IE Security Zones

re: IE Security Zones

Artist — Fri, 28 Jan 2005 20:37:00 GMT

bullshit

>Of course a website can't manipulate which >sites are in which security zones; it can >only be done by code running on the user's >machine.

http://secunia.com/advisories/11830/

"bitlance winter has reported a vulnerability in Internet Explorer (IE), allowing malicious people to bypass security zones or conduct phishing attacks.

The vulnerability is caused due to an error within the handling of URLs, which may cause IE to view a web site in context of another less secure security zone than intended.

Example:
http://[trusted_site]%2F%20%20%20.[malicious_site]/

Successful exploitation may allow a web page to be displayed in context of another domain e.g. in the "Trusted sites" or "Local intranet" security zones."

re: IE Security Zones

Bruce Morgan [MSFT] — Fri, 28 Jan 2005 21:04:00 GMT

That's not really the same thing. You're describing a zone elevation attack.

re: IE Security Zones

Artist — Fri, 28 Jan 2005 21:30:00 GMT

Nonsense. You could spoof the intranet zone. That is place an aribitray website in the intranet zone.

http://12345%2F[/]%20%20%20.www.attacker.com

IE would read http://12345/ as an intranet zone, yet the content would be www.attacker.com

Precisely the opposite of the claim that a website cannot manipulate which sites are in which security zones.

Check all the demo exploits out there.

re: IE Security Zones

Artist — Fri, 28 Jan 2005 21:41:00 GMT

Let me add, similarly, if you have microsoft.com in the trusted zone, the same would appply i.e.:

http://www.microsoft.com%2F%%20.www.attacker.com

IE would think its pointing to microsoft.com and put www.attacker.com in the trusted zone.

This is old news and verifiable with dozens of demos out there on the sec.lists. (patched now methinks) but older or non patched should still work.

re: IE Security Zones

asd — Sat, 29 Jan 2005 05:22:00 GMT

Will the next version of IE allow users to define additional custom zones?

re: IE Security Zones

Fiery Kitsune — Sat, 29 Jan 2005 07:16:00 GMT

Bruce, you can pick up your jaw, we know you are speechless.

Sorry we had to "pwn" you, but we had to shut you up.

re: IE Security Zones

deadBird — Sat, 29 Jan 2005 12:48:00 GMT

(this coming from a power user)
Perhaps we could, for sites that we frequent, set them in a 'Custom Zone' where we can set those websites to whatever permission we want.

Say for example, I frequently visit a website but it's very spammy/popup-ish. Add this website to my 'custom zone', and I have thus made visiting my site easier. Say I need just ActiveX or just java disabled???

Though of course, this invites exploits so it would be flawed at first almost definately.

re: IE Security Zones

Bruce Morgan [MSFT] — Sat, 29 Jan 2005 17:03:00 GMT

LOL, Kitsune. The additional posts from Artist have nothing to respond to; he's still talking about zone elevation attacks. Further, he talks about "patched now methinks" and unpatched systems.

re: IE Security Zones

Jim — Sat, 29 Jan 2005 20:53:00 GMT

> The additional posts from Artist have nothing to respond to; he's still talking about zone elevation attacks.

What's your point? Mike said: "Of course a website can't manipulate which sites are in which security zones". That's practically the definition of a zone elevation attack.

re: IE Security Zones

Bruce Morgan [MSFT] — Sat, 29 Jan 2005 21:13:00 GMT

The article is discussing to the ability to add or delete URLs and patterns from the various zones.

Taken in that context, the sentence you quoted, Jim, isn't referring to zone elevation attacks.

Nor is the ability to "manipulate which sites are in which security zones" the definition of a zone elevation atack. Bypassing those lists and navigating to a less restricted zone is a better definition of a zone elevation attack.

re: IE Security Zones

Jonathan — Sun, 30 Jan 2005 00:36:00 GMT

asd -- I believe you can programmatically create your own zones, but not via IE itself...

re: IE Security Zones

Alex — Sun, 30 Jan 2005 03:43:00 GMT

I just tried the examples of the flaw with real URLs and couldn't get the effect you describe; if this flaw is not present in the current version of IE then why bring it up at all?

I really don't understand the level of anger directed at IE and it's developers by some Firefox users. Surely if you feel you have a superior product there is no need for such constant bitter attacks?

Finally, it's nice to see some content, that isn't available elsewhere, starting to come through on the IE blog - this was a more valid complaint against previous posts.

re: IE Security Zones

Jim — Tue, 01 Feb 2005 23:03:00 GMT

> Nor is the ability to "manipulate which sites are in which security zones" the definition of a zone elevation atack. Bypassing those lists and navigating to a less restricted zone is a better definition of a zone elevation attack.

That's splitting hairs, IMHO.

> I really don't understand the level of anger directed at IE and it's developers by some Firefox users.

Artist didn't say that he was a Firefox user. Why the finger-pointing at Firefox people?

> Finally, it's nice to see some content, that isn't available elsewhere, starting to come through on the IE blog - this was a more valid complaint against previous posts.

I agree.

re: IE Security Zones

James Day — Thu, 03 Feb 2005 01:04:00 GMT

asd, deadBird, you can already create your own custom security zones if you're comfortable with regedit or programming tools. These custom zones do not show up in the IE user interface. Those with CompuServe's more recent clients installed will find one or perhaps two custom security zones.

The remainder of this documents settings on an a US Windows 98/IE4 test system and may not reflect current locations in more recent OS or browser versions. I'm sure the audience here can update as necessary.

To use such a zone, first create a new numbered Zone in HKEY_CURRENT_USERS\ Software\ Microsoft\ Windows\ CurrentVersion\ Internet Settings\ Zones . Say 5, 6 or 7 if you don't have any custom zones at present.

Once you have such a zone you can use it in HKEY_CURRENT_USERS\ Software\ Microsoft\ Windows\ CurrentVersion\ Internet Settings\ ZoneMap\ Domains just like the normal zones. To put a while site in custom zone 6, add say msdn.com and as a new dword within named http use the value 6. If you want blogs.msdn.com to have a different value, create a new key blogs below the msdn.com key and put say a dword value 7 there.

If you are doing this programatically you might want to be sure to use the user's current settings and modify those as required, rather than using the IE defaults. A security-conscious end user who notices you not respecting their security needs is unlikely to appreciate unnecessary compromises of their security.

I'm not a Microsoft employee, so don't blame Microsoft for any errors in this post. Note also that this is not using the API described in the post which started this, so remember that nothing here is guaranteed to stay working (or even work today...:)).

re: IE Security Zones

Lostcoder — Wed, 16 Feb 2005 00:56:00 GMT

Hmmm...free antispyware, new IE? Nice bit of news.

re: IE Security Zones

下载 — Wed, 16 Feb 2005 12:12:00 GMT

Thank you I am learning of new things all day! And it is good to know of my RSS already work. I think I need add button of RSS to make this thing clear.
But more work to do!

re: IE Security Zones

Paul — Fri, 18 Feb 2005 19:10:00 GMT

Do modifications to the security zones via IInternetSecurityManager and related interfaces happen in realtime? Or do I have to restart IE?

re: IE Security Zones

deadBird — Sun, 20 Feb 2005 22:54:00 GMT

Thanks James for the post! However I can make an app that'll do that, I'm just gonna hope it's in IE7.

Perhaps tinker with my own settings for a while, unless someone knows of an app that already does this.

re: IE Security Zones

Thomas Lee — Fri, 25 Feb 2005 11:20:00 GMT

Thanks for this post. After reading it, and the comments, I'm now more convinced than ever that the zone concept in IE is not adequate for IE7's brave new world. The issue is that you can not really divide all sites up into a few neat categories. On the internet, there are a variety of sites I trust fully, some I trust a lot (but not fully), oters I trust a bit, while most I dont' trust at all. Some of the ones I partly or fully trust I'll want to allow popups, but others even though I fully trust I don't want popups.

The .NET team did a great job with this - you can in effect define sub-zones, and sub-zones of sub-zones, each with different levels of security.

I'd like to see IE7 adopt something similar, with a configuration editor (to manage configuraions) plus a simple wizard or two.

I'm really looking forward to IE7!

how to automatically add a site to the trusted list

how to automatically add a site to the trusted list — Wed, 02 Jul 2008 12:09:01 GMT

PingBack from http://branden.adultpornostories.com/howtoautomaticallyaddasitetothetrustedlist.html

automatically add a site to the trusted list

automatically add a site to the trusted list — Wed, 02 Jul 2008 18:15:34 GMT

PingBack from http://mariam.sexyadultstories.com/automaticallyaddasitetothetrustedlist.html

how to create a com object using a progid read from config file | keyongtech

how to create a com object using a progid read from config file | keyongtech — Thu, 22 Jan 2009 07:54:29 GMT

PingBack from http://www.keyongtech.com/477735-how-to-create-a-com

vraagje over popups | hilpers

vraagje over popups | hilpers — Fri, 23 Jan 2009 15:40:23 GMT

PingBack from http://www.hilpers.nl/151938-vraagje-over-popups