News

IE Settings Can Enable Intranet Attacks, Report Says

Default security settings in Microsoft's Internet Explorer browser could open a company's intranet to hacking attacks, according to a recent security white paper.

Default security settings in Microsoft's Internet Explorer browser could open a company's intranet to hacking attacks, according to a recent security white paper.

The report, posted last week by Argentina-based security consultancy Argeniss, defined the issue based on Microsoft's scheme of using five security zones in Internet Explorer. In particular, the Local Intranet Zone has a more relaxed security setting by default than the Internet Zone. The white paper outlines a proof-of-concept attack based on that lowered security setting.

Someone with inside information about the appearance of the company's intranet interface could use that information in combination with phishing techniques to harvest passwords and gain access to workstations, according to the report's author, Cesar Cerrudo. The report focused on IE 7, but it can apply to IE 8 too.

Cerrudo notes that it's possible to get to the intranet, with its lower default security setting, through the Internet. Another issue is that Microsoft's cross-site scripting filter is disabled by default in IE. Consequently, an attacker just needs to lure the victim to a Web site controlled by him where script code opens a password login box that looks like the one used in the company's intranet. It's a scenario that requires inside information.

To prevent such a phishing scenario, Cerrudo recommends disabling two options that might allow the construction of such a fake login box: "allow script-initiated windows without size or position constraints" and "allow websites to open windows without address or status bar." He also recommends turning on the "enable XSS filter" setting on the Local Intranet Zone.

The report also mentions how SQL injection attacks could be carried out due to default security settings in IE. Cerrudo recommends turning on the "prompt for user name and password" setting on the Local Intranet Zone to help prevent such attacks.

Microsoft, when contacted about the report, stressed that such exploits are possible in "an untrustworthy internal environment."

"It's important to understand that the report outlines scenarios where the internal network cannot be trusted due to a breakdown in other security controls," a Microsoft spokesperson explained by e-mail." Every attack that Cesar Cerrudo outlined requires that an internal server has a vulnerability or that security controls be relaxed enough so that unauthorized users are able to take inappropriate actions against internal servers."

Still, the Microsoft spokesperson said that the report "outlines viable security options for operating Internet Explorer" in such untrustworthy environments. The spokesperson recommended that IT pros change IE's default security settings in accord with organizational security policy.

Some additional IE 8 security tips are referenced in Microsoft's team blog here, as well as at the Microsoft enterprise IE 8 site.

The report, "Opening Intranets to attacks by using Internet Explorer," can be accessed at Argeniss' Web site here (PDF).

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • The 2021 Microsoft Product Roadmap

    From Windows 10X to the next generation of Microsoft's application server products, here are the product milestones coming down the pipeline in 2021.

  • After High-Profile Attacks, Biden Calls for Better Software Security

    Recent high-profile security attacks have prompted the Biden administration to issue an executive order aiming to tighten software security practices across the board.

  • With Hybrid Networks on Rise, Microsoft Touts Zero Trust Security

    Hybrid networks, which combine use of cloud services with on-premises software, require a "zero trust" security approach, Microsoft said this week.

  • Feds Advise Orgs on How To Block Ransomware Amid Colonial Pipeline Attack

    A recent ransomware attack on a U.S. fuel pipeline company has put a spotlight on how "critical infrastructure" organizations can prevent similar attacks.