IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Tagged Content List
  • Blog Post: Script Polyglots

    Lately, there’s been a resurgence of interest in hiding script inside files of other types; sometimes this is known as a polyglot file. On Twitter, there’s been some excitement about a new tool that creates GIF/JavaScript polyglots. As you can see in the example provided in the aforementioned...
  • Blog Post: Caveats for Authenticode Code Signing

    Back in 2011, I wrote a long post about Authenticode, Microsoft’s Code Signing technology. In that post, I noted: Digitally signing your code helps to ensure that it cannot be tampered with, either on your servers, or when it is being downloaded to a user’s computer, especially over...
  • Blog Post: Strict Transport Security

    Ivan Ristic’s meticulously researched Bulletproof SSL & TLS book spurred me to spend some time thinking about the HTTP Strict Transport Security (HSTS) feature under development by the Internet Explorer team and already available in other major browsers. HSTS enables a website to opt-in to...
  • Blog Post: Bolstering Protected Mode

    Internet Explorer 7 introduced Protected Mode, a defense-in-depth security feature which relied upon the Windows Vista Integrity Levels (IL) system to mitigate drive-by attacks against the browser. Internet Explorer 10 introduced a stronger version of that feature, called Enhanced Protected Mode (EPM...
  • Blog Post: Internet Explorer 11 and Perfect-Forward-Secrecy

    In case you missed it, the recent Windows 8.1 Update update adds four new ciphersuites (including two supported by Chrome32) and changes the ciphersuite order to prefer algorithms that offer Perfect-Forward-Secrecy. You can read more about this update here. Wikipedia has a nice article on PFS, but...
  • Blog Post: Windows Server as a Workstation

    Back in the Windows 2003 timeframe, Microsoft had a problem. The security press of the time liked to put out charts showing which operating systems had the most vulnerabilities. Windows 2000 wasn’t looking so hot, owing to the fact that Windows 2000 Server had a full web browser built-in, “out...
  • Blog Post: Same Origin Policy Part 0: Origins

    Recently, someone asked a pretty simple question: “Why doesn’t IE consider the port when evaluating Same Origin Policy?” and I realized that my Same-Origin-Policy series lacks an in-depth look at the concepts surrounding origins. Table of Contents: Same Origin Policy Posts ...
  • Blog Post: Browser Arcana: IP Literals in URLs

    While virtually all web traffic flows over connections based on the Internet Protocol, most of the time your browser first uses DNS to look up the target hostname’s IP address. However, sometimes URLs directly specify an IP address, skipping DNS altogether. When an IP appears directly within such...
  • Blog Post: There’s never magic, but plenty of butterfly effects

    I’ve always enjoyed magic shows, but I’ve never attempted to understand how the tricks are performed, since that would take all of the fun out of them. In contrast, if I see a web browser demonstrating seemingly magical behavior or misbehavior, I find it hard to sleep until I figure out...
  • Blog Post: “Continue” Link Missing from Certificate Error Page?

    A user recently reported that IE11 wasn’t showing the “Continue” link on the certificate error page shown when visiting their 2009-era router’s configuration UI. They were curious why that link wasn’t shown in this instance. The error page’s Continue link is hidden...
  • Blog Post: What I’d like to see in IE12

    As the holidays approach, I’ve decided to publish my “wishlist” for the next version of Internet Explorer. I’ve been pretty good this year, so hopefully the IE team will deliver some of these presents. :-) Please remember: I’m just an MVP, and I don’t have any magic...
  • Blog Post: Braindump: Feature Control Keys and URLActions

    Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect...
  • Blog Post: Understanding Zone Elevation

    The security setting “Websites in less privileged web content zone can navigate into this zone”: ... is one that leads to more questions than almost any other. This setting, also known as Zone Elevation protection, was originally designed to prevent navigation from untrusted Internet...
  • Blog Post: Enhanced Protected Mode and Local Files

    Ordinarily, Internet Explorer loads local HTML files in the Local Machine Zone. Locally-loaded HTML files are subject to the Local Machine Lockdown feature which prevents pages from running active content like JavaScript or ActiveX controls, showing the following notification: In order to...
  • Blog Post: Authenticode, HTTPS, and Weak RSA Keys

    Over on the Microsoft PKI blog, there’s some important information about upcoming changes for website operators who use HTTPS or deploy Authenticode-signed applications or ActiveX controls. Weak RSA Keys Blocked To briefly summarize the PKI team’s post, a security update coming to...
  • Blog Post: The Intranet Zone

    Internet Explorer maps web content into one of five security zones. After the Local Machine Zone, the Local Intranet Zone is probably the most misunderstood of the Zones, and is a common source of confusion and compatibility glitches. Mapping into the Local Intranet Zone For the Trusted and Restricted...
  • Blog Post: Brain Dump: Random Tidbits

    This post contains random IE-related tidbits for which there’s either not enough material or time to write a full post. I expect to revisit and expand this list from time to time. Case-Sensitivity in Cross-Frame Scripting of File URIs Same-Origin-Policy controls how script running in web...
  • Blog Post: Same Origin Policy Part 2: Limited Write

    In Part 1 of this series, I described how Same Origin Policy prevents web content delivered from one origin from reading content from another origin. (If you haven’t read that post yet, please do start there.) In today’s post, we’ll look at what restrictions are placed on writing...
  • Blog Post: Understanding Enhanced Protected Mode

    Last week, Andy Zeigler announced the introduction of Enhanced Protected Mode (EPM) over on the IEBlog. In today’s post, I’d like to provide further technical details about EPM to help security researchers, IT professionals, enthusiasts, and developers better understand how this feature works...
  • Blog Post: Beware Silly Similes

    Recently, there was a blog post which described a browser security feature as "like a seat-belt that snaps when you crash." This wasn’t a particularly noteworthy event because similes are pretty common in our field. Almost everyone likes similes because they enable the simplification of highly...
  • Blog Post: Authenticode and Weak Certificate Chains

    Recently, someone attempted to download a deprecated version of the Windows Script debugger. This tool was used to debug scripts prior to the introduction of more powerful, modern tools like those that are built into IE8 and later. The user emailed me when they encountered a very surprising outcome...
  • Blog Post: Internet Explorer 9.0.2 Update

    Tuesday’s Update for Internet Explorer updates the IE9 Help > About dialog’s version number to v9.0.2. The update includes a number of security and functionality fixes; many of these fixes are described in the More Information section of KB2559049. One fix enables the IE9 Download Manager...
  • Blog Post: Understanding Protocols

    For over a decade, Internet Explorer has enabled developers to extend the browser with new URL protocol schemes. These protocols can be one of two types: Asynchronous Pluggable Protocols - COM objects that implement the IInternetProtocolRoot interface and return content to URLMon, usually for rendering...
  • Blog Post: Integrated Windows Authentication

    Inside Internet Explorer’s Tools > Internet Options > Advanced dialog, there’s an option named Enable Integrated Windows Authentication: This preference is stored using a REG_DWORD named EnableNegotiate inside HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings...
  • Blog Post: Enhanced Mitigation Experience Toolkit Update

    Microsoft’s Security Research and Defense team has released an updated version of their Enhanced Mitigation Experience Toolkit (EMET), a tool that allows the application of enhanced security mitigations around the application of your choice. While Internet Explorer 9 already natively includes...