Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Internet Explorer
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
==Security== {{See also|Browser security}} Internet Explorer uses a zone-based [[computer security|security]] framework that groups sites based on certain conditions, including whether it is an Internet- or intranet-based site as well as a user-editable whitelist. Security restrictions are applied per zone; all the sites in a zone are subject to the restrictions. Internet Explorer 6 SP2 onwards uses the ''Attachment Execution Service'' of Microsoft Windows to mark executable files downloaded from the Internet as being potentially unsafe. Accessing files marked as such will prompt the user to make an explicit trust decision to execute the file, as executables originating from the Internet can be potentially unsafe. This helps in preventing the accidental installation of malware. Internet Explorer 7 introduced the phishing filter, which restricts access to [[phishing]] sites unless the user overrides the decision. With version 8, it also blocks access to sites known to host [[malware]]. Downloads are also checked to see if they are known to be malware-infected. In Windows Vista, Internet Explorer by default runs in what is called ''Protected Mode'', where the privileges of the browser itself are severely restricted—it cannot make any system-wide changes. One can optionally turn this mode off, but this is not recommended. This also effectively restricts the privileges of any add-ons. As a result, even if the browser or any add-on is compromised, the damage the security breach can cause is limited. Patches and updates to the browser are released periodically and made available through the Windows Update service, as well as through Automatic Updates. Although security patches continue to be released for a range of platforms, most feature additions and security infrastructure improvements are only made available on operating systems that are in Microsoft's mainstream support phase. On December 16, 2008, [[Trend Micro]] recommended users switch to rival browsers until an emergency patch was released to fix a potential security risk which "could allow outside users to take control of a person's computer and steal their passwords." Microsoft representatives countered this recommendation, claiming that "0.02% of internet sites" were affected by the flaw. A fix for the issue was released the following day with the Security Update for Internet Explorer KB960714, on Microsoft Windows Update.<ref>{{Cite news |date=December 16, 2008 |title=Security risk detected in Internet Explorer software |url=http://www.belfasttelegraph.co.uk/breaking-news/world/north-america/security-risk-detected-in-internet-explorer-software-14110209.html |archive-url=https://web.archive.org/web/20090127055017/http://www.belfasttelegraph.co.uk/breaking-news/world/north-america/security-risk-detected-in-internet-explorer-software-14110209.html |archive-date=27 January 2009 |newspaper=[[Belfast Telegraph]]}}</ref><ref>{{Cite news| url=http://news.bbc.co.uk/2/hi/technology/7784908.stm |newspaper=BBC News | title=Serious security flaw found in IE | date=December 16, 2008 | access-date=May 5, 2010}}</ref> In 2010, Germany's Federal Office for Information Security, known by its German initials, BSI, advised "temporary use of alternative browsers" because of a "critical security hole" in Microsoft's software that could allow hackers to remotely plant and run malicious code on Windows PCs.<ref>{{Cite news|title=Business Technology: Microsoft's Internet Explorer Is Under Fire in Europe|last1=Wingfield|first1=Nick|date=January 19, 2010|work=The Wall Street Journal|last2=McGroarty|first2=Patrick}}</ref> In 2011, a report by Accuvant, funded by Google, rated the security (based on sandboxing) of Internet Explorer worse than [[Google Chrome]] but better than [[Mozilla Firefox]].<ref>{{cite web|url=https://www.theregister.co.uk/2011/12/09/chrome_ie_firefox_security_bakeoff|title=Chrome is the most secured browser – new study|website=The Register|first=Dan|last=Goodin|date=December 9, 2011|access-date=October 15, 2012}}</ref><ref>{{cite web|title=Accuvant Study Finds Chrome is Most Secure Browser|url=http://www.esecurityplanet.com/browser-security/accuvant-study-finds-chrome-is-most-secure-browser.html|date=December 13, 2011|publisher=eSecurity Planet|access-date=May 22, 2012}}</ref> A 2017 browser security white paper comparing Google Chrome, Microsoft Edge [Legacy], and [[Internet Explorer 11]] by X41 D-Sec in 2017 came to similar conclusions, also based on sandboxing and support of legacy web technologies.<ref>{{cite web|url=https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf|title=Browser Security White Paper|publisher=X41-Dsec GmbH|date=September 18, 2017|access-date=September 21, 2017}}</ref> ===Security vulnerabilities=== {{See also|Comparison of web browsers#Security and vulnerabilities}} Internet Explorer has been subjected to many security vulnerabilities and concerns such that the volume of criticism for IE is unusually high. Much of the [[spyware]], [[adware]], and [[computer virus]]es across the Internet are made possible by exploitable bugs and flaws in the security architecture of Internet Explorer, sometimes requiring nothing more than viewing of a malicious web page to install themselves. This is known as a "[[drive-by download|drive-by install]]". There are also attempts to trick the user into installing malicious software by misrepresenting the software's true purpose in the description section of an ActiveX security alert. A number of security flaws affecting IE originated not in the browser itself, but in ActiveX-based add-ons used by it. Because the add-ons have the same privilege as IE, the flaws can be as critical as browser flaws. This has led to the ActiveX-based architecture being criticized for being fault-prone. By 2005, some experts maintained that the dangers of ActiveX had been overstated and there were safeguards in place.<ref>{{cite web |url=http://www.eweek.com/c/a/Security/The-Lame-Blame-of-ActiveX/ |title=The Lame Blame of ActiveX |date=April 14, 2005 |access-date=April 7, 2006 |work = Security—Opinions |publisher=eWeek |last=Seltzer |first=Larry }}</ref> In 2006, new techniques using [[automated testing]] found more than a hundred vulnerabilities in standard Microsoft ActiveX components.<ref>{{cite web |url=http://www.securityfocus.com/news/11403 |title=ActiveX security faces storm before calm |date=July 31, 2006 |access-date=July 11, 2009 |publisher=Security Focus |last=Lemos |first=Robert |archive-date=July 25, 2008 |archive-url=https://web.archive.org/web/20080725094146/http://www.securityfocus.com/news/11403 |url-status=dead }}</ref> Security features introduced in Internet Explorer 7 mitigated some of these vulnerabilities. In 2008, Internet Explorer had a number of published security vulnerabilities. According to research done by security research firm [[Secunia]], Microsoft did not respond as quickly as its competitors in fixing security holes and making patches available.<ref>{{cite web |url=http://secunia.com/gfx/Secunia2008Report.pdf |title=Secunia 2008 Report |publisher=Secunia }}</ref> The firm also reported 366 vulnerabilities in ActiveX controls, an increase from the previous year. According to an October 2010 report in ''[[The Register]]'', researcher Chris Evans had detected a known security vulnerability which, then dating back to 2008, had not been fixed for at least six hundred days.<ref>{{cite web |url=https://www.theregister.co.uk/2010/11/01/internet_explorer_600_day_bug/ |title=Internet Explorer info leak festers for 2 years |website = The Register |date = November 1, 2010 |access-date=November 2, 2010 |first = Dan |last = Goodin |location = San Francisco }}</ref> Microsoft says that it had known about this vulnerability, but it was of exceptionally low severity as the victim web site must be configured in a peculiar way for this attack to be feasible at all.<ref>{{cite web |url = https://www.zdnet.com/blog/security/two-year-old-data-leakage-flaw-still-haunts-internet-explorer/7604 |archive-url = https://web.archive.org/web/20101104042202/http://www.zdnet.com/blog/security/two-year-old-data-leakage-flaw-still-haunts-internet-explorer/7604 |url-status = dead |archive-date = November 4, 2010 |title = Two-year-old data leakage flaw still haunts Internet Explorer |work = [[ZDNet]] |publisher = [[CBS Interactive]] |date = November 1, 2010 |access-date = November 2, 2010 |first = Ryan |last = Naraine }}</ref> In December 2010, researchers were able to bypass the "Protected Mode" feature in Internet Explorer.<ref>{{cite web|url=https://www.theregister.co.uk/2010/12/03/protected_mode_bypass/ |title=Researchers bypass Internet Explorer Protected Mode |website=[[The Register]] |date = December 3, 2010 |access-date=December 4, 2010 }} </ref> ===Vulnerability exploited in attacks on U.S. firms=== {{Main|Operation Aurora}} In an advisory on January 14, 2010, Microsoft said that attackers targeting Google and other U.S. companies used software that exploits a security hole, which had already been patched, in Internet Explorer. The vulnerability affected Internet Explorer 6 from on Windows XP and Server 2003, IE6 SP1 on Windows 2000 SP4, IE7 on Windows Vista, XP, Server 2008, and Server 2003, IE8 on Windows 7, Vista, XP, Server 2003, and Server 2008 (R2).<ref>{{cite news |title=New IE hole exploited in attacks on U.S. firms |first=Elinor |last=Mills |newspaper=[[CNET News]] |publisher=[[CBS Interactive]] |date=January 14, 2010 |url=http://news.cnet.com/8301-27080_3-10435232-245.html |access-date=September 26, 2010 |archive-date=December 24, 2013 |archive-url=https://web.archive.org/web/20131224110914/http://news.cnet.com/8301-27080_3-10435232-245.html |url-status=dead }}</ref> The [[Germany|German government]] warned users against using Internet Explorer and recommended switching to an alternative web browser, due to the major security hole described above that was [[Operation Aurora#Attack analysis|exploited in Internet Explorer]].<ref>{{Cite news| url=http://news.bbc.co.uk/1/hi/technology/8463516.stm | work=BBC News | title=Germany issues Explorer warning | date=January 16, 2010 | access-date=March 26, 2010 | first=Daniel | last=Emery}}</ref> The Australian and French governments also issued a similar warning a few days later.<ref>{{Cite news| url=http://news.bbc.co.uk/1/hi/technology/8465038.stm | work=BBC News | title=France in fresh Explorer warning | date=January 18, 2010 | access-date=March 26, 2010 | first=Jonathan | last=Fildes}}</ref><ref>{{cite web|url=http://www.abc.net.au/news/stories/2010/01/19/2795684.htm |archive-url=https://web.archive.org/web/20100123001337/http://www.abc.net.au/news/stories/2010/01/19/2795684.htm |url-status=dead |archive-date=January 23, 2010 |title=Govt issues IE security warning |author=Emily Bourke for AM |date=January 19, 2010 |publisher=abc.net.au |access-date=September 26, 2010}}</ref><ref>{{Cite news| url=http://www.sfgate.com/cgi-bin/blogs/techchron/detail?&entry_id=55509 | title=The Technology Chronicles : France and Germany warn users not to use Internet Explorer | first=Alejandro | last=Martinez-Cabrera | date=January 18, 2010 | work=The San Francisco Chronicle}}</ref><ref>{{Cite news| url=https://www.telegraph.co.uk/technology/microsoft/7011626/Germany-warns-against-using-Microsoft-Internet-Explorer.html |archive-url=https://ghostarchive.org/archive/20220111/https://www.telegraph.co.uk/technology/microsoft/7011626/Germany-warns-against-using-Microsoft-Internet-Explorer.html |archive-date=January 11, 2022 |url-access=subscription |url-status=live | work=The Daily Telegraph | location=London | title=Germany warns against using Microsoft Internet Explorer | first=Fiona | last=Govan | date=January 18, 2010 | access-date=March 26, 2010}}{{cbignore}}</ref> ===Major vulnerability across versions=== On April 26, 2014, Microsoft issued a security advisory relating to {{CVE|2014-1776}} (use-after-free vulnerability in Microsoft Internet Explorer 6 through 11<ref>{{cite web|url=https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1776|title=CVE-2014-1776|website=Common Vulnerabilities and Exposures (CVE)|date=January 29, 2014|access-date=May 16, 2017|archive-url=https://web.archive.org/web/20170430095220/http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1776|archive-date=April 30, 2017|url-status=dead}}</ref>), a vulnerability that could allow "remote code execution" in Internet Explorer versions 6 to 11.<ref>{{Cite web| url=https://technet.microsoft.com/en-US/library/security/2963983 | title=Microsoft Security Advisory 2963983 | date=April 26, 2014 | publisher=Microsoft | access-date=April 28, 2014}}</ref> On April 28, 2014, the United States [[Department of Homeland Security]]'s [[United States Computer Emergency Readiness Team]] (US-CERT) released an advisory stating that the vulnerability could result in "the complete compromise" of an affected system.<ref>{{cite news | url=https://www.reuters.com/article/us-cybersecurity-microsoft-browser-idUSBREA3Q0PB20140428 | title=U.S., UK advise avoiding Internet Explorer until bug fixed | first=Jim | last=Finkle | date=April 28, 2014 | work=Reuters | access-date=April 28, 2014}}</ref> US-CERT recommended reviewing Microsoft's suggestions to mitigate an attack or using an alternate browser until the bug is fixed.<ref>{{Cite web | url=http://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being | title=Microsoft Internet Explorer Use-After-Free Vulnerability Guidance | date=April 28, 2014 | publisher=United States Computer Emergency Readiness Team | access-date=April 28, 2014}}</ref><ref>{{Cite web | url=http://www.kb.cert.org/vuls/id/222929 | title=Vulnerability Note VU#222929 – Microsoft Internet Explorer use-after-free vulnerability | date=April 27, 2014 | publisher=Carnegie Mellon University | access-date=April 28, 2014}}</ref> The UK National Computer Emergency Response Team (CERT-UK) published an advisory announcing similar concerns and for users to take the additional step of ensuring their antivirus software is up to date.<ref>{{cite news | url=https://www.chicagotribune.com/business/technology/chi-microsoft-explorer-security-flaws-20140428,0,4797833.story | title=U.S.: Stop using Internet Explorer until security holes are fixed | date=April 28, 2014 | newspaper=Chicago Tribune | access-date=April 28, 2014}}</ref> [[NortonLifeLock|Symantec]], a cyber security firm, confirmed that "the vulnerability crashes Internet Explorer on Windows XP."<ref>{{Cite web | url=https://www.bbc.com/news/technology-27184188 | title=Microsoft warns of Internet Explorer flaw | date=April 28, 2014 | publisher=BBC | access-date=April 28, 2014}}</ref> The vulnerability was resolved on May 1, 2014, with a security update.<ref name=IEfix>{{Cite web |url=https://technet.microsoft.com/library/security/ms14-021 |title=Microsoft Security Bulletin MS14-021 – Critical Security Update for Internet Explorer (2965111) |date=May 1, 2014 |publisher=Microsoft Technet |access-date=July 6, 2014}}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)