So I've been wanting to do a post on this for a bit now. What’s with that + at the end of IE7 in Vista? To answer this question, we’re going to go deep!
Most people think IE7 on XP and IE7 on Vista are the same, and while that is mostly the case, there is in fact a difference.
Everyone knows that Vista is a more secure version of Windows, but what I’m interested in is explaining how. IE7+ is a good example. Vista introduces Protected Mode, which takes advantage of a new Windows security feature called Mandatory Integrity Control (MIC). Under MIC, every object running within the context of a local session carries an integrity classification; you can think of it as a classification of trust. There are four basic integrity levels (ILs): Low, Medium, High and System.
Most user processes run with a Medium IL, and an elevated process runs with a High IL. System, as you might guess, is reserved for those special system functions. The one we’re going to be focusing on, though, is the Low IL. When you run IE7 on Vista it defaults to Protected Mode, which means the actual IE processes run with an IL of Low. Processes cannot cross the barrier between different ILs (except through a few very limited, secured API calls). For example, a process with a Low IL cannot interact with a process with a Medium IL.
How does this help? Well, a good portion of the attack vectors for malware come in the form of web browser based vulnerabilities. If the browser does get compromised, its ability to affect other processes is greatly limited.
Want to know an interesting tidbit? Firefox doesn’t take advantage of ILs as of 3.0.3. As you can see in the screenshot above, Firefox is running at an IL of Medium. This means that, contrary to popular belief, when a Firefox vulnerability is exploited by malware, the malware has the capability to interact with pretty much the entire user context. Not good.
So a question that some IT guys might ask is: how do I run a process with a lower IL than Medium? Very easy, actually!
Although you can’t run an application at Low IL with the standard Windows tools, SysInternals has a tool called PsExec. Run it with the -l flag followed by the application, and the application will start in a lower IL context.
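To make the IL barrier described above and the PsExec step concrete, here is an added PowerShell example; it is not code from the original post or from SysInternals. It reads the current process's integrity level from the mandatory label that `whoami /groups` prints, probes whether the process can write into two user-profile folders (Documents, which carries the default Medium label, and AppData\LocalLow, which is explicitly labelled Low), and wraps the `psexec -l` launch. It assumes Vista or later, that `whoami.exe` and `psexec.exe` are on the PATH, and that you save it under the assumed name `Show-IntegrityLevel.ps1`.

```powershell
# Added example, not code from the original post or from SysInternals.
# Assumes Windows Vista or later (MIC present), whoami.exe on PATH, and
# Sysinternals psexec.exe on PATH. Script name Show-IntegrityLevel.ps1 is assumed.

# The four levels the post describes, keyed by their well-known mandatory label SIDs (S-1-16-<RID>).
$IntegrityLevels = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

function Get-CurrentIntegrityLevel {
    # whoami /groups lists every group in the process token, including the mandatory label
    # (the row whose Type column is "Label"). CSV output makes the parsing robust.
    $label = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.Type -eq 'Label' }
    if (-not $label) { return 'Unknown (token carries no mandatory label)' }
    if ($IntegrityLevels.ContainsKey($label.SID)) { return $IntegrityLevels[$label.SID] }
    return "Other ($($label.SID))"   # e.g. Untrusted, S-1-16-0
}

function Test-WriteAccess {
    # Try to create and delete a probe file. A Low IL process is denied on objects that carry
    # the default Medium label (most of the user profile) but succeeds under LocalLow, which is
    # explicitly labelled Low. This is the "no write up" half of the barrier the post describes.
    param([Parameter(Mandatory)][string]$Directory)
    $probe = Join-Path $Directory ("il-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Start-LowIntegrityProcess {
    # Wraps the PsExec invocation the post describes. -l runs the target as a limited user and,
    # on Vista and later, assigns it a Low IL; -d returns without waiting for it to exit.
    param([Parameter(Mandatory)][string]$Path)
    & psexec -accepteula -l -d $Path
}

# Report on the current process. Run this script once normally and once via
#   psexec -accepteula -l powershell.exe -ExecutionPolicy Bypass -File .\Show-IntegrityLevel.ps1
# to see the IL change from Medium to Low and the Documents write test flip from True to False.
"Integrity level        : $(Get-CurrentIntegrityLevel)"
"Can write to Documents : $(Test-WriteAccess (Join-Path $env:USERPROFILE 'Documents'))"
"Can write to LocalLow  : $(Test-WriteAccess (Join-Path $env:USERPROFILE 'AppData\LocalLow'))"
```

The write probe is what makes the barrier visible: a Low IL PowerShell launched through `psexec -l` still reports the same user name, but it can no longer create files next to the user's documents, which is exactly the containment Protected Mode relies on when an IE7+ process is compromised. Process Explorer's Integrity column shows the same information for every running process, so it is a quick way to spot a browser (like the Firefox 3.0.3 case above) that is still running at Medium.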