More details on Protected Mode IE in Windows Vista

Hello, I’m Marc Silbey, a Program Manager focused on IE security. I’m back from my honeymoon and I want to follow-up to Rob’s last post on IE7 Security by providing you with more detail on Protected Mode’s compatibility features and by telling you about a related workaround to a known issue in the first Community Technology Preview (CTP) build of Windows Vista.

As Rob mentioned, Protected Mode helps to eliminate the silent install of malicious code through Windows Vista’s User Account Protection (UAP) technology by blocking writes outside of the Temporary Internet Files (TIF) folder. Protected Mode also leverages UAP’s User Interface Privilege Isolation (UIPI) to help prevent Window messages from being sent to higher privilege processes.

For this release, security is our number one priority and preserving compatibility is a close second priority. To maintain compatibility, Protected Mode launches broker processes at the user and admin privilege levels to accomplish elevated operations like saving web pages and installing ActiveX controls through UAP’s Application Info Service (AIS).

User Account Protection is enabled in the Windows Vista CTP build, but Protected Mode work is not done yet and hence users are unable to install ActiveX controls in the default configuration. To solve this problem, the following procedure can be used to temporarily elevate IE’s permissions:

  1. Start IE with elevated permissions: click Start, point to All Programs, right-click IE, and then select Run Elevated.
  2. Perform the ActiveX installation.
  3. Exit the current instance of IE.
  4. Start a new instance of IE normally (without Administrator permissions).

Protected Mode also includes compatibility features which allow most add-ons to continue running unaffected and which provides impacted add-ons with feasible implementation options. For example, a compatibility layer automatically redirects file writes to the TIF, a new SaveAs API prompts the user with a File Save dialog thus allowing add-ons to write outside of the TIF, and the User-level broker provides a way for add-ons to bypass Protected Mode for certain secured API calls given user consent. 

For more details on Protected Mode including a demo of how Protected Mode helps protect users, check out our Channel9 Interview of Rob Franco and Robert Gu, lead developer for Protected Mode.

I look forward to writing more on this topic in the coming months and to reading your feedback on Protected Mode.

 – Marc

Comments (34)

  1. Venu Anuganti says:

    Nice one Marc…keep updating us with good info

  2. CornedBee says:

    You say it uses Vista’s UAP. Does that mean that protected mode will not be available in XP?

  3. Rosyna says:

    Does "Run As Elevated" require that the user enter their user account password before they can continue?

    Or will it require it to install ActiveX controls?

    I’d hate for the final version of Vista to make it so users feel they’ll have a better experience when running IE in elevated mode.

  4. ieblog says:

    Corned Bee, Dean’s post from the other day states, about Protected Mode:

    "Because the foundation work to make this possible is in Windows Vista, this feature is not available on the XP version of IE7."

    Al Billings [MSFT]

  5. Anonymous says:

    Rosyna presents a valid point, that is users ALWAYS, or being driven to the point to, using IE in elevated mode.

    Even Windows 2000 users still have a glimmer of hope by using least privilege, and creating a shortcut to Run As IE when elevated privileges are needed.

    Speaking of XP, when can we expect an XP SP2 release of IE7? All you need to do is add tabs and the phishing filter and other minor things, but we won’t be seeing all this in IE7 for XP so I thought we would expect a sooner release.

  6. Anonymous says:

    It was about time that NT had ACLs on USER objects, hell, it’s even possible to kill some badly coded interactive services by finding one of their windows and sending a WM_QUIT! That definitely should not be allowed.

  7. ieblog says:

    Rosyna: Yes, but you missed the point of Marc’s post- running IE elevated to install an ActiveX control is just temporary in the CTP build of Windows Vista. It won’t be that way at RTM.

    Redxii: Users in Windows Vista won’t need to run in elevated mode. That’s the point of Protected Mode, and all the work we’re doing to make it functional. And, even if they do, IE still won’t have all the priveleges of the user they’re running it as (see previous blog posts). As for your question, "when can we expect an XP SP2 release of IE7," well Beta 1 is already out. Folks who are on the Windows Vista beta have access. If your question is "when is a public beta" well– you’ll just have to wait for now. I don’t believe there’s been any public date released yet.

    -Christopher [MSFT]

  8. Anonymous says:

    Chris, you and your buddies at Microsoft do realize that the IE7 and Vista beta are widely available over the internet… Stop acting like they aren’t.

  9. Anonymous says:

    i’m having a HUGE problem with IE Explorer and nothing is working. Whenever I open it it’s fine, but the second I try to switch to a new page other than my homepage it just brings up that "IE needs to shut down" error message. If im taking a direct link (like when i open Yahoo messanger and it tells me i have mail and i click the read my messages link) it’s fine mostly, until i try to go away from anything to do with that site. I’ve tried everything. i have IE 6 and there is no option to uninstall so i can re install. I’ve done spybot and adaware to see if i have a conflicting spyware application. i’ve tried resetting my defaults in IE. I’ve typed sfc /scannow in run. i’ve searched the Microsoft website and NOTHING anyone tells me to do works. can you help me? if so, email me back or leave a comment on my xanga site or something. i would so appreciate it cuz i’m going nuts.

  10. Anonymous says:

    Sounds really cool.

    Is there going to be any chance of blocking downloads by detected MIME in group policy. I know that this would help LOADS of organisations out.

    You already have the technology, now give us the control. 🙂



  11. Anonymous says:

    <<the IE7 and Vista beta are widely available over the internet… Stop acting like they aren’t. >>

    I don’t see anyone acting like the betas aren’t illegally available on Warez sites. But do you expect MS to advocate illegal distribution of any product? Furthermore, what odds are there that a warez’d copy contains some "special surprises" added by the crooks who pirated the code?

  12. Venu Anuganti says:

    Even though its not relavant to post this topic here, though ieblog guys should know about this.

    Here is the latest bugs of IE7 on Vista:

  13. Anonymous says:

    If you’re a legitimate tester, why don’t you just submit the bugs through Connect like you’re supposed to?

  14. Anonymous says:

    Anona, You mention Protected Mode not applying to a host of the WebOC. That’s correct, in Protected mode, the IE process is actually launched with lower privileges so it does not apply to the WebOC. It is possible for any ISV to configure their application to launch with lower privileges. Any app that handles data from the network could be made safer by running with lower privilege. Based on the response I got at the PDC, don’t be surprised if other products also decide to run with least privilege.

    – Rob Franco [MSFT]

  15. Anonymous says:

    <<Lately I’ve been documenting how adware is installed on machines by exploiting security hole. Will the Protected Mode stop this?>>

    Generally, staying up-to-date on patches will completely block this. But yes, Protected mode is explicitly designed to be a defense-in-depth measure that would mitigate exploit of a vulnerability even if a patch was not available. The exploit code will not even have user-permissions, and hence will not be able to register itself or copy its files to the local system.

  16. Anonymous says:

    Lately I’ve been documenting how adware is installed on machines by exploiting security hole. Here’s an example:

    Will the Protected Mode stop this?

  17. Anonymous says:

    While you are at it, explaining how the new security will ease the life of everyone, don’t forget to explain the differences with the web control hosting : in C9 it was said none of the UAP applies. Ouch! It means that it virtually kills Maxthon(ex MYIE2), AvantBrowser, and even all RSS readers using IE as their rendering back-end.

    What I mean by kill? It will take a few months to raise the awareness that those are now left behind and second class products.

    What about that? If that’s true, gotta like be a web control hosting ISV…

  18. Anonymous says:

    Developers! Developers! Developers! Developers! Developers! Developers! Developers! Developers! Developers! Developers! Developers! Developers! Developers! Developers! Developers!


  19. Hej,

    Det finns mycket att skriva om Internet Explorer 7. I denna post t&#228;nkta jag bara n&#228;mna den viktigaste…

  20. One of the big concerns of anyone considering moving to Windows Vista is “How many of my applications