ED#164 : Warning - Microsoft Opened A Security Hole In Internet Explorer 11
Before anyone asks - yes, I'm still using Internet Explorer, and no, it's not the only Internet browser I use. Sure, it suffers from GDI leaks and it has its share of bugs, but it was still a decent Internet browser. Of course, I was glad to see Microsoft continue working on Internet Explorer.
When they released Internet Explorer 11, I installed it and immediately noticed that it was more stable than Internet Explorer 10. In fact, they seemed to have reduced GDI leaks, although they still seem to be there. Still, I would have irrevocably recommended that everyone using Internet Explorer upgrade to IE11. Internet Explorer 11 is definitely the best IE so far.
However, I have to point out that Microsoft actually introduced a security hole in Internet Explorer 11. This is something you can close, and we will show you how to do that in a moment, but it is absurd for Microsoft to actually open it in the first place.
The security hole that Microsoft opened in Internet Explorer 11 involves the Enhanced Protected Mode feature they introduced in Internet Explorer 10.
What Is Enhanced Protected Mode?
When first introduced, Microsoft stated that it "works by extending the existing Protected Mode functionality to help prevent attackers from installing software, accessing personal information, accessing information from corporate Intranets, and from modifying system settings. To do this, Enhanced Protected Mode must reduce some of the capabilities available to Internet Explorer, including:
- Restricting access to personal assets. Restricts Internet Explorer from locations that contain your personal information until you grant permissions to it. This helps prevent unauthorized access to your personal information.
- Restricting access to corporate assets. Restricts access to valuable information on your corporate network resources by controlling access through the following tab processes:
  - Not allowing Internet tab processes to have access to a user's domain credentials.
  - Not allowing Internet tab processes to operate as local web servers.
  - Not allowing Internet tab processes to make connections to intranet servers."
To do that, Enhanced Protected Mode "isolates untrusted web content in a restricted environment that's known as an AppContainer. This process limits how much access malware, spyware, or other potentially harmful code has to your system."
In addition, Enhanced Protected Mode improves your computer's security using these methods :
- 64-bit processes - A 32-bit number is large – it’s a little more than 4 billion. A 64-bit address is a much larger number – roughly 18 quintillion and change (18,446,744,073,709,551,616). Not only does a 64-bit number let you address more memory, it also makes existing memory protection features such as ASLR (Address Space Layout Randomization) much more effective. Heap spray attacks, which are used by attackers to plant malicious code at predictable locations, become much more difficult because it isn’t practical to “fill up” a 64-bit address space – you’ll run out of memory and disk space long before any sizable fraction of the address space is sprayed.
- Broker process - When you run a program, it has access to anything on the computer that you have access to, including your personal documents. Enhanced Protected Mode restricts Internet Explorer from locations that contain your personal information until you grant permission to it. This helps prevent exploit code from accessing your personal information without your permission. With Enhanced Protected Mode, a “broker process” will grant Internet Explorer temporary access to the file only if you actually click on “Open” on the file upload dialog. Notice that there are no extra prompts. Brokering is done automatically after you choose to open a file. This is like providing a single safe deposit box to Internet Explorer when requested, instead of giving access to the entire safe all of the time.
So What's The Problem?
Believe it or not, Microsoft disables Enhanced Protected Mode by default in Internet Explorer 11. Just how serious is this? Well, Microsoft actually has a Knowledge Base article on how to disable Enhanced Protected Mode in IE10. However, they warned that :
"This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk."
So why did they do it? It appears that this is because Enhanced Protected Mode disables incompatible add-ons, which includes the Adobe Acrobat Reader and the Adobe Flash Player. According to Adobe :
"Acrobat products only partially supported EPM with 10.1.8 and 11.0.04. With those versions, incompatible add-ons are automatically disabled when EPM is on. If you encounter a site that needs an add-on such as an Acrobat plug-in, disable EPM for the specific website. Then, you can use the site while having EPM enabled for the rest of the Internet. Only disable EPM for websites you trust. Full support is provided with 10.1.9 and 11.0.06."
Presumably because of this issue, Microsoft decided to disable Enhanced Protected Mode by default in Internet Explorer 11 to allow all add-ons to work. However, this exposes IE11 users to attacks by malicious users or software - the very reason why they added this feature in IE10!
How Do We Fix This?
Simple - by re-enabling Enhanced Protected Mode. You will need to do this even though it was already enabled in Internet Explorer 10, and you only upgraded it to Internet Explorer 11. Here's a short step-by-step guide :
- In Internet Explorer 11, click on Tools and select Internet options.
- When the Internet Options window opens up, select the Advanced tab.
- Scroll down all the way until you are almost at the very end. Look for "Enable Enhanced Protected Mode". You will notice that it's unchecked.
- Click on the checkbox to enable it. Then click OK and restart your computer.
After you restart Windows, Internet Explorer 11 will run with Enhanced Protected Mode enabled. That's it!
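The same setting can be checked from a script when you need to audit several user profiles or machines. The PowerShell below is an added example, not part of the original article and not Microsoft's own code. It assumes the checkbox is stored as the `Isolation` string value (`PMEM` = on, `PMIL` = off) under the Internet Explorer `Main` registry key, and that the policy locations override the user's preference in the order listed.

```powershell
# Added example: audit (and optionally enable) Enhanced Protected Mode for IE.
# Assumption (not from the article): the "Enable Enhanced Protected Mode" checkbox
# maps to the string value 'Isolation', where 'PMEM' = enabled and 'PMIL' = disabled.
param([switch]$Enable)

$valueName = 'Isolation'

# Checked in this order; the first location that holds the value is treated as
# the effective one (assumed precedence: machine policy, user policy, preference).
$locations = [ordered]@{
    'Machine policy'  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
    'User policy'     = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
    'User preference' = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main'
}

function Get-EpmSetting {
    foreach ($name in $locations.Keys) {
        $item = Get-ItemProperty -Path $locations[$name] -Name $valueName `
                                 -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Source  = $name
                Value   = $item.$valueName
                Enabled = ($item.$valueName -eq 'PMEM')
            }
        }
    }
    # Value absent everywhere: IE uses its built-in default, which the article
    # reports as "disabled" for Internet Explorer 11.
    [pscustomobject]@{ Source = 'Not set (IE default)'; Value = $null; Enabled = $false }
}

$current = Get-EpmSetting
$current | Format-List

if ($Enable -and -not $current.Enabled) {
    if ($current.Source -like '*policy') {
        # A policy value would override anything written to the preference key.
        Write-Warning "EPM is turned off by $($current.Source); change the Group Policy setting instead."
    } else {
        $path = $locations['User preference']
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $valueName -Value 'PMEM' -Type String
        Write-Output 'EPM enabled for the current user; restart as described in the steps above.'
    }
}
```

Run it without arguments to report the current state only; add `-Enable` to write the per-user setting when no policy is in the way.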
What About Adobe Acrobat Reader / Flash Player?
Even though Adobe claims that the Adobe Acrobat Reader will fully support the Enhanced Protected Mode as of version 11.0.06 (released on the 14th of January, 2014), it still reports that it is incompatible with Enhanced Protected Mode whenever I attempt to view a PDF file on IE11. See the example below (taken with Adobe Acrobat Reader 11.0.06.70) :
When you encounter this pop-up, you have to decide if you wish to view the PDF document directly on the browser for that website. You can always download it to your computer and open it manually using Adobe Acrobat Reader.
If you prefer to view the PDF document directly on the browser, you must be sure that you trust the website. If you do, all you need to do is click on the Run Control button. Once you do that, Enhanced Protected Mode will be disabled for that website permanently so that Acrobat Reader will never face the same problem again.
Please note again that clicking on Run Control will permanently disable Enhanced Protected Mode for the website on which you are viewing the PDF file. So you have to be very sure that it's a trustworthy website.
Added more details on how Enhanced Protected Mode works.