IE settings may enable intranet intrusions
- By Kurt Mackie
- Apr 15, 2009
Default security settings in Microsoft's Internet Explorer browser could open a company's intranet to hacking attacks, according to a recent security white paper.
The report, posted last week by Argentina-based security consulting firm Argeniss, defined the issue based on Microsoft's scheme of using five security zones in Internet Explorer. In particular, the Local Intranet Zone has a more relaxed security setting by default than the Internet Zone. The white paper outlines a proof-of-concept attack based on that lowered security setting.
Someone with inside information about the appearance of the company's intranet interface could use that information in combination with phishing techniques to harvest passwords and gain access to workstations, according to the report's author, Cesar Cerrudo. The report focused on IE7, but it can apply to IE8 too.
Cerrudo notes that it's possible to get to the intranet, with its lower default security setting, through the Internet. Another issue is that Microsoft's cross-site scripting filter is disabled by default in IE. Consequently, an attacker just needs to lure the victim to a Web site controlled by him where script code opens a password login box that looks like the one used in the company's intranet. It's a scenario that requires inside information.
To prevent such a phishing scenario, Cerrudo recommends disabling two options that might allow the construction of such a fake login box: "allow script-initiated windows without size or position constraints" and "allow websites to open windows without address or status bar." He also recommends turning on the "enable XSS filter" setting on the Local Intranet Zone.
The report also mentions how SQL injection attacks could be carried out due to default security settings in IE. Cerrudo recommends turning on the "prompt for user name and password" setting on the Local Intranet Zone to help prevent such attacks.
Microsoft, when contacted about the report, stressed that such exploits are possible in "an untrustworthy internal environment."
"It's important to understand that the report outlines scenarios where the internal network cannot be trusted due to a breakdown in other security controls," a Microsoft spokesperson explained by e-mail. "Every attack that Cesar Cerrudo outlined requires that an internal server has a vulnerability or that security controls be relaxed enough so that unauthorized users are able to take inappropriate actions against internal servers."
Still, the Microsoft spokesperson said that the report "outlines viable security options for operating Internet Explorer" in such untrustworthy environments. The spokesperson recommended that IT pros change IE's default security settings in accord with organizational security policy.
Some additional IE8 security tips are referenced in Microsoft's team blog here, as well as at the Microsoft enterprise IE8 site.
The report, "Opening Intranets to attacks by using Internet Explorer," can be accessed at Argeniss' Web site here (PDF).