Security and Compatibility with IE7

One of the biggest challenges in making software more secure is maintaining compatibility with the existing functionality that customers depend on.  We’re here at the RSA security conference in Silicon Valley to work with other software and security professionals to meet our customers’ expectations for safety and compatibility. While we have taken a great deal of care to preserve compatibility, the new security features in Internet Explorer 7 do change the way platform works and only testing with your products can gauge the impact and investment you may need to make to be fully compatible with IE7.

For the IE7 Beta preview for XP SP2, we prepared preview documentation and a preliminary compatibility tool to help developers analyze and address the most difficult compatibility and security problems posed by IE7 for web sites and browser extensions. More documentation will follow for other security features, but we are releasing the documents for the most challenging security features first. This will give you the maximum time for testing and remediation of any issues you find.

One or more of the security enhancements in IE7 may require an update in your code. The most notable changes include:

  • "Protected Mode" for Windows Vista will run Internet Explorer with restrictions that help prevent attackers from using vulnerabilities to install malware or otherwise damage a user’s system. At the same time, Protected Mode restricts Internet Explorer itself and will restrict extensions run in Internet Explorer. It is possible that that you will need to update your extension to be compatible with Protected Mode.
  • "ActiveX opt-in" will disable most ActiveX controls on the system. If your ActiveX control needs to be enabled by default, we have put together a set of ActiveX best practices to help you understand how to make it safe enough to be used on the internet and enable it for use with IE7.
  • IE7 has more secure defaults for SSL. IE7 will disable SSLv2, enable TLSv1, block non-secure http content in secure https pages, and block navigation to sites that have SSL certificate errors.
  • We rebuilt critical code paths for URL parsing and Cross Domain security using new best practices for secure software development. Your website or application may need to be updated if it relies on a non-standard URL syntax. The compatibility tool will help you test for these problems.
  • We have retired a number of rarely-used legacy features from the product to reduce attack surface. The removal of these features may require you to update your website or your application. Please refer to the IE7 Beta preview release notes for the list of removed features.

Besides ensuring compatibility, Website Developers and Software Developers can take advantage of IE’s security features to help users feel more confident while they browse your site or download your code:

  • IE7 includes an enhanced experience for sites that include upcoming higher assurance SSL certificates including the lock icon with a green filled address bar. Along with other browsers, the Certificate authority industry is working with us towards a tougher SSL standard for the enhanced experience. This past Sunday and Monday, we met to work on the standard with the American Bar Association here in San Jose. The certificate authorities who coolaborated with us this weekend include Geotrust, Verisign, Identrus, Comodo, Cybertrust, Go Daddy and X-Ramp.  To see what the experience will be like, you can try out the enhanced experience by downloading a test root certificate and then visiting our demo site using IE7 Beta 2 Preview. If you think your site should have this experience, contact your certificate authority to learn about their plans to offer higher assurance SSL certificates that will be recognized by the IE7 address bar.
  • In the upcoming Beta 2 release, IE7 will let users sign into web sites using visual "InfoCards" rather than passwords.  This eliminates a number of common attacks because when no password is typed, there is none to be stolen (and none to forget).  The "InfoCard" system uses certificates to make it harder for imposter sites to pass themselves off as genuine.
  • IE7 checks the signatures on downloaded programs such as ActiveX controls and executables to make it easy for customers to identify your code. If you distribute software over the internet, you should sign your code with a valid code signing certificate.

We’ve already had the chance to work with engineers from companies like Adobe, Real Networks and many others. We found that our colleagues at these other companies are just as passionate about security as we are. We hope you’ll take this opportunity to work with us towards a safer experience for our mutual customers. We look forward to your feedback during this process and getting to know you better along the way!

 - Rob Franco

Comments

  • Anonymous
    February 14, 2006
    Why google adsense always come up as a suspicious site?

  • Anonymous
    February 14, 2006
    All - sorry it wasn't more clear, if you're running IE6SP1 or Windows XP (SP1 or SP2), you're not vulnerable. Only users still running IE 5.01 on Windows 2000 SP4 need apply this update.

    IE7 is also not affected.

    -Christopher

  • Anonymous
    February 14, 2006
    Great work!

  • Anonymous
    February 14, 2006
    Rob, could you have IE send anti-spyware programs a notification after an ActiveX control is downloaded but before it is installed. That seems like a decent way to protect users on XP who cannot depend on protected mode.

  • Anonymous
    February 14, 2006
    hi why is ie7 when you type a email and make a mistake there is a flaw in there that when you type make a mistake on webbase email like hotmail i got it does not delete the word you have to put the mouse on the letter to clear it see for you self try it can that be fixed

  • Anonymous
    February 14, 2006
    The comment has been removed

  • Anonymous
    February 14, 2006
    Or why not restrict file reads/writes from an ActiveX to once every second?  That way, any chaos can be slowed down...

  • Anonymous
    February 14, 2006
    I can understand that you want more security for your IE. But please, please allow to see the image I want to upload on the internet! I can't write document.all['imageobject'].src = this.value on an input object!
    The source from the image is the path in the internet + imagefile name. It should be path to the image + imagefile name!

  • Anonymous
    February 14, 2006
    "If you distribute software over the internet, you should sign your code with a valid code signing certificate."

    Presumably this statement does not apply to .NET controls hosted in IE?  Or at least not to those that don't require any additional trust than the standard internet zone?  (It's a bit worrying to see all this news about changes without any mention of .NET controls... but they do still work in the beta so I'm keeping my fingers crossed!)

  • Anonymous
    February 14, 2006
    The comment has been removed

  • Anonymous
    February 14, 2006
    PingBack from http://dancmorgan.wordpress.com/2006/02/15/security-and-compatibility-with-ie7/

  • Anonymous
    February 14, 2006
    Does InfoCard store private keys on user's computer? If attacker gains access to user's drive, can he steal his InfoCard identity?

  • Anonymous
    February 15, 2006
    "Or why not restrict file reads/writes from an ActiveX to once every second?  That way, any chaos can be slowed down..."

    Any idea on how this would be accomplished?  ActiveX code is just regular program code that gets called from within the iexplore.exe process.  There wouldn't be a reliable way to know whether a given file I/O is caused by an ActiveX control or a different part of IE.

  • Anonymous
    February 15, 2006
    The comment has been removed

  • Anonymous
    February 15, 2006
    The comment has been removed

  • Anonymous
    February 15, 2006
    Bill Gates talked at RSA about "higher assurance" ssl certificates for website.

    Only "higher assurance ssl website cert" would trigger the "green URL bar"
    in IE 7.

    Could anybody from Microsoft or external specialists explain to me:
    - what would be the differences with current ssl website certificates at the
    X509 cert fields level ?
    - what would be the difference at website identification level ?
    - what will be included inside the certificate fields to express that
    difference ?
    - would emission of "higher assurance" certificates be limited to
    certification authorities that comes by default with windows/IE and are
    updated via windows update ?  

    regards,

    Fred

  • Anonymous
    February 15, 2006
    Some questions and request to the IE 7 product management.

    I saw strange differences between IE 7 beta 1 and IE 7 beta 2 when clicking
    on the "SSL lock" (the one just on the right of the URL bar).

    In IE 7 beta 1: Displayed certificate information summary seem logical to
    me: it indicate the CN of the certification authority that did issue the ssl
    website certificate. This is inline with the "issued by" display when you
    double click on a certificate in earlier versions of the "view certificate
    details"

    IE 7 beta 1 displayed text is "SSL secure (128 bits) you should send
    confidential information only if you trust the organization listed
    what is a certificate ?
    Certificate information followed by :
    - the "O=" information of the website ssl cert
    - the "C=" infromation of the website ssl cert
    Website certification provided by : CN field of the X509 certificate of the
    issuing CA.

    In IE 7 beta 2, everything seems to have changed, clicking on the "SSL lock"
    (the one just on the right of the URL bar), I have:
    Secure connection
    "O=" field of the issuing CA has identified this site as
    CN of the website ssl cert
    Owner unverified
    Location unverified.

    Limited information about this website is available. You should send
    confidential information only if you trust this website.
    What is a certificate.

    Question 1:  It took a long time to educate customer/users to check the
    "issued by" field of the certificate details (= CN of the issuing CA cert),
    why now change the field identifying a Certification authority to the "O= "
    field ?

    I would like to stress that I think the IE 7 beta 1 "security message" is
    better because it relies on several years of education to customer and users
    for a lot of companies offering services on the internet and remains inline
    with past versions of windows and IE making easier the understanding for
    customer....simplicity in security communication to users is of primary
    importance here...

    Question 2: what is owner in this security message ? what is location in
    this security message ? to which X509 website and issuing certificate field
    does this correspond ? What is "security semantics and policies" around these
    items ?

    any clarifications and brainstorm around this more than welcome

    greetings


  • Anonymous
    February 15, 2006
    Re: Restricting ActiveX controls

    There was a comment above about "how can you restrict ActiveX controls," and the answer is application level security.

    The problem with ActiveX can be correctly resolved by the IE team, if they actually care to implement it.

    At module load time, every ActiveX control is assigned a HLIBRARY.  Given a return address on a call stack, I can determine what module is invoking a routine.  Based on that information, I can add a Windows XP group to the current effective permission set, which in turn allows me to restrict all file, installer, etc. access to the machine.

    This is how tools like DEP work on processors that don't support it -- Microsoft looks to see if the caller is a data segment, which it knows by the address.  It would be just as easy to have a quick-dirty check based on the module handle.

  • Anonymous
    February 15, 2006
    Here is the problem. I have Download Accelerator Plus 8.0 from Speedbit. Unfortunately, it sometimes intercepts files that are meant for a webpage in IE7. As soon as that happens, IE7 crashes. That's a bug in IE 7.0.5296.0 with DAP 8.0.4.1. I am running WinXP 5.1 with SP2 on an Athlon XP 2800 with (1/2)GB DDR memory on an AsRock K7VT4A+ motherboard.

  • Anonymous
    February 15, 2006
    Since InfoCards seem to be part of winfx, does that mean they are Vista only?

  • Anonymous
    February 15, 2006
    Dave Bacher: You can't trust the return address on the call stack, it's fairly easy to fake. For a good explanation, see:

    http://blogs.msdn.com/oldnewthing/archive/2004/01/01/47042.aspx

    And that's not how software-enfored DEP works at all. All software-enforced DEP does is, before a structure exception handler is dispatched, it checks that the SEH address is registered in the function table in the image. It doesn't check anything on the stack at all.

  • Anonymous
    February 15, 2006
    Clicking on the "SSL lock":
    You only show the certificate - that is not enough!
    Please show additional:
    * What kind of public/private key algorithm do you use for the session? What is the key length?
    * What kind of symmetic key algorithm do you use? What is the key length?

  • Anonymous
    February 16, 2006
    The comment has been removed

  • Anonymous
    February 16, 2006
    '"ActiveX opt-in" will disable most ActiveX controls on the system. If your ActiveX control needs to be enabled by default, we have put together a set of ActiveX best practices to help you understand how to make it safe enough to be used on the internet and enable it for use with IE7.'

    Wait, am I reading this correctly? Did somebody finally get the message?

  • Anonymous
    February 17, 2006
    "Rob, could you have IE send anti-spyware programs a notification after an ActiveX control is downloaded but before it is installed. That seems like a decent way to protect users on XP who cannot depend on protected mode."

    This is already available to anyone who wants it.  See here: http://msdn.microsoft.com/library/default.asp?url=/workshop/security/antivirus/reference/ifaces/iofficeantivirus/iofficeantivirus.asp

  • Anonymous
    February 19, 2006
    The location bar should be displayed only when the popup window comes from another domain.

  • Anonymous
    February 22, 2006
    Sounds great! I just hope it won't become too expensive. Small companies or group projects will probably have a need for a security certificates as well.

    (Off-topic: is there a "due date" by which I should have submitted the bugs I found in the IE7 public preview? I'd like to know approximately how much time I have, I want to be as thorough as possible, but careful as well.)

  • Anonymous
    February 23, 2006
    Hey,

    What happened to protected mode in Vista Feb. CPT. In IE 7 it no longer shows protected mode in the status bar in IE. It's just "Internet" .

    Any ideas?

    cya,

    Will

  • Anonymous
    February 23, 2006
    The comment has been removed

  • Anonymous
    February 26, 2006
    Hi,
    Recently I upgraded my IE 6 browser to IE7, after upgrade when I tried to log into Wells fargo (www.wellsfargo.com) site and it did not allowed me past the login screen, displaying that mine is an unsupported browser.
    I understand that IE7 is still a beta version and may not be tested and supported by Wells fargo as its supported browser.
    Is there a way I can still use my IE6 that I used to have in my computer before this IE7 upgrade.
    Now I remain strandled to download one of the free browsers that Wellsfargo supports.I really donot want to download any web browser other than IE, please advise me as how I can still log into the sites that support IE6 but not IE7.
    URGENT!

    Thanks
    Naga

  • Anonymous
    February 26, 2006
    I am using IE7 on Vista Feb CTP and I cannot get an IPSec cert for my machine through the normal Windows CA.  I go to the page to make the request and it sits forever at "Downloading ActiveX Control..".  I have added the site to my trusted site list but still no change.  Any ideas how to get past this?  Without this I can't take Vista on the road.
    Thanks,
    Joseph

  • Anonymous
    February 27, 2006
    About 'compatibility'...
    I have here (www.moneyshop-credit.com) a site that displays correctly in IE6, Firefox, Opera, Konqueror, Safari... Pretty much any browser, EXCEPT IE7b2 - and that is due to IE7 ignoring CSS in:
    - min-width,
    - max-width,
    - width: auto.
    Now, the latter was supposedly fixed in IE7b2, as said in http://blogs.msdn.com/ie/archive/2005/07/29/445242.aspx
    Looks to me like it isn't as of IE 7.0.5296.0...
    So, alright, this is not security-related, but I find strange that a supposedly fixed bug... isn't.

  • Anonymous
    February 27, 2006
    As Rob pointed out in his last blog post on security and compatibility in IE7, one of the biggest challenges...

  • Anonymous
    March 20, 2006
    I’m really excited for my talk tomorrow here at Mix06. This conference feels more like a party than work....

  • Anonymous
    June 12, 2006
    Hello, we are Durga and Bala, from the IE IDC team. We would like to describe to you, a new feature in...

  • Anonymous
    July 26, 2006
    I read about this internally yesterday and then on the blog posts today - IE7 will become part of the

  • Anonymous
    August 19, 2006
    PingBack from http://www.roks.xmgfree.com/blog/2006/08/19/ie7-to-be-distributed-via-automatic-updates/

  • Anonymous
    October 18, 2006
    PingBack from http://www.thepraveen.com/internet-explorer-7-for-windows-xp-available-now/

  • Anonymous
    October 18, 2006
    PingBack from http://www.webposible.com/blog/?p=268

  • Anonymous
    October 18, 2006
    PingBack from http://uberchurchtech.wordpress.com/2006/10/19/church-geek-links-10-19-06/

  • Anonymous
    October 18, 2006
    The comment has been removed

  • Anonymous
    October 18, 2006
    PingBack from http://invaleed.wordpress.com/2006/10/19/internet-explorer-7-for-windows-xp-available-now/

  • Anonymous
    October 19, 2006
    PingBack from http://arai.wordpress.com/2006/10/19/internet-explorer-7-released-for-windows-xp-and-windows-server-2003/

  • Anonymous
    October 21, 2006
    PingBack from http://stylegrind.com/ie-7-released/

  • Anonymous
    October 22, 2006
    PingBack from http://ekrishnakumar.wordpress.com/2006/10/22/internet-explorer-7-for-windows-xp-available-now/

  • Anonymous
    October 23, 2006
    PingBack from http://www.jasonruyle.com/2006/10/18/internet-explorer-7-released/

  • Anonymous
    March 12, 2007
    The comment has been removed

  • Anonymous
    June 16, 2009
    PingBack from http://www.ostreff.info/?p=415

  • Anonymous
    June 16, 2009
    PingBack from http://fixmycrediteasily.info/story.php?id=1630