Rob Franco and team - IE 7 Security

The Discussion

• 

  Is it safe to confirm that IE7 will be the moset secure browser?
  
  The sheer fact that it can't write a single thing to the hd without user approvable is enough for me to get me to switch back from Firefox.
  

• 

  In the video you show your evil activex control and what it does is issue the "format c:" command. Actually, this command will fail since the C drive is in use by the operating system and cannot be formated and since the format command needs confirmation before it formats a harddisk, although the latter might be bypassed I guess. However, you are the IE Security Team and I hope that you know this. After all, hacker do much worse things and I hope that you know much more than you are telling us on their methods and on all the harmful senarios that are out there. Because a simple format c: is nothing and you should know that. I hope that your internal testing examples are much more sofisticated than what you say publicly.

• 

  "Need to get a camcorder with a light"
  

  
  [6]ROBERT
  

  
  

• 

  nektar, I believe that the evil ActiveX control didn't execute the "format c:" command, it installed into the user's startup folder a batch file that executed "format c:".  The demo showed how the ActiveX control was blocked from installing the batch file.
  

• 

  nektar wrote:

  In the video you show your evil activex control and what it does is issue the "format c:" command. Actually, this command will fail since the C drive is in use by the operating system and cannot be formated and since the format command needs confirmation before it formats a harddisk, although the latter might be bypassed I guess. However, you are the IE Security Team and I hope that you know this. After all, hacker do much worse things and I hope that you know much more than you are telling us on their methods and on all the harmful senarios that are out there. Because a simple format c: is nothing and you should know that. I hope that your internal testing examples are much more sofisticated than what you say publicly.

  
  
  That was just a trivial example - it didn't matter what was in the file, just the fact that the control tried to write a file but IE7 didn't let it.

• 

  The pure evil movie, I have no idea, but this thing might know...
  I can thing of one of the ghost busters sequels or Newman (from Seinfeld... he is pure evil)

• 

  Why is his phone off the hook, and the reciever is unplugged?

• 

  500MB download.. OMG!!!

• 

  Are there any plans to get rid of the registry altogether in the future? Always seemed like a bad idea, once somethings done the damage in there you're a bit screwed. Peoples registrys become such a mess of leftover keys from uninstalled software, hopefully Jim Allchins plans on keeping the performance up over time includes something on this.
  
  

• 

  pure evil:

  Time Bandits?  "Mum!  Dad!  Don't touch it! It's evil!"
  

• 

  Kollner: sorry. I've been experimenting with higher resolution vids.

• 

  It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well know CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks that the IE 7 team are still not aware of the problem. Please read A brutal solution to the IE z-index bug for more details and try to fix it. the world can't afford to fight with the bug for another 10 years! Speaking about bugs, here is another one: While poking around MSN, I did a search for MSN sucks, and found a grand total of 49 pages! Yes, you heard it right, it's 49 pages, not 49K. As you can imagine, there is no way that I could trust that number, so I immediately checked with Google and got over 2 million results, and the same search by Yahoo! reports 3.7 million! But wait, it got much worse! Please read Bug or censorship in MSN search for the whole story. These issues cost the industry countless hours of lost productivity (100s of millions hours per year by some estimation) and really make Microsoft look so incompetent and evil in the eyes of geeks.

• 

  Can anyone tell me why HTML code not working here?

• 

  The CDCer wrote:

  It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well know CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks that the IE 7 team are still not aware of the problem. Please read <a href='http://cdcer.com/?2005/09/brutal-solution-to-ie-z-index-bug.html'>A brutal solution to the IE z-index bug</a> for more details and try to fix it. the world can't afford to fight with the bug for another 10 years! Speaking about bugs, here is another one: While poking around MSN, I did a search for <a href='http://search.msn.com/results.aspx?q=MSN+sucks&srch_type=0&FORM=QBRE'>MSN sucks</a>, and found a grand total of 49 pages! Yes, you heard it right, it's 49 pages, not 49K. As you can imagine, there is no way that I could trust that number, so I immediately <a href='http://www.google.com/search?num=100&hl=en&lr=&safe=off&c2coff=1&q=MSN+sucks&btnG=Search'>checked with Google</a> and got over 2 million results, and the <a href='http://search.yahoo.com/search?p=MSN+sucks&prssweb=Search&ei=UTF-8&fr=ush-help&fl=0&x=wrt'>same search by Yahoo!</a> reports 3.7 million! But wait, it got much worse! Please read <a href='http://cdcer.com/?2005/09/bug-or-censorship-in-msn-search.html'>Bug or censorship in MSN search</a> for the whole story. These issues cost the industry countless hours of lost productivity (100s of millions hours per year by some estimation) and really make Microsoft look so incompetent and evil in the eyes of geeks.

  
  
  Hi CDCer,
  The IE team has been very well aware of the z-indexing issue with the select element. If you read the blog post from Chris Wilson on the IE team blog at http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx you'll see that this is on the list of issues being addressed in IE7.
  
  Thanks
  -Dave
  

• 

  Ok,
  
  There has been all this talk about running LUA/LUP whatever you want to call it.
  
  But, my understanding was that in XP home there really was not security. Logins are strictly for profiling? You need XP Pro to restrict a certain user from writing or accessing certain parts of the system.
  
  Can someone comfirm or deny this? Please show the work of your proff.
  
  BOb
  

• 

  Pure Evil as in the Fifth Element I would Say

• 

  Robert once again Great Video can i recomend  you  use a Monopod  or a Tripod...for the Camera ). Just to point out  i have some of your CLips  on the  Yahoo site  under the User name " Eagle_averro_isme Photo album"   Nice seeing  you  great effort  in the " Picture speaks a THOUSAND words"  keep it  up and many thanks  to you and the teams.

• 

  I would like to know if the final version of IE7 will have the toolbars locked or not. As in not giving the end user any way to move around the address toolbar or the buttons where you want them. I read somewhere on Channel9 that it will not be possible to move this around because that would make it easy to trick the end user or something.. Sorry i'm not very informative. I'm just not sure on this topic. Anyone with insight? Appreciated
  

• 

  KenQ wrote:

  I would like to know if the final version of IE7 will have the toolbars locked or not. As in not giving the end user any way to move around the address toolbar or the buttons where you want them.

  
  In Windows, the Explorer windows (aka shell windows), the navigation bar (back, forward, address / breadcrumb bar / search) is fixed at the top.   IE will do the same, for consistency with the shell as well as anti-spoofing.
  
  For IE7 on XPSP2, we're considering our options.  In Beta 1, we've heard a lot of feedback from people who want the ability to move the toolbars around, including the menus and the navigation bar.   So no "final answer" on this issue yet.

• 

  BruceMorgan wrote:

  In Windows, the Explorer windows (aka shell windows), the navigation bar (back, forward, address / breadcrumb bar / search) is fixed at the top.   IE will do the same, for consistency with the shell as well as anti-spoofing.
  

  
  
  Doesn't toolbar customization make it harder to spoof the chrome?
  
  I know when I'm surfing on a Mac, and a spoofed Windows dialog pops up, I get a good laugh.

• 

  I still don't exactly understand: "What stops an attacker from abusing the broker?" The broker is trusted and runs with higher privileges?
  
  Neelay
  

• 

  The broker has only a few methods, which are carefully threat modeled and designed to require user interaction.  The point is that you reduce the attack surface area by making the bare minimum code necessary be elevated.

• 

  Great video. Learnt a lot of where you guys are going. I have to say that I expect to see many privilege escalation exploits next....better priv escalation exploits than remote exploits that run under admin privs automatically....

  ...in the video you were referring to sending in exploits and vulnerabilities, so you guys can verify the threat model of IE. Is the threat model of IE published somewhere? I think if it is would give the security research community a more direct way to probe it for weaknesses...

  Thanks -
  Christian

  -----

  http://www.mcs.vuw.ac.nz/~cseifert/blog/index.php

• 

  The CDCer wrote:

  It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well know CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks that the IE 7 team are still not aware of the problem. Please read <a href='http://cdcer.com/?2005/09/brutal-solution-to-ie-z-index-bug.html'>A brutal solution to the IE z-index bug</a> for more details and try to fix it. the world can't afford to fight with the bug for another 10 years!

  
  
  Tell me about it.  IE7 is in the wild, and I'm still having to workaround 10 year old z-index bugs.  Every other browser seems to work with CSS.
  

• 

  You guys always deliver useful content. Awesome post. Very interesting and valuable videos. Keep posting more articles. Thanks for sharing useful info.

  You guys always deliver useful content. Awesome post. Very interesting and valuable videos. Keep posting more articles. Thanks for sharing useful info.

• 

  You guys always deliver useful content. Awesome post. Very interesting and valuable videos. Keep posting more articles. Thanks for sharing useful info.