Security and Compatibility with IE7

re: Security and Compatibility with IE7

Adam — Wed, 15 Feb 2006 04:07:02 GMT

Why google adsense always come up as a suspicious site?

re: Security and Compatibility with IE7

Christopher Vaughan [MSFT] — Wed, 15 Feb 2006 06:48:53 GMT

All - sorry it wasn't more clear, if you're running IE6SP1 or Windows XP (SP1 or SP2), you're not vulnerable. Only users still running IE 5.01 on Windows 2000 SP4 need apply this update.

IE7 is also not affected.

-Christopher

re: Security and Compatibility with IE7

Zian — Wed, 15 Feb 2006 07:05:48 GMT

Great work!

re: Security and Compatibility with IE7

Mitchel Tyrell — Wed, 15 Feb 2006 07:21:10 GMT

Rob, could you have IE send anti-spyware programs a notification after an ActiveX control is downloaded but before it is installed. That seems like a decent way to protect users on XP who cannot depend on protected mode.

re: Security and Compatibility with IE7

bryce schaufelberger — Wed, 15 Feb 2006 08:10:00 GMT

hi why is ie7 when you type a email and make a mistake there is a flaw in there that when you type make a mistake on webbase email like hotmail i got it does not delete the word you have to put the mouse on the letter to clear it see for you self try it can that be fixed

re: Security and Compatibility with IE7

game kid — Wed, 15 Feb 2006 08:21:17 GMT

"Rob, could you have IE send anti-spyware programs a notification after an ActiveX control is downloaded but before it is installed. That seems like a decent way to protect users on XP who cannot depend on protected mode."

I second that. Then the spyware thingy can check for signs of suspiciousness before all hell breaks loose. Sadly, all hell can still break loose with an ActiveX.

re: Security and Compatibility with IE7

game kid — Wed, 15 Feb 2006 08:22:42 GMT

Or why not restrict file reads/writes from an ActiveX to once every second? That way, any chaos can be slowed down...

re: Security and Compatibility with IE7

adrianotiger — Wed, 15 Feb 2006 11:49:54 GMT

I can understand that you want more security for your IE. But please, please allow to see the image I want to upload on the internet! I can't write document.all['imageobject'].src = this.value on an input object!
The source from the image is the path in the internet + imagefile name. It should be path to the image + imagefile name!

re: Security and Compatibility with IE7

Max C — Wed, 15 Feb 2006 12:06:02 GMT

"If you distribute software over the internet, you should sign your code with a valid code signing certificate."

Presumably this statement does not apply to .NET controls hosted in IE? Or at least not to those that don't require any additional trust than the standard internet zone? (It's a bit worrying to see all this news about changes without any mention of .NET controls... but they do still work in the beta so I'm keeping my fingers crossed!)

re: Security and Compatibility with IE7

Paul — Wed, 15 Feb 2006 14:00:45 GMT

I really do appreciate the ActiveX Opt-In Improvement.
Could we get an Internet Zone Ajax-Maniac Opt-In feature as well? Just an information bar like: “This Webpage sucks: It's associated with more than 1000 lines of script. Click here to enable/continue script execution for this page.” ;-)

MogBlog » Security and Compatibility with IE7

MogBlog » Security and Compatibility with IE7 — Wed, 15 Feb 2006 14:29:26 GMT

PingBack from http://dancmorgan.wordpress.com/2006/02/15/security-and-compatibility-with-ie7/

re: Security and Compatibility with IE7

kL — Wed, 15 Feb 2006 15:11:01 GMT

Does InfoCard store private keys on user's computer? If attacker gains access to user's drive, can he steal his InfoCard identity?

re: Security and Compatibility with IE7

PatriotB — Wed, 15 Feb 2006 18:17:40 GMT

"Or why not restrict file reads/writes from an ActiveX to once every second? That way, any chaos can be slowed down..."

Any idea on how this would be accomplished? ActiveX code is just regular program code that gets called from within the iexplore.exe process. There wouldn't be a reliable way to know whether a given file I/O is caused by an ActiveX control or a different part of IE.

re: Security and Compatibility with IE7

cooperpx — Wed, 15 Feb 2006 19:13:27 GMT

Can you guys please update this page ...

http://msdn.microsoft.com/ie/releasenotes/default.aspx

... to report that Digest Authentication continually prompts for credentials (whatever the real reason)?

- going nuts here without any feedback

re: Security and Compatibility with IE7

jace — Wed, 15 Feb 2006 20:59:08 GMT

Thawte personal email certs won't download in IE 7.

When selecting these options (star (*) by the selected item)

X.509 Format Certificates

For an X.509 certificate, please choose your software from the list below:

Netscape Communicator or Messenger
*Microsoft Internet Explorer, Outlook and Outlook Express
Lotus Notes R5
OperaSoftware Browser
C2Net SafePassage Web Proxy

I get the following message:

Form Processing Error

An error occurred while we were processing your form. Usually this means that one of the values you submitted in your form was invalid, or you did not put a value in a required field. Please check the error message below, and then review your submission.

The actual error given was:

Version 7 of MSIE does not support these certificates.

Kind regards,

thawte
it's a trust thing

re: Security and Compatibility with IE7

Blacksun06 — Wed, 15 Feb 2006 22:40:41 GMT

Bill Gates talked at RSA about "higher assurance" ssl certificates for website.

Only "higher assurance ssl website cert" would trigger the "green URL bar"
in IE 7.

Could anybody from Microsoft or external specialists explain to me:
- what would be the differences with current ssl website certificates at the
X509 cert fields level ?
- what would be the difference at website identification level ?
- what will be included inside the certificate fields to express that
difference ?
- would emission of "higher assurance" certificates be limited to
certification authorities that comes by default with windows/IE and are
updated via windows update ?

regards,

Fred

re: Security and Compatibility with IE7

Blacksun06 — Wed, 15 Feb 2006 22:42:29 GMT

Some questions and request to the IE 7 product management.

I saw strange differences between IE 7 beta 1 and IE 7 beta 2 when clicking
on the "SSL lock" (the one just on the right of the URL bar).

In IE 7 beta 1: Displayed certificate information summary seem logical to
me: it indicate the CN of the certification authority that did issue the ssl
website certificate. This is inline with the "issued by" display when you
double click on a certificate in earlier versions of the "view certificate
details"

IE 7 beta 1 displayed text is "SSL secure (128 bits) you should send
confidential information only if you trust the organization listed
what is a certificate ?
Certificate information followed by :
- the "O=" information of the website ssl cert
- the "C=" infromation of the website ssl cert
Website certification provided by : CN field of the X509 certificate of the
issuing CA.

In IE 7 beta 2, everything seems to have changed, clicking on the "SSL lock"
(the one just on the right of the URL bar), I have:
Secure connection
"O=" field of the issuing CA has identified this site as
CN of the website ssl cert
Owner unverified
Location unverified.

Limited information about this website is available. You should send
confidential information only if you trust this website.
What is a certificate.

Question 1: It took a long time to educate customer/users to check the
"issued by" field of the certificate details (= CN of the issuing CA cert),
why now change the field identifying a Certification authority to the "O= "
field ?

I would like to stress that I think the IE 7 beta 1 "security message" is
better because it relies on several years of education to customer and users
for a lot of companies offering services on the internet and remains inline
with past versions of windows and IE making easier the understanding for
customer....simplicity in security communication to users is of primary
importance here...

Question 2: what is owner in this security message ? what is location in
this security message ? to which X509 website and issuing certificate field
does this correspond ? What is "security semantics and policies" around these
items ?

any clarifications and brainstorm around this more than welcome

greetings

re: Security and Compatibility with IE7

Dave Bacher — Thu, 16 Feb 2006 00:57:21 GMT

Re: Restricting ActiveX controls

There was a comment above about "how can you restrict ActiveX controls," and the answer is application level security.

The problem with ActiveX can be correctly resolved by the IE team, if they actually care to implement it.

At module load time, every ActiveX control is assigned a HLIBRARY. Given a return address on a call stack, I can determine what module is invoking a routine. Based on that information, I can add a Windows XP group to the current effective permission set, which in turn allows me to restrict all file, installer, etc. access to the machine.

This is how tools like DEP work on processors that don't support it -- Microsoft looks to see if the caller is a data segment, which it knows by the address. It would be just as easy to have a quick-dirty check based on the module handle.

Compatibility bug

download accelerator incompatible — Thu, 16 Feb 2006 01:58:32 GMT

Here is the problem. I have Download Accelerator Plus 8.0 from Speedbit. Unfortunately, it sometimes intercepts files that are meant for a webpage in IE7. As soon as that happens, IE7 crashes. That's a bug in IE 7.0.5296.0 with DAP 8.0.4.1. I am running WinXP 5.1 with SP2 on an Athlon XP 2800 with (1/2)GB DDR memory on an AsRock K7VT4A+ motherboard.

re: Security and Compatibility with IE7

codemastr — Thu, 16 Feb 2006 02:35:08 GMT

Since InfoCards seem to be part of winfx, does that mean they are Vista only?

re: Security and Compatibility with IE7

Dean Harding — Thu, 16 Feb 2006 08:41:59 GMT

Dave Bacher: You can't trust the return address on the call stack, it's fairly easy to fake. For a good explanation, see:

http://blogs.msdn.com/oldnewthing/archive/2004/01/01/47042.aspx

And that's not how software-enfored DEP works at all. All software-enforced DEP does is, before a structure exception handler is dispatched, it checks that the SEH address is registered in the function table in the image. It doesn't check anything on the stack at all.

re: Security and Compatibility with IE7

Ralf — Thu, 16 Feb 2006 12:35:52 GMT

Clicking on the "SSL lock":
You only show the certificate - that is not enough!
Please show additional:
* What kind of public/private key algorithm do you use for the session? What is the key length?
* What kind of symmetic key algorithm do you use? What is the key length?

re: Security and Compatibility with IE7

Fred — Thu, 16 Feb 2006 20:14:04 GMT

Hello,

On microsoft.public.internetexplorer.general, Eric Lawrence indicated that in the final IE 7 release, the IE 7 SSL Security report will
show the name of the root (the trust provider), and the Subject.CN.

Do you know what is meant by the "name of the root", is this the CN of the root CA ? Is it the "O" of the root CA, some other part of the DN or the complete DN of the root CA?

On the same newsgroup, he says "In the case of an enhanced validation cert, IE 7 show the SubjectO, SubjectC, SubjectS, SubjectL".

What will happen if subject S and subject L are not inside the website ssl cert ? Does this have some specific impact on the user experience with the "ssl security report"? For exemple, if "L=" is not present, would "location unknown" be displayed to the user screen as I saw it during one of my IE 7 beta tests, even if the country C= would be present in the website certificate.

As you know, "State" doesn't exist in Europe and I don't think L is very used
either. Besides this, in Europe, the laws are identical in one country. This means
basically that the legal value of the CP is determined by the laws of the country of the certification authority, a "location unknown" would be too strong if L or S would be missing, but the country (C=) would be specified in the CA root and website ssl certificates.

Last but not least, what is so specific about the Enhanced Validation cert ? What is inside
or outside the cert that makes it recognized by IE 7 as "enhanced" (special field, special certificate policies OIDs,...)?

Any help/hints greatly appreciated.

regards

Fred

re: Security and Compatibility with IE7

streaky — Fri, 17 Feb 2006 02:06:37 GMT

'"ActiveX opt-in" will disable most ActiveX controls on the system. If your ActiveX control needs to be enabled by default, we have put together a set of ActiveX best practices to help you understand how to make it safe enough to be used on the internet and enable it for use with IE7.'

Wait, am I reading this correctly? Did somebody finally get the message?

re: Security and Compatibility with IE7

EricLaw [MSFT] — Sat, 18 Feb 2006 09:48:55 GMT

"Rob, could you have IE send anti-spyware programs a notification after an ActiveX control is downloaded but before it is installed. That seems like a decent way to protect users on XP who cannot depend on protected mode."

This is already available to anyone who wants it. See here: http://msdn.microsoft.com/library/default.asp?url=/workshop/security/antivirus/reference/ifaces/iofficeantivirus/iofficeantivirus.asp

Location bar always on

James — Sun, 19 Feb 2006 16:37:47 GMT

The location bar should be displayed only when the popup window comes from another domain.

re: Security and Compatibility with IE7

Tim — Wed, 22 Feb 2006 16:46:05 GMT

Sounds great! I just hope it won't become too expensive. Small companies or group projects will probably have a need for a security certificates as well.

(Off-topic: is there a "due date" by which I should have submitted the bugs I found in the IE7 public preview? I'd like to know approximately how much time I have, I want to be as thorough as possible, but careful as well.)

re: Security and Compatibility with IE7

Wil — Thu, 23 Feb 2006 19:02:43 GMT

Hey,

What happened to protected mode in Vista Feb. CPT. In IE 7 it no longer shows protected mode in the status bar in IE. It's just "Internet" .

Any ideas?

cya,

Will

re: Security and Compatibility with IE7

Slugsie — Thu, 23 Feb 2006 20:05:07 GMT

I've found the security on the current beta to be pretty good, it's caught all the phishing sites I've tried, and it's blocked a lot of 'naughty stuff'.

I do have one request however, could the 'padlock' be moved to the other end of the address bar? The reason I ask is that I run at a high res (1600x1200) and the padlock can be a long way from the address, and it's less obvious. It would also be nice if the address bar changed colour (like Firefox does).

re: Security and Compatibility with IE7

Naga — Mon, 27 Feb 2006 02:37:00 GMT

Hi,
Recently I upgraded my IE 6 browser to IE7, after upgrade when I tried to log into Wells fargo (www.wellsfargo.com) site and it did not allowed me past the login screen, displaying that mine is an unsupported browser.
I understand that IE7 is still a beta version and may not be tested and supported by Wells fargo as its supported browser.
Is there a way I can still use my IE6 that I used to have in my computer before this IE7 upgrade.
Now I remain strandled to download one of the free browsers that Wellsfargo supports.I really donot want to download any web browser other than IE, please advise me as how I can still log into the sites that support IE6 but not IE7.
URGENT!

Thanks
Naga

re: Security and Compatibility with IE7

Joseph — Mon, 27 Feb 2006 06:49:38 GMT

I am using IE7 on Vista Feb CTP and I cannot get an IPSec cert for my machine through the normal Windows CA. I go to the page to make the request and it sits forever at "Downloading ActiveX Control..". I have added the site to my trusted site list but still no change. Any ideas how to get past this? Without this I can't take Vista on the road.
Thanks,
Joseph

re: Security and Compatibility with IE7

Mitch 74 — Mon, 27 Feb 2006 17:42:39 GMT

About 'compatibility'...
I have here (www.moneyshop-credit.com) a site that displays correctly in IE6, Firefox, Opera, Konqueror, Safari... Pretty much any browser, EXCEPT IE7b2 - and that is due to IE7 ignoring CSS in:
- min-width,
- max-width,
- width: auto.
Now, the latter was supposedly fixed in IE7b2, as said in http://blogs.msdn.com/ie/archive/2005/07/29/445242.aspx
Looks to me like it isn't as of IE 7.0.5296.0...
So, alright, this is not security-related, but I find strange that a supposedly fixed bug... isn't.

Application Compatibility Logging In IE7

IEBlog — Mon, 27 Feb 2006 21:42:02 GMT

As Rob pointed out in his last blog post on security and compatibility in IE7, one of the biggest challenges...

Safety First at Mix06

IEBlog — Tue, 21 Mar 2006 03:25:14 GMT

I’m really excited for my talk tomorrow here at Mix06. This conference feels more like a party than work....

Reset Internet Explorer Settings

IEBlog — Mon, 12 Jun 2006 22:05:51 GMT

Hello, we are Durga and Bala, from the IE IDC team. We would like to describe to you, a new feature in...

IE7 to become your befault browser - by default

David Overton's Blog — Thu, 27 Jul 2006 06:27:04 GMT

I read about this internally yesterday and then on the blog posts today - IE7 will become part of the

IE7 to be distributed via Automatic Updates! » Dee’s-Planet! Blog

IE7 to be distributed via Automatic Updates! » Dee’s-Planet! Blog — Sat, 19 Aug 2006 23:33:07 GMT

PingBack from http://www.roks.xmgfree.com/blog/2006/08/19/ie7-to-be-distributed-via-automatic-updates/

The Praveen » Blog Archive » Internet Explorer 7 for Windows XP Available Now

The Praveen » Blog Archive » Internet Explorer 7 for Windows XP Available Now — Thu, 19 Oct 2006 07:33:32 GMT

PingBack from http://www.thepraveen.com/internet-explorer-7-for-windows-xp-available-now/

Blog Posible » Blog Archive » Ya ha llegado internet explorer 7 para Windows XP

Thu, 19 Oct 2006 09:50:51 GMT

PingBack from http://www.webposible.com/blog/?p=268

Church Geek Links 10-19-06 « UberChurchTech

Church Geek Links 10-19-06 « UberChurchTech — Thu, 19 Oct 2006 12:51:21 GMT

PingBack from http://uberchurchtech.wordpress.com/2006/10/19/church-geek-links-10-19-06/

Virtual Solutions Network - VSNetwork.co.uk · Internet Explorer 7 Final Released Today

Thu, 19 Oct 2006 13:01:39 GMT

PingBack from http://www.vsnetwork.co.uk/2006/10/18/internet-explorer-7-final-released-today.html

Internet Explorer 7 for Windows XP Available Now « Just [invaleed]

Internet Explorer 7 for Windows XP Available Now « Just [invaleed] — Thu, 19 Oct 2006 13:39:03 GMT

PingBack from http://invaleed.wordpress.com/2006/10/19/internet-explorer-7-for-windows-xp-available-now/

Internet Explorer 7 Released! For Windows XP and Windows Server 2003. « Amarjeet Rai’s Blog

Thu, 19 Oct 2006 16:49:37 GMT

PingBack from http://arai.wordpress.com/2006/10/19/internet-explorer-7-released-for-windows-xp-and-windows-server-2003/

IE 7 Released · Style Grind

IE 7 Released · Style Grind — Sat, 21 Oct 2006 18:54:44 GMT

PingBack from http://stylegrind.com/ie-7-released/

Internet Explorer 7 for Windows XP Available Now « E.Krishna Kumar’s Weblog

Internet Explorer 7 for Windows XP Available Now « E.Krishna Kumar’s Weblog — Sun, 22 Oct 2006 17:19:01 GMT

PingBack from http://ekrishnakumar.wordpress.com/2006/10/22/internet-explorer-7-for-windows-xp-available-now/

Internet Explorer 7 released : Jason Ruyle

Internet Explorer 7 released : Jason Ruyle — Mon, 23 Oct 2006 21:03:07 GMT

PingBack from http://www.jasonruyle.com/2006/10/18/internet-explorer-7-released/

invalid.web.id » Blog Archive » Internet Explorer 7 for Windows XP Available Now

Tue, 13 Mar 2007 12:03:14 GMT

PingBack from http://invalid.web.id/?p=140

IE7 is out of the door, Move along Firefox? | Jordan Ostreff's Place

IE7 is out of the door, Move along Firefox? | Jordan Ostreff's Place — Tue, 16 Jun 2009 17:36:09 GMT

PingBack from http://www.ostreff.info/?p=415

IEBlog Security and Compatibility with IE7 | fix my credit

IEBlog Security and Compatibility with IE7 | fix my credit — Wed, 17 Jun 2009 04:59:41 GMT

PingBack from http://fixmycrediteasily.info/story.php?id=1630