IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Browse by Tags

Tagged Content List
  • Blog Post: Braindump: ActiveX in Windows 8

    Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect...
  • Blog Post: Brain Dump: Shims, Detours, and other “magic”

    Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect...
  • Blog Post: Authenticode, HTTPS, and Weak RSA Keys

    Over on the Microsoft PKI blog, there’s some important information about upcoming changes for website operators who use HTTPS or deploy Authenticode-signed applications or ActiveX controls. Weak RSA Keys Blocked: To briefly summarize the PKI team’s post, a security update coming to...
  • Blog Post: Authenticode and Weak Certificate Chains

    Recently, someone attempted to download a deprecated version of the Windows Script debugger. This tool was used to debug scripts prior to the introduction of more powerful, modern tools like those that are built into IE8 and later. The user emailed me when they encountered a very surprising outcome...
  • Blog Post: Consent and Browser Refreshes

    Modern browser APIs like the GeoLocation API are designed to have an asynchronous consent experience, whereby the API simply will not undertake a privileged action until the user consents. Unfortunately, many browser features like popup windows and ActiveX controls were designed before privilege limitations...
  • Blog Post: Controlling Java in Internet Explorer

    Recently, there’s been some interest in how to control the use of Java within Internet Explorer. Java is a unique form of extensibility because it can be invoked in two ways: using an APPLET element, or using an OBJECT element with a CLSID of a JVM. These two invocation methods are subject...
  • Blog Post: The Web Browser Control and the Silent Flag

    Applications that host the Web Browser Control have the opportunity to set the Silent flag to suppress all dialogs that the web browser control may generate. In some cases, this is useful, because it can help ensure a “quiet” user experience without unexpected popups. Current versions...
  • Blog Post: Controlling ActiveX in Internet Explorer

    In today’s post, I’ll provide a high-level overview of features in Internet Explorer that impact the loading of ActiveX controls. Internet Explorer 6 and later allow the user to enable or disable ActiveX controls on an individual basis using the Manage Add-ons screen. Internet...
  • Blog Post: Understanding Local Machine Zone Lockdown

    Recently, a colleague sent me an email which provided a flashback into my own past: “Hey, Eric-- Why do we show this when opening HTML locally? What are we protecting the user from? -Ben” I myself had sent an email with almost the same text nearly seven years ago, and the surprisingly...
  • Blog Post: Certificate Enrollment from the Browser

    Back in Windows XP, an ActiveX control known as XEnroll could be used from the browser to request digital certificates on the client’s behalf. Certificate authorities and others would use this control when a customer purchased a certificate for code signing, server authentication, or other purposes...
  • Blog Post: Why doesn’t Flash/Silverlight work in my .NET Application?

    Over the past few months, I’ve run across a number of developers who have reported problems where their .NET application fails to render Flash or Silverlight content within a Web Browser Control. The most common reason for this problem is that .NET, by default, compiles with a target of AnyCPU...
  • Blog Post: Understanding the Protected Mode Elevation Dialog

    Internet Explorer 7 introduced Protected Mode, a feature which helps ensure that the browser and its add-ons run with a minimal set of permissions. Code running inside the “Low Rights” process doesn’t have permission to write to your user-profile’s folders or registry keys, which helps to constrain the...
  • Blog Post: The JVM Install Prompt

    Many years ago, Microsoft developed an implementation of a Java Virtual Machine to run Java content. Internet Explorer 5 included code that would download and install the JVM (if needed) when a user encountered Java content on the web. After some time, support was discontinued for the Microsoft JVM,...
  • Blog Post: Understanding DEP/NX

    Despite being one of the crucial security features of modern browsers, Data Execution Prevention / No Execute (DEP/NX) is not well understood by most users, even technical experts without a security background. In this post, I’ll try to provide some insight into how DEP/NX works, explain why...
  • Blog Post: Protecting ActiveX Controls

    When evaluating the security of Internet Explorer’s ActiveX support, there are two threats to consider: malicious controls and malicious websites. To mitigate the threat of malicious ActiveX controls (malware), features like the IE8 SmartScreen Filter, Windows Defender, anti-virus software,...
  • Blog Post: The Privacy Impact of Add-ons: New APIs for IE8

    By default, when starting a new session using IE8's InPrivate Browsing feature, toolbars and Browser Helper Objects are disabled. This is done to help protect the user's privacy: many toolbars and extensions maintain their own navigation/search/etc history lists, and such lists could violate the user...
  • Blog Post: Building Safer ActiveX controls: DOM Bridging

    Over on the BlueHat blog, security researcher Manuel Caballero wrote up an interesting post on how Silverlight avoids exposing unsecured private browser APIs to abuse from RIA content. Anyone building ActiveX controls that take untrusted input should have a look to ensure that their controls don't...