IE7 on Vista (presentation transcript, added June 16, 2007)

Windows Vista and IE7
Juhani Vuorio, ISV Developer Evangelist, Microsoft Oy, juhani.vuorio@microsoft.com

Agenda

Secure and Trustworthy Browsing
- Malicious web pages often install malware or modify files by exploiting buffer overruns or other critical security exploits in IE or add-ons
- Solution: Protected Mode (Vista)
  - Eliminates silent install of malicious code
  - Protects the registry and file system from silent malware installs
  - Does NOT prevent running Win32 code
  - Only available on Windows Vista

Integrity Levels and policy
- Integrity levels are defined by Security IDs (SIDs); the RID defines the integrity level
- Primary integrity levels:
  - Low: S-1-16-4096 (0x1000)
  - Medium: S-1-16-8192 (0x2000)
  - High: S-1-16-12288 (0x3000)
  - System: S-1-16-16384 (0x4000)
- Integrity level policies are associated with generic access rights:
  - No-Write-Up: a lower IL process cannot modify a higher IL object
  - No-Read-Up: prevents a lower IL process from having generic read access
  - No-Execute-Up: prevents a lower IL process from having generic execute access
- Default policy is No-Write-Up

Process Integrity Level
- The security token in every process is assigned an integrity level
- Examples of assigned levels:
  - Low: Protected-mode IE, and processes started by Protected-mode IE
  - Medium: standard user processes, non-elevated admin (accessibility processes run slightly above Medium)
  - High: elevated administrator processes
  - System: Local System and Local Service processes
- A process usually inherits the IL of its parent
- If an executable file has an explicit IL, the process gets the minimum of the parent's and the file's IL
- Processes can also be created at an explicit IL (e.g. elevation)
- Ways to view a process's integrity level:
  - Command: whoami /all
  - Sysinternals Process Explorer and AccessChk (http://www.microsoft.com/technet/sysinternals/default.mspx)

Integrity Levels and User Interface
- The Windows subsystem also honors integrity levels with UIPI
- A lower IL process cannot send window messages to a window of a higher IL app, based on a filter
- Certain read-type messages are allowed past the filter and can be sent to the higher IL process's windows
- A higher IL process can register additional messages that pass the filter (ChangeWindowMessageFilter)
- A lower IL process cannot install hooks
- Prevents 'shatter' attacks

Object Versus Process Accesses
[Diagram: read and write access of a Medium IL process and a Low IL process to High, Medium and Low IL objects]

Protected-Mode Internet Explorer
- Problem: 'drive-by-download' malware uses buffer overflows and other vulnerabilities in IE, IE extensions, and ActiveX controls to compromise the user
  - Modifies the behavior of the user's account
  - Installs malware
- Solution: IE7 on Vista uses integrity levels and UIPI to isolate IE from the user's other processes, windows and settings
  - Runs IE at Low IL; also called Low-Rights IE (LoRIE)
  - Objects that must be writeable by IE are set to Low IL, e.g. Temporary Internet Files, Cookies, Recycle Bin, and various registry keys, including ones under HKCU\Software\Microsoft\Internet Explorer

Saving Content in Protected-Mode IE
- IE promotes explicitly downloaded content to Medium
  - Makes it equivalent to the user's other data and code
  - Prevents malware from tampering with it
- IE running at Low can't do that itself
  - Downloads first to a Low directory
  - Asks IEUser.exe, which runs at Medium IL, to promote
[Diagram: IExplore.exe (Low) calls IEShowFileSaveDialog and IESaveFile in IEUser.exe (Medium)]

IE7 in Protected Mode is 'least privileged'
[Diagram: under Integrity Control and UIPI, IEUser.exe brokers user-rights access (HKCU, My Documents, Startup Folder) and IEInstall.exe brokers admin-rights access (HKLM, HKCR, Program Files); IE itself holds only Temp Internet Files and untrusted files & settings]

Tools
- Application Compatibility Manager
- Internet Explorer Compatibility Test Tool
- IE7 Readiness Toolkit

Internet Explorer Compatibility Test Tool
- Monitors web application testing in real time; a notification appears in IE7
- Windows XP / Windows Server 2003: LMZL, MIME Handling, Windows Restrictions, Zone Elevation, Binary Behaviors, Object Caching, ActiveX Blocking, Popup Blocking, Download Blocking, CURL (Centralized URL Parsing), International Domain Names (IDN) Support, SSL, XDom Barrier, Manage Add-ons, Anti-Phishing, Cross Frame navigation, CSS fixes
- Windows Vista: all of the above, plus Internet Explorer Protected Mode
- Data can be saved and viewed locally, and can be uploaded to the ACT server to include in the compatibility evaluation

IE7 Readiness Toolkit
- Web developer toolbar (IE6+): rich tool set for exploring DHTML and CSS
- ExpressionFinder: identifies CSS hacks
- Fiddler: HTTP monitor
- http://blogs.msdn.com/IE/

IE7 Readiness Toolkit: Dev Toolbar Features
- Explore the web page DOM
- Locate page elements
- Selectively clear cache and cookies
- Validate HTML, CSS, RSS
- Use a full-featured ruler to help arrange content
- Disable/enable CSS parsing
- Color picker

IE7 Readiness Toolkit: Fiddler (http://www.fiddlertool.com/Fiddler/help/log.asp)
- Easy-to-use tool to monitor HTTP traffic
- Set traffic breakpoints and fiddle with incoming or outgoing data

Compatibility (1)
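The integrity-level rules in the slides above (SIDs whose RID carries the level, the No-Write-Up / No-Read-Up / No-Execute-Up policies, and how a child process gets its level) as an added model in Python; this is not Microsoft code, and the function and policy names are our own, not Win32 API names.

```python
"""Model of the Vista integrity-level rules from the deck (added example)."""
from enum import IntEnum


class IL(IntEnum):
    """Primary integrity levels; the value is the RID of S-1-16-<RID>."""
    LOW = 0x1000      # S-1-16-4096
    MEDIUM = 0x2000   # S-1-16-8192
    HIGH = 0x3000     # S-1-16-12288
    SYSTEM = 0x4000   # S-1-16-16384


def il_from_sid(sid: str) -> IL:
    """Map an integrity SID (S-1-16-<RID>) to its level; only the RID matters."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not an integrity SID: {sid}")
    return IL(int(parts[3]))


# Default object policy per the deck: only No-Write-Up is enforced.
# "NW", "NR", "NX" are our own labels (constructed) for the three policies.
DEFAULT_POLICY = frozenset({"NW"})


def access_allowed(process_il, object_il, policy=DEFAULT_POLICY, *,
                   write=False, read=False, execute=False) -> bool:
    """Mandatory integrity check: a process below the object's level is denied
    any generic access the object's policy forbids 'up'. Same-or-higher level
    is never blocked by integrity (the DACL still applies; not modelled here)."""
    if process_il >= object_il:
        return True
    if write and "NW" in policy:
        return False
    if read and "NR" in policy:
        return False
    if execute and "NX" in policy:
        return False
    return True


def child_il(parent_il, file_il=None, explicit_il=None) -> IL:
    """Level of a new process: an explicit level (e.g. elevation) wins;
    otherwise inherit the parent's, capped by the executable's explicit IL."""
    if explicit_il is not None:
        return IL(explicit_il)
    if file_il is None:
        return IL(parent_il)
    return IL(min(parent_il, file_il))
```

With the default policy a Low IL process (Protected-mode IE) is refused write access to the user's Medium IL files but may still read them, which is exactly why the slides say Protected Mode stops silent installs rather than preventing Win32 code from running.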
Compatibility (1)
- User Agent Strings and Browser Detection: accounts for 1/3 of compatibility problems; base your version-testing on >=, NOT =
- Overflow: use min-height/width or the correct box size
- The <?xml> prolog doesn't prevent strict mode in IE7, which affects the CSS Box Model:
  <?xml version='1.0'?>
  <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'DTD/xhtml1-strict.dtd'>

Compatibility (3) Fix CSS Hacks
- Hacks rely on parser bugs and/or not yet implemented features:
  - * html (Target: IE only)
  - _height:50px; (Target: IE only)
  - height/**/: 300px; (Target: everyone but IE)
  - html > body (Target: everyone but IE)
- Ideally no workarounds are needed, but reality intrudes
- If you use CSS hacks, only target already-obsoleted UAs
- Know in what browser version your hack will stop working
- IE alternative: conditional comments to target browser versions:
  <!--[if lte IE 6]>
  <link rel='stylesheet' type='text/css' href='iestyles.css' />
  <![endif]-->

Compatibility (2) Fixing 'Broken' Work Arounds
- Most famous CSS filter break: the Holly hack, * html {height:1%;}
- Used to force 'Has Layout', an IE internal data structure that still exists in IE7 and is responsible for an element sizing and positioning itself
- Article produced in cooperation with WaSP [1]
- What can you do?
  - IE6 and below: use of the Holly hack is OK
  - IE7 (if needed): conditional comments + zoom:1;
[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ietechcol/cols/dnexpie/expie20050831.asp

Changes in IE7: Adding the most requested features
- Fixed inconsistencies with the W3C specs:
  - Enable :hover on all elements, not just on <a>
  - background-attachment: fixed on all elements
  - Improved <object> fallback
- Added standards features (CSS 2/HTML 4):
  - Fixed positioning support
  - Min/max-width/height support
  - Selectors: first-child, adjacent, attribute, child
  - CSS 3 attribute selectors: prefix, suffix and substring

IE7 and CSS
http://www.positioniseverything.net/explorer.html

Questions?
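The "Fix CSS Hacks" and "Fixing 'Broken' Work Arounds" slides above list four hack patterns and which browsers each targets; the following added Python scanner (in the spirit of the ExpressionFinder tool mentioned in the toolkit slide, not its code) flags those patterns line by line so a stylesheet can be audited before IE7 rolls out. The sample stylesheet and the hack names are constructed for this example.

```python
"""Scan a stylesheet for the CSS hacks listed in the deck (added example)."""
import re

# Constructed from the "Fix CSS Hacks" and "Changes in IE7" slides:
# (name, pattern, who the hack targets, why it is fragile in IE7).
HACKS = [
    ("star-html", re.compile(r"\*\s*html\b"), "IE only",
     "the Holly hack built on '* html' is listed as broken in IE7; "
     "the deck recommends conditional comments + zoom:1 instead"),
    ("underscore-property", re.compile(r"(?:^|[{;\s])_[a-zA-Z-]+\s*:"), "IE only",
     "relies on a parser bug; only target already-obsoleted UAs"),
    ("comment-in-property", re.compile(r"[a-zA-Z-]+/\*\*/\s*:"), "Everyone but IE",
     "relies on a parser bug; know when it stops working"),
    ("child-selector", re.compile(r"\bhtml\s*>\s*body\b"), "Everyone but IE",
     "IE7 adds the child selector, so this rule now reaches IE7 as well"),
]


def find_css_hacks(css: str):
    """Return (line_no, hack_name, target, note) for each hack found, in
    file order; a line may yield several findings."""
    findings = []
    for line_no, line in enumerate(css.splitlines(), 1):
        for name, pattern, target, note in HACKS:
            if pattern.search(line):
                findings.append((line_no, name, target, note))
    return findings


# Constructed sample stylesheet containing each hack from the slides.
SAMPLE_CSS = """\
#nav { height: 300px; }
* html #nav { height: 1%; }          /* Holly hack */
#side { _height: 50px; height/**/: 300px; }
html > body #main { margin: 0; }
"""

if __name__ == "__main__":
    for line_no, name, target, note in find_css_hacks(SAMPLE_CSS):
        print(f"line {line_no}: {name} (targets {target}) - {note}")
```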