Boost IE security by disabling Active Scripting and ActiveX controls

Security problems have plagued Microsoft's Internet Explorer for years, and the Web browser continues to suffer from critical vulnerabilities. In fact, Microsoft has known about one of IE's latest security threats since May 2005. Considered a critical vulnerability that affects most versions of IE, the threat has languished in IE, and black hats have taken advantage of its presence to wreak havoc on the Web--at least until this week.

As part of its monthly release of security bulletins, which typically falls on the second Tuesday of the month, Microsoft has released Security Bulletin MS05-054, "Cumulative Security Update for Internet Explorer." MS05-054 focuses on four vulnerabilities in Internet Explorer, two of which have a critical rating for most versions. The bulletin addresses the following flaws:

• File Download Dialog Box Manipulation vulnerability
• HTTPS Proxy vulnerability
• COM Object Instantiation Memory Corruption vulnerability
• Mismatched Document Object Model Objects Memory Corruption vulnerability

To learn how attackers can take advantage of these vulnerabilities to reveal unauthorized information, cause your system to become unstable, or take over your system using a hostile Web application, read the security bulletin for more details.

Further compounding these problems is the fact that hundreds of COM object add-ins written by third parties are out there. And when was the last time you updated a COM object you downloaded from another vendor?

While not updating third-party software isn't a good idea and can have its own repercussions, there's a bigger issue at hand: IE's integration with other functions on your computer. That integration of functionality--along with the accompanying vulnerabilities--happens through Active Scripting and ActiveX controls.

By disabling Active Scripting and ActiveX controls on your computer, you may give up a little functionality--but you'll gain a lot more security. Let's look at how you can disable both.

Disable Active Scripting
You can better protect your system from some vulnerabilities by configuring IE settings to prompt before running Active Scripting. Or, you can disable Active Scripting in the Internet security zone altogether.

Follow these steps:

1. In Internet Explorer, go to Tools | Internet Options.
2. On the Security tab, click the Internet icon, and click the Custom Level button.
3. In the Settings list box, scroll to Scripting.
4. For Active Scripting, select Prompt or Disable, and click OK.
5. If IE prompts you to confirm the change, click Yes.
6. Click OK to save your settings, and close all dialog boxes.

Now that you've taken care of Active Scripting, it's time to disable the more dangerous component--ActiveX.

Disable ActiveX controls
You can also protect your system from some vulnerabilities by configuring IE settings to prompt before running ActiveX controls. And again, you can also disable ActiveX controls in the Internet security zone altogether.

Follow these steps:

1. In Internet Explorer, go to Tools | Internet Options.
2. On the Security tab, click the Internet icon, and click the Custom Level button.
3. In the Settings list box, scroll to ActiveX Controls And Plug-ins.
4. For Run ActiveX Controls And Plug-ins, select Prompt or Disable, and click OK.
5. If IE prompts you to confirm the change, click Yes.
6. Click OK to save your settings, and close all dialog boxes.

Maintain a list of trusted sites
Keep in mind that disabling Active Scripting and ActiveX controls in IE's Internet security zone may cause some Web sites to work incorrectly. I've configured these settings to Prompt on my own system, so when I visit a new site that includes Active Scripting or ActiveX controls, I must decide whether to trust the site.

If it's a site I'm going to use frequently, I put the site address in my list of trusted sites, which keeps the prompts from popping up. To add sites to your trusted sites list, follow these steps:

1. Right-click the URL in your browser, and select Copy.
2. Go to Tools | Internet Options.
3. On the Security tab, click the Trusted Sites icon, and click the Sites button.
4. Right-click the Add This Web Site To The Zone text box, and select Paste.
5. Deselect the Require Server Verification (HTTPS:) For All Sites In This Zone check box.
6. Click Add, and click OK.
7. Click OK to save your settings, and close all dialog boxes.

Final thoughts
Disabling Active Scripting and ActiveX controls makes IE safer for browsing the Web. While Internet Explorer has had more than its fair share of security problems, it remains the most popular Web browser in use today. If you don't want to switch to a different browser such as Firefox or Opera, you need to increase your security settings in order to safely browse the Internet.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.