Hi, I’m John Bedworth, the Development Manager for
Internet Explorer Security. I wanted to address some of the excellent questions
that came up in the feedback to Rob Franco’s “Clarifying Low-Rights IE” post.

How is “low-rights” IE
different than, in XP, running as a regular (limited) user? At home, I use a
limited user account–is there anything about low-rights IE that is different
than my situation?

The primary difference is that IE 7 on Longhorn
will be running with fewer rights than a limited user. As a limited user, you
are still able to write to a part of the registry known as the “user hive” or
HKCU, as well as the My Documents folder, etc. With these permissions, it is
possible to write to parts of the system that contain sensitive user information
and application configuration information. In practice, even a limited user
needs access to write to these areas. For example, without these permissions, it
would be impossible to put a file in a predictable location on the hard drive,
change an application’s configuration settings, or put an application in the
user’s Startup folder. However, IE does not generally need the ability to do
these things. This is what Low Rights IE is all about.

“As a result, even if a
malicious site attacks a vulnerability in IE, the site’s code won’t have enough
privileges to install software, copy files to Startup folder, or hijack the
settings for the browser’s homepage or search provider.”
Firefox and other modern browsers have it from scratch. What’s innovative in

This is important to understand, so I’m going to
try to be very clear. Defense in depth means that we have to assume that every
application has at least some potential for vulnerability that could allow
third-party binary code to run within its process. In a traditional system, this
code would execute with the user’s full permissions and, if the application were
attacked, could do anything the user is capable of.
This is true on any operating system and
application running today. The advantage IE 7’s users are going to have on
Longhorn is that IE 7 will run with a more restricted set of permissions than
even the lowest privileged user account. If IE 7 doesn’t have rights to install
software, copy files, or change settings, exploit code running inside that
process cannot do these things either. This is very different from what you
get with applications that run with the user’s full permissions today – “other
modern browsers” included.

As the team continues to develop the Low Rights IE
feature, you can expect to see more technical posts that explain how other
applications can take advantage of the new functionality in Longhorn to provide
a more secure user experience. I can candidly say that the hardest part of
doing this right is maintaining the balance between security and compatibility.
We want to share what we learn along the way to help other developers implement
a security model using the least possible permissions necessary while still
providing users with a usable product.