Security and Compatibility with IE7


One of the biggest challenges in making software more secure is maintaining compatibility with the existing functionality that customers depend on. We’re here at the RSA security conference in Silicon Valley to work with other software and security professionals to meet our customers’ expectations for safety and compatibility. While we have taken a great deal of care to preserve compatibility, the new security features in Internet Explorer 7 do change the way the platform works, and only testing with your own products can gauge the impact and the investment you may need to make to be fully compatible with IE7.

For the IE7 Beta preview for XP SP2, we prepared preview documentation and a preliminary compatibility tool to help developers analyze and address the most difficult compatibility and security problems posed by IE7 for web sites and browser extensions. More documentation will follow for other security features, but we are releasing the documents for the most challenging security features first. This will give you the maximum time for testing and remediation of any issues you find.

One or more of the security enhancements in IE7 may require an update in your code. The most notable changes include:

  • “Protected Mode” for Windows Vista will run Internet Explorer with restrictions that help prevent attackers from using vulnerabilities to install malware or otherwise damage a user’s system. At the same time, Protected Mode restricts Internet Explorer itself and will restrict extensions run in Internet Explorer. It is possible that you will need to update your extension to be compatible with Protected Mode.
  • “ActiveX opt-in” will disable most ActiveX controls on the system. If your ActiveX control needs to be enabled by default, we have put together a set of ActiveX best practices to help you understand how to make it safe enough to be used on the internet and enable it for use with IE7.
  • IE7 has more secure defaults for SSL. IE7 will disable SSLv2, enable TLSv1, block non-secure http content in secure https pages, and block navigation to sites that have SSL certificate errors.
  • We rebuilt critical code paths for URL parsing and Cross Domain security using new best practices for secure software development. Your website or application may need to be updated if it relies on a non-standard URL syntax. The compatibility tool will help you test for these problems.
  • We have retired a number of rarely-used legacy features from the product to reduce attack surface. The removal of these features may require you to update your website or your application. Please refer to the IE7 Beta preview release notes for the list of removed features.
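The SSL bullet above says IE7 blocks non-secure http content inside secure https pages. The following is an added example, not code from the IE team, showing how such a check is decided: collect every sub-resource reference on an https page, resolve it against the page URL, and flag those that resolve to plain http. The tag/attribute table and the sample page are constructed for this example and are not IE7’s actual rules; relative and protocol-relative (`//host/path`) references inherit the page’s scheme, which is why they are not flagged.

```python
"""Mixed-content check for an https page (added example, not IE code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags/attributes that fetch sub-resources when the page renders.
# Constructed for this example; IE7's own list is not given on the page.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
}


class SubresourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every sub-resource reference found."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return  # plain links are navigations, not sub-resources
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, value))


def find_mixed_content(page_url, html):
    """Return (tag, resolved_url) for sub-resources an https page loads over http.

    A page that is not itself https has no mixed content to block.
    Relative and protocol-relative references resolve to https and are kept.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    collector = SubresourceCollector()
    collector.feed(html)
    insecure = []
    for tag, ref in collector.refs:
        resolved = urljoin(page_url, ref)
        if urlsplit(resolved).scheme == "http":
            insecure.append((tag, resolved))
    return insecure


# Constructed sample page: two secure references, one protocol-relative
# reference, two http references that would be blocked, and one plain link.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<img src="//static.example.test/logo.png">
<img src="http://ads.example.test/banner.gif">
<a href="http://example.test/plain">a link is a navigation, not a sub-resource</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.test/login", SAMPLE_PAGE):
        print(f"blocked <{tag}>: {url}")
```

Run against the constructed page, the two http references (the legacy script and the ad image) are the only ones reported; the same page served over http yields nothing, since the block applies only inside secure pages.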

Besides ensuring compatibility, website developers and software developers can take advantage of IE’s security features to help users feel more confident while they browse your site or download your code:

  • IE7 includes an enhanced experience for sites that present the upcoming higher assurance SSL certificates, including the lock icon with a green filled address bar. Along with other browsers, the certificate authority industry is working with us towards a tougher SSL standard for the enhanced experience. This past Sunday and Monday, we met to work on the standard with the American Bar Association here in San Jose. The certificate authorities who collaborated with us this weekend include Geotrust, Verisign, Identrus, Comodo, Cybertrust, Go Daddy and X-Ramp. To see what the experience will be like, you can try out the enhanced experience by downloading a test root certificate and then visiting our demo site using IE7 Beta 2 Preview. If you think your site should have this experience, contact your certificate authority to learn about their plans to offer higher assurance SSL certificates that will be recognized by the IE7 address bar.
  • In the upcoming Beta 2 release, IE7 will let users sign into web sites using visual “InfoCards” rather than passwords.  This eliminates a number of common attacks because when no password is typed, there is none to be stolen (and none to forget).  The “InfoCard” system uses certificates to make it harder for imposter sites to pass themselves off as genuine.
  • IE7 checks the signatures on downloaded programs such as ActiveX controls and executables to make it easy for customers to identify your code. If you distribute software over the internet, you should sign your code with a valid code signing certificate.

We’ve already had the chance to work with engineers from companies like Adobe, Real Networks and many others. We found that our colleagues at these other companies are just as passionate about security as we are. We hope you’ll take this opportunity to work with us towards a safer experience for our mutual customers. We look forward to your feedback during this process and getting to know you better along the way!

 – Rob Franco

Comments (49)

  1. Adam says:

    Why google adsense always come up as a suspicious site?

  2. All – sorry it wasn’t more clear, if you’re running IE6SP1 or Windows XP (SP1 or SP2), you’re not vulnerable. Only users still running IE 5.01 on Windows 2000 SP4 need apply this update.

    IE7 is also not affected.

    -Christopher

  3. Zian says:

    Great work!

  4. Mitchel Tyrell says:

    Rob, could you have IE send anti-spyware programs a notification after an ActiveX control is downloaded but before it is installed. That seems like a decent way to protect users on XP who cannot depend on protected mode.

  5. bryce schaufelberger says:

    Hi, why is it that in IE7, when you type an email and make a mistake on web-based email like Hotmail (which I have), it does not delete the word? You have to put the mouse on the letter to clear it. See for yourself, try it. Can that be fixed?

  6. game kid says:

    "Rob, could you have IE send anti-spyware programs a notification after an ActiveX control is downloaded but before it is installed. That seems like a decent way to protect users on XP who cannot depend on protected mode."

    I second that.  Then the spyware thingy can check for signs of suspiciousness before all hell breaks loose.  Sadly, all hell can still break loose with an ActiveX.

  7. game kid says:

    Or why not restrict file reads/writes from an ActiveX to once every second?  That way, any chaos can be slowed down…

  8. adrianotiger says:

    I can understand that you want more security for your IE. But please, please allow to see the image I want to upload on the internet! I can’t write document.all['imageobject'].src = this.value on an input object!

    The source from the image is the path in the internet + imagefile name. It should be path to the image + imagefile name!

  9. Max C says:

    "If you distribute software over the internet, you should sign your code with a valid code signing certificate."

    Presumably this statement does not apply to .NET controls hosted in IE?  Or at least not to those that don’t require any additional trust than the standard internet zone?  (It’s a bit worrying to see all this news about changes without any mention of .NET controls… but they do still work in the beta so I’m keeping my fingers crossed!)

  10. Paul says:

    I really do appreciate the ActiveX Opt-In Improvement.

    Could we get an Internet Zone Ajax-Maniac Opt-In feature as well? Just an information bar like: “This Webpage sucks: It’s associated with more than 1000 lines of script. Click here to enable/continue script execution for this page.” 😉

  11. kL says:

    Does InfoCard store private keys on user’s computer? If attacker gains access to user’s drive, can he steal his InfoCard identity?

  12. PatriotB says:

    "Or why not restrict file reads/writes from an ActiveX to once every second?  That way, any chaos can be slowed down…"

    Any idea on how this would be accomplished?  ActiveX code is just regular program code that gets called from within the iexplore.exe process.  There wouldn’t be a reliable way to know whether a given file I/O is caused by an ActiveX control or a different part of IE.

  13. cooperpx says:

    Can you guys please update this page …

    http://msdn.microsoft.com/ie/releasenotes/default.aspx

    … to report that Digest Authentication continually prompts for credentials (whatever the real reason)?

    – going nuts here without any feedback

  14. jace says:

    Thawte personal email certs won’t download in IE 7.

    When selecting these options (star (*) by the selected item)

    X.509 Format Certificates

    For an X.509 certificate, please choose your software from the list below:

     Netscape Communicator or Messenger

    *Microsoft Internet Explorer, Outlook and Outlook Express

    Lotus Notes R5

    OperaSoftware Browser

    C2Net SafePassage Web Proxy

    I get the following message:

    Form Processing Error

    An error occurred while we were processing your form. Usually this means that one of the values you submitted in your form was invalid, or you did not put a value in a required field. Please check the error message below, and then review your submission.

    The actual error given was:

    Version 7 of MSIE does not support these certificates.

    Kind regards,

    thawte

    it’s a trust thing

  15. Blacksun06 says:

    Bill Gates talked at RSA about "higher assurance" ssl certificates for websites.

    Only "higher assurance ssl website cert" would trigger the "green URL bar" in IE 7.

    Could anybody from Microsoft or external specialists explain to me:

    – what would be the differences with current ssl website certificates at the X509 cert fields level ?

    – what would be the difference at website identification level ?

    – what will be included inside the certificate fields to express that difference ?

    – would emission of "higher assurance" certificates be limited to certification authorities that come by default with windows/IE and are updated via windows update ?

    regards,

    Fred

  16. Blacksun06 says:

    Some questions and requests to the IE 7 product management.

    I saw strange differences between IE 7 beta 1 and IE 7 beta 2 when clicking on the "SSL lock" (the one just on the right of the URL bar).

    In IE 7 beta 1: the displayed certificate information summary seems logical to me: it indicates the CN of the certification authority that did issue the ssl website certificate. This is inline with the "issued by" display when you double click on a certificate in earlier versions of the "view certificate details".

    IE 7 beta 1 displayed text is "SSL secure (128 bits) you should send confidential information only if you trust the organization listed

    what is a certificate ?

    Certificate information followed by :

    – the "O=" information of the website ssl cert

    – the "C=" information of the website ssl cert

    Website certification provided by : CN field of the X509 certificate of the issuing CA.

    In IE 7 beta 2, everything seems to have changed; clicking on the "SSL lock" (the one just on the right of the URL bar), I have:

    Secure connection

    "O=" field of the issuing CA has identified this site as

    CN of the website ssl cert

    Owner unverified

    Location unverified.

    Limited information about this website is available. You should send confidential information only if you trust this website.

    What is a certificate.

    Question 1: It took a long time to educate customers/users to check the "issued by" field of the certificate details (= CN of the issuing CA cert), why now change the field identifying a Certification authority to the "O=" field ?

    I would like to stress that I think the IE 7 beta 1 "security message" is better because it relies on several years of education to customers and users for a lot of companies offering services on the internet and remains inline with past versions of windows and IE, making the understanding easier for customers….simplicity in security communication to users is of primary importance here…

    Question 2: what is owner in this security message ? what is location in this security message ? to which X509 website and issuing certificate field does this correspond ? What are the "security semantics and policies" around these items ?

    any clarifications and brainstorm around this more than welcome

    greetings

  17. Dave Bacher says:

    Re: Restricting ActiveX controls

    There was a comment above about "how can you restrict ActiveX controls," and the answer is application level security.

    The problem with ActiveX can be correctly resolved by the IE team, if they actually care to implement it.

    At module load time, every ActiveX control is assigned a HLIBRARY.  Given a return address on a call stack, I can determine what module is invoking a routine.  Based on that information, I can add a Windows XP group to the current effective permission set, which in turn allows me to restrict all file, installer, etc. access to the machine.

    This is how tools like DEP work on processors that don’t support it — Microsoft looks to see if the caller is a data segment, which it knows by the address.  It would be just as easy to have a quick-dirty check based on the module handle.

  18. download accelerator incompatible says:

    Here is the problem. I have Download Accelerator Plus 8.0 from Speedbit. Unfortunately, it sometimes intercepts files that are meant for a webpage in IE7. As soon as that happens, IE7 crashes. That’s a bug in IE 7.0.5296.0 with DAP 8.0.4.1. I am running WinXP 5.1 with SP2 on an Athlon XP 2800 with (1/2)GB DDR memory on an AsRock K7VT4A+ motherboard.

  19. codemastr says:

    Since InfoCards seem to be part of winfx, does that mean they are Vista only?

  20. Dean Harding says:

    Dave Bacher: You can’t trust the return address on the call stack, it’s fairly easy to fake. For a good explanation, see:

    http://blogs.msdn.com/oldnewthing/archive/2004/01/01/47042.aspx

    And that’s not how software-enforced DEP works at all. All software-enforced DEP does is, before a structured exception handler is dispatched, it checks that the SEH address is registered in the function table in the image. It doesn’t check anything on the stack at all.

  21. Ralf says:

    Clicking on the "SSL lock":

    You only show the certificate – that is not enough!

    Please show additional:

    * What kind of public/private key algorithm do you use for the session? What is the key length?

    * What kind of symmetric key algorithm do you use? What is the key length?

  22. Fred says:

    Hello,

    On microsoft.public.internetexplorer.general, Eric Lawrence indicated that in the final IE 7 release, the IE 7 SSL Security report will show the name of the root (the trust provider), and the Subject.CN.

    Do you know what is meant by the "name of the root"? Is this the CN of the root CA? Is it the "O" of the root CA, some other part of the DN, or the complete DN of the root CA?

    On the same newsgroup, he says "In the case of an enhanced validation cert, IE 7 show the SubjectO, SubjectC, SubjectS, SubjectL".

    What will happen if subject S and subject L are not inside the website ssl cert ? Does this have some specific impact on the user experience with the "ssl security report"? For example, if "L=" is not present, would "location unknown" be displayed on the user screen, as I saw it during one of my IE 7 beta tests, even if the country C= would be present in the website certificate?

    As you know, "State" doesn’t exist in Europe and I don’t think L is much used either. Besides this, in Europe, the laws are identical within one country. This means basically that the legal value of the CP is determined by the laws of the country of the certification authority; a "location unknown" would be too strong if L or S were missing but the country (C=) were specified in the CA root and website ssl certificates.

    Last but not least, what is so specific about the Enhanced Validation cert ? What is inside or outside the cert that makes it recognized by IE 7 as "enhanced" (special field, special certificate policies OIDs,…)?

    Any help/hints greatly appreciated.

    regards

    Fred

  23. streaky says:

    ‘"ActiveX opt-in" will disable most ActiveX controls on the system. If your ActiveX control needs to be enabled by default, we have put together a set of ActiveX best practices to help you understand how to make it safe enough to be used on the internet and enable it for use with IE7.’

    Wait, am I reading this correctly? Did somebody finally get the message?

  24. EricLaw [MSFT] says:

    "Rob, could you have IE send anti-spyware programs a notification after an ActiveX control is downloaded but before it is installed. That seems like a decent way to protect users on XP who cannot depend on protected mode."

    This is already available to anyone who wants it.  See here: http://msdn.microsoft.com/library/default.asp?url=/workshop/security/antivirus/reference/ifaces/iofficeantivirus/iofficeantivirus.asp

  25. James says:

    The location bar should be displayed only when the popup window comes from another domain.

  26. Tim says:

    Sounds great! I just hope it won’t become too expensive. Small companies or group projects will probably have a need for security certificates as well.

    (Off-topic: is there a "due date" by which I should have submitted the bugs I found in the IE7 public preview? I’d like to know approximately how much time I have, I want to be as thorough as possible, but careful as well.)

  27. Wil says:

    Hey,

    What happened to protected mode in Vista Feb. CTP? In IE 7 it no longer shows protected mode in the status bar in IE. It’s just "Internet".

    Any ideas?

    cya,

    Will

  28. Slugsie says:

    I’ve found the security on the current beta to be pretty good, it’s caught all the phishing sites I’ve tried, and it’s blocked a lot of ‘naughty stuff’.

    I do have one request however, could the ‘padlock’ be moved to the other end of the address bar? The reason I ask is that I run at a high res (1600×1200) and the padlock can be a long way from the address, and it’s less obvious. It would also be nice if the address bar changed colour (like Firefox does).

  29. Naga says:

    Hi,

    Recently I upgraded my IE 6 browser to IE7. After the upgrade, when I tried to log into the Wells Fargo (www.wellsfargo.com) site, it did not allow me past the login screen, displaying that mine is an unsupported browser.

    I understand that IE7 is still a beta version and may not be tested and supported by Wells Fargo as a supported browser.

    Is there a way I can still use the IE6 that I used to have on my computer before this IE7 upgrade?

    Now I remain stranded, having to download one of the free browsers that Wells Fargo supports. I really do not want to download any web browser other than IE. Please advise me how I can still log into the sites that support IE6 but not IE7.

    URGENT!

    Thanks

    Naga

  30. Joseph says:

    I am using IE7 on Vista Feb CTP and I cannot get an IPSec cert for my machine through the normal Windows CA.  I go to the page to make the request and it sits forever at "Downloading ActiveX Control..".  I have added the site to my trusted site list but still no change.  Any ideas how to get past this?  Without this I can’t take Vista on the road.

    Thanks,

    Joseph

  31. Mitch 74 says:

    About ‘compatibility’…

    I have here (www.moneyshop-credit.com) a site that displays correctly in IE6, Firefox, Opera, Konqueror, Safari… Pretty much any browser, EXCEPT IE7b2 – and that is due to IE7 ignoring CSS in:

    – min-width,

    – max-width,

    – width: auto.

    Now, the latter was supposedly fixed in IE7b2, as said in http://blogs.msdn.com/ie/archive/2005/07/29/445242.aspx

    Looks to me like it isn’t as of IE 7.0.5296.0…

    So, alright, this is not security-related, but I find it strange that a supposedly fixed bug… isn’t.

  32. IEBlog says:

    As Rob pointed out in his last blog post on security and compatibility in IE7, one of the biggest challenges…

  33. IEBlog says:

    I’m really excited for my talk tomorrow here at Mix06. This conference feels more like a party than work….

  34. IEBlog says:

    Hello, we are Durga and Bala, from the IE IDC team. We would like to describe to you, a new feature in…

  35. I read about this internally yesterday and then on the blog posts today – IE7 will become part of the
