Slashdot Mirror


'Lower Rights' IE 7.0 Coming

blacktop writes "eWeek has official confirmation from a Microsoft vice president that the upcoming Internet Explorer 7.0 browser upgrade will ship with reduced privilege mode turned on by default to help thwart browser-based attacks. In addition to anti-phishing and anti-spoofing features, IE 7.0 will add support for IDN (International Domain Names), built-in RSS and seamless search that will include choices of search providers."

15 of 378 comments

  1. WHAT?? by to_kallon · · Score: 3, Informative

    "We've re-architected it to defend against exploits," Mangione said

    architect IS NOT a verb!!
    great laugh to start the day though.

    --


    The only way to get rid of a temptation is to yield to it.
    -Oscar Wilde
  2. Re:So basically ... by Dogers · · Score: 4, Informative

    Without the CSS support.

    Marvellous!

    --
    I am a viral sig. Please copy me and help me spread. Thank you.
  3. Re:New Features? by alvinrod · · Score: 3, Informative
    It seems to me that Microsoft is only playing catch up, has invention died over in Redmond?

    Microsoft has largely been playing catchup throughout its entire existence. Before there was ever Windows, there was Apple's OS. Before there was IE, Netscape was king of the browser world. Spam Blocking and Security? Been around for a long time before Microsoft built it in to their products. Almost everywhere you look, Microsoft is trying to make up lost ground. Almost any innovation in computing has been "borrowed" by Microsoft, not created.

    Microsoft made a good product that caught on like wildfire and made computers more accessible to people who weren't able to understand the complexities of computers. Because they have such a large customer base, they can get away with releasing inferior products when it's the only product available.

    I don't mean to sound like I'm trying to start a flame war, but when Microsoft finally gets their product right, and the competition has been doing it for a year or more, it gets under my skin a little bit. Why not just get it right from the start or at least fix more along the way.

  4. Re:They're adding IDN support NOW??? by wheany · · Score: 1, Informative

    Firefox's solution was to turn off international domain names, while Opera's solution was to only allow IDNs on top level domains that have a responsible attitude towards granting domain names.

    So no .coms, nets or orgs.

  5. Re:Appropriate for the largest audience by germanStefan · · Score: 2, Informative
    For once I think this is a good move for Microsoft. Programs should not run by default from IE directly from websites. Users should be restricted by default. If they know what they are doing then they can change that in the options. It is not fair to have a grandpa open a page and get bombarded with spyware. Thus if by default he is prevented from executing programs then he will have fewer problems. Until now I have just installed Firefox and told them to use that. I will probably also do so in the future, even if IE 7 fixes security issues.

    However, this might be sad for us geeks as we may have to work harder for our easily earned 20 an hour fixing computers from their spyware woes. It was an easy and fun run while it lasted, but it's probably for the better. Now that people down the street can use their computers, they may have more interesting jobs for us to do.

  6. Re:Is it worth the switch? by NutscrapeSucks · · Score: 2, Informative

    > let Firefox/Opera do all the R&D and find out what the "must-haves"

    Interesting argument because it took Mozilla Firefox & Opera about 5 years to match the functionality of Internet Explorer 5.0. Things like CSS support and a solid DHTML implementation are "must-haves" and IE had them long before anyone else. (of course since then it's been surpassed).

    If MS starts taking the development of IE seriously, they could easily lap the competition again. Starting a standards-fight with a monopoly is dangerous business, because there's a huge number of standards and implementing them all can be very expensive. Imagine a future "W3C checklist" where MS has twice as many ticks as Mozilla. It certainly could be possible.

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.
  7. Re:Will only work if ActiveX is disabled by defaul by Ath · · Score: 2, Informative
    The conundrum is that so many sites now require ActiveX that if IE were to ship with it disabled, Joe Sixpack's favorite websites wouldn't work.

    I am not trolling here, but exactly which mainstream sites (which I assume you meant by "Joe SixPack") rely on ActiveX? In my personal experience, the vast majority of websites I have visited now work perfectly fine in Firefox and Safari. It seems a lot of sites have moved to the slightly-less-annoying Flash-based interfaces if they want to do some things.

    Porn sites seem to be the exception, but primarily to install spyware. Err ... I mean ... this is what I have heard.

    I think we can all agree there is almost no technical reason to use ActiveX versus other solutions which are both more secure and less tied to only one platform. The driving force between more standards-based web development is not, however, a concern out of security but more out of the increasing desire to support mobile devices.

  8. 30%, Try 80% by blazerw11 · · Score: 5, Informative

    Here are just a few references pointing out the real percentage of computers infected with spyware:
    80%
    8 out of 10
    88%
    Or, just search it.
    So, 5 years to admit to the problem as it was 3-ish years ago.

    --
    A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
  9. Re:Re-architected it? by PiMuNu · · Score: 3, Informative

    Had to have been ;-)

  10. Re:Will only work if ActiveX is disabled by defaul by br0ck · · Score: 2, Informative

    the big ActiveX offenders (Yahoo) would fix themselves up

    Any site attempting to use "AJAX" is now a big offender because XMLHttpRequest is implemented as an ActiveX control in IE. For example, turn off ActiveX and try using Google Maps in IE and you get.. "ActiveX is not enabled in your browser. If your browser is Internet Explorer, you must have ActiveX enabled to use Google Maps."

  11. It's customary to identify source, even in humour by Petersko · · Score: 4, Informative

    Yep, it's funny. But it's Bill Watterson. Give credit where credit is due.

  12. Re:They're adding IDN support NOW??? by Gerv · · Score: 2, Informative

    "Firefox's solution was to turn off international domain names"

    This is incorrect. We turned them off while working on a long-term fix, which is basically the same thing as Opera's.

  13. Re:So basically ... by Jere+H · · Score: 2, Informative

    Business problems come from the companies writing software for Windows. For example, at my work, auto update is turned off so that Service Pack 2 will not install. This is necessary because it breaks our old CRM software (Open Systems Accounting Software).
    The new system we are migrating to (Epicor Vantage) uses Crystal Reports, and it doesn't work right with Service Pack 2 either, and the support people tell us that they don't support Crystal Reports on SP2.

  14. Re:Will only work if ActiveX is disabled by defaul by Anonymous Coward · · Score: 1, Informative

    The problem is that most sites are coded for a variety of browsers and use the browser's User Agent to determine how to display that site.
    Visit it with Firefox and your browser will run an entirely different set of instructions than would be run when using IE.

    On another note, last I knew scripts can't read picture files at all so quit obfuscating those damned images with scribbly crap so they can barely be read by a human.

  15. Re:Enhanced Security mode or Restricted User mode? by Foolhardy · · Score: 2, Informative

    The article is light on technical details, but it does sound like the Enhanced Security mode of WS2003. Running IE as a separate user with fewer privileges is better, but that wouldn't work in a multi-user environment. Every user would have the same access to a shared profile for storing bookmarks, saved forms and the like. There is a more elegant solution: restricted tokens.

    Restricted tokens are a feature available in Windows 2000 and later that allows any user to create a new process with less privileges than they have normally. You can delete SIDs, so that they can't be used to grant access, delete privileges, and create a list of restricting SIDs. "When a restricted process or thread tries to access a securable object, the system performs two access checks: one using the token's enabled SIDs, and another using the list of restricting SIDs. Access is granted only if both access checks allow the requested access rights." (from the above link)

    I've been running Internet Explorer, Mozilla, Winamp and a few other things with restricted SIDs for quite a while now. I delete the Administrators group, all privileges and restrict them to a narrow set of SIDs. I give them access to my profile, but they are explicitly denied access to all the Run keys in the registry, and My Documents. The program jobprc can be used to create restricted tokens and job objects.
    You can also create a process with a restricted token with the Protect My Computer option of RunAs, albeit with less control.

    I created a VM and TRIED to get infected while logged on as an admin using a restricted token. Nothing got through.

    It would be great if Microsoft took better advantage of restricted tokens by running certain things (like IE) with them by default.
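
The two access checks quoted in comment 15, as an added example that is not part of the original thread and not Windows code: a simplified Python model of a DACL walk with disabled (deny-only) SIDs and a restricting-SID list. The SID names, right bits and DACLs are constructed for illustration, and privileges are not modelled.

```python
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2  # constructed access-right bits for this model

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int

@dataclass
class Token:
    sids: set                                      # enabled SIDs (user and groups)
    deny_only: set = field(default_factory=set)    # disabled SIDs: match deny ACEs only
    restricting: set = field(default_factory=set)  # empty means an unrestricted token

def walk_dacl(dacl, allow_sids, deny_sids, desired):
    """Evaluate ACEs in order; a deny on a right not yet granted fails the check."""
    remaining = desired
    for ace in dacl:
        if ace.kind == "deny" and ace.sid in deny_sids and ace.mask & remaining:
            return False
        if ace.kind == "allow" and ace.sid in allow_sids:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # anything not explicitly granted is denied

def access_check(token, dacl, desired):
    """First pass uses the token's SIDs, second pass the restricting SIDs."""
    ok = walk_dacl(dacl, token.sids, token.sids | token.deny_only, desired)
    if ok and token.restricting:
        ok = walk_dacl(dacl, token.restricting, token.restricting, desired)
    return ok

def restrict(token, disable=(), restricting=()):
    """Derive a restricted token from an unrestricted one."""
    disable = set(disable) & token.sids
    return Token(token.sids - disable, token.deny_only | disable, set(restricting))

# Constructed SIDs and DACLs, loosely following the setup described in the comment.
FULL = Token({"alice", "Administrators", "Users"})
BROWSER = restrict(FULL, disable={"Administrators"}, restricting={"sandbox"})
SYSTEM_DIR = [Ace("allow", "Administrators", READ | WRITE), Ace("allow", "Users", READ)]
PROFILE = [Ace("allow", "alice", READ | WRITE), Ace("allow", "sandbox", READ | WRITE)]
RUN_KEY = [Ace("deny", "sandbox", READ | WRITE), Ace("allow", "alice", READ | WRITE)]

if __name__ == "__main__":
    for name, dacl in [("SYSTEM_DIR", SYSTEM_DIR), ("PROFILE", PROFILE), ("RUN_KEY", RUN_KEY)]:
        print(name, "full:", access_check(FULL, dacl, WRITE),
              "restricted:", access_check(BROWSER, dacl, WRITE))
```

In this model a disabled SID still matches deny ACEs, so disabling a group can only reduce access, and the restricting list blocks even reads that the Users group would otherwise be granted.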