- This topic has 0 replies, 1 voice, and was last updated 5 years, 9 months ago by
.
-
Posts
-
-
The Microsoft Windows Server 2003 InternetExplorer Enhanced Security Configuration component (also known as
Microsoft InternetExplorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
restrictiveInternetExplorer security settings that disablescripts, ActiveX components,and file downloads for resources in the
Internet security zone. As a result, many of thesecurity enhancements included in thelatest release of InternetExplorer will
not beas noticeablein Windows Server 2003 Service Pack 1.For example, the new InternetExplorer Information Bar and
Pop-up Blocker features will not be used unless thesiteis in a zone whosesecurity setting allows scripting. If you are not
using theenhanced security configuration on your server, thesefeatures will function as they do in Windows XP Service
Pack 2.
What does Object Caching do?
In previous versions of Windows Server 2003 with InternetExplorer, some Web pages could access objects cached from
another Web site. In Windows Server 2003 Service Pack 1,a referenceto an object is no longer accessible when the user
navigates to a new domain.
Who does this feature apply to?
Web developers should review this featureand plan to adopt changes to their Web site.
Application developers should review this featureand plan to adopt changes in their applications.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
None.Existing functionality has been extended.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Security context is invalidated upon navigation to a different domain
Detailed description
For Windows Server 2003 Service Pack 1, thereis now a new security context on all scriptable objects so thataccess to cached
objects (except for ActiveX controls) is blocked. In addition to blocking access when navigating across domains,access is also
blocked when navigating within thesame domain. (In this context,a domain is defined as a fully qualified domain name, or
FQDN.) A referenceto an object is no longer accessibleafter thecontext has changed dueto navigation.
Why is this change important? What threats does it help mitigate?
Prior to InternetExplorer 5.5, navigations across HTML pages (or to subframes) purged instances of MSHTML, which is the
Microsoft HTML parsing and rendering engine.With theInternetExplorer 5.5 NativeFrames architecture,an instance of
MSHTML lives across navigations.This introduced a new class of vulnerabilities, because objects could becached across
navigations. If an object can becached and provideaccess to thecontents of a Web pagefrom another domain, thereis a
cross-domain hole.
Onceyou can get to properties on theinner document, script outside of a page’s domain can access thecontents of an inner
page.This is a violation of theInternetExplorer cross-domain security model.
For example,you can usethis method to createscripts that listen to events or content in another frame, such as credit card
numbers or other sensitive data that is typed in the other frame.
What works differently? Are there any dependencies?
In thosefew classes that don’talready havethem, four more bytes areadded for thecached markup.Thereshould be no
noticeableimpact on speed.
How do I resolve these issues?
For most of theseclasses of vulnerabilities, InternetExplorer 5 would havecrashed, so theapplication compatibility risk of
resolving theexploit should besmall. Other applications might need to beaddressed on a case by case basis.
What settings are added or changed in Windows Server 2003 Service Pack 1?
InternetExplorer Object Caching
Setting
name
Location Previous
default
value
Default
value
Possible
values
IExplore.exe
Explorer.exe
HKEY_LOCAL_MACHINE (or Current User)\Software\Microsoft \Internet
Explorer\Main \FeatureControl \FEATURE_OBJECT_CACHING
None 1 0 – Off
1 – On
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
If your application is attempting to usea cached object,you mightencounter Access Denied errors. In this instanceyou must
recachethe object beforeyou access it using a script.
In thefollowing example, thesecurity context is invalidated when the designMode property is set on a document object.
Broken scriptexample
var d = myFrame.document;
d.designMode = “On”;
d.open(); <-------------------------causes permission denied error Fixed scriptexample var d = myFrame.document; d.designMode = "On"; d = myFrame.document; // re-establish pointer to document object. d.open(); Also, when you comparethevalues of thetwo frame.frames properties of an object, theresults may beincorrect, or thevalues may not beretained.This is becausetheframes object is now wrapped with a security wrapper.When the object caching featureis enabled, this security wrapper is applied.Therefore,access to all cached objects is blocked.This can causetheframes object comparison to return falseeven though theframes areequal.To resolvethis problem,you can usethefollowing method to comparethevalue of theframes: a.name == parent.frames[1].frames.name
-
- You must be logged in to reply to this topic.