Protection against international domain names
You could almost consider this security feature an extension of the phishing filter, except that it is enabled automatically and is used whether or not the phishing filter is in use. The idea is that malicious Web sites often try to impersonate well-known legitimate sites, and one of the hardest things for an impostor to copy is the legitimate site's URL. Less sophisticated perpetrators rely on close misspellings of the legitimate domain name. More sophisticated scam artists have begun using internationalized domain names (IDNs), which allow characters from non-Latin scripts in a domain name. Some of those scripts contain characters that are visually identical to letters of the Latin alphabet (the Cyrillic "а", for example, looks exactly like the Latin "a"), but the computer treats them as entirely different characters. A domain name built from such look-alikes, known as a homograph, appears identical to the legitimate name yet resolves to a completely different site.
To protect against this technique, Internet Explorer 7 notifies you when a domain name mixes characters from more than one script, since legitimate names rarely do that and the mixture often indicates that the site is malicious or misleading; in that case the address bar shows the domain in its Punycode ("xn--") form rather than the look-alike characters. Again, you don't have to do anything to enable this feature; it is enabled automatically.
URL handling
A feature related to the IDN protection is a new URL parser. In the past, attackers have exploited flaws in the way the browser parsed URLs to run code on the user's machine. There are several variations on this technique, but the best known relied on an extremely long URL: the excessive length overflowed a fixed-size buffer in the code that processed the URL, and if attacker-supplied data was positioned at just the right offset within the URL, it was executed as code when the overflow occurred.
That particular exploit was fixed long ago, but countless variants of the technique are still used today. IE7 contains a new URL parser that Microsoft designed to perform a sort of integrity check on URLs before handing them to the rest of Internet Explorer, so that a malformed URL is rejected before it reaches code that might mishandle it.
The new URL parser is another example of a security feature that is enabled by default and is not configurable.

Configuring IE7 security on Vista

Home: Introduction
Step 1: General security configuration
Step 2: Phishing filter
Step 3: Protection against international domain names, URL handling
Step 4: ActiveX opt-ins, information bar and cross-domain protection
Step 5: Windows Vista and IE7
ABOUT THE AUTHOR:
Brien M. Posey, MCSE, MVP
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
Copyright 2006 TechTarget