Steve (I'm a PC, so shut up; Consultant; join: 2001-03-10; Yorba Linda, CA)
Security Features in IE7
Presenter: Program Manager of the Trustworthy Browsing team. He spoke *really* fast and this was a challenge to keep up.
Priority 0: "Ship the world's most trustworthy browser" Priority 2: everything else
The threat environment ranges from an internal intranet where you want to enable a lot of stuff to support the enterprise, to visiting the seedier side of the internet where you want IE to have access to nearly nothing. This is a very wide panorama of threat models.
A goal is "Secure by default" - they did this with Server 2003, and believe it was absolutely the right thing to do. When features are disabled, they can't be exploited.
Another goal is "Defense in depth" - this sure seems like the only sane way to do this: if something fails or is exploited, something else can backstop it.
Third goal: Defend against current and future threats. It's straightforward enough to fix/patch things that were broken, but they want to build an infrastructure that resists future, unknown attacks.
Protected Mode - "User Account Protection" (run with least privilege) has been the case with Unix for years, but it only protects the *machine*, not *your account*. Malware can easily trash your login settings.
IE7 extends this even more: the main goal of the browser is to render content, and if we can (say) remove access to the filesystem other than temporary internet file
Writes to the user's profile will be automatically redirected to a subdirectory of Temporary Internet Files: this virtualizes the settings, and it applies to things like a Quicktime plugin. No way to delete My Documents from a bogus plugin.
They do allow exceptions (say, saving a Word Template to your templates directory), but it prompts the user. This is handled by brokers that do the elevated-priv stuff, and it guards access carefully.
There is a whole Integrity Control layer that sits between IE and the system, and it looks really well thought out - it's very comprehensive.
The Protected Mode requires Vista.
Consolidated URL (CURL) class -- they found that an awful lot of their security issues were due to parsing of URLs. These are complicated because they include so much information, and there are all kinds of games you can play.
Remember the old days where you saw www.good.com@bad.com, it was treated as going to bad.com because the part before the @ is a password. Then there are games with % encoding and the like.
The idea is that when they get a URL, they have one place where it's parsed into the various parts, and you avoid the whole area of passing strings around where they have to be re-parsed. If the security manager says that your URL is in the internet zone, but the download manager thinks that it's a different zone, you get security surprises.
This strikes me as a huge architectural win with no downside. It makes the code much more reliable because you don't have every plugin doing its own URL parsing (which it can't ever get right all the time), and it also makes the code smaller.
Big win in every conceivable way.
ActiveX Opt-In
I'm not very strong with the whole plugin control thing, but there are constantly surprises here. They make a distinction between controls that should run in a browser, and others which should not.
They now prompt for permission for ActiveX controls, and they had a lot more clever+sophisticated stuff than I can report here.
They have added a mode where IE starts with none of the extensions: no ActiveX, no BHO, etc. This lets you recover from a dorked configuration with some prayer of success. It will include the Windows Update control, though: otherwise you're in a chicken-and-egg situation.
They've done a lot to protect against cross-domain scripting and more secure zones. The Intranet zone is now off by default. I'm very weak with the whole zone thing, so I can't really describe this in better detail.
The above was about protecting the platform, which is actually the easier problem - it's strictly about technology.
Pointing the gun away from the foot
Now we're talking about protecting the users from doing something stupid, which is clearly harder. Ultimately, users have to make trust decisions because Microsoft can't call the shots.
They have a new anti-Phishing service which looks really promising. Yes, you have to send data to a server as you browse, but I'm not sure there are technical solutions that don't involve this.
They have heuristics, such as "post to an IP address" which suggests something is dodgy: there's confirmation for this and other issues. They don't tell about all the heuristics because they don't want the bad guys to know how to tailor their phishing sites.
Communication with the server is done over SSL (those in the middle can't figure out where you are going), and they pass the hostname and path only - not the query parameters. They have a whitelist of known-good sites (amazon, ebay, etc.) so we don't have to query an MS server for those popular sites. The client-side whitelist is heavily protected.
They're shuffling around the SSL lock location, and giving less geeky certificate information. Certificate errors will be shown in a much more end-user-friendly way. Generally speaking, they've removed most of the modal dialogs from the SSL experience and do the secure thing by default. I hate those damn SSL modal dialogs.
Clear My Tracks
This is the "FBI is at the door, clear my browser history" feature, and this time they claim it really really does it right. Clears history, temp files, cookies, etc. They claim you cannot find fragments after the fact.
International Domain Name support
When a domain name contains funky foreign characters that look just like Roman letters, people can get spoofed into going to the wrong site. They have a lot of support to mitigate this, though this is always going to be a hard problem.
Misc stuff
Just some tidbits:
• Prompt on scripted reads of the clipboard
• New search box permits non-binary extensibility
• Warnings for insecure Inet control panel settings
• Block status bar updates from script (avoids spoofing of hover-over-link)
• Dialogs show address bar
--
This was a very fast-paced presentation, but it sure looked like these guys have a handle on what's required to secure the browser. Being a developer, the consolidated URL class looks the most promising to me: avoiding the nightmare situation of everybody parsing a URL a different way is fantastic.
There was a question about why there's no way to turn off sending of referrals: they simply don't have this now. Referrers are sent by the browser to a website saying where the page was clicked from. This is great for the website to find out where traffic came from, but it's sometimes considered a privacy leak. Some sites won't work without them, and other products have them: I guess we'll have to use add-ons to manage this.
There was some complaining about how much work is required to change proxy settings - it's nothing like one-click as it is on other browsers. "We'll get to that sometime".
I think it's lunchtime!
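The consolidated-URL point and the anti-phishing lookup described above, as an added example in Python that is not part of the original post and is not IE7's own code. It parses a URL exactly once into named parts, makes the zone decision only from the parsed host, and contrasts that with the old habit of every component re-parsing the raw string (which the `good.com@bad.com` and %-encoding tricks defeat). It also shows the two anti-phishing details the post mentions: the "host is an IP address" heuristic, and sending hostname plus path (never the query) to the lookup service, with a client-side whitelist answered locally. The zone names, the `corp.example` intranet suffix, the whitelist contents and every sample URL are constructed for illustration; the heuristics are only the ones the post names, not IE7's real ruleset.

```python
# Added example (not from the post above or from IE7 itself): one parse of a
# URL into named parts, a zone decision made only from those parts, and the
# two anti-phishing details the post names. Zone names, the intranet suffix,
# the whitelist and the sample URLs are constructed for illustration.
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import unquote, urlsplit

INTRANET_SUFFIXES = ("corp.example",)                  # constructed enterprise names
KNOWN_GOOD_HOSTS = {"www.amazon.com", "www.ebay.com"}  # constructed client-side whitelist
_HOST_RE = re.compile(r"[a-z0-9.-]+")


@dataclass(frozen=True)
class CURL:
    """One parsed, validated representation that every consumer works from."""
    scheme: str
    userinfo: str
    host: str
    port: Optional[int]
    path: str
    query: str


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_once(url: str) -> CURL:
    """Parse the URL exactly once; reject anything whose host is not clean."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # lowercased; userinfo and port already split off
    if not host or not (is_ip_literal(host) or _HOST_RE.fullmatch(host)):
        raise ValueError("unparseable or invalid host: %r" % host)
    return CURL(parts.scheme.lower(), parts.username or "", host, parts.port,
                parts.path or "/", parts.query)


def naive_zone(url: str) -> str:
    """The pre-CURL habit: a component re-parses the raw string its own way.
    Decoding first and then substring-matching a trusted name is fooled by
    'trusted@attacker' and by %-encoded separators."""
    text = unquote(url).lower()
    return "Intranet" if any(s in text for s in INTRANET_SUFFIXES) else "Internet"


def zone_of(curl: CURL) -> str:
    """Zone decided only from the parsed host, with a real suffix match."""
    if any(curl.host == s or curl.host.endswith("." + s) for s in INTRANET_SUFFIXES):
        return "Intranet"
    return "Internet"


def zone_of_url(url: str) -> str:
    """Secure by default: a URL that does not parse cleanly lands in Restricted."""
    try:
        return zone_of(parse_once(url))
    except ValueError:
        return "Restricted"


def phishing_flags(curl: CURL) -> List[str]:
    """Local heuristics named in the post; the real filter has many more."""
    flags = []
    if is_ip_literal(curl.host):
        flags.append("host is an IP address")
    if curl.userinfo:
        flags.append("userinfo before @ hides the real host")
    return flags


def needs_server_lookup(curl: CURL) -> bool:
    """Popular known-good sites are answered from the client-side whitelist."""
    return curl.host not in KNOWN_GOOD_HOSTS


def lookup_key(curl: CURL) -> str:
    """What would go to the lookup service: hostname and path, never the query."""
    return curl.host + curl.path


if __name__ == "__main__":
    for u in ("http://good.corp.example@bad.example/login?x=1",
              "http://good.corp.example%40bad.example/",
              "http://192.0.2.10/signin",
              "https://www.amazon.com/gp/cart"):
        print(u, "naive:", naive_zone(u), "curl:", zone_of_url(u))
```

The design point is that `CURL` is the only thing handed around: the zone manager, the phishing filter and the lookup-key builder all read `host` and `path` from the same parsed object, so they cannot disagree with each other the way two string re-parsers can. Note the %-encoded case: the naive substring check rates it as Intranet, while `parse_once` refuses the host outright and the URL falls into the most restrictive zone.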
Steve -- Stephen J. Friedl, Unix Wizard, Microsoft Security MVP, Tustin, California USA

Tuulilapsi (Kenosis; join: 2002-07-29; Finland)
said by Steve:
> Protected Mode - "User Account Protection" (run with least privilege) has been the case with Unix for years, but it only protects the *machine*, not *your account*. Malware can easily trash your login settings. IE7 extends this even more: the main goal of the browser is to render content, and if we can (say) remove access to the filesystem other than temporary internet file Writes to the user's profile will be automatically redirected to a subdirectory of Temporary Internet Files: this virtualizes the settings, and it applies to things like a Quicktime plugin. No way to delete My Documents from a bogus plugin. They do allow exceptions (say, saving a Word Template to your templates directory), but it prompts the user. This is handled by brokers that do the elevated-priv stuff, and it guards access carefully. There is a whole Integrity Control layer that sits between IE and the system, and it looks really well thought out - it's very comprehensive.
Now this sounds interesting, and promising.
Thank you for posting this. Very, very interesting stuff.
-- And lead me not into temptation - for I can find my way there myself easily enough.

psloss (Premium; join: 2002-02-24; Alpharetta, GA)
said by Tuulilapsi:
> Now this sounds interesting, and promising. Thank you for posting this. Very, very interesting stuff.
It is...in case anyone is interested in more overview words, here are several online: »msdn.microsoft.com/library/en-us···ista.asp
-- Feedback? e-mail: stuff@lupwa.org