A Tour of Windows XP Service Pack 2 - Part 5.

In the previous episode we saw the features of Internet Explorer that help a great deal in day-to-day browsing. We saw how the pop-up blocker, Information Bar, and Add-on Manager reduce the pain of unwanted intrusion by third parties. Today we will look at some more features that have been implemented in Windows XP SP2. These are not directly seen by the user, so we will refer to them as internal features: the user might not notice the difference without paying close attention.

The features that we will discuss today are:

  • File Downloading.
  • Publishers.
  • Zone Defense.
  • Outlook Express - Attachment Manager and HTML Content Blocking.

    File Downloading

    Another route of intrusion onto a user's computer without the user's knowledge was through the downloading of files. When the user clicked on a link to download a file, the site would redirect him to another site to begin the download, and before the user could realize what had happened, the download would begin with additional software that wasn't requested. This led to the installation of spyware and other software that was harmful to the user's computer.

    Windows XP SP2 changes this behaviour. The files that can be downloaded are of different types and serve different purposes: a game, a picture, or even a program. For this reason, Internet Explorer has stepped up its scrutiny of any file you begin to download, open, or save from the Web. Internet Explorer checks to see whether the file is the type of file it says it is and provides strong warnings if there are irregularities in how the file describes itself or if there seems to be a potential for harm based on the particular type of file. Internet Explorer also offers more concise information to help you understand the implications of opening or saving a file. Internet Explorer users will immediately notice several changes to the dialog box when they download files. The following points describe what Internet Explorer's security mechanism shows and warns about while a file is being downloaded.

    1. Internet Explorer displays the type of file that the user is attempting to download. In Windows XP SP2, the user will also see the size of the file as well as the type of file it is. Downloaded executable files are checked for publisher information. The publisher check provides information that can be used to check whether the files are from suspicious or unidentified publishers and provides a systematic way to prevent executable files from compromising the security of the computer.

    2. Internet Explorer displays the source of the download so that the user can know where the software comes from. A new security information area at the bottom of the dialog box provides information depending on whether the downloaded file is of higher or lower risk.

    3. Internet Explorer offers guidance about the type of file that is being downloaded. A new file handler icon displays the default application that will be associated with the download.

    4. If the user still isn't sure what to do with the downloaded file, Internet Explorer provides the “How can I decide what software to run?” link to help make a more informed decision about what to do.

    Figure 1. Attachment dialog box enhanced with additional details.
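
    The check of whether a file "is the type of file it says it is" can be sketched as follows. This is an added example, not Internet Explorer's code: the signature and extension tables, the verdict names and the function names are assumptions made for illustration.

```python
import os

# Constructed tables for illustration; not Internet Explorer's own lists.
SIGNATURES = [
    (b"MZ", "executable"),
    (b"\xff\xd8\xff", "image"),
    (b"GIF87a", "image"),
    (b"GIF89a", "image"),
    (b"\x89PNG\r\n\x1a\n", "image"),
    (b"PK\x03\x04", "archive"),
]
CLAIMED_BY_EXTENSION = {
    ".exe": "executable", ".scr": "executable",
    ".jpg": "image", ".jpeg": "image", ".gif": "image", ".png": "image",
    ".zip": "archive", ".txt": "text",
}
HIGH_RISK = {"executable"}


def sniff(data):
    """Classify content from its leading bytes, ignoring the file name."""
    for magic, family in SIGNATURES:
        if data.startswith(magic):
            return family
    head = data[:512]
    if head and all(b in (9, 10, 13) or 32 <= b < 127 for b in head):
        return "text"
    return "unknown"


def assess_download(filename, data):
    """Return (verdict, claimed, actual) before the file is opened or saved."""
    ext = os.path.splitext(filename.lower())[1]
    claimed = CLAIMED_BY_EXTENSION.get(ext, "unknown")
    actual = sniff(data)
    # Irregularity: the content contradicts what the name claims.
    if actual != claimed and (actual in HIGH_RISK or "unknown" not in (claimed, actual)):
        return "mismatch", claimed, actual
    # Consistent, but the type itself carries a potential for harm.
    if actual in HIGH_RISK:
        return "high-risk", claimed, actual
    return "ok", claimed, actual
```

    A "mismatch" verdict corresponds to the strong warning for a file that misdescribes itself, and "high-risk" to the warning based on the type alone.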

    Publishers

    Windows XP SP2 includes several enhancements for blocking downloads from specific publishers. Some publishers will go to great lengths to have users install their programs. Some users have experienced a situation in which they were unable to get rid of repeated prompts to install a program that they didn't want or didn't trust, and in some cases the user even installed the program by mistake when trying to get the prompts to go away.

    Now, Internet Explorer helps you to avoid this situation. With a simple click of the mouse, you have the option of automatically preventing certain programs from being installed or run on your computer. This includes an option to block all software from a specific publisher. Internet Explorer also provides the facility to handle downloads from a specific publisher with the Add-on Manager.

    In an earlier chapter we explored the Add-on Manager, which allows the user to block certain ActiveX controls.

    Stronger Zone Defense

    As a security measure, Internet Explorer corrals all Web sites on the Internet into a single zone—the Internet zone—and applies a certain level of security protection which helps you to browse more securely. Internet Explorer will prompt you before you download content that it identifies as potentially unsafe.

    Internet Explorer also specifies four other zones, including Trusted and Restricted zones, to which you can assign Web sites either that you trust completely, such as Windows Update, or that arouse your suspicion. It also assigns your hard disk to the Local Machine zone (although this zone is not displayed in the settings for Internet Explorer).

    When you open a Web page, Internet Explorer restricts the actions the page can take based on the zone of the Web page (Internet, Restricted, and so on). For example, Web pages that are located in the Internet zone might not be able to perform some operations, such as accessing information from the local hard drive.

    In previous versions of Internet Explorer, your hard drive (or Local Machine zone) was considered to be secure, and content in this zone was allowed to run with relatively few security restrictions. However, attackers often tried to take advantage of these low restrictions to compromise computers.

    In Windows XP SP2 this changes. Internet Explorer applies strong security settings to the Local Machine zone to help protect against some common types of attacks, such as the running of a harmful download or a malicious script.

    Local Machine Zone Lockdown

    Prior to Windows XP Service Pack 2, the content on the local file system was considered to be secure and was assigned to the Local Machine security zone. This security zone normally allows content to run in Internet Explorer with relatively few restrictions. However, attackers often try to take advantage of the Local Machine zone to elevate privilege and compromise a computer.

    Many of the exploits that involve the Local Machine zone will be mitigated by other changes to Internet Explorer in Windows XP SP2. However, attackers may still be able to figure out ways to exploit the Local Machine zone. Windows XP SP2 further protects the user by locking down the Local Machine zone in Internet Explorer by default. Local HTML hosted in other applications will run under the less restrictive, previous default settings of the Local Machine zone unless that application makes use of Local Machine Zone Lockdown.

    With Windows XP Service Pack 2, Local Machine Zone Lockdown will be even more restrictive than the Internet zone. Any time that content attempts one of these actions, the Information Bar will appear in Internet Explorer with the following text:

    "To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options..."

    The user can click the Information Bar to remove the lockdown from the restricted content. This kind of security enables the user to know when an interactive CD is trying to execute an ActiveX script.

    Outlook Express - Attachment Manager

    Another important area of security improvement in SP2 is the e-mail applications. Since downloads also occur through e-mail attachments, it is important to provide the same kind of secure environment that is provided for the downloading of files in Internet Explorer. SP2 provides Outlook Express with the Attachment Manager.

    Attachment Manager is a new set of application programming interfaces (APIs) that is used to check e-mail attachments. The use of Attachment Manager allows applications to eliminate custom code that performs similar safety checks and instead rely on this centrally managed API set. In addition, Attachment Manager provides a consistent user experience across all applications that check the security of an attachment. When Outlook Express opens an e-mail that has an attachment, it now calls Attachment Manager to determine whether the attachment is safe. Based on the type of attachment, Outlook Express takes different actions:

    1. Safe attachments (for example a JPEG or GIF file) are completely available to the user. Safe images are displayed, and safe attached plaintext files are shown as available attachments.

    2. Unsafe attachments (for example, binary executables) are blocked. The user cannot open them at all but does see a notice of the blockage.

    3. Suspicious attachments trigger a warning prompt when the user attempts to drag, save, open, or print the file. If the user accepts the option to drag, save, open, or print the file, the file is handled in a way that is guaranteed to trigger any active antivirus program.

    Windows Messenger uses similar logic and identical dialogs for handling file attachments. A major difference between Outlook Express and Windows Messenger is that e-mail attachments are normally downloaded without any intervention by the user. The instant messaging attachments normally require the recipient's permission before they can be received.

    HTML Content blocking in Outlook Express

    Businesses and individuals that use spam as a marketing technique typically include external content (such as references to images that reside on their Web servers) inside the HTML e-mail message. When the user opens the e-mail that contains the image, previous versions of Outlook Express would automatically contact the Web server to download and display the images. This process would allow the Web server to record a “hit” that would be used to identify the recipient. Specifically, this verified that a spam e-mail message was received by a recipient in the spam originator’s mailing list. With SP2, the “Don’t Download External HTML Content” feature of Outlook Express allows the user to do the following:

    • Block external images and other external content in Outlook Express when viewing e-mail in HTML mode. This download behavior is configurable and is enabled by default when you install Windows XP Service Pack 2. When the option is active, the user can load the blocked external content for an e-mail message with a single click. The feature preserves the user's privacy and prevents future attacks.

    • Minimize the likelihood that downloaded e-mail with external Internet content will automatically attempt to start a dial-up connection when read offline. Prior to this feature, if a user downloaded e-mail messages, disconnected from the Internet, and then attempted to view an HTML message that included pictures or other external Internet content, the user's modem would automatically attempt to dial out to download the external content.

    As an additional measure, when the user sets Outlook Express to read all messages in plaintext, Outlook Express uses the rich edit control instead of the HTML browser control (mshtml) from Internet Explorer. This choice offers a reduced surface to attackers.
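
    The external content blocking described above can be illustrated with a small filter that rebuilds an HTML message without the attributes that would make the reader fetch remote content. This is an added example, not Outlook Express code; the class and function names, the attribute list and the sample message are assumptions, and comments and doctype declarations are dropped rather than copied.

```python
from html import escape
from html.parser import HTMLParser

# Attributes fetched automatically on render (CSS url() is not covered here).
FETCHING_ATTRS = {"src", "background", "poster"}
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "//")

class ExternalContentBlocker(HTMLParser):
    """Rebuilds an HTML message, dropping attributes that fetch remote content."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _emit(self, tag, attrs, tail=""):
        parts = [tag]
        for name, value in attrs:
            fetches = name in FETCHING_ATTRS or (tag == "link" and name == "href")
            if fetches and value and value.strip().lower().startswith(REMOTE_PREFIXES):
                self.blocked.append(value)  # kept so the user can load it on request
                continue                    # cid: and data: references pass through
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + tail + ">")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def block_external_content(html_body):
    """Returns (sanitised_html, list_of_blocked_urls)."""
    parser = ExternalContentBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample: a 1x1 image whose URL identifies the recipient to the sender.
SAMPLE = (
    '<body background="http://ads.example/bg.png"><p>Offer &amp; more</p>'
    '<img src="http://tracker.example/open.gif?rcpt=alice%40example.org" width="1" height="1">'
    '<img src="cid:logo" alt="logo"><a href="http://shop.example/">Visit</a></body>'
)
```

    Hyperlinks are left intact because they are only requested when the user clicks them; the image embedded in the message itself (cid:) needs no network access and is kept.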

    We covered a lot today and saw how Service Pack 2 safeguards the operating system internally from external threats. We also saw how Outlook Express gained security features for attachments and HTML rendering. In the next section we will see how the networking environment has been enhanced with Service Pack 2 to safeguard against the hostile perils of the network, whether internal or external.
