Slashdot Mirror
Zone-Spoofing Fixed for IE 7 Home Users
BeanBunny writes "The IE 7 dev team has essentially removed the intranet zone for Home users, resulting in a Web browser that is effectively invulnerable to a zone-spoofing attack. This security feature does not exist, however, on any installation that is part of a managed network. It also does not exist if you manually change the permissions on your Internet zone. However, in Windows Vista, both zones will be run in a 'protected mode,' something that allegedly prevents the invisible installation of code."
Everybody will be safe and secure, except of course for every single business in the known world?
Protected mode sounds kind of like the security wrappers Firefox Deer Park places around extensions.
You must have zone spoofed your way in.
No browser is safer that IE if you prevent it from accessing a network!
You just got troll'd!
The OP doesn't seem too sure of this new security ploy - I don't know how they plan to implement this, but I think claiming to have a completely secure way of doing things doesn't help your security in the long run. Immune to today's typical attack, maybe, but if/when vista takes over as the OS of choice for most computers, its vulnerablilities will be found and exploited. I remember how SP2 was supposed to be some sort of security godsend, and when I first tried to install it it BSOD'd my computer every startup until I reformatted & reinstalled windows. That's slightly off topic, but it's an example of how good-intentioned 'security' fixes can do little more than break something that's been manually secured in the first place.
http://www.TheGamerNation.com/Forums
I like this move. Code signing of Active X controls will be more effective, since all code will have to signed before execution. Plus I.E. 7 has capability to create Whitelist of certain trusted signers, and reject everything else. See Do you Code Sign ??? for more details.
Consensus is good, but informed dictatorship is better
Sounds like a good start for IE7. If vista comes around, I still won't use IE7 anyway. It's reputation is tarnished and no matter what Microsoft does, it won't bring back us Firefox, Opera, Safari and etc users.
If I was Microsoft, I'd implent IE competely away from shell and work with it individualy. I think it'll solve the majority of the problems.
IE7 is supposed to run in a fully protected mode by default. The protected mode is similar to a non-root user in *nix so that non-admin user programs do not have access to modify system files or settings. This is supposed to prevent spyware/adware that hooks into Windows processes and keep something one user may install from affecting other users of the system.
Slowly but surely MS is learning a few good tricks from the Linux crowd.
I still fail to understand why IE needs zones at all. If the security settings were less complicated and more reasonable, this wouldn't be a problem. Instead of trusted/intranet/internet, etc... why not a 'whitelist' and 'blacklist.' Simple and easy. Zones are complicated and confusing for most users, and many people end up setting the internet zone to low security so they can access their favorite Java/Flash/JS/ActiveX-addled whiz-bang website anyway.
But will it have a huge memory leak like Firefox does?
But where is the innovation?
I'll be honest, I haven't followed the Vista track that closely, but I have yet to hear of any evolutional or even revolutional features that I can look forward to. I read the slashdots and the diggs of the internet so, are these sources too Google and Apple happy to report on the Windows front? Or is there simply nothing to report?
Other than Metro and their attempts at making their OS work like Tiger, what is left?
Don't say security.
- what is the definition of simultanagnosia?! I've been meaning to look it up!
How about they just fix the damned holes instead?
This is about as bad as putting duct tape over the rusted out holes in an old car: "see, its all better now"
---- Booth was a patriot ----
{Rhetorical question}
{Admit you don't know anything about what you are about to talk about but think your way is better}
{Slam Microsoft}
Does that about cover it? I think I can rig up some rotating cookies to accrue good karma here if I can just get curl to work in Cygwin correctly. :-)
Seriously though, IE is the browser MANY companies choose and need to use so I think changes to improve security are good, doesn;t everyone else? If you want to contribute get on the Beta team. If you just want to complain, well, nevermind I guess you are in the right place.
The funny thing is all corporate networks that have no windows domain fully deployed yet will be in big trouble, unless the admins deploy some extra security policy that switches back intranet sites to the local zone. Otherwise no activeX, stuff will get broken, etc...
(from the IE blog: only pc;'s connected to a domain will have a local zone enabled)
Looks more like a ploy to force all corporate users to move to active directory asap...
I'll be honest, I haven't followed the Vista track that closely, but I have yet to hear of any evolutional or even revolutional features that I can look forward to.
I don't think Slashdot is the best place to ask this question on, as you'll no doubt get the "no, Vista is reskinned XP".
Personally, I don't think an evolutionary OS have to be "innovative", just better. Goes for Linux just as it goes for Vista.
Anyway, here's an Vista edition comparison and here's a more detailed list of planned features.
Beware: In C++, your friends can see your privates!
Everyone should know that checkbox well -- and leave it alone and unchecked.
But where is the Never trust content from this provider ever again checkbox? The one I want to check every time I go to a site (all seemingly signed by the same certificate provider) that tries to install the 24-hour Time Manager, or You Must Click Yes to View This Site's Content when all trying to do is get out of a site I hadn't wanted in the first place.
That's what I want my browser to offer me -- along with an inability for any web-site to affect my browser's basic functioning, like disabling the right mouse key. When is that patch coming?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
This posted to a site where every incremental improvement in an OS app still in Beta gets trumpeted like the Second Coming and the True Believers recompile their kernel every night.
Shouldn't it be something along the lines of "Microsoft removes yet another feature that proved to be a security threat"? It's not like they added a new security measure that beefs up Internet security. They just disabled the intranet zone, not too different than that feature that doesn't let you access /programfiles/ or /windows/ from the local network (dunno if you can circumvent that, but it is what happened to me by default)->(I think it's from SP2), which IMO is extremely annoying, because it makes me HAVE to change rooms to copy something from those folders.
Ah, spin doctors, you never cease to amaze me...
...for users to figure out. Its all "Internet" as far as they can figure out: Very few can define let alone know what a "Local Intranet" is or rarely have a reason to browse there (most home users have 1 maybe 2 machines which don't usually host web pages + hardware with Web Control interfaces). Both "Trusted Sites" and "Restricted Sites" are backwards concepts because you don't know if a "new site" is trustworthy or not till you get there which at that point maybe too late.
Very few home users can understand what these groupings mean let alone use them in a defensive manner that isn't intrusive. To make matters worse, its all optional (except for the "Internet" zone which is "all sites that don't fall into the other categories).
Since a user can easily be mislead or goof up the configuration it should be abandoned. You either can perform a function while browsing or you can't. Trying to place web sites into buckets its a chore the user doesn't like nor do they understand where dubious people will end up tricking them anyway.
I thought they already did this years ago...
http://ftp.pcworld.com/pub/screencams/mscement2.g
This space unintentionally left blank.
In this case, "zone" is used by Microsoft marketing to mean one thing, and by DNS to mean something else. A DNS "zone" is a particular inherited slice of domain - a group of machines under the same management. An MS "zone" is a set of domains or sites that the user categorizes in the same level of trust. Those are completely different things.
So when Microsoft marketing says a "zone spoofing" attack is thwarted for home users, which "zone" do they mean? To the rest of us, zone spoofing is a DOS attack on a target using DNS servers as unknowing dupes. You spoof the address of the target in a query (claiming you're the target), then the DNS servers respond to the target with a boatload of data. If the target is itself a DNS server, that can create additional attack vectors on the clients, opening the time window for race conditions as the clients time out looking for a DNS server.
What this really is is the IE7 team saying "These 'zone' thingies are stupid enough, but a home intranet zone is really superfluous". It's Window dressing. The dev team didn't fix anything, they just turned off a feature that people didn't use.
Ironically, home networks are really taking off, as more people buy firewall-router-switch combos and use multiple computers at home. Not many home users maintain web sites inside their network, and those who do have them probably don't put ActiveX crap on them.
In short, this is not duct tape. It's taking off your hubcaps so no one steals them.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
Windows Vista will be pretty much what an OS should be, a big block of running processes that cannot be touched my outside code. Every application you install on Vista will be run on something like a virtual OS, running on top of the vista core. Honestly, i detest anti-microsoft villains, and you may critisize such points of view but i don't care. Ignorance is Arrogance.
1) add to the file system the origin of the file, like an "evil bit". Local (0) = good, internet (1) = bad. Let's call this the "unsafe" bit.
2) Files created by scripts / java applets / your internet browser will ALWAYS have their "unsafe" bit set to 1. Copying files (even with floppies) will also copy their internet bit.
3) Never execute files with the "internet bit" set to one.
So what about executables installed from the internet? You set their internet bit to 0. But here's the catch: They CANNOT set or unset other files' unsafe bits, that's something only the admin can do, with a program by the operating system.
4) applets / scripts / etc cannot read or write files with the "internet bit" set to 0. They can only alter "internet" files.
This will allow applets or scripts to use caches, etc, but they can't make a script and later tell windows shell to run it. This will trigger a security warning, and possibly ban the originating applet / script.
Perhaps adding another bit "operating_system / user program" might improve this even further. os programs can create and alter os or user files, but a user program cannot modify an os file.
Of course, this is only an idea, and i really haven't thought how viable it is.
I held the trunk on my old '77 Buick Century on with duct tape for almost 2 years you insensitive clod!
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
Hey, MS took out a feature! If they continue to do this, they might actually become secure...
Of course when it's actually secure, it'll be because MS took out program execution as a feature.
(Announcer: Windows Bottomless Canyon, our most secure operating system yet. It's completely inveunerable to all forms of security risk. When you want to watch your mouse pointer move around the screen, but don't want the gaping security holes in Linux, look no further than Microsoft. (Program execution plugin may add risks over base (mouse move only) package. Security claim unproven. Suggested retail price $399.99))
"Fight for lost causes. You may discover they weren't."
All of the snide remarks in this thread indicate that most of you hate any improvement in IE for fear of losing some of your anti-M$ ammo. Deep down in your hearts, you WANT IE to be insecure, you WANT Windows to be insecure, you WANT Vista to bomb, just like you LOVED Win9x crashes. The fact is, Microsoft is addressing their security problems, just as they did their stability problems, and that scares you guys to death.
You lost your stability argument, and slowly but surely, you're losing your security argument (the last major security outbreak happened back in 2003, and things will only get worse for you in Vista, where the default accounts are non-admin). Face the facts that you're going to have to find another argument ("free, as in beer", I suspect).
-- "I never gave these stories much credence." - HAL 9000
I started developing in "protected mode" more than 20 years ago when I got my first 80286 box. What took them so long to get on board?
You'll probably be modded troll even though what you said is every bit true.
Lol and particularly funny is how these same zealots turn around and fawn over IBM and Google. I mean come on, IBM?!?!! So what if they are now supporting Linux!!!
How quickly these nooblets seem to forget history. Don't feel bad penguin lovers: when Microsoft is no longer such a juicy target, you will still have Apple to kick around to make you feel better about yourselves.
Not really... I'm very happy with my *nix box and I haven't actually cared for whatever M$ has done lately for security, and I bet a lot of other *nix and Mac users don't give a damn whether Windows ever becomes secure. What you're accusing us is for rooting (ro0ting?) for the underdog, which last time I checked WASN'T a crime.
You lost your stability argument
I disagree. Windows is still more unstable than Linux, doesn't require restarts everytime you change fonts.you're losing your security argument
Yes, that's why we rushed to go download the Sony ro0tkit remover. Or cared when yet another IE flaw was revealed.Face the facts that you're going to have to find another argument
We'll worry about that when the time comes. For now, and IMHO for a while things aren't getting MUCH better for Windows. Better, yes, but not enough.Some people write to TV channels to complain about the programs they run. Some people change the channel. A lot of us were unhappy with Windows, and took matters into our own hands. Also, many people turned away from M$ because of OSS, so it's also a matter of principle as well as dissatisfaction with Windows.
So, obviously, when M$ commits a blunder, we'll always be on the corner rubbing our hands and snickering, the same way children point and laugh at the poor kid who tripped and fell in the mud puddle, instead of helping him get up. Everytime M$ fvcks up,it makes us happier of the effort we put to turn away from Windows (because it does take a substantial time investment, even for the best).Personally I run soley Windows systems except my firewall and on all of my Windows boxes I'm still required to reboot every few days becuase of OS instability. None of my windows boxes is allowed to run longer then a week because of these problems. My linux based firewall has been running since a power outage a few weeks back and before that its been since I moved a more then a year ago. Servers at my work that run windows are rebooted once a week, linux and unix servers are rebooted on rare occasions. I'm not trying to troll but stability is still being improved in windows and has years to go before it is up to unix/linux standards.
The fact is, Microsoft is addressing their security problems, just as they did their stability problems
No, the fact is you paid your hard earned money for a product that still doesn't work. How many Windows licences do you own? (Fool me once, shame on you. Fool me twice shame on me).
Whats telling is the sheer fact that Windows was designed to help Microsoft, not you, doesn't even enter into your thought process.
Keep using windows, most of us don't care.
Comment removed based on user account deletion
Judging from screenshots and info: the ability to control audio volume per application from the OS. It's as if every app now has its own dedicated Master channel that the OS then mixes together for output.
I've been wanting that for years due to certain apps that think they are divine and simply take over/mute my global Master/Wave channel when they feel like it (AIM and Winamp, I'm looking at you!). In Windows Vista, those intolerant apps will not be able to take over.
Lazy app writers who simply use the global channels instead of opening a per-app one should be shot...but with Vista they can continue to be lazy.
IE 7 on Vista will run in sandbox that isn't really like anything out there today. (That I know of, anyway.) Even if you're an admin user, IE 7 is contained in such a way that it is not able to access anything outside of its sandbox without explicit permission.
This helps even when non-admins are running IE 7 because it doesn't just prevent system changes (like adding a program to the startup folder), it also prevents changes to anything outside of the sandbox... including files that the non-admin user has full access to.
They accomplish this by using the concept of a broker which IE 7 has to ask to do pretty much anything to the local system, independant of the privledges of the user running the browser. Want to save a file to your desktop? IE 7 must first ask the broker for permission. When the broker gets this request it then asks the user using a dialog. If the user approves, the broker then gets the appropriate information from IE 7 and saves the file for IE 7. At no point does the IE 7 process have access to the desktop or any of the users files.
The net effect is isolating all dangerous code in the broker, which is far simpler and easier to audit and debug than IE 7, thereby decreasing the attack surface dramatically.
For a detailed description of all this, check out the channel 9 video about it.
That's pretty much what I was going to say. I used Linux for about 6 years, installing and using everything form slackware 3 (on floppies) to Mandrake 10.
KDE's ioslaves was an innovative idea; being able to slot in a CD, browse to a virtual mp3 folder and drag 'n' drop the mp3s to the hard drive, thus triggering the ripping of them? Inspired.
I can't think of anything else that was truly innovative. Lots of good stuff, sure, but nothing that wasn't an incremental improvement on the status quo.
It's official. Most of you are morons.
the last major security outbreak happened back in 2003
r wards outbreak happened in 2003.
Hahahahahahahaha (x1000)
The last catastophic, taking-down-millions-of-systems, DoSing-the-Internet, making-headlines-all-over-the-world-for-days-afte
Several major outbreaks have happened this year, Zobot for one. The only thing that saved the day was the uptake in XP installs; otherwise, we would have had another Code Red on our hands.
Incremental improvement. A good thing for Microsoft, a good thing for average users, a good thing for the internet, yes. But "slowly but surely, you're losing your security argument"? Call me when a million Linux webservers get infected. Call me when desktop Linux starts spreading automatically executed worm code.
Most importantly, call me when Linux sees as many viruses and/or outbreaks as its marketshare would imply. Not the almsot nonexistent numbers we see today. That always seems to be the argument, that it's a marketshare thing. So just keep in touch, and let me know when 5% (or whatever Linux is at) of viruses/worms/spyware is targetted at, and infecting, Linux. Then you might actually have a point.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
They've made some neat changes, and the details are here:
http://channel9.msdn.com/tags/Windows+Vista
The Slashdots and the Diggs are too Apple and Linux happy.
"Deep down in your hearts, you WANT IE to be insecure, you WANT Windows to be insecure, you WANT Vista to bomb, just like you LOVED Win9x crashes."
Of course. This is why they wills till go on and on about the "blue screen of death" long after ti became an extremely rare occurance. They need things to stay the same because OSS can't match the rate at which a large company can bring resources to bear.
They will contineu to tell stories about old versions of Windows and comfort themselves with superiority that no longer exists.
--> Fight tyranny and repression.... read
Neither Finder nor Nautilus provide web access. Konqueror is more of a suite of programs (file manager + web browser), but it's also far more secure than IE.
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'