Jupiter Research, September 13, 2005 Threat Model: Page Rendering Layer ActiveX Opt-in

18. Problem: Hackers use script protocols to run domain- less script javascript:alert(document.body.innerHTML)Solution: Migrate the script protocol to run as script in the originating page Threat Model: Page Rendering Layer Cross Domain Security

19. Problem: Attacker finds a place where the parser does not check for size of an argument Solutions: Automated code review tools Safe memory APIs Fuzz testing  These tools are part of Visual Studio 2005 Threat Model: General Prevent Buffer Overruns

20. IExplore.exe Install an ActiveX control Change Settings, Download a Picture Cache Web contentExploit can install MALWARE Admin-Rights Access User-Rights Access Temp Internet Files HKLM Program Files HKCU My Documents Startup Folder Untrusted files & settings Threat Model: General EOP: Today

21. Protected Mode IE Protected Mode IE Install an ActiveX control Change settings, Save a picture Integrity Control Broker Process Redirected settings & files Compat Redirector Cache Web content Admin-Rights Access User-Rights Access Temp Internet Files HKLM HKCR Program Files HKCU My Documents Startup Folder Untrusted files & settings Threat Model: General EOP: Protected Mode Broker Process

22. Demo: Protected Mode IE In this demo, you will see how IE 7: Runs with restrictions to prevent exploits from installing malware on users’ systems Keeps the web useful Still allows users to download files or change settings Allows Intranet sites to run without restrictions

23. IE Security: Future “If all Windows users were running Vista [with IE7], the Internet would be a much safer place.” Larry Seltzer eWeek July 29, 2005

24. Internet Explorer 7.0 Win reviews and the popular vote Improving Trustworthy Browsing Amazing Everyday Browsing Good Web Developer Platform Release dates Windows Vista: 2 nd half of 2006 Windows XP SP2, Windows Server 2003 SP1, x64: TBD Status Beta 1 released in June Beta 2 Preview in October Beta 2 later this year

25. Resources Books Writing Secure Code Second Edition Michael Howard and David LeBlanc Threat Modeling Frank Swiderski and Window Snyder Resourcesblogs.msdn.com/ie/secure@microsoft.comTools Visual Studio 2005

26. Conclusion We’ve come a long way. We have a long way to go. We’d like your help Test IE 7 for security and compatibility Give us feedback – we’re listening!

27. Q&A Your quotes? Your thoughts? Your questions?

28. secure@microsoft.com