Rob Franco and team - IE 7 Security

Description

There are a lot of new things in Internet Explorer 7.0 that will improve your security. Meet the IE team and learn what they are doing to protect computer users against phishing, malware and other kinds of attacks. For more about IE 7.0, visit the IE team's blog.

The interviewer here is Joshua Allen, IE evangelist, and he is well-known because he was Microsoft's first blogger.

The Discussion

  • DevilsRejection
    Is it safe to confirm that IE7 will be the most secure browser?

    The sheer fact that it can't write a single thing to the HD without user approval is enough to get me to switch back from Firefox.
  • nektar
    In the video you show your evil ActiveX control and what it does is issue the "format c:" command. Actually, this command will fail since the C drive is in use by the operating system and cannot be formatted, and since the format command needs confirmation before it formats a hard disk, although the latter might be bypassed I guess. However, you are the IE Security Team and I hope that you know this. After all, hackers do much worse things and I hope that you know much more than you are telling us on their methods and on all the harmful scenarios that are out there. Because a simple format c: is nothing and you should know that. I hope that your internal testing examples are much more sophisticated than what you say publicly.

  • johnbrien
    "Need to get a camcorder with a light"
    ROBERT

  • Escamillo
    nektar, I believe that the evil ActiveX control didn't execute the "format c:" command, it installed into the user's startup folder a batch file that executed "format c:".  The demo showed how the ActiveX control was blocked from installing the batch file.
  • Wells
    nektar wrote:

    In the video you show your evil ActiveX control and what it does is issue the "format c:" command. Actually, this command will fail since the C drive is in use by the operating system and cannot be formatted, and since the format command needs confirmation before it formats a hard disk, although the latter might be bypassed I guess. However, you are the IE Security Team and I hope that you know this. After all, hackers do much worse things and I hope that you know much more than you are telling us on their methods and on all the harmful scenarios that are out there. Because a simple format c: is nothing and you should know that. I hope that your internal testing examples are much more sophisticated than what you say publicly.

    That was just a trivial example - it didn't matter what was in the file, just the fact that the control tried to write a file but IE7 didn't let it.
  • TheAsher
    The pure evil movie, I have no idea, but this thing might know...
    I can think of one of the Ghostbusters sequels or Newman (from Seinfeld... he is pure evil)

  • CRPietschmann
    Why is his phone off the hook, and the receiver is unplugged?
  • Kollner
    500 MB download... OMG!!!
  • mycroft
    Are there any plans to get rid of the registry altogether in the future? It always seemed like a bad idea; once something's done the damage in there you're a bit screwed. People's registries become such a mess of leftover keys from uninstalled software; hopefully Jim Allchin's plans on keeping the performance up over time include something on this.

  • Maurits
    pure evil:

    Time Bandits?  "Mum!  Dad!  Don't touch it! It's evil!"

  • scobleizer
    Kollner: sorry. I've been experimenting with higher resolution vids.
  • The CDCer
    It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well-known CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks like the IE 7 team are still not aware of the problem. Please read A brutal solution to the IE z-index bug for more details and try to fix it. The world can't afford to fight with the bug for another 10 years! Speaking about bugs, here is another one: While poking around MSN, I did a search for MSN sucks, and found a grand total of 49 pages! Yes, you heard it right, it's 49 pages, not 49K. As you can imagine, there is no way that I could trust that number, so I immediately checked with Google and got over 2 million results, and the same search by Yahoo! reports 3.7 million! But wait, it got much worse! Please read Bug or censorship in MSN search for the whole story. These issues cost the industry countless hours of lost productivity (100s of millions of hours per year by some estimation) and really make Microsoft look so incompetent and evil in the eyes of geeks.
  • The CDCer
    Can anyone tell me why HTML code is not working here?
  • DMassy
    The CDCer wrote:
    It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well-known CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks like the IE 7 team are still not aware of the problem. Please read A brutal solution to the IE z-index bug (http://cdcer.com/?2005/09/brutal-solution-to-ie-z-index-bug.html) for more details and try to fix it. The world can't afford to fight with the bug for another 10 years! Speaking about bugs, here is another one: While poking around MSN, I did a search for MSN sucks (http://search.msn.com/results.aspx?q=MSN+sucks&srch_type=0&FORM=QBRE), and found a grand total of 49 pages! Yes, you heard it right, it's 49 pages, not 49K. As you can imagine, there is no way that I could trust that number, so I immediately checked with Google (http://www.google.com/search?num=100&hl=en&lr=&safe=off&c2coff=1&q=MSN+sucks&btnG=Search) and got over 2 million results, and the same search by Yahoo! (http://search.yahoo.com/search?p=MSN+sucks&prssweb=Search&ei=UTF-8&fr=ush-help&fl=0&x=wrt) reports 3.7 million! But wait, it got much worse! Please read Bug or censorship in MSN search (http://cdcer.com/?2005/09/bug-or-censorship-in-msn-search.html) for the whole story. These issues cost the industry countless hours of lost productivity (100s of millions of hours per year by some estimation) and really make Microsoft look so incompetent and evil in the eyes of geeks.


    Hi CDCer,
    The IE team has been very well aware of the z-indexing issue with the select element. If you read the blog post from Chris Wilson on the IE team blog at http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx you'll see that this is on the list of issues being addressed in IE7.

    Thanks
    -Dave
  • pilotbob
    Ok,

    There has been all this talk about running LUA/LUP, whatever you want to call it.

    But my understanding was that in XP Home there really was no security. Logins are strictly for profiling? You need XP Pro to restrict a certain user from writing to or accessing certain parts of the system.

    Can someone confirm or deny this? Please show the work of your proof.

    BOb
  • ChrisD
    Pure Evil as in the Fifth Element, I would say
  • Eagle_Averro
    Robert, once again great video. Can I recommend you use a monopod or a tripod for the camera? Just to point out, I have some of your clips on the Yahoo site under the user name "Eagle_averro_isme Photo album". Nice seeing your great effort in the "picture speaks a THOUSAND words". Keep it up and many thanks to you and the teams.
  • KenQ
    I would like to know if the final version of IE7 will have the toolbars locked or not. As in not giving the end user any way to move around the address toolbar or the buttons where you want them. I read somewhere on Channel9 that it will not be possible to move this around because that would make it easy to trick the end user or something. Sorry, I'm not very informative. I'm just not sure on this topic. Anyone with insight? Appreciated.
  • BruceMorgan
    KenQ wrote:
    I would like to know if the final version of IE7 will have the toolbars locked or not. As in not giving the end user any way to move around the address toolbar or the buttons where you want them.

    In Windows, in the Explorer windows (aka shell windows), the navigation bar (back, forward, address / breadcrumb bar / search) is fixed at the top. IE will do the same, for consistency with the shell as well as anti-spoofing.

    For IE7 on XP SP2, we're considering our options. In Beta 1, we've heard a lot of feedback from people who want the ability to move the toolbars around, including the menus and the navigation bar. So no "final answer" on this issue yet.
  • Maurits
    BruceMorgan wrote:
    In Windows, the Explorer windows (aka shell windows), the navigation bar (back, forward, address / breadcrumb bar / search) is fixed at the top.   IE will do the same, for consistency with the shell as well as anti-spoofing.


    Doesn't toolbar customization make it harder to spoof the chrome?

    I know when I'm surfing on a Mac, and a spoofed Windows dialog pops up, I get a good laugh.
  • neelayshah
    I still don't exactly understand: "What stops an attacker from abusing the broker?" The broker is trusted and runs with higher privileges?

    Neelay
  • JoshuaAllen
    The broker has only a few methods, which are carefully threat modeled and designed to require user interaction.  The point is that you reduce the attack surface area by making the bare minimum code necessary be elevated.
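As an added illustration of the broker pattern Joshua describes (a low-privilege side that cannot write files itself and must go through a small, elevated broker whose every method is gated on user consent), and of the blocked batch-file write Escamillo describes in the demo, here is a small Python model. It is not code from the page, the video or the IE team, and the real IE7 Protected Mode broker is not this; the home-directory layout, the single brokered `save_file` method, the `consent` callback and the `run_demo` harness are all invented for the example. The point it adds beyond the comment is the ordering: the path policy check (resolve the path, then require it to sit inside the one allowed root) runs before the consent prompt, so an untrusted caller cannot turn the dialog into a write-anywhere primitive by dressing up the path with `..`.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class WriteResult:
    allowed: bool
    reason: str
    path: str = ""


class Broker:
    """The elevated side. Deliberately tiny surface: one brokered method.
    (Illustrative model only; not IE7's actual broker.)"""

    def __init__(self, allowed_root: str, ask_user: Callable[[str], bool]) -> None:
        # Resolve once so later comparisons are made on canonical paths.
        self.allowed_root = os.path.realpath(allowed_root)
        self.ask_user = ask_user

    def save_file(self, requested_path: str, data: bytes) -> WriteResult:
        target = os.path.realpath(requested_path)
        # Policy first, prompt second: a request that resolves outside the
        # allowed root is refused before the user is asked anything, so the
        # untrusted side cannot use the consent dialog to write elsewhere
        # (e.g. via ".." or a symlink) if the user clicks through.
        if os.path.commonpath([self.allowed_root, target]) != self.allowed_root:
            return WriteResult(False, "outside allowed root", target)
        if not self.ask_user(target):
            return WriteResult(False, "user declined", target)
        with open(target, "wb") as fh:
            fh.write(data)
        return WriteResult(True, "written", target)


class LowPrivilegeContent:
    """The untrusted side (think: a script or ActiveX control running in the
    page). It holds no file handles of its own; everything goes via the broker."""

    def __init__(self, broker: Broker) -> None:
        self.broker = broker

    def try_write(self, path: str, data: bytes) -> WriteResult:
        return self.broker.save_file(path, data)


def run_demo(home: str, consent: Callable[[str], bool]) -> Dict[str, object]:
    """Replays the thread's scenario under an invented home layout: an 'evil'
    control tries to drop a batch file into the Startup folder (directly, then
    via '..' traversal), and a legitimate download goes to Downloads."""
    downloads = os.path.join(home, "Downloads")
    startup = os.path.join(home, "Start Menu", "Programs", "Startup")
    os.makedirs(downloads, exist_ok=True)
    os.makedirs(startup, exist_ok=True)

    content = LowPrivilegeContent(Broker(downloads, consent))
    payload = b"format c:\r\n"  # constructed stand-in for the demo's batch file

    evil = content.try_write(os.path.join(startup, "evil.bat"), payload)
    sneaky = content.try_write(
        os.path.join(downloads, "..", "Start Menu", "Programs", "Startup", "evil2.bat"),
        payload)
    good = content.try_write(os.path.join(downloads, "report.txt"), b"hello\n")

    return {
        "evil": evil,
        "sneaky": sneaky,
        "good": good,
        "startup_files": sorted(os.listdir(startup)),
        "download_files": sorted(os.listdir(downloads)),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        prompts = []

        def consent(path: str) -> bool:
            prompts.append(path)  # record what the user was actually asked about
            return True

        result = run_demo(home, consent)
        for name in ("evil", "sneaky", "good"):
            print(name, result[name])
        print("user prompted", len(prompts), "time(s)")
```

Running it shows both Startup writes refused without any prompt, the Downloads write prompting exactly once, and the Startup folder still empty afterwards; with a `consent` that returns False, even the legitimate write is refused with "user declined". Shrinking the broker to one method is what makes that policy reviewable: every path to disk goes through the same few lines.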
  • cseifert
    Great video. Learnt a lot about where you guys are going. I have to say that I expect to see many privilege escalation exploits next... better priv escalation exploits than remote exploits that run under admin privs automatically....

    ...in the video you were referring to sending in exploits and vulnerabilities, so you guys can verify the threat model of IE. Is the threat model of IE published somewhere? I think if it is, it would give the security research community a more direct way to probe it for weaknesses...

    Thanks -
    Christian

    -----

    http://www.mcs.vuw.ac.nz/~cseifert/blog/index.php

  • antichris
    The CDCer wrote:
    It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well-known CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks like the IE 7 team are still not aware of the problem. Please read A brutal solution to the IE z-index bug (http://cdcer.com/?2005/09/brutal-solution-to-ie-z-index-bug.html) for more details and try to fix it. The world can't afford to fight with the bug for another 10 years!


    Tell me about it.  IE7 is in the wild, and I'm still having to workaround 10 year old z-index bugs.  Every other browser seems to work with CSS.