Understanding Enhanced Protected Mode

Last week, Andy Zeigler announced the introduction of Enhanced Protected Mode (EPM) over on the IEBlog. In today’s post, I’d like to provide further technical details about EPM to help security researchers, IT professionals, enthusiasts, and developers better understand how this feature works and what impact it may have on scenarios they care about. Internet…


Authenticode and Weak Certificate Chains

Recently, someone attempted to download a deprecated version of the Windows Script debugger. This tool was used to debug scripts prior to the introduction of more powerful, modern tools like those that are built into IE8 and later. The user emailed me when they encountered a very surprising outcome: After clicking the Run button, the…


Sharpen the Saw

Gather round, young’ins, Grandpa Eric is going to tell you a story. Back in the old days, when I started writing software, programmers’ utilities were sold in boxes in retail stores. You’d plunk down your 149 bucks or whatever (in cash, kids, this was before credit cards got popular) and you’d get your cardboard box…


Detecting Captive Network Portals

Over on SuperUser, there’s a great explanation of how Windows determines whether a newly-connected network has a proper Internet connection, or whether the user should open a browser to log in or click through a Terms of Use agreement. The general idea is that Windows will attempt to download a webpage from a well-known URL, and…


Misbehaving HTTPS Servers impair TLS 1.1 and TLS 1.2

Back in the summer of 2009, I blogged about Windows 7’s new support for TLS 1.1 and TLS 1.2. These new protocols are disabled by default, but can be enabled using Group Policy or the Advanced Tab of the Internet Control Panel: Some adventurous Internet Explorer users have found that if they enable these new…


IE9 No-Reboot Setup and the Windows Restart Manager

On Windows 7, Internet Explorer 9 can often be installed without rebooting the system. In cases where a system restart is required, either the system lacks one of the required prerequisites (so IE Setup is forced to install it and reboot) or a running program or service is holding one of Internet Explorer’s binaries and…


In-Place Shell Navigation with the WebBrowser Control on Windows 7

Because the WebBrowser Control (WebOC) can be used to display a wide range of content (HTML, Office Documents, PDFs, the local file-system, etc.) it is often integrated into applications as a somewhat generic object hosting surface. For Windows 7, a small change was made that will impact applications that use the WebOC to allow the…


Understanding Certificate Name Mismatches

Recently, I received a query from the Windows Mobile team – they had observed that visiting https://gmail.com triggers a certificate name mismatch error on IEMobile, but doesn’t seem to trigger any error on Windows 7 when using the desktop versions of Internet Explorer or Firefox. Now, long-time readers know that I love a good mystery, so…


Troubleshooting Authentication with Fiddler

Over the last few weeks, I’ve been exchanging mail with a webmaster (Vladimir) in Russia who reported that his customers were having problems using IE8 on Windows 7 to log into his website. His site uses HTTP Basic Authentication, so users are prompted to enter their credentials using the following dialog: I asked the webmaster to…


Getting the Server’s Certificate Chain from WinINET

Over the last few years, a number of folks have lamented that there’s no good way to get the server’s complete certificate chain from a WinINET HTTP response. That has changed with the release of the new WinINET shipping in Windows 7 / IE8. INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT is a new flag you can pass to InternetQueryOption to grab the server’s certificate chain….