Channel 9

Entries:
Comments:
Posts:

Loading User Information from Channel 9

Something went wrong getting user information from Channel 9

MSDN

Activity Profile

Latest Achievement:

Loading User Information from MSDN

Something went wrong getting user information from MSDN

Visual Studio Achievements
Visual Studio Achievements

Latest Achievement:

Loading Visual Studio Achievements

Something went wrong getting the Visual Studio Achievements

Rob Franco and team - IE 7 Security

Embed code for this video

Copy the code above to embed our video on your website/blog.

Close

Video format

Option selected may change based on video formats available and browser capability.

Close

Download

How do I download the videos?

  • To download, right click the file type you would like and pick “Save target as…” or “Save link as…”

Why should I download videos from Channel9?

  • It's an easy way to save the videos you like locally.
  • You can save the videos in order to watch them offline.
  • If all you want is to hear the audio, you can download the MP3!

Which version should I choose?

  • If you want to view the video on your PC, Xbox or Media Center, download the High Quality WMV file (this is the highest quality version we have available).
  • If you'd like a lower bitrate version, to reduce the download time or cost, then choose the Medium Quality WMV file.
  • If you have a Zune, WP7, iPhone, iPad, or iPod device, choose the low or medium MP4 file.
  • If you just want to hear the audio of the video, choose the MP3 file.

Right click “Save as…”

There's a ton of new things in Internet Explorer 7.0 that'll improve your security. Meet the IE team and learn what they are doing to protect computer users against phishing and malware and other kinds of attacks. For more about IE 7.0, visit the IE team's blog.

The interviewer here is Joshua Allen, IE evangelist, and he is well-known because he was Microsoft's first blogger.

Tags:

Follow the Discussion

  • DevilsRejectionDevils​Rejection addicted to rss
    Is it safe to confirm that IE7 will be the moset secure browser?

    The sheer fact that it can't write a single thing to the hd without user approvable is enough for me to get me to switch back from Firefox.
  • nektarnektar

    In the video you show your evil activex control and what it does is issue the "format c:" command. Actually, this command will fail since the C drive is in use by the operating system and cannot be formated and since the format command needs confirmation before it formats a harddisk, although the latter might be bypassed I guess. However, you are the IE Security Team and I hope that you know this. After all, hacker do much worse things and I hope that you know much more than you are telling us on their methods and on all the harmful senarios that are out there. Because a simple format c: is nothing and you should know that. I hope that your internal testing examples are much more sofisticated than what you say publicly.

  • johnbrienjohnbrien HARRIER

    "Need to get a camcorder with a light"


    [6]ROBERT


  • EscamilloEscamillo
    nektar, I believe that the evil ActiveX control didn't execute the "format c:" command, it installed into the user's startup folder a batch file that executed "format c:".  The demo showed how the ActiveX control was blocked from installing the batch file.
  • WellsWells
    nektar wrote:

    In the video you show your evil activex control and what it does is issue the "format c:" command. Actually, this command will fail since the C drive is in use by the operating system and cannot be formated and since the format command needs confirmation before it formats a harddisk, although the latter might be bypassed I guess. However, you are the IE Security Team and I hope that you know this. After all, hacker do much worse things and I hope that you know much more than you are telling us on their methods and on all the harmful senarios that are out there. Because a simple format c: is nothing and you should know that. I hope that your internal testing examples are much more sofisticated than what you say publicly.



    That was just a trivial example - it didn't matter what was in the file, just the fact that the control tried to write a file but IE7 didn't let it.
  • TheAsherTheAsher Just A Guy

    The pure evil movie, I have no idea, but this thing might know...
    I can thing of one of the ghost busters sequels or Newman (from Seinfeld... he is pure evil)

  • Chris PietschmannCRPietschma​nn Chris Pietschmann
    Why is his phone off the hook, and the reciever is unplugged?
  • KollnerKollner Nicolai A. Kollner is the C#deSamurai
    500MB download.. OMG!!! Embarassed
  • mycroftmycroft
    Are there any plans to get rid of the registry altogether in the future? Always seemed like a bad idea, once somethings done the damage in there you're a bit screwed. Peoples registrys become such a mess of leftover keys from uninstalled software, hopefully Jim Allchins plans on keeping the performance up over time includes something on this.

  • MauritsMaurits AKA Matthew van Eerde

    pure evil:

    Time Bandits?  "Mum!  Dad!  Don't touch it! It's evil!"

  • scobleizerscobleizer I'm the video guy
    Kollner: sorry. I've been experimenting with higher resolution vids.
  • The CDCerThe CDCer
    It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well know CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks that the IE 7 team are still not aware of the problem. Please read A brutal solution to the IE z-index bug for more details and try to fix it. the world can't afford to fight with the bug for another 10 years! Speaking about bugs, here is another one: While poking around MSN, I did a search for MSN sucks, and found a grand total of 49 pages! Yes, you heard it right, it's 49 pages, not 49K. As you can imagine, there is no way that I could trust that number, so I immediately checked with Google and got over 2 million results, and the same search by Yahoo! reports 3.7 million! But wait, it got much worse! Please read Bug or censorship in MSN search for the whole story. These issues cost the industry countless hours of lost productivity (100s of millions hours per year by some estimation) and really make Microsoft look so incompetent and evil in the eyes of geeks.
  • The CDCerThe CDCer
    Can anyone tell me why HTML code not working here?
  • DMassyDMassy Driving!
    The CDCer wrote:
    It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well know CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks that the IE 7 team are still not aware of the problem. Please read <a href='http://cdcer.com/?2005/09/brutal-solution-to-ie-z-index-bug.html'>A brutal solution to the IE z-index bug</a> for more details and try to fix it. the world can't afford to fight with the bug for another 10 years! Speaking about bugs, here is another one: While poking around MSN, I did a search for <a href='http://search.msn.com/results.aspx?q=MSN+sucks&srch_type=0&FORM=QBRE'>MSN sucks</a>, and found a grand total of 49 pages! Yes, you heard it right, it's 49 pages, not 49K. As you can imagine, there is no way that I could trust that number, so I immediately <a href='http://www.google.com/search?num=100&hl=en&lr=&safe=off&c2coff=1&q=MSN+sucks&btnG=Search'>checked with Google</a> and got over 2 million results, and the <a href='http://search.yahoo.com/search?p=MSN+sucks&prssweb=Search&ei=UTF-8&fr=ush-help&fl=0&x=wrt'>same search by Yahoo!</a> reports 3.7 million! But wait, it got much worse! Please read <a href='http://cdcer.com/?2005/09/bug-or-censorship-in-msn-search.html'>Bug or censorship in MSN search</a> for the whole story. These issues cost the industry countless hours of lost productivity (100s of millions hours per year by some estimation) and really make Microsoft look so incompetent and evil in the eyes of geeks.


    Hi CDCer,
    The IE team has been very well aware of the z-indexing issue with the select element. If you read the blog post from Chris Wilson on the IE team blog at http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx you'll see that this is on the list of issues being addressed in IE7.

    Thanks
    -Dave
  • pilotbobpilotbob
    Ok,

    There has been all this talk about running LUA/LUP whatever you want to call it.

    But, my understanding was that in XP home there really was not security. Logins are strictly for profiling? You need XP Pro to restrict a certain user from writing or accessing certain parts of the system.

    Can someone comfirm or deny this? Please show the work of your proff.

    BOb
  • ChrisDChrisD
    Pure Evil as in the Fifth Element I would Say Smiley
  • Eagle_AverroEagle_Averro
    Robert once again Great Video Smiley can i recomend  you  use a Monopod  or a Tripod...for the Camera Smiley). Just to point out  i have some of your CLips  on the  Yahoo site  under the User name " Eagle_averro_isme Photo album"   Nice seeing  you  great effort  in the " Picture speaks a THOUSAND words"  keep it  up and many thanks  to you and the teams.
  • KenQKenQ Who's richer, the guy with the dough or friends?
    I would like to know if the final version of IE7 will have the toolbars locked or not. As in not giving the end user any way to move around the address toolbar or the buttons where you want them. I read somewhere on Channel9 that it will not be possible to move this around because that would make it easy to trick the end user or something.. Sorry i'm not very informative. I'm just not sure on this topic. Anyone with insight? Appreciated Big Smile
  • BruceMorganBruceMorgan
    KenQ wrote:
    I would like to know if the final version of IE7 will have the toolbars locked or not. As in not giving the end user any way to move around the address toolbar or the buttons where you want them.

    In Windows, the Explorer windows (aka shell windows), the navigation bar (back, forward, address / breadcrumb bar / search) is fixed at the top.   IE will do the same, for consistency with the shell as well as anti-spoofing.

    For IE7 on XPSP2, we're considering our options.  In Beta 1, we've heard a lot of feedback from people who want the ability to move the toolbars around, including the menus and the navigation bar.   So no "final answer" on this issue yet.
  • MauritsMaurits AKA Matthew van Eerde
    BruceMorgan wrote:
    In Windows, the Explorer windows (aka shell windows), the navigation bar (back, forward, address / breadcrumb bar / search) is fixed at the top.   IE will do the same, for consistency with the shell as well as anti-spoofing.


    Doesn't toolbar customization make it harder to spoof the chrome?

    I know when I'm surfing on a Mac, and a spoofed Windows dialog pops up, I get a good laugh. Smiley
  • neelayshahneelayshah
    I still don't exactly understand: "What stops an attacker from abusing the broker?" The broker is trusted and runs with higher privileges?

    Neelay
  • JoshuaAllenJoshuaAllen
    The broker has only a few methods, which are carefully threat modeled and designed to require user interaction.  The point is that you reduce the attack surface area by making the bare minimum code necessary be elevated.
  • cseifertcseifert

    Great video. Learnt a lot of where you guys are going. I have to say that I expect to see many privilege escalation exploits next....better priv escalation exploits than remote exploits that run under admin privs automatically....

    ...in the video you were referring to sending in exploits and vulnerabilities, so you guys can verify the threat model of IE. Is the threat model of IE published somewhere? I think if it is would give the security research community a more direct way to probe it for weaknesses...

    Thanks -
    Christian

    -----

    http://www.mcs.vuw.ac.nz/~cseifert/blog/index.php

  • antichrisantichris
    The CDCer wrote:
    It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well know CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks that the IE 7 team are still not aware of the problem. Please read <a href='http://cdcer.com/?2005/09/brutal-solution-to-ie-z-index-bug.html'>A brutal solution to the IE z-index bug</a> for more details and try to fix it. the world can't afford to fight with the bug for another 10 years!


    Tell me about it.  IE7 is in the wild, and I'm still having to workaround 10 year old z-index bugs.  Every other browser seems to work with CSS.
  • phentermine 37.phentermine 37.

    You guys always deliver useful content. Awesome post. Very interesting and valuable videos. Keep posting more articles. Thanks for sharing useful info.

    You guys always deliver useful content. Awesome post. Very interesting and valuable videos. Keep posting more articles. Thanks for sharing useful info.

  • phentermine 37.phentermine 37.

    You guys always deliver useful content. Awesome post. Very interesting and valuable videos. Keep posting more articles. Thanks for sharing useful info.

Remove this comment

Remove this thread

close

Comments Closed

Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums,
or Contact Us and let us know.

More posts in this blog

See More

Related posts

Creative Commons License

© 2013 Microsoft. Except where designated as licensed by
Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License,
Microsoft reserves all rights associated with the materials on this site.