Rob Franco and team - IE 7 Security

Posted: Sep 15, 2005 at 6:24 PM

By: scobleizer

(1)

89,821 Views

26 Comments

Download

Right click “Save as…”

Mid Quality WMV (Lo-band, Mobile)
WMV (WMV Video)

format
< > embed
+ queue

Sign In first to access your queue.
Close

Sorry, video was not added to the queue, an error occurred. Please Contact Us and let us know.
Close

Embed code for this video

Copy the code above to embed our video on your website/blog.

Video format

Auto
Use our suggested format for this video.
Smooth Streaming
Adaptive bitrate streaming - little buffering but lower video quality at times of low bandwidth.
Progressive
Traditional buffered video format.
HTML5
For browsers that support h264 MP4 or WebM video playback such as:
IE9+, Chrome 5+, or Safari 4+.

Note: These selections will fall back to the next best format depending upon browser capability.

There's a ton of new things in Internet Explorer 7.0 that'll improve your security. Meet the IE team and learn what they are doing to protect computer users against phishing and malware and other kinds of attacks. For more about IE 7.0, visit the IE team's blog.

The interviewer here is Joshua Allen, IE evangelist, and he is well-known because he was Microsoft's first blogger.

The CDCer wrote:

It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well know CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks that the IE 7 team are still not aware of the problem. Please read <a href='http://cdcer.com/?2005/09/brutal-solution-to-ie-z-index-bug.html'>A brutal solution to the IE z-index bug</a> for more details and try to fix it. the world can't afford to fight with the bug for another 10 years! Speaking about bugs, here is another one: While poking around MSN, I did a search for <a href='http://search.msn.com/results.aspx?q=MSN+sucks&srch_type=0&FORM=QBRE'>MSN sucks</a>, and found a grand total of 49 pages! Yes, you heard it right, it's 49 pages, not 49K. As you can imagine, there is no way that I could trust that number, so I immediately <a href='http://www.google.com/search?num=100&hl=en&lr=&safe=off&c2coff=1&q=MSN+sucks&btnG=Search'>checked with Google</a> and got over 2 million results, and the <a href='http://search.yahoo.com/search?p=MSN+sucks&prssweb=Search&ei=UTF-8&fr=ush-help&fl=0&x=wrt'>same search by Yahoo!</a> reports 3.7 million! But wait, it got much worse! Please read <a href='http://cdcer.com/?2005/09/bug-or-censorship-in-msn-search.html'>Bug or censorship in MSN search</a> for the whole story. These issues cost the industry countless hours of lost productivity (100s of millions hours per year by some estimation) and really make Microsoft look so incompetent and evil in the eyes of geeks.

Hi CDCer,
The IE team has been very well aware of the z-indexing issue with the select element. If you read the blog post from Chris Wilson on the IE team blog at http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx you'll see that this is on the list of issues being addressed in IE7.

Thanks
-Dave

Follow the Discussion

Subscribe to these comments

DevilsRejection addicted to rss

Sep 15, 2005 at 9:30 PM quote reply

Is it safe to confirm that IE7 will be the moset secure browser?

The sheer fact that it can't write a single thing to the hd without user approvable is enough for me to get me to switch back from Firefox.
nektar

Sep 16, 2005 at 2:16 AM quote reply

In the video you show your evil activex control and what it does is issue the "format c:" command. Actually, this command will fail since the C drive is in use by the operating system and cannot be formated and since the format command needs confirmation before it formats a harddisk, although the latter might be bypassed I guess. However, you are the IE Security Team and I hope that you know this. After all, hacker do much worse things and I hope that you know much more than you are telling us on their methods and on all the harmful senarios that are out there. Because a simple format c: is nothing and you should know that. I hope that your internal testing examples are much more sofisticated than what you say publicly.
johnbrien HARRIER

Sep 16, 2005 at 3:25 AM quote reply

"Need to get a camcorder with a light"

[6]ROBERT
Escamillo

Sep 16, 2005 at 3:40 AM quote reply

nektar, I believe that the evil ActiveX control didn't execute the "format c:" command, it installed into the user's startup folder a batch file that executed "format c:". The demo showed how the ActiveX control was blocked from installing the batch file.
Wells

Sep 16, 2005 at 3:54 AM quote reply

nektar wrote:

In the video you show your evil activex control and what it does is issue the "format c:" command. Actually, this command will fail since the C drive is in use by the operating system and cannot be formated and since the format command needs confirmation before it formats a harddisk, although the latter might be bypassed I guess. However, you are the IE Security Team and I hope that you know this. After all, hacker do much worse things and I hope that you know much more than you are telling us on their methods and on all the harmful senarios that are out there. Because a simple format c: is nothing and you should know that. I hope that your internal testing examples are much more sofisticated than what you say publicly.

That was just a trivial example - it didn't matter what was in the file, just the fact that the control tried to write a file but IE7 didn't let it.
TheAsher Just A Guy

Sep 16, 2005 at 4:57 AM quote reply

The pure evil movie, I have no idea, but this thing might know...
I can thing of one of the ghost busters sequels or Newman (from Seinfeld... he is pure evil)
CRPietschmann Chris Pietschmann

Sep 16, 2005 at 8:19 AM quote reply

Why is his phone off the hook, and the reciever is unplugged?
Kollner Nicolai A. Kollner is the C#deSamurai

Sep 16, 2005 at 9:02 AM quote reply

500MB download.. OMG!!!
mycroft

Sep 16, 2005 at 11:28 AM quote reply

Are there any plans to get rid of the registry altogether in the future? Always seemed like a bad idea, once somethings done the damage in there you're a bit screwed. Peoples registrys become such a mess of leftover keys from uninstalled software, hopefully Jim Allchins plans on keeping the performance up over time includes something on this.
Maurits AKA Matthew van Eerde

Sep 16, 2005 at 11:41 AM quote reply

pure evil:

Time Bandits? "Mum! Dad! Don't touch it! It's evil!"
scobleizer I'm the video guy

Sep 16, 2005 at 11:56 AM quote reply

Kollner: sorry. I've been experimenting with higher resolution vids.
The CDCer

Sep 20, 2005 at 9:16 AM quote reply

It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well know CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks that the IE 7 team are still not aware of the problem. Please read A brutal solution to the IE z-index bug for more details and try to fix it. the world can't afford to fight with the bug for another 10 years! Speaking about bugs, here is another one: While poking around MSN, I did a search for MSN sucks, and found a grand total of 49 pages! Yes, you heard it right, it's 49 pages, not 49K. As you can imagine, there is no way that I could trust that number, so I immediately checked with Google and got over 2 million results, and the same search by Yahoo! reports 3.7 million! But wait, it got much worse! Please read Bug or censorship in MSN search for the whole story. These issues cost the industry countless hours of lost productivity (100s of millions hours per year by some estimation) and really make Microsoft look so incompetent and evil in the eyes of geeks.
The CDCer

Sep 20, 2005 at 9:20 AM quote reply

Can anyone tell me why HTML code not working here?
DMassy Driving!

Sep 20, 2005 at 11:03 AM quote reply

The CDCer wrote:

It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well know CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks that the IE 7 team are still not aware of the problem. Please read <a href='http://cdcer.com/?2005/09/brutal-solution-to-ie-z-index-bug.html'>A brutal solution to the IE z-index bug</a> for more details and try to fix it. the world can't afford to fight with the bug for another 10 years! Speaking about bugs, here is another one: While poking around MSN, I did a search for <a href='http://search.msn.com/results.aspx?q=MSN+sucks&srch_type=0&FORM=QBRE'>MSN sucks</a>, and found a grand total of 49 pages! Yes, you heard it right, it's 49 pages, not 49K. As you can imagine, there is no way that I could trust that number, so I immediately <a href='http://www.google.com/search?num=100&hl=en&lr=&safe=off&c2coff=1&q=MSN+sucks&btnG=Search'>checked with Google</a> and got over 2 million results, and the <a href='http://search.yahoo.com/search?p=MSN+sucks&prssweb=Search&ei=UTF-8&fr=ush-help&fl=0&x=wrt'>same search by Yahoo!</a> reports 3.7 million! But wait, it got much worse! Please read <a href='http://cdcer.com/?2005/09/bug-or-censorship-in-msn-search.html'>Bug or censorship in MSN search</a> for the whole story. These issues cost the industry countless hours of lost productivity (100s of millions hours per year by some estimation) and really make Microsoft look so incompetent and evil in the eyes of geeks.

Hi CDCer,
The IE team has been very well aware of the z-indexing issue with the select element. If you read the blog post from Chris Wilson on the IE team blog at http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx you'll see that this is on the list of issues being addressed in IE7.

Thanks
-Dave
pilotbob

Sep 21, 2005 at 8:52 PM quote reply

Ok,

There has been all this talk about running LUA/LUP whatever you want to call it.

But, my understanding was that in XP home there really was not security. Logins are strictly for profiling? You need XP Pro to restrict a certain user from writing or accessing certain parts of the system.

Can someone comfirm or deny this? Please show the work of your proff.

BOb
ChrisD

Sep 25, 2005 at 8:35 PM quote reply

Pure Evil as in the Fifth Element I would Say
Eagle_Averro

Sep 29, 2005 at 2:00 PM quote reply

Robert once again Great Video can i recomend you use a Monopod or a Tripod...for the Camera ). Just to point out i have some of your CLips on the Yahoo site under the User name " Eagle_averro_isme Photo album" Nice seeing you great effort in the " Picture speaks a THOUSAND words" keep it up and many thanks to you and the teams.
KenQ Who's richer, the guy with the dough or friends?

Oct 09, 2005 at 2:13 PM quote reply

I would like to know if the final version of IE7 will have the toolbars locked or not. As in not giving the end user any way to move around the address toolbar or the buttons where you want them. I read somewhere on Channel9 that it will not be possible to move this around because that would make it easy to trick the end user or something.. Sorry i'm not very informative. I'm just not sure on this topic. Anyone with insight? Appreciated
BruceMorgan

Oct 21, 2005 at 9:33 PM quote reply

KenQ wrote:

I would like to know if the final version of IE7 will have the toolbars locked or not. As in not giving the end user any way to move around the address toolbar or the buttons where you want them.

In Windows, the Explorer windows (aka shell windows), the navigation bar (back, forward, address / breadcrumb bar / search) is fixed at the top. IE will do the same, for consistency with the shell as well as anti-spoofing.

For IE7 on XPSP2, we're considering our options. In Beta 1, we've heard a lot of feedback from people who want the ability to move the toolbars around, including the menus and the navigation bar. So no "final answer" on this issue yet.
Maurits AKA Matthew van Eerde

Oct 22, 2005 at 7:16 AM quote reply

BruceMorgan wrote:

In Windows, the Explorer windows (aka shell windows), the navigation bar (back, forward, address / breadcrumb bar / search) is fixed at the top. IE will do the same, for consistency with the shell as well as anti-spoofing.

Doesn't toolbar customization make it harder to spoof the chrome?

I know when I'm surfing on a Mac, and a spoofed Windows dialog pops up, I get a good laugh.
neelayshah

Nov 19, 2005 at 9:58 AM quote reply

I still don't exactly understand: "What stops an attacker from abusing the broker?" The broker is trusted and runs with higher privileges?

Neelay
JoshuaAllen

Dec 04, 2005 at 6:48 PM quote reply

The broker has only a few methods, which are carefully threat modeled and designed to require user interaction. The point is that you reduce the attack surface area by making the bare minimum code necessary be elevated.
cseifert

Jul 27, 2006 at 3:26 AM quote reply

Great video. Learnt a lot of where you guys are going. I have to say that I expect to see many privilege escalation exploits next....better priv escalation exploits than remote exploits that run under admin privs automatically....

...in the video you were referring to sending in exploits and vulnerabilities, so you guys can verify the threat model of IE. Is the threat model of IE published somewhere? I think if it is would give the security research community a more direct way to probe it for weaknesses...

Thanks -
Christian

-----

http://www.mcs.vuw.ac.nz/~cseifert/blog/index.php
antichris

Apr 06, 2007 at 7:24 AM quote reply

The CDCer wrote:

It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well know CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks that the IE 7 team are still not aware of the problem. Please read <a href='http://cdcer.com/?2005/09/brutal-solution-to-ie-z-index-bug.html'>A brutal solution to the IE z-index bug</a> for more details and try to fix it. the world can't afford to fight with the bug for another 10 years!

Tell me about it. IE7 is in the wild, and I'm still having to workaround 10 year old z-index bugs. Every other browser seems to work with CSS.
phentermine 37.

Aug 20, 2010 at 1:17 AM quote reply

You guys always deliver useful content. Awesome post. Very interesting and valuable videos. Keep posting more articles. Thanks for sharing useful info.

You guys always deliver useful content. Awesome post. Very interesting and valuable videos. Keep posting more articles. Thanks for sharing useful info.
phentermine 37.

Aug 20, 2010 at 1:21 AM quote reply

You guys always deliver useful content. Awesome post. Very interesting and valuable videos. Keep posting more articles. Thanks for sharing useful info.

Remove this comment

Remove this thread

Comments Closed

Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums,
or Contact Us and let us know.