Windows Vista and IE7

1
Windows Vista and IE7

• Juhani VuorioISV Developer EvangelistMicrosoft
  Oyjuhani.vuorio_at_microsoft.com

2
Agenda

• Background
• Tools
• Changes in IE

3
Secure and Trustworthy Browsing

• Malicious web pages often install malware or
  modify files by exploiting buffer overruns or
  other critical security exploits in IE or add-ons
• Solution Protected Mode (Vista)
• Eliminates silent install of malicious code
• Protects registry, file system from silent
  malware installs
• Does NOT prevent running Win32 code
• Only available on Windows Vista

4
Integrity Levels and policy

• Integrity levels defined by Security IDs (SIDs)
• The RID defines the integrity level
• Primary integrity levels
• Low S-1-16-4096 (0x1000)
• Medium S-1-16-8192 (0x2000)
• High S-1-16-12288 (0x3000)
• System S-1-16-16384 (0x4000)
• Integrity level policies associated with generic
  access rights
• No-Write-Up - means lower IL process cannot
  modify higher IL object
• No-Read-Up prevents lower IL process from
  having generic read
• No-Execute-Up prevents lower IL process
  generic execute access
• Default policy is No-Write-Up

5
Process Integrity Level

• Security token in every process is assigned an
  integrity level
• Examples of assigned levels
• Low Protected-mode IE, and processes started
  by PM IE
• Medium Standard user processes, non-elevated
  admin
• Accessibility processes run at slightly above
  Medium
• High Elevated Administrator processes
• System Local System and local Service processes
• Process usually inherits the IL of its parent
• If an executable file has an explicit IL, process
  will have an IL that is the minimum of parents
  and files
• Processes can also be created at an explicit IL
  (e.g. elevation)
• Ways to view a process integrity level
• Command Whoami /all
• Sysinternals Process Explorer and AccessChk
  (http//www.microsoft.com/technet/sysinternals/def
  ault.mspx)

6
Integrity Levels and User Interface

• The Windows subsystem also honors integrity
  levels with UIPI
• Lower IL process cannot send window messages to a
  window of a higher IL app based on filter
• Certain read-type messages are allowed past
  filter and can be sent to the higher IL windows
  process
• Higher IL process can register additional
  messages that pass filter (ChangeWindowMessageFilt
  er)
• Lower IP process cannot install hooks
• Prevents shatter attacks

7
Object Versus Process Accesses
Objects
Processes
High
High
Medium
Medium
Medium IL Process
Low
Low
Low IL Process
Read
Write
8
Protected-Mode Internet Explorer

• Problem drive-by-download malware uses buffer
  overflows and other vulnerabilities in IE, IE
  extensions, and ActiveX controls to compromise
  the user
• Modifies behavior of users account
• Installs malware
• Solution IE 7 on Vista uses integrity and UIPI
  to isolate IE from the users other processes,
  windows and settings
• Runs IE at Low IL
• Also called Low-Rights IE (LoRIE)
• Objects that must be writeable by IE are set to
  Low IL e.g.
• Temporary Internet Files
• Cookies
• Recycle Bin
• Various Registry keys, including ones under
  HKCU\Software\Microsoft\Internet Explorer

9
Saving Content in Protected-Mode IE

• IE promotes explicitly downloaded content to
  Medium
• Makes it equivalent to the users other data and
  code
• Prevents malware from tampering with it
• IE running at low cant do that itself
• Downloads first to a Low directory
• Asks IEUser.exe, which runs at Medium IL, to
  promote

IEUser.exe (Medium)
IEShowFileSaveDialog
IESaveFile
IExplore.exe (Low)
10
IE7 in Protected Mode is least privileged
IExplore in Protected Mode
Integrity Control and UIPI
IEInstall.exe
Admin-Rights Access
HKLM HKCR Program Files
IEUser.exe
User-Rights Access
HKCU My Documents Startup Folder
Temp Internet Files
Untrusted files settings
11
Tools

• Application Compatibility Manager
• Internet Explorer Compatibility Test Tool
• IE7 Readiness toolkit

12
Internet Explorer Compatibility Test Tool

• Monitors web application testing in real time
• Notification appears in IE7
• Windows XP / Windows Server 2003
• LMZL Mime HandlingWindows Restrictions Zone
  ElevationBinary Behaviors Object
  CachingActiveX Blocking Popup BlockingDownload
  Blocking CURL - Centralized URL
  ParsingInternational Domain Names (IDN)
  SupportSSL XDom BarrierManage
  Add-ons Anti-PhishingCross Frame navigation CSS
  fixes
• Windows Vista all of the above, plus
• Internet Explorer Protected Mode
• Data can be saved and viewed locally, and can be
  uploaded to the ACT server to include in
  compatibility evaluation

13
IE7 Readiness Toolkit

• Web developer toolbar IE6
• Rich tool set for exploring DHTML and CSS
• ExpressionFinder
• Identifies CSS hacks
• Fiddler HTTP monitor
• http//blogs.msdn.com/IE/

14
IE 7 Readiness Toolkit

• Dev Toolbar Features
• Explore Web Page DOM
• Locate page elements
• Selectively clear cache and cookies
• Validate HTML, CSS, RSS
• Use full featured ruler to help arrange content
• Disable/Enable CSS parsing
• Color Picker
• Fiddler (http//www.fiddlertool.com/Fiddler/help/l
  og.asp)
• Easy to use tool to monitor HTTP traffic
• Set Traffic Breakpoints
• And Fiddle with incoming or outgoing data

15
Compatibility (1)

• User Agent Strings and Browser Detection
• Accounts for 1/3 of compatibility problems
• Base your version-testing on gt, NOT
• Overflow
• Use min-height/width or correct box size
• lt?xmlgt prolog doesnt prevent strict mode in IE7,
  which affects the CSS Box Model
• lt?xml version"1.0"?gt lt!DOCTYPE html PUBLIC
  "-//W3C//DTD XHTML 1.0 Strict//EN"
  "DTD/xhtml1-strict.dtd"gt

16
Compatibility (3)Fix CSS Hacks

• Rely on parser bugs and/or not yet implemented
  features
• html (Target IE only)
• _height50px (Target IE only)
• height// 300px (Target Everyone but IE)
• html gt body (Target Everyone but IE)
• Ideally no workarounds are needed but reality
  intrudes
• If you use CSS hacks only target
  already-obsoleted UAs
• Know in what browser version your hack will stop
  working
• IE Alternative Conditional Comments to target
  browser versionslt!--if lte IE 6gt ltlink
  rel"stylesheet" type"text/css"
  href"iestyles.css" /gt lt!endif--gt

17
Compatibility (2)Fixing Broken Work Arounds

• Most famous CSS Filter break the Holly hack
• html height1
• Used to force Has Layout
• IE internal data structure still exists in IE7
• Responsible for sizing and positioning itself
• Article produced in cooperation with WASP1
• What can you do?
• IE6 and below Use of Holly hack is ok
• IE7 (if needed) conditional comments zoom1

1http//msdn.microsoft.com/library/default.asp?url
/library/en-us/ietechcol/cols/dnexpie/expie200508
31.asp
18
Changes in IE7Adding the most requested features

• Fixed inconsistencies with the W3C specs
• Enable hover on all elements not just on ltagt
• Background-attachment fixed on all elements
• Improved ltobjectgt fallback
• Added standards features (CSS 2/HTML 4)
• Fixed positioning support
• Min/Max-Width/Height support
• Selectors first-child, adjacent, attribute,
  child
• CSS 3 attribute selectors prefix, suffix and
  substring

19
IE7 and CSShttp//www.positioniseverything.net/ex
plorer.html
20
Questions?