
Security and Compatibility with IE7

One of the biggest challenges in making software more secure is maintaining compatibility with the existing functionality that customers depend on. We’re here at the RSA security conference in Silicon Valley to work with other software and security professionals to meet our customers’ expectations for safety and compatibility. While we have taken a great deal of care to preserve compatibility, the new security features in Internet Explorer 7 do change the way the platform works, and only testing with your own products can gauge the impact and the investment you may need to make to be fully compatible with IE7.

For the IE7 Beta preview for XP SP2, we prepared preview documentation and a preliminary compatibility tool to help developers analyze and address the most difficult compatibility and security problems posed by IE7 for web sites and browser extensions. More documentation will follow for other security features, but we are releasing the documents for the most challenging security features first. This will give you the maximum time for testing and remediation of any issues you find.

One or more of the security enhancements in IE7 may require an update in your code. The most notable changes include:

  • "Protected Mode" for Windows Vista will run Internet Explorer with restrictions that help prevent attackers from using vulnerabilities to install malware or otherwise damage a user’s system. At the same time, Protected Mode restricts Internet Explorer itself and will restrict extensions run in Internet Explorer. It is possible that that you will need to update your extension to be compatible with Protected Mode.
  • "ActiveX opt-in" will disable most ActiveX controls on the system. If your ActiveX control needs to be enabled by default, we have put together a set of ActiveX best practices to help you understand how to make it safe enough to be used on the internet and enable it for use with IE7.
  • IE7 has more secure defaults for SSL. IE7 will disable SSLv2, enable TLSv1, block non-secure http content in secure https pages, and block navigation to sites that have SSL certificate errors.
  • We rebuilt critical code paths for URL parsing and Cross Domain security using new best practices for secure software development. Your website or application may need to be updated if it relies on a non-standard URL syntax. The compatibility tool will help you test for these problems.
  • We have retired a number of rarely-used legacy features from the product to reduce attack surface. The removal of these features may require you to update your website or your application. Please refer to the IE7 Beta preview release notes for the list of removed features.
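The SSL changes above are the ones most likely to surface as compatibility bugs on an existing site: any script, stylesheet, image or frame that an https page pulls in over plain http is now blocked. As an added example (not code from the IE team or this post), the scanner below walks a page's HTML and lists the subresource references that IE7's mixed-content blocking would affect, so a site can be checked before users hit the warning. The tag list and the sample page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch subresources into the page. Constructed for
# this example; a fuller audit would also cover CSS url() and script-issued loads.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "link": ("href",),      # only counted when rel is stylesheet/icon, see below
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collect subresource URLs that would load over plain http from an https page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = page_url          # updated if the page carries a <base href>
        self.insecure = []            # list of (tag, resolved absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.page_url, attrs["href"])
            return
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if not ({"stylesheet", "icon"} & set(rel)):
                return                # e.g. rel="alternate" is not a subresource
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            raw = attrs.get(name)
            if not raw:
                continue
            # Relative and protocol-relative ("//host/x") references inherit
            # https from the page, so only explicit http:// ones are flagged.
            resolved = urljoin(self.base, raw.strip())
            if urlsplit(resolved).scheme == "http":
                self.insecure.append((tag, resolved))


def find_mixed_content(page_url, html):
    """Return the (tag, url) pairs that would be blocked on page_url."""
    if urlsplit(page_url).scheme != "https":
        return []                     # the block only applies to https pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.insecure


# Constructed sample page: two insecure references, three that are fine.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/lib.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://ads.example.test/banner.gif">
<iframe src="https://partner.example.test/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.test/login", SAMPLE_PAGE):
        print(f"insecure <{tag}> reference: {url}")
```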

Besides ensuring compatibility, website developers and software developers can take advantage of IE’s security features to help users feel more confident while they browse your site or download your code:

  • IE7 includes an enhanced experience for sites that present the upcoming higher-assurance SSL certificates, including the lock icon and a green-filled address bar. Along with other browsers, the certificate authority industry is working with us towards a tougher SSL standard for the enhanced experience. This past Sunday and Monday, we met to work on the standard with the American Bar Association here in San Jose. The certificate authorities who collaborated with us this weekend include Geotrust, Verisign, Identrus, Comodo, Cybertrust, Go Daddy and X-Ramp. To see what the experience will be like, you can try out the enhanced experience by downloading a test root certificate and then visiting our demo site using IE7 Beta 2 Preview. If you think your site should have this experience, contact your certificate authority to learn about their plans to offer higher-assurance SSL certificates that will be recognized by the IE7 address bar.
  • In the upcoming Beta 2 release, IE7 will let users sign into web sites using visual "InfoCards" rather than passwords. This eliminates a number of common attacks, because when no password is typed, there is none to be stolen (and none to forget). The "InfoCard" system uses certificates to make it harder for impostor sites to pass themselves off as genuine.
  • IE7 checks the signatures on downloaded programs such as ActiveX controls and executables to make it easy for customers to identify your code. If you distribute software over the internet, you should sign your code with a valid code signing certificate.

We’ve already had the chance to work with engineers from companies like Adobe, Real Networks and many others. We found that our colleagues at these other companies are just as passionate about security as we are. We hope you’ll take this opportunity to work with us towards a safer experience for our mutual customers. We look forward to your feedback during this process and getting to know you better along the way!

 - Rob Franco

Published Tuesday, February 14, 2006 4:58 PM by ieblog

Comments

# re: Security and Compatibility with IE7

Tuesday, February 14, 2006 8:07 PM by Adam
Why google adsense always come up as a suspicious site?

# re: Security and Compatibility with IE7

Tuesday, February 14, 2006 10:48 PM by Christopher Vaughan [MSFT]
All - sorry it wasn't more clear, if you're running IE6SP1 or Windows XP (SP1 or SP2), you're not vulnerable. Only users still running IE 5.01 on Windows 2000 SP4 need apply this update.

IE7 is also not affected.

-Christopher

# re: Security and Compatibility with IE7

Tuesday, February 14, 2006 11:05 PM by Zian
Great work!

# re: Security and Compatibility with IE7

Tuesday, February 14, 2006 11:21 PM by Mitchel Tyrell
Rob, could you have IE send anti-spyware programs a notification after an ActiveX control is downloaded but before it is installed. That seems like a decent way to protect users on XP who cannot depend on protected mode.

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 12:10 AM by bryce schaufelberger
Hi, why is it that in IE7, when you type an email and make a mistake on a web-based email service like Hotmail (which I have), it does not delete the word? You have to put the mouse on the letter to clear it. See for yourself, try it. Can that be fixed?

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 12:21 AM by game kid
"Rob, could you have IE send anti-spyware programs a notification after an ActiveX control is downloaded but before it is installed. That seems like a decent way to protect users on XP who cannot depend on protected mode."

I second that.  Then the spyware thingy can check for signs of suspiciousness before all hell breaks loose.  Sadly, all hell can still break loose with an ActiveX.

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 12:22 AM by game kid
Or why not restrict file reads/writes from an ActiveX to once every second?  That way, any chaos can be slowed down...

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 3:49 AM by adrianotiger
I can understand that you want more security for your IE. But please, please allow me to see the image I want to upload to the internet! I can't write document.all['imageobject'].src = this.value on an input object!
The source of the image is the internet path + image file name. It should be the path to the image + image file name!

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 4:06 AM by Max C
"If you distribute software over the internet, you should sign your code with a valid code signing certificate."

Presumably this statement does not apply to .NET controls hosted in IE?  Or at least not to those that don't require any additional trust than the standard internet zone?  (It's a bit worrying to see all this news about changes without any mention of .NET controls... but they do still work in the beta so I'm keeping my fingers crossed!)

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 6:00 AM by Paul
I really do appreciate the ActiveX Opt-In Improvement.
Could we get an Internet Zone Ajax-Maniac Opt-In feature as well? Just an information bar like: “This Webpage sucks: It's associated with more than 1000 lines of script. Click here to enable/continue script execution for this page.” ;-)


# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 7:11 AM by kL
Does InfoCard store private keys on the user's computer? If an attacker gains access to the user's drive, can he steal his InfoCard identity?

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 10:17 AM by PatriotB
"Or why not restrict file reads/writes from an ActiveX to once every second?  That way, any chaos can be slowed down..."

Any idea on how this would be accomplished?  ActiveX code is just regular program code that gets called from within the iexplore.exe process.  There wouldn't be a reliable way to know whether a given file I/O is caused by an ActiveX control or a different part of IE.

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 11:13 AM by cooperpx
Can you guys please update this page ...

http://msdn.microsoft.com/ie/releasenotes/default.aspx

... to report that Digest Authentication continually prompts for credentials (whatever the real reason)?

- going nuts here without any feedback

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 12:59 PM by jace
Thawte personal email certs won't download in IE 7.

When selecting these options (star (*) by the selected item):

X.509 Format Certificates

For an X.509 certificate, please choose your software from the list below:

 Netscape Communicator or Messenger
*Microsoft Internet Explorer, Outlook and Outlook Express
 Lotus Notes R5
 OperaSoftware Browser
 C2Net SafePassage Web Proxy

I get the following message:

Form Processing Error

An error occurred while we were processing your form. Usually this means that one of the values you submitted in your form was invalid, or you did not put a value in a required field. Please check the error message below, and then review your submission.

The actual error given was:

Version 7 of MSIE does not support these certificates.

Kind regards,

thawte
it's a trust thing

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 2:40 PM by Blacksun06
Bill Gates talked at RSA about "higher assurance" ssl certificates for website.

Only "higher assurance ssl website cert" would trigger the "green URL bar"
in IE 7.

Could anybody from Microsoft or external specialists explain to me:
- what would be the differences from current SSL website certificates at the X509 cert field level?
- what would be the difference at the website identification level?
- what will be included inside the certificate fields to express that difference?
- would issuance of "higher assurance" certificates be limited to certification authorities that come by default with Windows/IE and are updated via Windows Update?

regards,

Fred

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 2:42 PM by Blacksun06
Some questions and request to the IE 7 product management.

I saw strange differences between IE 7 beta 1 and IE 7 beta 2 when clicking on the "SSL lock" (the one just on the right of the URL bar).

In IE 7 beta 1: the displayed certificate information summary seems logical to me: it indicates the CN of the certification authority that issued the SSL website certificate. This is in line with the "issued by" display when you double click on a certificate in earlier versions of the "view certificate details".

IE 7 beta 1 displayed text is "SSL secure (128 bits) you should send confidential information only if you trust the organization listed
what is a certificate ?
Certificate information" followed by:
- the "O=" information of the website SSL cert
- the "C=" information of the website SSL cert
Website certification provided by: CN field of the X509 certificate of the issuing CA.

In IE 7 beta 2, everything seems to have changed. Clicking on the "SSL lock" (the one just on the right of the URL bar), I have:
Secure connection
"O=" field of the issuing CA has identified this site as
CN of the website ssl cert
Owner unverified
Location unverified.

Limited information about this website is available. You should send confidential information only if you trust this website.
What is a certificate.

Question 1: It took a long time to educate customers/users to check the "issued by" field of the certificate details (= CN of the issuing CA cert); why now change the field identifying a certification authority to the "O=" field?

I would like to stress that I think the IE 7 beta 1 "security message" is better, because it relies on several years of education of customers and users by a lot of companies offering services on the internet, and it remains in line with past versions of Windows and IE, making the understanding easier for customers... simplicity in security communication to users is of primary importance here...

Question 2: what is "owner" in this security message? What is "location" in this security message? To which X509 website and issuing certificate fields do these correspond? What are the "security semantics and policies" around these items?

any clarifications and brainstorm around this more than welcome

greetings


# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 4:57 PM by Dave Bacher
Re: Restricting ActiveX controls

There was a comment above about "how can you restrict ActiveX controls," and the answer is application level security.

The problem with ActiveX can be correctly resolved by the IE team, if they actually care to implement it.

At module load time, every ActiveX control is assigned a HLIBRARY.  Given a return address on a call stack, I can determine what module is invoking a routine.  Based on that information, I can add a Windows XP group to the current effective permission set, which in turn allows me to restrict all file, installer, etc. access to the machine.

This is how tools like DEP work on processors that don't support it -- Microsoft looks to see if the caller is a data segment, which it knows by the address.  It would be just as easy to have a quick-dirty check based on the module handle.

# Compatibility bug

Wednesday, February 15, 2006 5:58 PM by download accelerator incompatible
Here is the problem. I have Download Accelerator Plus 8.0 from Speedbit. Unfortunately, it sometimes intercepts files that are meant for a webpage in IE7. As soon as that happens, IE7 crashes. That's a bug in IE 7.0.5296.0 with DAP 8.0.4.1. I am running WinXP 5.1 with SP2 on an Athlon XP 2800 with (1/2)GB DDR memory on an AsRock K7VT4A+ motherboard.

# re: Security and Compatibility with IE7

Wednesday, February 15, 2006 6:35 PM by codemastr
Since InfoCards seem to be part of winfx, does that mean they are Vista only?

# re: Security and Compatibility with IE7

Thursday, February 16, 2006 12:41 AM by Dean Harding
Dave Bacher: You can't trust the return address on the call stack; it's fairly easy to fake. For a good explanation, see:

http://blogs.msdn.com/oldnewthing/archive/2004/01/01/47042.aspx

And that's not how software-enforced DEP works at all. All software-enforced DEP does is, before a structured exception handler is dispatched, check that the SEH address is registered in the function table in the image. It doesn't check anything on the stack at all.

# re: Security and Compatibility with IE7

Thursday, February 16, 2006 4:35 AM by Ralf
Clicking on the "SSL lock":
You only show the certificate - that is not enough!
Please show additional:
* What kind of public/private key algorithm do you use for the session? What is the key length?
* What kind of symmetric key algorithm do you use? What is the key length?

# re: Security and Compatibility with IE7

Thursday, February 16, 2006 12:14 PM by Fred
Hello,

On microsoft.public.internetexplorer.general, Eric Lawrence indicated that in the final IE 7 release, the IE 7 SSL Security report will show the name of the root (the trust provider), and the Subject.CN.

Do you know what is meant by the "name of the root", is this the CN of the root CA ? Is it the "O" of the root CA, some other part of the DN or the complete DN of the root CA?

On the same newsgroup, he says "In the case of an enhanced validation cert,  IE 7 show the SubjectO, SubjectC, SubjectS, SubjectL".

What will happen if subject S and subject L are not inside the website SSL cert? Does this have some specific impact on the user experience with the "SSL security report"? For example, if "L=" is not present, would "location unknown" be displayed on the user's screen, as I saw it during one of my IE 7 beta tests, even if the country C= were present in the website certificate?

As you know, "State" doesn't exist in Europe and I don't think L is used much either. Besides this, in Europe, the laws are identical within one country. This means basically that the legal value of the CP is determined by the laws of the country of the certification authority; a "location unknown" would be too strong if L or S were missing but the country (C=) were specified in the CA root and website SSL certificates.

Last but not least, what is so specific about the Enhanced Validation cert? What is inside or outside the cert that makes it recognized by IE 7 as "enhanced" (special field, special certificate policy OIDs, ...)?

Any help/hints greatly appreciated.

regards

Fred

# re: Security and Compatibility with IE7

Thursday, February 16, 2006 6:06 PM by streaky
'"ActiveX opt-in" will disable most ActiveX controls on the system. If your ActiveX control needs to be enabled by default, we have put together a set of ActiveX best practices to help you understand how to make it safe enough to be used on the internet and enable it for use with IE7.'

Wait, am I reading this correctly? Did somebody finally get the message?

# re: Security and Compatibility with IE7

Saturday, February 18, 2006 1:48 AM by EricLaw [MSFT]
"Rob, could you have IE send anti-spyware programs a notification after an ActiveX control is downloaded but before it is installed. That seems like a decent way to protect users on XP who cannot depend on protected mode."

This is already available to anyone who wants it.  See here: http://msdn.microsoft.com/library/default.asp?url=/workshop/security/antivirus/reference/ifaces/iofficeantivirus/iofficeantivirus.asp

# Location bar always on

Sunday, February 19, 2006 8:37 AM by James
The location bar should be displayed only when the popup window comes from another domain.

# re: Security and Compatibility with IE7

Wednesday, February 22, 2006 8:46 AM by Tim
Sounds great! I just hope it won't become too expensive. Small companies or group projects will probably have a need for security certificates as well.

(Off-topic: is there a "due date" by which I should have submitted the bugs I found in the IE7 public preview? I'd like to know approximately how much time I have, I want to be as thorough as possible, but careful as well.)

# re: Security and Compatibility with IE7

Thursday, February 23, 2006 11:02 AM by Wil
Hey,

What happened to protected mode in the Vista Feb. CTP? In IE 7 it no longer shows protected mode in the status bar in IE. It's just "Internet".

Any ideas?

cya,

Will

# re: Security and Compatibility with IE7

Thursday, February 23, 2006 12:05 PM by Slugsie
I've found the security on the current beta to be pretty good, it's caught all the phishing sites I've tried, and it's blocked a lot of 'naughty stuff'.

I do have one request however, could the 'padlock' be moved to the other end of the address bar? The reason I ask is that I run at a high res (1600x1200) and the padlock can be a long way from the address, and it's less obvious. It would also be nice if the address bar changed colour (like Firefox does).

# re: Security and Compatibility with IE7

Sunday, February 26, 2006 6:37 PM by Naga
Hi,
Recently I upgraded my IE 6 browser to IE7. After the upgrade, when I tried to log into the Wells Fargo (www.wellsfargo.com) site, it did not allow me past the login screen, displaying that mine is an unsupported browser.
I understand that IE7 is still a beta version and may not be tested and supported by Wells Fargo as a supported browser.
Is there a way I can still use the IE6 that I used to have on my computer before this IE7 upgrade?
Now I remain stranded, having to download one of the free browsers that Wells Fargo supports. I really do not want to download any web browser other than IE; please advise me on how I can still log into the sites that support IE6 but not IE7.
URGENT!

Thanks
Naga

# re: Security and Compatibility with IE7

Sunday, February 26, 2006 10:49 PM by Joseph
I am using IE7 on Vista Feb CTP and I cannot get an IPSec cert for my machine through the normal Windows CA.  I go to the page to make the request and it sits forever at "Downloading ActiveX Control..".  I have added the site to my trusted site list but still no change.  Any ideas how to get past this?  Without this I can't take Vista on the road.
Thanks,
Joseph

# re: Security and Compatibility with IE7

Monday, February 27, 2006 9:42 AM by Mitch 74
About 'compatibility'...
I have here (www.moneyshop-credit.com) a site that displays correctly in IE6, Firefox, Opera, Konqueror, Safari... Pretty much any browser, EXCEPT IE7b2 - and that is due to IE7 ignoring CSS in:
- min-width,
- max-width,
- width: auto.
Now, the latter was supposedly fixed in IE7b2, as said in http://blogs.msdn.com/ie/archive/2005/07/29/445242.aspx
Looks to me like it isn't as of IE 7.0.5296.0...
So, alright, this is not security-related, but I find it strange that a supposedly fixed bug... isn't.

# Application Compatibility Logging In IE7

Monday, February 27, 2006 1:42 PM by IEBlog
As Rob pointed out in his last blog post on security and compatibility in IE7, one of the biggest challenges...

# Safety First at Mix06

Monday, March 20, 2006 8:25 PM by IEBlog
I’m really excited for my talk tomorrow here at Mix06. This conference feels more like a party than work....

# Reset Internet Explorer Settings

Monday, June 12, 2006 3:05 PM by IEBlog
Hello, we are Durga and Bala, from the IE IDC team. We would like to describe to you, a new feature in...

# IE7 to become your default browser - by default

Wednesday, July 26, 2006 11:27 PM by David Overton's Blog
I read about this internally yesterday and then on the blog posts today - IE7 will become part of the

