
June 2009 - Posts

The Privacy Impact of Add-ons: New APIs for IE8

By default, when starting a new session using IE8's InPrivate Browsing feature, toolbars and Browser Helper Objects are disabled. This is done to help protect the user's privacy: many toolbars and extensions maintain their own navigation/search/etc history

Internet Explorer and Custom HTTP Headers

Someone recently asked me for a list of custom HTTP request and response headers introduced by the IE team over the years. Here's the list I've come up with so far (including a few that were introduced before I joined the team): Request Headers UA-CPU
Posted by EricLaw | 0 Comments

Cool deal: Windows 7 Pre-orders half price for a limited time

Not exactly IE related, although IE8 is included in Windows 7: Until July 11th, Windows 7 upgrade pre-orders are available for half-price. Home Premium is $50, and Professional is $100. -Eric
Posted by EricLaw | 0 Comments

Thoughts on Declaring Security Policies

My thoughts about Mozilla's Content Security Policy proposal were just published over on the IEBlog. I actually have quite a bit more to say (at even greater length :-) about declarative security mechanisms, and some more technical feedback specific to
Posted by EricLaw | 2 Comments

User Account Control in Windows 7

It isn't directly related to Internet Explorer, but Mark Russinovich's Inside Windows 7 User Account Control article over on TechNet provides an illuminating explanation of why UAC isn't a security boundary, but why it helps protect against malware anyway.
Posted by EricLaw | 0 Comments

Handling Mixed (HTTPS/HTTP) Content

Background As we developed Internet Explorer 8, we spent quite a bit of time pondering what to do about IE7’s infamous “Mixed Content” warning prompt: As I noted on the IEBlog four years ago, the mixed content warning occurs when a web developer references
Posted by EricLaw | 24 Comments

WebOCs, popups, and the default browser

Applications which host the WebOC (Web Browser control) may choose to support popups and new windows by hooking the NewWindow3 event and returning in ppDisp a pointer to a new, hidden, non-navigated WebBrowser object or InternetExplorer object. If such
Posted by EricLaw | 1 Comment

Windows 7 adds support for TLSv1.1 and TLSv1.2

Windows 7's updated crypto stack (schannel.dll, etc) offers support for TLSv1.1 and TLSv1.2. While disabled by default in IE8 (for compatibility reasons; some legacy sites will fail to connect when the updated TLS version is offered) the new protocol
Posted by EricLaw | 2 Comments

IE8 Problem Reports: ASP.NET Menus show blank/white

Q: My ASP.NET site's menus show as blank/white when my page is rendered in IE8 standards mode. The menus only work if I turn on compatibility view. What's up with that? A: This is actually a standards-compliance bug in the ASP.NET framework. A fix for
Posted by EricLaw | 0 Comments

Enhanced Security with SEHOP

Windows Vista SP1 introduced an interesting new memory protection known as SEHOP, which works with other memory protection techniques (like DEP/NX, ASLR, etc) to help prevent exploitation of a specific type of memory-related vulnerability known as SEH-overwrite
Posted by EricLaw | 2 Comments

Good news: Security innovation spreading...

Version 4 of the Safari web browser now supports the HTTPOnly directive for cookies introduced by IE6 SP1. Now, all major browsers support the directive, which can help mitigate the impact of XSS exploits. Safari 4 also now supports the X-FRAME-OPTIONS
Posted by EricLaw | 0 Comments

CSS History Probing, or: "I know where you went last week"

Background One of the interesting attacks which makes the rounds every few years concerns the ability of web pages to use CSS to detect whether or not certain URLs have been visited. Given a sufficiently large set of URLs to probe, a website may be able
Posted by EricLaw | 2 Comments

Vary with Care

This content was previously published elsewhere. I'm copying it here for broader visibility. About the Vary Response Header As described in the HTTP/1.1 specification (RFC2616), the Vary response header allows a cache to determine if a cached (still
Posted by EricLaw | 8 Comments

HTTP/HTTPS Port-Blocking in WinINET

Internet Explorer (actually, WinINET, the network stack beneath IE) prohibits use of certain ports for HTTP(S) connections. The intent of this blocking is to prevent Cross Service/Protocol Request Forgery attacks. For instance, an attacker could use HTML
Posted by EricLaw | 2 Comments

Building Safer ActiveX controls: DOM Bridging

Over on the BlueHat blog, security researcher Manuel Caballero wrote up an interesting post on how Silverlight avoids exposing unsecured private browser APIs to abuse from RIA content. Anyone building ActiveX controls that take untrusted input should
Posted by EricLaw | 0 Comments

Think of the children!

Another question from the audience today: Q: I like IE8's InPrivate Browsing feature, but I'm worried that it won't let me see what my kids are up to. Can I prevent them from using it? A: Yes. When you enable the Windows Parental Controls feature, or
Posted by EricLaw | 1 Comment

IE Cumulative Update shipped today

The latest IE cumulative update shipped today; download it from WindowsUpdate when you get a chance. Over on the Security Research and Defense blog, there's an in-depth discussion of the security bug discovered in IE8 at the Pwn2Own contest at CanSecWest
Posted by EricLaw | 0 Comments

Slowing Down: Disabling the Accelerator icon

We've had a few folks write to the IEBlog asking "How can I disable the little blue accelerator icon that appears when text is selected in an HTML page?" For end users, the answer is straightforward: Click Tools > Internet Options > Advanced,
Posted by EricLaw | 5 Comments