Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zone-Spoofing Fixed for IE 7 Home Users

Posted by Zonk on from the i-can-sleep-better-tonight dept.

BeanBunny writes "The IE 7 dev team has essentially removed the intranet zone for Home users, resulting in a Web browser that is effectively invulnerable to a zone-spoofing attack. This security feature does not exist, however, on any installation that is part of a managed network. It also does not exist if you manually change the permissions on your Internet zone. However, in Windows Vista, both zones will be run in a 'protected mode,' something that allegedly prevents the invisible installation of code."

10 of 115 comments (clear)

  1. Essentially... allegedly... I smell BS. by Ruff_ilb · · Score: 3, Insightful

    The OP doesn't seem too sure of this new security ploy - I don't know how they plan to implement this, but I think claiming to have a completely secure way of doing things doesn't help your security in the long run. Immune to today's typical attack, maybe, but if/when vista takes over as the OS of choice for most computers, its vulnerablilities will be found and exploited. I remember how SP2 was supposed to be some sort of security godsend, and when I first tried to install it it BSOD'd my computer every startup until I reformatted & reinstalled windows. That's slightly off topic, but it's an example of how good-intentioned 'security' fixes can do little more than break something that's been manually secured in the first place.

    --
    http://www.TheGamerNation.com/Forums
  2. Hmmm.. by slashes · · Score: 3, Insightful

    Sounds like a good start for IE7. If vista comes around, I still won't use IE7 anyway. It's reputation is tarnished and no matter what Microsoft does, it won't bring back us Firefox, Opera, Safari and etc users.

    If I was Microsoft, I'd implent IE competely away from shell and work with it individualy. I think it'll solve the majority of the problems.

  3. Why do we need zones? by Anonymous Coward · · Score: 4, Insightful

    I still fail to understand why IE needs zones at all. If the security settings were less complicated and more reasonable, this wouldn't be a problem. Instead of trusted/intranet/internet, etc... why not a 'whitelist' and 'blacklist.' Simple and easy. Zones are complicated and confusing for most users, and many people end up setting the internet zone to low security so they can access their favorite Java/Flash/JS/ActiveX-addled whiz-bang website anyway.

  4. Re:How about... by wyckedone · · Score: 2, Insightful

    This is an attempt at fixing a hole. Zone-spoofing is a threat and MS realized that. It may not be the best fix but it is a start.

  5. Formula for Posting by Lee_in_KC · · Score: 2, Insightful

    {Rhetorical question}

    {Admit you don't know anything about what you are about to talk about but think your way is better}

    {Slam Microsoft}

    Does that about cover it? I think I can rig up some rotating cookies to accrue good karma here if I can just get curl to work in Cygwin correctly. :-)

    Seriously though, IE is the browser MANY companies choose and need to use so I think changes to improve security are good, doesn;t everyone else? If you want to contribute get on the Beta team. If you just want to complain, well, nevermind I guess you are in the right place.

  6. Re:Code signing will finally be more effective by mpapet · · Score: 2, Insightful

    Hmmm,

    Maybe you fix one or two weaknesses, but there's so many others in windows it amounts to broken anyway. All this security blathering by MS is part of their "security" media message. What happens when Longwait gets here? More of the same.

    Code signing has it's own troubles, the biggest of which is the PHB or consumer that doesn't know or care.

    Who's the signer and how much will they charge? Annually? You squelch innovation as the entry barrier into the desktop just got raised. Not to mention if you make something the signer doesn't want to endorse.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  7. Always Trust Content From This Provider by Nom+du+Keyboard · · Score: 4, Insightful
    Always trust content from this provider.

    Everyone should know that checkbox well -- and leave it alone and unchecked.

    But where is the Never trust content from this provider ever again checkbox? The one I want to check every time I go to a site (all seemingly signed by the same certificate provider) that tries to install the 24-hour Time Manager, or You Must Click Yes to View This Site's Content when all trying to do is get out of a site I hadn't wanted in the first place.

    That's what I want my browser to offer me -- along with an inability for any web-site to affect my browser's basic functioning, like disabling the right mouse key. When is that patch coming?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  8. Misleading article title ? by Chaffar · · Score: 2, Insightful
    Microsoft To Beef Up Internet Explorer 7 Security

    Shouldn't it be something along the lines of "Microsoft removes yet another feature that proved to be a security threat"? It's not like they added a new security measure that beefs up Internet security. They just disabled the intranet zone, not too different than that feature that doesn't let you access /programfiles/ or /windows/ from the local network (dunno if you can circumvent that, but it is what happened to me by default)->(I think it's from SP2), which IMO is extremely annoying, because it makes me HAVE to change rooms to copy something from those folders.

    Ah, spin doctors, you never cease to amaze me...

  9. My idea by Spy+der+Mann · · Score: 2, Insightful

    1) add to the file system the origin of the file, like an "evil bit". Local (0) = good, internet (1) = bad. Let's call this the "unsafe" bit.

    2) Files created by scripts / java applets / your internet browser will ALWAYS have their "unsafe" bit set to 1. Copying files (even with floppies) will also copy their internet bit.

    3) Never execute files with the "internet bit" set to one.

    So what about executables installed from the internet? You set their internet bit to 0. But here's the catch: They CANNOT set or unset other files' unsafe bits, that's something only the admin can do, with a program by the operating system.

    4) applets / scripts / etc cannot read or write files with the "internet bit" set to 0. They can only alter "internet" files.

    This will allow applets or scripts to use caches, etc, but they can't make a script and later tell windows shell to run it. This will trigger a security warning, and possibly ban the originating applet / script.

    Perhaps adding another bit "operating_system / user program" might improve this even further. os programs can create and alter os or user files, but a user program cannot modify an os file.

    Of course, this is only an idea, and i really haven't thought how viable it is.

  10. Re:Vista is taking a page from *nix by I'm+Don+Giovanni · · Score: 3, Insightful

    Actually, in Vista, the default user account is non-admin, and IE7 runs in a mode even more limited than that.

    Slowly but surely MS is learning a few good tricks from the Linux crowd.

    Please get over yourself. The "Linux crowd" didn't invent the security system that's in Linux. If MS is learning from anyone, it's from the Unix crowd, which Microsoft itself is a part of, having created Xenix in the late 80's. But essentially, MS is learning from its own problems, which were created by migrating its userbase from a single-user no-security system (DOS, Win3.x, Win 9x) to a multi-user system with security (NT and its decendents). During this migration, the default accounts have been admin because that's what they were (essentially) in Win9x. In order to keep Win9x programs working, the default accounts in NT have been admin. This is changing with Vista, and has nothing to do with "learning" from Linux.

    --
    -- "I never gave these stories much credence." - HAL 9000