A Follow up to Low-Rights IE

IEBlog

Internet Explorer Team Blog

A Follow up to Low-Rights IE

  • Comments 51

Hi, I’m John Bedworth, the Development Manager for Internet Explorer Security.  I wanted to address some of the excellent questions that came up in the feedback to Rob Franco’s "Clarifying Low-Rights IE" post.

How is "low-rights" IE different than, in XP, running as a regular (limited) user? At home, I use a limited user account--is there anything about low-rights IE that is different than my situation?

The primary difference is that IE 7 on Longhorn will be running with fewer rights than a limited user.  As a limited user, you are still able to write to a part of the registry known as the "user hive" or HKCU, as well as the My Documents folder, etc.  With these permissions, it is possible to write to parts of the system that contain sensitive user information and application configuration information.  In practice, even a limited user needs access to write to these areas. For example, without these permissions, it would be impossible to put a file in a predictable location on the hard drive, change an application’s configuration settings, or to put an application in the user’s Startup folder.  However, IE does not generally need the ability to do these things.  This is what Low Rights IE is all about.

"As a result, even if a malicious site attacks a vulnerability in IE, the site’s code won’t have enough privileges to install software, copy files to Startup folder, or hijack the settings for the browser’s homepage or search provider."

Firefox and other modern browsers have it from scratch. What's innovative in it?!

This is important to understand, so I’m going to try to be very clear.  Defense in depth means that we have to assume that every application has at least some potential for vulnerability that could allow 3rd party binary code to run within its process.  In a traditional system, this code would execute and run with the user’s full permissions and if attacked, could do anything the user is capable of doing.

This is true on any Operating System and application running today.  The advantage IE 7’s users are going to have on Longhorn is that IE 7 will run with a more restricted set of permissions than even the lowest privileged user account.  If IE 7 doesn’t have rights to install software, copy files, or change settings, exploit code running inside that process can not do these things either.  This is very different from what you get with applications that run with the full user’s permissions today - "other modern browsers" included.

As the team continues to develop the Low Rights IE feature, you can expect to see more technical posts that explain how other applications can take advantage of the new functionality in Longhorn to provide a more secure user experience.  I can candidly say that the hardest part of doing this right is maintaining the balance between security and compatibility.  We want to share what we learn along the way to help other developers implement a security model using the least possible permissions necessary while still providing users with a usable product.

-- John

  • Loading...