If youve read about Microsofts Service Pack 2 for Windows XP, you know about the new, improved firewall that is turned on by default. But theres a more important security enhancement in SP2 that will make a bigger dent in the stream of vulnerabilities in Internet Explorer: SP2 locks down the My Computer zone.
The security model for Internet Explorer has been based on security zones. Different Web pages execute in different zones, which have varying levels of privilege. To see this, go to Tools | Internet Options and click on the Security tab. Click on a zone and you can add a site to it if you like or change the security settings.
One of the most important zones is the My Computer security zone, which is actually hidden by default. (To view and modify the settings for this zone, see “How to Enable the My Computer Security Zone in Internet Options“.) Web pages on your computer run in the My Computer zone, which is completely trusted. The theory is that pages running on your computer were installed—perhaps as part of an application—and need access to local resources such as files on the system.
The problem is that a large number of cross-zone vulnerabilities, such as the one described at www.securityfocus.com/bid/9628/, have let Web pages on the Internet execute script and other code in the My Computer zone.
Click here to view the complete story on PCmag.com.