Compartilhar via


Clarifying Low-Rights IE

Hi, I’m Rob
Franco, Lead Program Manager for IE Security. Today I want to focus on clearing
up a few details about an important feature that we’re calling “Low-Rights IE”.
“Low-Rights IE” is one of several new features that we’re working on to help
keep users safe. It is a defense-in-depth feature, meant to back up and support
the many other security features.

First, while
most IE7 security features will be available in IE7 for Windows XP SP2,
Low-rights IE will only be available in Longhorn because it’s based on the new
Longhorn security features that make running without Administrator privileges an
easy option for users (“User Account Protection”). When users run programs with
limited user privileges, they are safer from attack than when they run with
Administrator privileges because Windows can restrict the malicious code from
taking damaging actions.

We are using the
same Longhorn security infrastructure to limit IE to just enough privileges to
browse the web but not enough to modify user files or settings by default. As a
result, even if a malicious site attacks a vulnerability in IE, the site’s code
won’t have enough privileges to install software, copy files to Startup folder,
or hijack the settings for the browser’s homepage or search provider.

Second, the
primary goal of Low Rights IE is to restrict the impact of a security
vulnerability while maintaining compatibility. Low-rights IE doesn’t “fix”
vulnerabilities, but it can limit the damage a vulnerability can do. In that
way, it’s like the “Local Machine Zone Lockdown” feature in XP SP2. That
lockdown prevents cross domain vulnerabilities from installing malicious
software on users’ machines. We expect Low-rights IE to protect users from other
classes of vulnerabilities .

I also want to
point out two other scenarios that some people have confused with Low-rights IE.
Low-rights IE does not prevent users from downloading and installing software
that turns out to be malicious. Any programs that the user downloads and runs
will be limited by User Account Protection, unless the user explicitly gives the
program Administrator privileges. Microsoft and other software makers
provide tools
to help protect against spyware downloads. Another issue to clarify is that
Low-rights IE will not change IE security settings for ActiveX and script as the
Enhanced Security Configuration for IE on Windows Server 2003 did. We are
considering changes to some default security settings for IE, but that work is
separate from Low-rights IE and will not impact the user experience in the way
that ESC did for Windows Server 2003.

Some websites
and browser add-ons may expect users to run with Administrator privileges. Our
goals are to be as secure and compatible as possible and we’re doing work to
help sites and add-ons continue to work as users expect. We’re looking forward
to feedback from web developers and add-on partners in Longhorn Beta 2 when low-rights and many other security features are first
enabled in the software.

I want to be
clear that Longhorn and IE7 have many other facilities in addition to Low-rights
IE for keeping users safe. I look forward to writing about more of them soon. We
hope you will download the upcoming Betas to see more and provide feedback on
all of our work.

Comments

  • Anonymous
    January 01, 2003
    "We hope you will download the upcoming Betas to see more and provide feedback on all of our work."

    okay, now i'm curious... can you give us a clue/hint when the new IE7 beta will be out for us to checkout? curious as always

  • Anonymous
    January 01, 2003
    This is definately a step in the right direction. I'm hoping that Low-Rights IE in Longhorn is secure enough to prevent any sort of malware from being transparently installed.

    Having said that, I'm still not sure if this solves the problem.

    1) How hard will it be for a user to give administrator rights to a downloaded program / ActiveX script? Will anyone who isn't in-the-know be able to do it?

    2) What about malicious scripts that tell/trick the user into saying yes anyway?

    Hope this is taken into account.

  • Anonymous
    January 01, 2003
    How is "low-rights" IE different than, in XP, running as a regular (limited) user? At home, I use a limited user account--is there anything about low-rights IE that is different than my situation?

  • Anonymous
    January 01, 2003
    Very nice post. Sounds like Microsoft is finally doing stuff about security. I hope IE 7 can turn out to be good so people that don't know how to install alternatives like Firefox can have a safer time when surfing than they do now.

  • Anonymous
    January 01, 2003
    The tabbed browsing released today for IE6 is really bad.

    Please improve it before IE7!

  • Anonymous
    January 01, 2003
    That's MSN Tabbed browsing... it isn't part of IE.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Joe, what difference does it make to me whether its its IE or MSN?

    And if they are different then why do they have 2 different teams working on the same feature?

  • Anonymous
    January 01, 2003
    > Firefox and other modern browsers have it from scratch. What's innovative in it?!

    Nothing except the numerous subjects we can read here are just entries that tell us Microsoft is copying features that already exists in other browsers "PNG alpha layer, tabs, etc...".

    What I'm really waiting for now is a post that talks about the really thing IE lacks about (I let you guess what I'm talking about).

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    I wonder... if privileges are dropped so that IE can't mess with user settings... does that mean that the Windows Explorer codebase is beginning to divorce from IE? If so, good. Or will Windows Explorer not be able to do certain things as a result of the dropped privileges?

  • Anonymous
    January 01, 2003
    Some individual developers implemented tab browing far better MSN Team did in years.

    http://www.avantbrowser.com

  • Anonymous
    January 01, 2003
    "it does the best it can with existing technology (IE 6)"

    Hmm. I doubt it is doing the best it can, seeing that there are several other tabbed addons for IE6 which do a much better job...

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    PatriotB: "even if you are an administrator, specific privileges will be dropped when you run IE so that the process doesn't have permission to install software, etc."
    Ok, I didn't understand it. Now, it sounds great for me, but try to do everything so that "Low-Rights" won't have to be used ;)

  • Anonymous
    January 01, 2003
    There already is a partial solution for Windows XP to run IE6 (and Outlook or FireFox or other programs) with fewer privileges, even if you are logged on as an administrator. It is a tool called DropMyRights. If you launch IE6 through this tool, it prevents malicious software from exploiting security holes in IE6 to install software etc. by denying certain administrative rights. DropMyRights was written by Michael Howard. He works on security at Microsoft. Check out his blog post and the comments for more information: http://blogs.msdn.com/michael_howard/archive/2004/11/18/266033.aspx.

  • Anonymous
    January 01, 2003
    Ah, another blog entry, another 50 comments from clueless Firefox nerds making snide remarks about IE "catching up" with features their wonderful browser doesn't even have. Please explain how Firefox restricts the permissions of executed code when an exploit is discovered. It doesn't? Never mind, go back to creating new "I use Firefox!!!" buttons to put on your web page.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    "Ah, another blog entry, another 50 comments from clueless Firefox nerds"

    spot on :-) I wish they'd all return to the hive (spreadfirefox.com). It's a shame that this blog is suffering at the hands of Firefox/OSS-promoting idiots, but I guess that was always going to be inevitable

  • Anonymous
    January 01, 2003
    @Chris Beach : This blog is also suffering from anti-OSS idiots :o

  • Anonymous
    January 01, 2003
    Everything I'd heard about IE7 thus far had lead me to believe that IE7 would run in a reduced-privileges state on SP2. You're saying that is false?

    It was my understanding that SP2 laid the groundwork for this to be possible. Even Jim Allchin said in an interview that they "almost got it in for IE 6 in SP2" but that it was pushed back to IE 7.

    I think that's a grave mistake, if true. IE 7 (and all downloads/activeX controls/etc) should run with limited rights on XP SP2.

    That was the feature I was most looking forward to (as I believe nothing else will have such a large impact on malware installations).

  • Anonymous
    January 01, 2003
    It would likely be a good idea to distribute the low-rights version as the full version. It much less likely that a clueless user would secure his browser that it is that an advanced user knowingly unsecures his browser.

  • Anonymous
    January 01, 2003
    "There's a big difference between the MSN Toolbar's tabbed browsing and apps like Avant Browser, Maxthon, etc. The latter are completely separate applications, which wrap the web browser and provide their own menus, toolbars, etc. It is very easy for this type of application to do tabbed browsing."

    OK. Anyone know why MS didn't do it the 'very easy' way then?

  • Anonymous
    January 01, 2003
    I STILL DON'T UNDERSTAND HOW MICROSOFT IS NOT ABLE TO MAKE A SECURE BROWSER FOR ALL ITS OS VERSIONS WHILE OPERA AND FIREFOX CAN........

  • Anonymous
    January 01, 2003
    KRD, as clever as the IE team are, there's little they can do to help you with your intelligence problems.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Mike, why not to list open bugs and how critical they are, huh?

  • Anonymous
    January 01, 2003
    Having an easy-to-use manner for executing IE and its add-ons with less privileges is a great improvement. An ideal solution along this route would be even finer tuning of the comopnent architecture of IE and making every part only communicate securely, a job that is much more complex than a "simple secure protocol".

    This task is made more challenging when you have millions lines of of legacy and third-party code to support. If FireFox keeps picking up market share, its vulnerabilities list might well enlarge at the same rate.

    And for those think Unix is a "secure" OS by "design", a good hisotrical lesson would be to read some of the very early academic papers that were written when Unix was still a design "alternative" to Multics. At that moment the multitians argued that Unix was "insecure". Simple software and protocols can be proved to be secure, but for any large piece of code, the security comes from careful initial design and disciplined evolution.

  • Anonymous
    January 01, 2003
    exactly Mike. If you don't watch the severity rating, your statement isn't even worth reading. Quantity != Quantity. And even if it were: (secunia.com security advisories):

    Mozilla Firefox 1.x
    Currently, 5 out of 18 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    Microsoft Internet Explorer 6.x
    Currently, 20 out of 81 Secunia advisories, is marked as "Unpatched" in the Secunia database.

  • Anonymous
    January 01, 2003
    Supporting a lowered default user level is
    how Windows ought to have been designed. It is good that Microsoft meanders in this direction.
    IE will take advantage of what new features of Longhorn? Many are actually writing programs that talk to the internet and some of them have GUI's. How should these people modfify their programs? What new API's are assisting with this task? If a programmer uses the Internet Explorer SDK, will his or her programs be effected? How? What changes in the IE SDK are going to break applications?

    Without answers to these questions, most of the discussion on "Low Rights" is marketing jibe. Can you give any of us some sort of indication when these question will be answered?

    Thank you.

  • Anonymous
    January 01, 2003
    Hey, ...

    I wonder exactly how much the WinXP SP2 IE7 will differ from the Longhorn IE7 version?
    Low rights browsing feature will be available only on Longhorn.

    I really hope that IE7 will not diverge too much between SP2/Longhorn cause webdevelopers have to test their pagefunctionality in enough many browsers already

    Ronny

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    To fasteddie... you have two options here:
    1. You code the stuffs u've mention yourself
    2. Use other OS

  • Anonymous
    January 01, 2003
    I would like to know when the kind of code i've got posted at http://flum.se/ie/ WON'T be able to crash your IE & Computer. The latest entry to my crash page puts down both IE 6 SP1 AND WinXP totally!! And what exactly is this? Some naughty ActiveX code? Nope, it's just a normal <img src=... height="9999999999" width="999999999999"> As you can see, totally out of propotion and it even crashes the "beloved" firefox!

    When will we see a fix for this and the other crash codes i've got there?

  • Anonymous
    January 01, 2003



    For those of you who haven't already heard, the IE team has a blog and recently...

  • Anonymous
    March 17, 2006
    Security as a feature can be hard to measure. I
    want to provide some insight into our security strategy...

  • Anonymous
    December 23, 2006
    The comment has been removed

  • Anonymous
    January 20, 2008
    PingBack from http://canlive.net/ie-security-guy-at-microsoft-talks.html

  • Anonymous
    February 09, 2008
    PingBack from http://www.etixet.com/ie-security-guy-at-microsoft-talks.html

  • Anonymous
    February 10, 2008
    PingBack from http://software.hane.us/ie-security-guy-at-microsoft-talks.html

  • Anonymous
    June 06, 2008
    PingBack from http://thought.mobiforumz.com/2005/09/02/ie7-beta-chat-transcript-from-today/

  • Anonymous
    July 10, 2008
    PingBack from http://winzenz.mobiforumz.com/2005/09/02/ie7-beta-chat-transcript-from-today/

  • Anonymous
    December 13, 2008
    Source WOW way to never learn from the past. Share ...

  • Anonymous
    January 22, 2009
    PingBack from http://www.hilpers.nl/151491-internet-explorer-7-een-ramp

  • Anonymous
    April 18, 2009
    PingBack from http://www.geeknewscentral.com/2005/06/10/geek-news-central-podcast-72-2005-06-10/

  • Anonymous
    May 29, 2009
    PingBack from http://paidsurveyshub.info/story.php?title=ieblog-clarifying-low-rights-ie

  • Anonymous
    June 09, 2009
    PingBack from http://cellulitecreamsite.info/story.php?id=3829