IE Security: Past, Present, and Future Tony Chor Group Program Manager Rob Franco Lead Program Manager Internet Explorer Microsoft Corporation.

About this presentation
- Past
- Present
  - Guiding principles for IE security
  - The Security Development Lifecycle (SDL)
- Future
  - High-level browser threat model
  - How IE7 addresses the threats

Past
- Compatibility and features trumped security
- Users fooled into making bad trust decisions
- Malware installed via architectural flaws
- Powerful extensibility misused
- Security seen as a servicing problem
- Adversarial relationship with community

Past
“I suggest dumping Microsoft’s Internet Explorer Web browser, which has a history of security breaches.”
Walt Mossberg, Wall Street Journal, September 2004

Present: IE is back!
- IE team reborn 24 months ago
- Improved security response
- IE 6.0 for Windows XP SP2
- New versions
- Engaging the community
- Security is integral to our engineering practices

Present: Guiding principles
- The web must be safe
  - Reduce attack surface
  - Build defense-in-depth
  - Secure by default
  - Enable users to make smarter choices
- The web must be useful
  - App compat and site compat are critical
  - Corporate IT has different needs from consumers
- Partner with the community

Engineering Excellence
- Security Development Lifecycle
- Security Response Center
- Community feedback
- Improved quality of updates & tools

IE Security: Present
“The assumption that Internet Explorer is easier to exploit is a common misconception… Internet Explorer has become quite tough, and it is very difficult to find vulnerabilities in it.”
Security Focus Newsletter, May 12, 2005

Future: IE 7
- SDL-driven security strategy
- Dynamic protection against fraud
- User control over extensibility
- Architectural enhancements against malware
- Proactive engagement with community

Threat Model: Browser Data Flow Diagram
- Outbound: URLs, HTTP requests, auth & cookie data
- Inbound: URLs, HTML, script, non-IE files

Threat Model: Internet Explorer Architecture
Layer diagram, with the extension points attached to each layer:
- User Interface: IEFrame (Browser Helper Objects, Toolbars)
- Network request layer: WinINet, URLMon (MIME filters)
- Page Rendering: MSHTML (ActiveX, Script Engine, Binary Behaviors)

Threat Model: User Interface Layer
Sample threats:
- Site spoofs user
- User lowers security settings
- Buffer overrun

Demo: User Interface Mitigations
In this demo, you will see how IE 7:
- Uses a phishing filter to dynamically protect users from fraud
- Warns users about unsafe settings

Threat Model: Network Request Layer
Sample threats:
- URL parsed incorrectly
- Buffer overrun

Threat Model: Network Request Layer (Unified URL Parsing)
Problem: URLs passed as strings may be parsed inconsistently through the stack; special characters complicate URL parsing.
Solution:
- iURI is IE’s single URL parsing object
- Canonicalizes URLs targeting RFC 3986
- IE passes the pre-parsed object through the stack
- iURI available to ISVs
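As an added example (not code from this deck or from IE's own iURI implementation), a small C canonicalizer applying the RFC 3986 section 6.2.2 case and percent-encoding normalizations the slide refers to, so that every layer that compares or classifies a URL sees one form rather than re-parsing a raw string. The function names `canonicalize_url` and `canon_equals` are assumptions, and dot-segment and default-port removal are left out.

```c
#include <ctype.h>
#include <string.h>

/* RFC 3986 "unreserved" characters: never left percent-encoded. */
static int is_unreserved(int c) { return c && (isalnum(c) || strchr("-._~", c)); }

static int hexval(int c) /* value of one hex digit, or -1 if c is not one */
{
    const char *hex = "0123456789abcdef", *q = c ? strchr(hex, tolower(c)) : NULL;
    return q ? (int)(q - hex) : -1;
}

/* Canonicalize url into out (RFC 3986 6.2.2): lower-case scheme and host, decode
 * percent-encoded unreserved chars, keep other %XX with upper-case hex. Dot-segment
 * and default-port removal are left out. Returns 0, or -1 if outsz is too small. */
int canonicalize_url(const char *url, char *out, size_t outsz)
{
    const char *colon = strchr(url, ':');
    const char *host = NULL, *host_end = NULL, *at;
    size_t o = 0;
    if (colon && colon[1] == '/' && colon[2] == '/') {
        host = colon + 3;
        host_end = host + strcspn(host, "/?#");
        if ((at = memchr(host, '@', (size_t)(host_end - host))) != NULL)
            host = at + 1;                    /* skip case-sensitive userinfo */
    }
    for (const char *p = url; *p; p++) {
        int c = (unsigned char)*p, h1, h2, encoded = 0;
        int fold = (colon && p < colon) || (host && p >= host && p < host_end);
        if (c == '%' && (h1 = hexval((unsigned char)p[1])) >= 0
                     && (h2 = hexval((unsigned char)p[2])) >= 0) {
            c = h1 * 16 + h2;
            encoded = !is_unreserved(c);      /* decode unreserved only */
            p += 2;
        }
        if (o + (encoded ? 3 : 1) >= outsz) return -1;
        if (!encoded) { out[o++] = (char)(fold ? tolower(c) : c); continue; }
        out[o++] = '%';
        out[o++] = "0123456789ABCDEF"[c >> 4];
        out[o++] = "0123456789ABCDEF"[c & 15];
    }
    out[o] = '\0';
    return 0;
}

/* True if url canonicalizes to expected: the form every layer should compare on. */
int canon_equals(const char *url, const char *expected)
{
    char buf[256];
    return canonicalize_url(url, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}
```

Two spellings that differ only in scheme/host case or in encoding of unreserved characters compare equal after this pass, while reserved characters such as an encoded slash stay encoded, so path-based decisions are not changed by the normalization.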

Threat Model: Page Rendering Layer
Sample threats:
- ActiveX controls misused
- Page access rules fail
- Unsafe access defaults
- Page redirects
- Buffer overrun

Threat Model: Page Rendering Layer (ActiveX Opt-in)
Problem: ActiveX controls can expose dangerous functions and security bugs to any page on the web.
Solution:
- Pre-installed ActiveX controls will prompt on first use, the same as downloaded controls
- Users can run in Add-ons Disabled mode to shut off more extensions, like BHOs
“This move is worth praise.” Joe Wilcox, Jupiter Research, September 13, 2005

Threat Model: Page Rendering Layer (Cross Domain Security)
Problem: Hackers use script protocols to run domain-less script, e.g. javascript:alert(document.body.innerHTML)
Solution: Migrate the script protocol to run as script in the originating page

Threat Model: General (Prevent Buffer Overruns)
Problem: Attacker finds a place where the parser does not check the size of an argument
Solutions:
- Automated code review tools
- Safe memory APIs
- Fuzz testing
These tools are part of Visual Studio 2005
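Added example, not taken from the deck: the parser bug class named on this slide in C, with the unchecked copy kept beside a version that carries the destination size and checks it before copying, which is the contract of the strsafe-style "safe memory APIs" the slide mentions. The function names, `ARG_MAX` and the query strings are constructed for the example.

```c
#include <string.h>
#define ARG_MAX 16  /* fixed-size destination, like a stack buffer inside a URL parser */

/* Locate the value of key `name` in a "k=v&k2=v2" query. Returns a pointer to the
 * start of the value and stores its length in *len, or NULL if the key is absent. */
static const char *find_arg(const char *query, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    for (const char *p = query; *p; p += strcspn(p, "&"), p += (*p == '&')) {
        size_t plen = strcspn(p, "&");
        if (plen > nlen && p[nlen] == '=' && memcmp(p, name, nlen) == 0) {
            *len = plen - nlen - 1;
            return p + nlen + 1;
        }
    }
    return NULL;
}

/* BEFORE (the bug class on the slide): the value length is never compared with the
 * destination size, so a value of ARG_MAX bytes or more writes past dst. */
int get_arg_unsafe(const char *query, const char *name, char dst[ARG_MAX])
{
    size_t len;
    const char *v = find_arg(query, name, &len);
    if (!v) return -1;
    memcpy(dst, v, len);  /* overrun when len >= ARG_MAX */
    dst[len] = '\0';
    return 0;
}

/* AFTER: the destination size travels with the buffer and is checked before the copy.
 * Oversized input is rejected (-2) rather than silently truncated. */
int get_arg_safe(const char *query, const char *name, char *dst, size_t dstsz)
{
    size_t len;
    const char *v = find_arg(query, name, &len);
    if (!v) return -1;
    if (dstsz == 0 || len >= dstsz) return -2;  /* leave room for the NUL */
    memcpy(dst, v, len);
    dst[len] = '\0';
    return 0;
}

/* Check helper: return code of get_arg_safe into a local ARG_MAX buffer, with the
 * extracted value compared against expected (-3 on mismatch) when the call succeeds. */
int safe_arg_check(const char *query, const char *name, const char *expected)
{
    char buf[ARG_MAX];
    int rc = get_arg_safe(query, name, buf, sizeof buf);
    return rc == 0 ? (strcmp(buf, expected) == 0 ? 0 : -3) : rc;
}
```

A fuzzer fed through `get_arg_safe` sees a clean error for long values; the same inputs through `get_arg_unsafe` corrupt the stack, which is exactly what the automated review and fuzz-testing items on the slide are meant to catch before release.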

Threat Model: General (EOP: Today)
Diagram: IExplore.exe; an exploit can install malware.
- Actions from the browser: install an ActiveX control; change settings, download a picture; cache web content
- Admin-rights access: HKLM, Program Files
- User-rights access: HKCU, My Documents, Startup Folder
- Temp Internet Files: untrusted files & settings

Threat Model: General (EOP: Protected Mode)
Diagram: Protected Mode IE under Integrity Control; a Broker Process mediates installing an ActiveX control and changing settings or saving a picture; a Compat Redirector provides redirected settings & files.
- Admin-rights access: HKLM, HKCR, Program Files
- User-rights access: HKCU, My Documents, Startup Folder
- Temp Internet Files: untrusted files & settings (cached web content)

Demo: Protected Mode IE
In this demo, you will see how IE 7:
- Runs with restrictions to prevent exploits from installing malware on users’ systems
- Keeps the web useful
  - Still allows users to download files or change settings
  - Allows Intranet sites to run without restrictions

IE Security: Future
“If all Windows users were running Vista [with IE7], the Internet would be a much safer place.”
Larry Seltzer, eWeek, July 29, 2005

Internet Explorer 7.0
- Win reviews and the popular vote
  - Improving Trustworthy Browsing
  - Amazing Everyday Browsing
  - Good Web Developer Platform
- Release dates
  - Windows Vista: 2nd half of 2006
  - Windows XP SP2, Windows Server 2003 SP1, x64: TBD
- Status
  - Beta 1 released in June
  - Beta 2 Preview in October
  - Beta 2 later this year

Resources
Books:
- Writing Secure Code, Second Edition (Michael Howard and David LeBlanc)
- Threat Modeling (Frank Swiderski and Window Snyder)
Visual Studio 2005

Conclusion
- We’ve come a long way.
- We have a long way to go.
- We’d like your help:
  - Test IE 7 for security and compatibility
  - Give us feedback; we’re listening!

Q&A
Your quotes? Your thoughts? Your questions?