IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Jereck — Tue, 10 Feb 2009 01:20:12 GMT

Please, give an option (Internet Settings, Advanced tab) to allow advanced users to have the "Disregard and continue" directly visible.

Everyday I have to use "unsafe websites" like web-based VPN, secured with SSL certificates issued by my customers' organisations.

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

AlexGl [MSFT] — Tue, 10 Feb 2009 01:34:08 GMT

@Jereck: It sounds like you're referring to the invalid/expired/self-signed certificate warning page. That page is still the same. The changes I described only apply to the SmartScreen Filter warning page.

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

8675309 — Tue, 10 Feb 2009 01:48:16 GMT

why was protect mode for ie7 removed from default for trusted sites

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

frymaster — Tue, 10 Feb 2009 02:03:00 GMT

"Everyday I have to use "unsafe websites" like web-based VPN, secured with SSL certificates issued by my customers' organisations."

In that situation I'd install the certificates in your trusted certificate store. Otherwise you can't tell the difference between an untrusted certificate (self-signed by the customer) and an untrusted certificate (because of a man-in-the-middle attack)

re: IE8 RC installer compatibility

WindowsFanboy — Tue, 10 Feb 2009 05:29:46 GMT

IE 8 RC1 doesn't show a progress bar during installation with many third-party themes (ones where the progress bar is solid instead of segmented). Here's an example theme:

http://tornado5.deviantart.com/art/Ambient-111330562

Maybe you can change the installer so that the progress bar will go all the way across once, instead of a few segments going across many times.

Thanks!

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Rob Parsons — Tue, 10 Feb 2009 10:31:22 GMT

Hi,

Using XP SP3/IE8 RC1 virtual image.

(Don't do this with your production machines)

I just whent to funwebproducts.com and I was amazed to find that I could continue to the Cursor Mainier installation page

http://cursormania.smileycentral.com/download/install_ie_sp2.jhtml?product=cursormania&subdir=cm&bOrganic=false&utmCall=%3Cscript+src%3D%27http%3A%2F%2Futm.cursormania.com%2F__utm.js%27+type%3D%27text%2Fjavascript%27%3E%3C%2Fscript%3E&hasVistaInstall=false&countryCode=AU&vpartner=ZCzfw001YYAU&ac=0&partner=ZCzfw001&srd=false&spu=false&isEnglishBrowser=true&w=c&isPortugese=false&bucket=YY&isVista=false&isIE7=false&isEnglish=true&ref=null&akamaiUrl=http%3A%2F%2Fak.exe.imgfarm.com&coreProduct=cursormania&isSpanish=false&brname=MyWebSearch&bCookiesEnabled=false&abandonUrl=http%3A%2F%2Fwww.funwebproducts.com%2Fpopunder.html&spk=hJe8WpS0ZAjNxeQ3iEVJTv6ESd3JsfwZP6fsW5oZFUIqnlYTDY3hrK7ZFU7Iqdg5J0zS5ohrCB92nDHOzSibNrPaEqnf37A8

- This page installs the MyWebSearch toolbar as a downloaded ActiveX component, circumventing the unsafe download prompts (Smart Screen Filter is turned on). Only the ActiveX Download Info bar appears.

Setting a killbit for the ActiveX UID will not work as a COM Toolbar is actually installed which has a differnt CLSID.

Their products may not be considered as Malware (by some, but they do use a Search Hook hijack that over-rides the built-in IE SearchHook), but I certainly feel that they are abusive of IE and considerable degrade its performance.

Funwebproducts and cursormania are domains that are included in the SpywareBlaster.com's Untrusted Sites entries, but apparently not in the MS Smart Screen Filter database.

I would like you to give the funwebproducts site some thought, and consider how the Smart Screen Filter and the unsafe download prompt can be applied to the installation of downloaded ActiveX controls.

I know that Funwebproducts may have strong commercial relationships with reputable vendors, but perhaps you can use the threat of including their sites in the Safe Screen Filter database as an incentive for them to improve thier products and remove their browser hijacks.

Regards. Rob ^_^

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

travis — Tue, 10 Feb 2009 16:27:21 GMT

@Rob Parsons - Here, Here!

There should be no way that ANYTHING can install itself just by viewing a website. It doesn't matter if it is the coolest software ever, installing without consent is disgusting and should be blocked (read the browser should never have allowed this behavior in the first place).

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

steppres — Tue, 10 Feb 2009 17:08:43 GMT

Of the 3 browser anti-phishing implementations I've used (IE8, Opera and Firefox 3), this is the best. Both Opera and Firefox have a direct link displayed that takes the user to the flagged site. IE8's use of a hidden info box is a great idea that will protect and educate users. Bravo IE8 team, you've really turned Internet Explorer around!

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

EricLaw [MSFT] — Tue, 10 Feb 2009 19:13:42 GMT

@Rob Parsons: SmartScreen will block (completely, with no override prompt) installation of malicious ActiveX controls.

@Travis: I think you're overlooking the fact that nothing "installs itself." The user must manually choose to install the FunWebProduct in order for the tool to be installed. IIRC, the FunWebProduct has an accurate disclosure that explains what it does and an uninstaller that completely reverts its behavior, suggesting that it doesn't meet the definition of malware.

Obviously, Microsoft cannot just go around blocking software that we personally don't care for-- there are specific criteria around what will and will not be blocked. Please see http://www.microsoft.com/windows/products/winfamily/defender/analysis.mspx for further detail.

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

hAl — Tue, 10 Feb 2009 19:50:41 GMT

@EricLaw

<nblockquotequote>the FunWebProduct has an accurate disclosure that explains what it does</blockquote>

Check how this download page is exactly obscuring that disclosure info by blurring it into a background:

http://cursormania.smileycentral.com/download/index.jhtml?partner=ZCzfw001&ac=0

These notorious scammers are some of the the worst kind of malware creators in the world and they definitly violate several of the rules on the page that you provide.

If those are not blocked then frankly smartfilter is not doing its job

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

PA — Tue, 10 Feb 2009 20:07:57 GMT

To further discourage people from clicking the "disregard and download unsafe file

(recommended)" link button and make a expand button to view that linked button instead. Instead of 1 click user now have to do two click.

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

EricLaw [MSFT] — Tue, 10 Feb 2009 21:31:15 GMT

@hAl: The page that actually launches the install has a much more clear link to the EULA and privacy policy. As outlined on the Defender page, there are many different types of potentially unwanted and malicious software.

The SmartScreen filter is designed to block malicious software according to specific criteria. SmartScreen blocks fake AV products, greeting card trojans, and myriad other types of malware.

"Potentially unwanted software" which does not meet the "malicious software" bar (because it does not misrepresent itself, has a clear privacy policy/license agreement, can be fully uninstalled, etc) will not be blocked by SmartScreen. Users who do not agree with the practices and policies for such software should simply not install it.

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Vilius — Tue, 10 Feb 2009 22:41:38 GMT

Eric, on the one hand I agree with you that software that has clear policy etc. should not be blocked. BUT on the other hand I agree with hAl that IE should do SOMETHING before user installs that kind of software. I would suggest showing the user a prompt with big exclamation mark that this software was found unwanted by most users and he should REALLY consider before installing it. SmartFilter should really make users SMARTER :)

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

hAl — Tue, 10 Feb 2009 23:22:07 GMT

@EricLaw

The page I showed the link to was clearly deceptive on purpose.

Obscuring infromation on what the software does was no coincidence and it clearly deceptive.

I read the Microsoft page you listed and the cursormania software qualifies on several of the items listed on that page. (as probably all funwebpructs.com junk software does)

If standards at MS for smartscreen filter are so low that cursormania is not considered malware than the filter is useless. I have seen trojans that do less harm to peoples computers than this rubbish.

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Frank — Tue, 10 Feb 2009 23:50:18 GMT

hal-- "no coincidence."

sez you... and maybe it's not... but your opinion doesn't matter in courtroom, which is where things like this end up.

don't believe me? google for "Blue Mountain Arts junk mail lawsuit" or see //news.zdnet.com/2100-9595_22-101167.html?legacy=zdnn

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Sage — Wed, 11 Feb 2009 01:55:37 GMT

MS sure has low standards. FunWebProducts is clearly deceptive and does unwanted things to any Windows OS but you won't block it? I can't believe what I'm reading from a MSFT employee.

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Will — Wed, 11 Feb 2009 11:47:11 GMT

I'd say block it too!

If your users are asking you to block it, screw the "standards" and keep your users happy. ;)

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Rob Parsons — Wed, 11 Feb 2009 14:55:50 GMT

FunWebProducts - Seems like I started a bar fight.(unintentional)

Guys & Girls (and Will) - give Eric and MS a brake. The bad guys are continually testing the waters to fend off critisism or denial of credibility of their products. It is a continual catch-up game. Lawers aren't cheap. Politicians are useless.

Eric - MS or somebody needs to review these borderline Addon publishers on a regular basis. It would appear that the latest offerings from FWP now meet the critera to be classed as malware - Group Policy changes are made to block access to the Add/Remove Programs applet making it impossible for novice users to remove their products.

I don't know how you are going to Police sites like this. You can't be always adding or removing them from you listings. Perhaps public or peer opinion may be the best indicator.

I am sad to see that castlecops.com has closed.

The Addons Mangers' "Search for this Addon via defaut Search Provider" could be improved if it used a a dedicated IE Addons database.

FWP hijack the Search Provider and don't incriminate their own products. It takes you directly to their site instead.

Live returns no results.

http://search.live.com/results.aspx?FORM=DNSAS&q=%2522My%2bWeb%2bSearch%2522%2bMWSBAR.DLL

I can see opportunities here for an Addons developer to improve upon what you have done so far. How is HW progressing?

Regards.

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

gerald — Wed, 11 Feb 2009 17:58:37 GMT

Indeed.

If an addon/toolbar/program does not have a built in (un-hindered) uninstall that registers in the add/remove programs dialog then IT IS UNFIT for installation, PERIOD.

If Rob Parsons' comments are correct, and the uninstall is blocked, then this software is officially malware.

Every time I read this stuff I am so glad that Firefox is my default browser and where I install my addons.

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Oliver — Wed, 11 Feb 2009 18:49:10 GMT

Sage and Will have apparently been living under a rock for the last few decades. Guys, Gooogle for "Microsoft anti-competitive" and learn why it might not be such a bright idea to deliberately block other ppl's non-malicious software, even if lots of ppl want them to.

If Rob can show that Group Policy changes are made (instead of making a bold unproven claim here) I bet that the MS guys will block that junk right away.

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Ron — Wed, 11 Feb 2009 18:54:58 GMT

<<I am so glad that Firefox is my default browser>>

you know that firefox has addons that cannot be uninstalled without hunting down obscure config options, right? thats why they provide a step by step list of files and folders to manually mess with: //kb.mozillazine.org/Firefox_:_FAQs_:_Uninstall_Extensions

IE and firefox aren't that different. Don't install junk addons you don't want, and everythings just fine.

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Rob Parsons — Thu, 12 Feb 2009 08:29:05 GMT

FWP - The Add/Remove Programs block turned out to be part of the XP virtual machines original settings.

Use SCF in conjuction with Untrusted sites lists to protect your users and networks.

Just goes to show that security is n-tier. The weakest link is the keyboard nut.

Internet Explorer 8 Final Available Now

IEBlog — Thu, 19 Mar 2009 19:35:18 GMT

Today we’re excited to release the final build of Internet Explorer 8 in 25 languages. IE8 makes what

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Manoj — Tue, 24 Mar 2009 09:25:03 GMT

I open a HTTPS URL in IE8 which uses invalid cert(expired/CA not trusted/subject name mismatch), I get "There is a problem with this website's security certificate" message which gives me option to continue or to close the web page. if I continue, I get the webpage loaded in the browser. if I open a link in this webpage in a new tab or if that webpage opens a pop-up, IE8 is again presenting me the 'There is a problem with cert..' message. this never used to happen in IE7. is this a change in behaviour? or a bug in IE8?

re: IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

EricLaw [MSFT] — Tue, 24 Mar 2009 18:26:14 GMT

@Manoj: This is a limitation introduced by IE8's multiple-process "LCIE" architecture. The user's choice to accept an invalid certificate is not brokered to new processes as they are created for popup windows or new tabs.

We broker most other state (including cookies, HTTP authentication, etc) but unfortunately did not have a chance to fix this corner case.

End to End Trust and Windows 7

Windows Security Blog — Tue, 21 Apr 2009 20:53:14 GMT

I attended Scott Charney’s keynote this morning at RSA – Moving Towards End to End Trust