Windows - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Windows


Microsoft: Low-Rights IE 7.0 Only for Longhorn



 By: Ryan Naraine
2005-06-09
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Windows story.


Rate This Article:
Poor Best
A key security feature being planned for Microsoft's Internet Explorer 7.0 browser makeover won't be available for the majority of Windows users.

The "low-rights" security feature being planned for Microsofts upcoming Internet Explorer 7.0 makeover will be available only in Longhorn.

"Low-rights IE" is a "defense-in-depth feature" meant to back up and support several security-related browser enhancements, but because it piggybacks on the "least privilege" feature being introduced in Longhorn, it wont be available for any other operating system, said Rob Franco, lead program manager for IE security at Microsoft Corp.

Francos disclosure was made on the IE Blog to clarify statements made by a senior Microsoft executive at the Tech Ed conference earlier this week.

Gordon Mangione, corporate vice president of Microsofts security business and technology unit, said in a Tech Ed strategic briefing on security that IE 7.0 has been rearchitected to defend against browser-based exploits and will ship with reduced-privilege mode turned on by default.

Resource Library:

Read more here about Microsofts plans for a "low-rights" Internet Explorer.

But Franco made it clear that while most IE 7.0 security features will be available for supported operating systems—Windows XP SP2, Windows XP Pro x64 and Windows Server 2003 Service Pack 1—"Low-Rights" will be limited to Longhorn because its based on the new Longhorn security features that make running without Administrator privileges an easy option for users.

That feature, known as LUA (Least-Privilege User Account), lets users run programs with limited user privileges, limiting the damage from malicious code attacks.

"We are using the same Longhorn security infrastructure to limit IE to just enough privileges to browse the Web but not enough to modify user files or settings by default," Franco said.

Even if an attacker attempts to exploit an IE flaw, the code wont have enough privileges to install software, copy files to start-up folder, or hijack the browser home page or search provider settings, he added.

He said the primary goal of low-rights in IE 7.0 is to "restrict the impact of a security vulnerability while maintaining compatibility."

Franco stressed that the reduced-privilege option will not provide a fix for vulnerabilities. "[Its] like the Local Machine Zone Lockdown feature in XP SP2. That lockdown prevents cross-domain vulnerabilities from installing malicious software on users machines," he said.

Additionally, Franco said low-rights IE is not meant to prevent users from downloading and installing software that turns out to be malicious. "Any program that the user downloads and runs will be limited by User Account Protection, unless the user explicitly gives the program Administrator privileges," he said.

"Another issue to clarify is that low-rights IE will not change IE security settings for ActiveX and script as the Enhanced Security Configuration for IE on Windows Server 2003 did. We are considering changes to some default security settings for IE, but that work is separate from low-rights IE and will not impact the user experience in the way that ESC did for Windows Server 2003," Franco added.The new browser also will feature major changes in the way files are executed, as well as new anti-spoofing and anti-phishing technology to let users identify fake scam Web sites.

Click here to learn more about the features in IE 7.0.

Beyond the security improvements, IE 7.0 will add support for IDN (International Domain Names), tabbed browsing, built-in RSS and seamless search that will include choices of search providers. The browser also will improve Web page printing capabilities such as the automatic "fit-to-page" feature.

As previously reported, Microsoft is expected to beef up IE 7.0s security by blocking access to cross-domain scripting, improving the SSL (Secure Sockets Layer) interface and possibly integrating spyware protection via its Windows AntiSpyware service, which is currently in beta.

Check out eWEEK.coms for Microsoft and Windows news, views and analysis.



  Reader Comments: Microsoft: Low-Rights IE 7.0 Only for Longhorn
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Windows Articles          >>> More By Ryan Naraine
 


x}ks㶲*Q3Co{)ْ:-K3dwKEĘ"uHʏd'S'7n7%?f{ScK@7Fw?H9uur56%SEo]"I{C(`RϩIzNڶ? }~mksu;;#|6%߽w *s=NN5K&OxgMlM1eck`p,FcwM5d{9B ~56(CJevw ZwO~Th;⻶eMGaoN w*Nuol9 Q>)*X^P~FD;ǎ5~r 5yf ;U'i3['C5CUVekV6^;s9ȹ׳]z$nRvn8Gd`jI:@*"4nC6S!p55\`p)jHZ6tG,#H>P7sIzV@daS/*! lpa#j)y'CϠE[#Uֶg5]q=ܹcglZENX* ?q7uBazH&5\O, "9˾,ft0e\Ȇ}}RM*AR,הby/^Z,Yp﯍z_{JY4E;'9~`h5v$ YySS^_wD_*0QI- i|/ Z@߯fN{!x[^ ԊhZAAvIna̳| 3+i3*5dNߒ-~k~>F,3SAT4 ̠K`W+eP:n]=]s\u[ݫ9^VSCV=BCj`BӹciueUo~9c!nj dPp9LwjT{dZݣ6I|U8VE~9韝Cj ݖyB_ȻX_wKŗG)H73ǚ -=4ɔSHu t:99~}E'Zf-Mn #dLi|][7p3Z&9T23=MH=k 3!RBʼIK _VPJB-)\D7h+Ԍ$ٛ"Gn;ž_"ʥcp1S{.Ӱuirq~ZoV͉*]XYujZlE?´;\g8n7/-һ5?aUb}PhvZM]qsuTSt*Zl:|5Ճ"T G'&-d`q86ayƔIG?{? aO>)5>'4}t>჎$>hƋCoriXnL,rӇtu4A+GݺzL߳=Wԇ5j`I l"&q}s)к`ya2C?FlEP>X^0 vjq3*~s=w= } wA;k 6G~[>l0sz7N\IQo -2(%E2{ 4.gP)AH =k \99 ޑvZ*&RP*m=!ԑt݁Z*ݕh3aGe-n^ $ d6g2+IMiG0V-&D7r"e.G 7Kቖ&ZlY,*V+WMzڣeXG == 3ܲM҄%Ll;i`1Ґ(eNa9{-A\{t0<Ͱ"̴b֜u4DnN-˘ R g?fz0-qڛ=>5SN`c\n̜07ÚL ~Dg͏Oc @}(N5i :O̗Sڶ\MS]77UBgsNPB/W2 \_&VAB5 6d:ɤPl';oW f4ݤ|r%e{R{`ELE2a5?%ہnP/|ĝR;BZsOsR'g:[[I%7˺EI8J{ۥa]hk%T7Bɶ/^¢xmP2D֑Rkυò=2P}62&C 7 Py\{8`O>7l{`(`\Pe?>2ei[[aՒhxKkʸAnJ栢~g &ʥ Ë;rg@4=&Ho[C=<fRM\?APt @IU5} o _׆K gе3Kwӥa︽.JM*jFd>l 'L[aHz>cTfha8l[:٤ RXȏ%}T5&}cl ԑq,YX6Tȵm60}u瞄( }ZjY<9Ro> < đMTBYaT(l];(12qɝa&1\?@R)Ö1Swhi'T'łЀah"pHEAxZkhpT@U.(L-9Ij1 [ hg [QznSCzϯaRI?IL!2Bsݧ==1g匬  hVBS{ZYUKZTp~W`sϏxO?"5Ϩ8x_p&WXfiY8AK>sn.,|: '012&z@j9Abv6<|0֔R)IdӀL9GVAELˣFppkՃ u;uav9Aخ kqAmY1qW;GPVL` }ѺIPɑ1[D`[ nUESUGKk+^W< OQ# A\=!< &`QtEa:NiEk P{N-~O1"ڿcqa(D p@F]S؇Qgm/RU *~a;:{oR64F@2<"C8\bS>p@d#RaMݜ5m"uy@VIJXhQ_4M.Ш6>YL< ?~{ޖlwn1;pi%u Qby*A!/r]-M:f2/cXhUM+%0}3YhSIlpg#H]Ӟuus|O>=jTco"\$t-n\gr U;I)TYb9Ji?0)6@yZI@j5VJ`Y V8$g^O ~o'a%JI) `zVDZ)~HǞ1}]ܙe>t1G8*z)OTʜYEo(QUmq'F.҄^ߵK\bvvLʲH٭PSV82V6J\)aoA~V0`A#'0K(GgcO7)~ (zC9Km{~>sPU]|T&#UX)TԒP?ITAtyU!n?mVPVW`Zd&{ڜ%\{si0)Q뱋r3["X&DД7Ϩ;Rb kQh>c[,*u[_Iݏ-sga\dz LR(I]2~̮VsA0lg~hy% @$+~{&5/?tŗtK~vR1~B`&ypϒU4*$iyp|hq\3)6MF0Sk cf<72l&zA5q^ڗY0pz!vBZMUc z A0֢ܟ]?vV!ڧ4|yQ$ !rFen1pAZ~j_^퓉eԉ8%4 \(?m[ħ{, /䎑=;SL'M(4iQ-uyjtJ1SB<~d:Y$yYMzJ,RTcD$PKFI39uޜ-Hy9Ym ybXýMی3%[/ ã ,-Y+4$/i\A1;Gp",G7Dp <SJ[L>CT䵤 g[YUHN~D!6OYta^}rWkb~]ȩZU$}ݝ:V08FHS `'#9ʼSsaZ GW ./veNȣ&k{?ɘKԍ A/]s>ͥ=`L̴M\gwhG(V=w9c93 Zt ەg_Bxa1~hSriuyO%i&m_ |1$?[Ѝ>u?y{`o&o=)sǣAg伅q+ћݳ^QW{20}_?H+I㆟ycP]!OKSϑ$٘NBEWU-u+ln(rYpJyOVr;ld+N$c,nP2vA JGs`ȞxqM7bRco}|]& {~ ]ݣPIݣ7뻻~=Ғ(r]&ZD܎pw5Q {qI9.xy?,J`\Ty^f} l$.EB"fFcME[ofO<|nF?iKW7\MGI>rIN!vnY|iiRiԋN#}o$xivFS/ fzm vYG}:mϐuYj[0RV JM(& 8Y7`,;]#oYc]}N x^xHNR]Ti -Xk(]F݃ÄB\ LxcfN H˂.)xt;$Te*#? '6F@ J(BE{ z"ME&[cvWE(6hZzHStBI=w rܮI-Kz ]ZJ7Bl g*x 4!)^f*XsϧJ@wLv4r=.lN@'><l!Y Zf)x/i1#<oQB{[V4 l%si$Zfƍm"iMr3kDNDB* A"L[ާF3mD:M H<[LHN&U#nKalŨe\huRY~g>?:!_Vr^Fc0Bx.5`j\cg;M_rU\7׬9$py:JN+߰q`W {~ˋ/'?=@5.Sj΍ko(j`Ov_ڳKۨ_~~Q}u`2fYӶ뿓$y3f1n9G,C$&Hm)0TC,®fOuswχxq}P"#Do<% Zk^YR+ȈzvbtτƌwFSj9椷 GgTG!RM`}Ũ Oj6j=!`5?Fn&)m'hzBRKo^;G'ܬDM \rGN݀{mQNa)~c,&gC3 YػZƒM)RӰp-|ri?NRUzFaAe2lV-TsZ.Wfg}搯jJEUq)7Nz'}ZpYXk:Rga^1wTҊj9y[{4Ⱥl@Kn链5g0YޯGV$(b؛ ~-=g5OOZAr|{\덆5{t']Lc BXsև5o4 z^KjL6"|tOs'po<|SPʕ=U+%=hpaـjcE~:tdK6ɍ1;"&s'؏pfS'"΀!,E||z['AU}H?Km1u+62sjDl//uh^f甜z~}C@;G}m!L<yS]\ h}1ax ~ANxl0W)΃ [z˘0[ !к|ŧtS!B|1[GB(W9Ĝ#M>SQo_|ySjJs";'pp\pr@KK*2&Bs8翛{__/{=&n%[ք ឰ 5" ,Sۈ( 0װÞ1; >{MR:nCcн(~||v.[/ T6CĊ1gGi>'_@1HܽIK|KET&}fA=`Aa~L­!~Rjs# h_F4`\Xg- .E.kq NpWYN&pj,ywF7`C'[EY|ob{LgA~v\b@Ԑ0(VIB uXRFB(s k$ 3ֆú~6 _F`p3W VjE)OBӁRs]j)q]]{mYVf/c[iBR. ?$-GF쌆=xɾe{$͈ɵ?ѝXF39^&9lIasta{} \MGݪ;ys5-<}_S}e |Q)Xl 5y9šw6u\ «.YN3U94dG0}4y8r|?}Rf}Y QJ/Nib?Ez eӲp:Пxq3/K_9r Χ65A^^Z+!zWU8iz67a\nq4ħiO\#4[E)iFPsFPkF%_/?j63ʻP(GN/o Z#(?Z_~ 9ΠחtrN+2ʡsQd^s/3^_~ O3l83,3{A3Y} π?2 ,?QF3?2O$P3(?(=s 9;..n~f /2޿23 # 埲O}}ʠ_e^eU%:Iʘ!g \8=Rfr ~)A_d_y*%qFy 3YY ~veX^dй\5ː2sܿw2~62A\u[u CFWT=k ϼdmOu^k8VҮ ۸/6h}0^ZE/ޤ\<̂\+gل@CX{#u+ Jݓs+z`~H\]Mb}+|UnE+tVOq&R2#s"qG\%[n3'Og6&y{D4k{HO8=R\z[G$Q=PW].6pqSn$9 5` 3}ҳExvY^]Yj7m!O>YlفGh ߊD,oy e%Hi0\=̨x7JnAm.= `/ϛ6{̧dA]eGӠ[Y"gB8#W@je2 Erһ1*<螩z(J# {0"u`-l>EM++J9wwrDa3="BQ]FTMVYI2ZYrF(RB4|;ӌW)57tSs&\ŠMCao/aKZö`ZG;o=n2djy }d)049Kh7m=ƾw<A[%Gcx-ȷ:g^=FY2&23U{:o\T "esM"o![57Lj1bPS*Wiɑtt[ '$}'r>t瑅ad~kf2te4uk~y^"0~."6|e @ k@SVNΞحB~ϙIqP}vm&Ĵ`Տ⣍A[=0&FFЯ"9݌S*aс(YH>Ոqd@(e6Lm (~%6,wdsSy=y FGg~ -}sO= 94Id`-_9 >⵮rN =citK >x8" "H "s{D|%ЄZsJdB2,'KYݻЄ2"n„HaCm5u;eԦE\kυwspT[ C/~ ?=V@U}C 1,[ԟ1P E]í)^xjA߮ed#ə W B8 ,* Ŋ]3IպWTlsmq퀗r4{ۭtϘHmgX|@ăHv!$KWp|"7ezLU"z̴uDaKN%%}YQ v|.yzhFʪv\JT~7)JҍHqp/>~ElC`A]^|eKB$u FOnC>X[e,s(ŬBSd=)O?5/G[nI\k<>aiЄΧYp멎m,U|JA1^<#&[zZ@c*1|ue|n4~Uf2{M[:o90kn>WQ$ L{yݟ 9@/7A{~ r@bn#O&\f\jӟL.ѮB@vbbqY;g;kMNlB pCQ*Ԯ^x9Na^|ۺ+AўXm|h[d% ^FH‡%!Ҷ\)Vbʥ.Sܟ=Ba҃fHEk,^zeXٻ PshՆG0^qKRl@swS a ٝ˶)E=b농 ѨpSTVD'^m'gymODmE>m+Ѝ5i!igNbkcٰ޳sW=?5z3lvf~wx:YʐLW\,,$[Z']Z!hXrE"ҁ )Q~)'mf fE1[Rjxϒ 19,O)xI1%h3l䣈mAb ?k[=),#wvRL xjeԷFdzUN\Z ^cdKX$֬ LE")ԛa&(z0~ s͹!׆! a+ecPOYVc.GfTzLǫ 52lt* X*!KŬ"D0H'Z:tsh;hsTHهl*~&/Yl{ۺЭTnxm/݉,{ޗg<|;XIx ~'c(FRqO\||8(>v/c3u㚗6~pxޒŠ6=EKB^i B";wl:񞞝?a(XEhw⍿#014[3ˬZY$I#[ob[b$- U.IM)V gqۙ g۰M*d.%rR +EiQ}*' ean%nǝl| n%96G\[ P_&['