IE Security talk at Hack in the Box


The information published in this post is now out-of-date and one or more links are invalid.

—IEBlog Editor, 21 August 2012

As some of you have noted in the comments, I will be doing a keynote presentation at the Hack in the Box conference in Kuala Lumpur, Malaysia on September 28. The title of my presentation is “Internet Explorer Security Past, Present, and Future”. I’ll be talking about the kinds of threats we’ve seen, how we started to address them in Windows XP SP2, and our plans to go even further in protecting users in IE 7. I will also be demonstrating IE 7 on Windows Vista including features not available in beta 1, such as Protected Mode (the feature formerly known as Low Rights IE). I hope my talk will be useful and interesting for the attendees. If you have specific things you’d like me to address on IE security (so, not “when are you going to have full CSS 2.1 support?”), I’m happy to take suggestions.

I’m looking forward to the conference and visiting Kuala Lumpur for the first time; I’d also love any recommendations on things to do or see in KL (especially food related activities!).

See you at HITB!

Thanks,
 Tony Chor

Comments (52)

  1. Anonymous says:

    (so, not “when are you going to have full CSS 2.1 support?”)

    obviously, we're not gonna have it, so I believe mostly everyone has lost any kind of hope.

  2. Anonymous says:

    If you are staying in the heart of KL city, do have a stroll down Petaling Street at night. Taste the local delights and enjoy the hustle of activities at one of the busiest night market in KL. Don’t forget to pick up a copy of Windows Vista Beta 1 CD for RM5 (USD 1.30) 😉

  3. Anonymous says:

    Well, why did you have to implement ActiveX in IE? A web browser is a program that can show content from all around the world, written by anyone, and the author may often be unknown.

    So when browsers therefore obviously need strict security measures to protect users from the dangers of the web, why did you implement ActiveX in a web browser? You have combined a web browser with a (lite) application API, which should be kept entirely separate. (For instance, consider a separate program for running .htas.)

    Now you need to do your best creating security zones, "low rights IE" (I’m not sure what that is but sounds related) and phishing warnings, just to keep unaware users from allowing the browser to give a webpage access to ActiveX controls. So please explain why you added ActiveX to IE?

  4. Anonymous says:

    @Steve: I don’t want to rain on your parade but IE7 will not fully support CSS2, from a previous post: "I want to be clear that our intent is to build a platform that fully complies with […] CSS 2 […] I think we will make a lot of progress against that in IE7…"

    @Jeffrey: give them some slack. If you really thought IE7 would support CSS2 100% you were kidding yourself, not in this short timeframe. I believe not one browser supports it 100% correctly so at least they’re going in the right direction (finally…)

  5. Anonymous says:

    Can we see an example of the Anti-Phisher in action? How do I know it even works?

  6. Anonymous says:

    What I always hated was the allow all or deny all behavior of Active X controls. You either allow them all, or you don’t have any. Also, if you turn them off, you always get these annoying dialogs saying the page isn’t going to display properly. I have no clue how things are now since I haven’t used IE in a while.

  7. Anonymous says:

    Re: Anti-X

    There’s been a gold bar since XP SP2. You have to approve the Active X control before it can run. It is on a per control basis.

  8. Anonymous says:

    Just to add to that… from SP2 onwards you could also disable existing controls in the ‘Manage Add-ons’ window – a big step forwards

  9. Anonymous says:

    Re: Tomasz Dudziak

    > On unix-like systems all it can damage is
    > home directory so Netscape/Mozilla plugins
    > aren’t so dangerous there as ActiveX is.

    Agreed. Lord knows that the home directory is the least important directory on a computer. *face-rolls-eyes*

  10. Anonymous says:

    Actually, here is something that I’d *really* like Microsoft to explain. This is by far the most important thing Microsoft should explain. Why are you refusing to provide these security enhancing features to other versions of Windows? I don’t know how many businesses still run Windows 2000, many schools still run Windows 98, and with IE7 you’re basically denying them all the new added security. To me, for Microsoft to keep users’ trust, they should give a very compelling reason why there is not going to be an upgrade available for pre-XP SP2. And, indeed, why the SP2 fixes are also not available for other versions.

    Though I have every intention of using IE7 on my XP machines, I also have every intention of installing Firefox on all my non-XP machines. That’s something I honestly never thought I’d say since I believe IE to be a superior browser. However, it seems like Microsoft has decided to ignore those of us who aren’t running XP/2003/Vista and has not given any reason why.

  11. Anonymous says:

    The IE team talking at a hacker con!!

    Please tell me this is a joke, why would they even let you guys speak, and what would you talk about.

    : OMG guys, look we got a browser that doesn’t run with administrative rights. Look at our massive innovation.

    : Look, we’ve also copied the anti-phishing idea right from netcraft. Yeah I know it’s lame, and pretty useless because it’s not enabled by default. But hey, at least we can read our server logs and see where people get their pron from (there’s the real hack 😉 )

    But joking aside, what will you talk about. IE 7 is better than IE6, but there’s still nothing new that other people don’t have.

  12. Anonymous says:

    @Fletcher: That’s not the point. The point is that by the default setup on IE/Win, the browser has access to anything it wants. On top of that there is an API ActiveX that allows any website to do whatever it wants with your system if it can become ‘trusted’ or get around some popup (which many users ignore).

    As far as running as Administrator, that’s Windows’ fault, not IE’s (and running as Administrator is *really* bad, think like as in boot.ini bad, or worse), but in order to make other browsers as vulnerable as IE (via plugins), you have to go and take the effort

  13. Anonymous says:

    Codemaster, it has been said before. Windows 2000 is leaving (or has left?) support. It’s an unsupported OS before IE7 comes out. That’s why it isn’t coming out for it. 2003 has superseded 2000 (it even has a service pack out now).

    See the lifecycle they posted before at http://blogs.msdn.com/ie/archive/2005/03/29/403513.aspx

    The 9x releases are generally unsupported but I think the big deal is that they are DOS based. A DOS based OS cannot be made secure by 21st century standards. Think about the concept of Administrators on a Win98 box.

  14. Anonymous says:

    Alan,

    You say

    > The point is that by the default setup on IE/Win, the browser has access to anything it wants.

    What are you talking about? This is so much BS. If you aren’t running as administrator, IE doesn’t have access to "anything it wants."

  15. Anonymous says:

    I’m looking forward to the new release(s) of IE and Winders, things look great. I have nothing to whine about since I’ve yet to make anything better 🙂

  16. Anonymous says:

    No, Alan, this isn’t a joke. I’m definitely presenting at HITB.

    I’ll certainly talk about how the work we’re doing in IE 7 will help provide defense-in-depth against buffer overflows (this is on top of the exhaustive code reviews we’re doing and runs with our static code analysis tools PREfix and PREfast). I’ll also talk about how we intend to continue to offer the value of ActiveX controls while offering more protection against ActiveX-based exploits. I’ll also demo the new Phishing Filter.

    CH Lim, thanks for the tips on KL. I love night markets and will definitely check out Petaling Street, but I already have a copy of Windows Vista beta 1! 🙂

  17. Anonymous says:

    Hello,

    I have been waiting for years for a referrer filtering option in IE that doesn’t need third party software, like proxo, webwasher or some FW add-ons, etc…, like in Opera for instance.

    Why does MS refuse to implement it?

    Best regards,



    JacK WinVI x86 MVP Security

  18. Anonymous says:

    Pete: Your example of buffer overflow is also incorrect. Buffer Overflow (or ‘Overrun’) refers to when a string of text has a designated amount of memory to be stored in, but instead the string ‘Overflows’ into memory it shouldn’t be using. This means that someone could inject malicious machine code and thus compromise the system. This fault is caused by software writers not checking to see if the string entered is too big for the memory allocated.
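    The mechanism comment 18 describes, as an added example in C (this is not code from the post or from any of the commenters). The `struct frame` layout, the `is_admin` field and the input string are constructed for the demonstration: a fixed 16-byte buffer is followed in memory by a field the attacker wants to control, the unchecked copy spills the extra input bytes into that field, and the bounded copy rejects the same input.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed layout for the demo: a 16-byte name buffer immediately
   followed by a field whose value matters. Nothing here comes from IE. */
struct frame {
    char     name[16];
    uint32_t is_admin;   /* lives at offset 16, right after the buffer */
};
_Static_assert(offsetof(struct frame, is_admin) == 16, "is_admin must directly follow name");

/* Vulnerable: the copy is bounded by the input, not by sizeof name.
   The write goes through a byte pointer over the whole struct so the
   demo stays inside one object and does not depend on stack layout;
   the only limit applied is the size of the struct itself. */
static void copy_unchecked(struct frame *f, const char *input)
{
    unsigned char *dst = (unsigned char *)f;   /* view the struct as raw bytes */
    size_t n = strlen(input) + 1;              /* copy the terminator too */
    if (n > sizeof *f)                         /* never leave the object entirely */
        n = sizeof *f;
    memcpy(dst, input, n);                     /* no check against sizeof f->name */
}

/* Fixed: check the length against the buffer before copying, and refuse
   input that does not fit rather than truncating it silently. */
static int copy_checked(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof f->name)                   /* need room for the terminator */
        return -1;
    memcpy(f->name, input, n + 1);
    return 0;
}

/* Feed input through the vulnerable path; return what ended up in is_admin. */
uint32_t run_unchecked(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    copy_unchecked(&f, input);
    return f.is_admin;
}

/* Feed input through the checked path; -1 if rejected, else the is_admin value. */
int run_checked(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    if (copy_checked(&f, input) != 0)
        return -1;
    return (int)f.is_admin;
}

int main(void)
{
    /* 16 filler bytes, then 4 bytes of 0x01 that land on is_admin.
       Four identical bytes make the result independent of endianness. */
    const char *attack = "AAAAAAAAAAAAAAAA\x01\x01\x01\x01";
    printf("unchecked: is_admin = 0x%08x\n", run_unchecked(attack));  /* 0x01010101 */
    printf("checked:   result   = %d\n", run_checked(attack));        /* -1 */
    printf("checked:   result   = %d\n", run_checked("tony"));        /* 0 */
    return 0;
}
```

    The point is the missing comparison against `sizeof f->name`, not the particular bytes: anything past the sixteenth character is written over whatever follows the buffer, and an attacker chooses those bytes. The checked version is what the `/GS` recompilation mentioned later in the thread is a backstop for, not a replacement.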

  19. Anonymous says:

    I spend quite a bit of time recently, trying to get a website working on a "low rights" computer – it had ActiveX turned off, so the usual Ajax methods did not work. Will there be a native XMLHttpRequest object in IE, or will I need to stick with my IFrames workaround? (for reference, http://verens.com/index.php?s=activex)

  20. Anonymous says:

    Great question Kae. Seems with the current trends in web dev that this would be important. I am hoping that IE 7 will include a native version as well that is code exact to all the other browsers implementation.

    Fair call that MS pioneered the method but I think this is one they should swallow their pride with in coming into line with the others.

  21. Anonymous says:

    *Sigh* I find it truly amazing how many people cannot read!

    "I’ll be talking about the kinds of threats we’ve seen, how we started to address them in Windows XP SP2"

    See how he says he’ll be talking about the security in XP SP2? What came with XP SP2? The IE6 update. Hence, my comment was 100% applicable.

    "Maybe those people running Windows 2000 should get a current OS?"

    We aren’t all as rich as you. I have 8 machines I need to upgrade. I don’t have the money to go out and buy several copies of XP. Not to mention some of the hardware isn’t exactly up to par with XP requirements. If you’d like to send me a check for $5000 or so, so that I may do this, I’ll gladly accept. And as I also mentioned, sometimes upgrades don’t work. There is the old "don’t fix what ain’t broke" adage. If the system works fine, many companies shy away from upgrading it for fear that it will leave them in worse shape than they are now. I don’t know how many times I’ve heard people say "You’re upgrading Windows??? That’s crazy, do a clean install."

  22. Anonymous says:

    Re: Jere and Xepol, we will talk about ActiveX and other extensions, thanks for the feedback

    Re: Brant, it’s a good idea for us to help folks understand the process that goes into a security update, thanks

    Re: codemastr and Fiery Kitsune, we’re working on posts with more information about how Phishing Filter will ensure privacy and we’ll get it to you on the blog

    Re: Xepol and James D, we treat social engineering as a type of threat. Phishing is one of the fronts we’re fighting on.

    Re: Dominic Self, I’m glad you like manage-addons! Thank you!

    Re: Tomasz Dudziak and Fletcher, I hear you: unlimited access to the system is a threat. User Account Protection and IE Protected Mode will help with this.

  23. Anonymous says:

    @codemaster,

    come on now, do you see firefox backporting 1.06 fixes into 1.0 or even earlier, do you see linux 2.6.* backported to 1.*, or apache, or apple or ………

    ms provides critical updates to IE on w2k but it does not nor should not provide all of the features in ie7 for the same reasons the products above don’t back port everything either

  24. Anonymous says:

    @Codemaster

    > There is the old "don’t fix what ain’t broke" addage. If the systme works fine, many companies shy away from upgrading it for fear that it will leave them in worse shape than they are now. I don’t know how many times I’ve heard people say "You’re upgrading Windows??? That’s crazy, do a clean install."

    Then surely sir you would not want to install all of these new "security" features on Windows 2000 for fear of breaking the system eh? You can’t have it both ways pal

  25. ieblog says:

    Codemastr – We aren’t abandoning Windows 2000. We fully intend to keep Windows 2000 secure through the end of its life (which, by the way, is scheduled for 2010). We believe we can keep Windows 2000 users secure with regular security updates, like we’ve been doing on all our Windows platforms for the past few years. No, we’re not bringing IE 7 to Windows 2000, but that doesn’t mean that Windows 2000 is insecure.

    Fiery & Codemastr – an anti-phishing blog post? Not a bad idea. We’ll see what we can do. I’ve seen from the comments on this blog that lots of folks are anxious to hear about it.

    -Christopher [MSFT]

  26. Anonymous says:

    "Then surely sir you would not want to install all of these new "security" features on Windows 2000 for fear of breaking the system eh? You can’t have it both ways pal"

    You can argue linguistic semantics all you like, I’m telling you how it is because I’ve seen it with my own eyes. If you can’t see the difference between installing a security update for IE and upgrading an entire OS, well then I can’t really say much more.

    Christopher:

    "No, we’re not bringing IE 7 to Windows 2000, but that doesn’t mean that Windows 2000 is insecure."

    That’s fine. What I’m asking is, I’d like someone from Microsoft to explain to the users *why* IE 7 isn’t necessary to keep older OSes secure. Meaning if you’re touting all of these new security features of IE7 (which I value a great deal), I’d just like to know why MS feels they are not necessary to secure pre-XP systems. Is it simply not possible for IE7 to be made compatible with pre-XP (same with IE6 SP2)? Or was it just a decision that was made? I’m just looking for an explanation. I’m sure I’m not the only IE user wondering this so I think it’s a good topic for a security conference.

  27. Bruce Morgan [MSFT] says:

    A phrase I like to use is "all things are possible with software, but not all things are practical". We decided, based on quite a bit of consideration and research, that it was not practical for us to build IE7 to be compatible with Win2K. We’ve covered that topic before previously on the blog.

    IE7 relies on new features in Windows Vista as well as numerous core changes made for XPSP2 that were brought to Win2K3 SP1 and then to Windows Vista. We won’t have "low rights IE" on XP, but I think we’ll have all the other features.

    IMHO, the most secure way to browse the Internet will be IE7 on Windows Vista. I don’t believe that IE6 on XPSP2 is "insecure", but it won’t be "as secure" as IE7 once IE7 releases.

  28. Anonymous says:

    But does something like the phishing philter rely on the OS? Could it perhaps be implemented as an add-on to IE6 for Win2k somewhere down the line? 2010 is still quite far away.

  29. Anonymous says:

    "IMHO, the most secure way to browse the Internet will be IE7 on Windows Vista. I don’t believe that IE6 on XPSP2 is "insecure", but it won’t be "as secure" as IE7 once IE7 releases."

    Ok, I can understand where you are coming from here, but is IE6 on pre-XPSP2 "insecure"? Meaning the one that doesn’t have popup protection, doesn’t have the ActiveX confirmations, etc. I don’t see why users on XPSP2 wouldn’t upgrade to IE7, so I think that point is moot. The question I’m asking is, what is being done to keep the people who are stuck running IE6 on *pre-XPSP2* secure? As Fiery said, are any of the features going to be rolled into an upgrade for pre-IE6SP2? In addition to the anti phishing, my guess is that the popup blocker from SP2 also doesn’t rely on any special OS changes, so couldn’t that be done as well?

    I’m not suggesting that you rewrite the OSes to work with the new IE (I understand stuff like the "Block/Unblock" will require OS changes), that would be insane and a waste of time. I’m talking about backporting those features that *don’t* rely on OS changes. As I said, at this point I can’t really see why an IE user on pre-XPSP2 would stick with IE, pretty much you’ve said "the browser you have now is the browser you’re stuck with." No new security, no new standard support (which will be a nightmare to web developers since it means they still have to deal with IE kludges for the hundreds of thousands of users who will be stuck with IE6), etc.

  30. Bruce Morgan [MSFT] says:

    Much of the deeper security mitigations on IE6 for XPSP2 rely on a host of changes in IE6 and the rest of the OS. Things like recompiling everything with the /GS flag, a thorough code review and TMA process for all the binaries, etc. IE6, as a platform component in the OS, went through that process.

    The ActiveX confirmations are in IE6 for Win2K – they’re not quite as visible as the information bar of IE XPSP2. There’s no popup blocker, but that feature is less about security and more about avoiding user annoyance. Plus there are plenty of 3rd party popup blockers that work with IE on Win2K. Features like application execution prevention (save a file from the web, execute it from the shell, and you’ll get a safety warning) require changes "outside" IE – in the shell, in the rest of the OS, etc.

    There’s actually a pretty small subset of things that are in the intersection of "IE6 features" and "don’t rely on changes elsewhere in the OS". This is why IE6 for XPSP2 came in a service pack, and why that service pack is huge. IE7 is in the same situation, although there are more features like the phishing feature that could be more easily backported.

    We could have decided to do some Frankenbuild of Win2K OS bits with IE7 platform bits and IE7 features (minus ones based on XPSP2 or Vista changes), maybe port a few more things, etc. Then it’s not really IE7 anymore – it’s a confusing subset of IE7. That’s part of why we decided it just wasn’t practical to bring IE7 to Win2K.

    I think it’s worth repeating that Win2K and IE6 will still get security updates as described in the lifecycle policy.

  31. Anonymous says:

    Bruce, did you ever consider having a message board for IE discussion? Sure the newsgroups are nice but they are showing their disorganization.

    I know you guys won’t even consider something like phpBB or Invision, but how about something closed-source like Lithium?

  32. Anonymous says:

    Why don’t you open a bug tracking web page for IE7? I’d suggest Bugzilla but that may be taking it too far.

  33. Anonymous says:

    when are you going to have full CSS 2.1 support?

    (Sorry, could not resist)…

  34. Anonymous says:

    Is it physically possible to program and backport the non-OS-reliant security features in IE7 to Windows 2000?

    I mean, if you really wanted to, and had the time+money+human resources available, could features like the phishing filter be put on 2000?

  35. Anonymous says:

    Speaking of security, before visiting Malaysia you may want to check out the State Department’s online travel advisories…

    http://travel.state.gov/travel/cis_pa_tw/pa/pa_1164.html

    This Public Announcement reiterates the Department of State’s ongoing concern about the safety of American citizens, especially those contemplating travel along the east coast of the Malaysian state of Sabah and overland travel into southern Thailand. The Department of State strongly urges American citizens to defer all non-essential travel to Eastern Sabah’s coastal areas and offshore islands.

  36. Anonymous says:

    I thought we were talking about IE7, not IE6. IE7 isn’t a security update is it? It’s a full browser update. If Windows 2000 is in extended support for only security updates, it wouldn’t get IE7.

    Seems simple enough to me. Maybe those people running Windows 2000 should get a current OS?

  37. Anonymous says:

    Robert, perhaps you should have read that URL. It clearly says Windows 2000 will remain in extended support through 2010. According to the site it says security updates will be provided. IE6 SP2 was, as far as I can tell, only a security update (I haven’t heard of any non-security related features). Hence, Microsoft has some other reason.

    I’d simply like THEM to explain why. I don’t think that’s a huge request. I just want to know why they’ve decided to ignore security for OSes that are still run by hundreds of thousands of people.

  38. Anonymous says:

    Re: Xepol

    > Downloading and installing any application being it
    > activeX or the latest screen saver with naked pics
    > of the female of the moment comes with the inherient
    > problem – you are running someone else’s code on your
    > computer, it has full access.

    Yes – and it should *not* have full access. On unix-like systems all it can damage is home directory so Netscape/Mozilla plugins aren’t so dangerous there as ActiveX is.

  39. Anonymous says:

    Re:Brant

    Having worked at Microsoft, seeing you say that "..the biggest thing to improve my confidence in Microsoft was being able to see the process behind things" makes me doubt you actually interned there at all. Ugh, the horrors.

    Re: Pete

    I don’t think Xepol was defining that as a "Buffer Overflow", but rather that no matter how many real issues (Buffer Overflow) that IE fixes with itself, there will always be a stupid user that puts themselves at risk because they don’t know what they’re doing when they click without paying attention.

  40. Anonymous says:

    Re: Xepol

    "MS’s real problems all stem from buffer overflows."

    I see you using the term buffer overflow several times in your post, I’m not sure you understand what it means. The situation you describe is that a user is running a script or an executable by clicking OK on a dialog. No exploiting has occurred. The user just ran untrusted code as "root". No unsafe string copy is to blame there, the user told the shell to execute the script.

    If the user is not in a root shell, they can do less damage. That is the whole point of LUA and Protected Mode IE. User X can click OK to run whatever he wants, but the shell will disallow the parts that require higher privilege (e.g. system file hacking, installing toolbars).

  41. Anonymous says:

    I’d like someone to give a VERY detailed description of how Microsoft is going to ensure user privacy with the new anti-phishing feature. Meaning, I think it is important to assure users that new security features won’t be more of a security risk than the problem they are fixing.

  42. Anonymous says:

    While interning at MS this summer, the biggest thing to improve my confidence in Microsoft was being able to see the process behind things. Show the audience what happens when you get a security report. Show them what you do to prevent the type of security report ever again. Things along those lines are the best.

  43. Anonymous says:

    Jeffrey wrote:

    >>>>(so, not “when are you going to have full CSS 2.1 support?”)

    >>obviously, were not gonna have it, so I believe mostly everyone has lost any kind of hope.

    If you insist on following your off-topic tangent, here’s a summary of the official word previously given by the Microsoft guys:

    1. IE7 will ship with full CSS2 support (thank God, and yay IE team!)

    2. IE will be updated to support CSS2.1 (hopefully within a reasonable timeframe) after the standard is finally Recommended.

  44. Xepol says:

    Jere : Don’t be foolish. ActiveX is no different than netscape plugins. In fact, most of the internet depends on it for content. ActiveX actually went further and allowed for code-signing from the get go (making it more secure than netscape plugins).

    No, having active-x isn’t the problem. Poorly written ActiveX controls are the problem (the fact that so many of them come from MS themselves is just a seriously aggravating factor). The zones let you bypass the code signing, so actually they are a sign of security, not the lack thereof.

    Downloading and installing any application, be it activeX or the latest screen saver with naked pics of the female of the moment, comes with the inherent problem – you are running someone else’s code on your computer, it has full access. You have to be able to trust the code or else evil things can and frequently do happen.

    MS’s real problems all stem from buffer overflows. Phishing isn’t a code problem, it is social engineering, and it happens all the time WITHOUT MS being involved (no, that wasn’t IT you just supplied your username and password to!). MS might be able to help with phishing, but people are inherently stupid (review the whole I love you story for details), so it will never EVER be enough.

    It doesn’t matter how many buffer-overflows you fix, someone will eventually decide that even though they had seen 20 suspicious emails tagged I love you, the one they just got from their industry mailing list MUST be legitimate, open it and run the attachment.

    I’ve yet to hear a believable explanation (even from a linux fanatic) on how MS could be the cause of this kind of stupidity.

    (You would not believe how many machines I have had to clean viruses off because the "operator" just clicks OK on every dialog they see without reading it because it gets in their way. In spite of repeated lectures on that, they form my most active contingent of return business. PEBKAC indeed!)

  45. Anonymous says:

    Could you be so kind as to add the addEventListener() and the XMLHttpRequest() Javascript functions,

    This shouldn’t be difficult because they already exist for IE (under a different name) but this will really help people’s scripts to just work in IE + it will help to minimize the amount of browser detection & hacks needed per script.

    If you do this you will make me very happy 🙂 thnx

  46. Anonymous says:

    Hi,

    I’m a little concerned about the Phishing Filter.

    How long should all IE 7 users have to wait until a "Phishing Site" appears as "reported" by IE 7?
