What’s the Deal with IE7+?

So I've been wanting to do a post on this for a bit now. What's with that + at the end of IE7 in Vista? To answer this question, we're going to go deep!

Most people think of IE7 on XP and IE7 on Vista as the same browser, and most of the time that is true, but there is in fact a difference.

Security

Everyone knows that Vista is a more secure version of Windows, but what I'm interested in is explaining how. IE7+ is a good example. On Vista, IE7 runs in Protected Mode, which is built on a new Windows security feature called Mandatory Integrity Control (MIC). MIC assigns every process (through its access token) and every securable object (files, registry keys, named pipes and so on) an integrity level (IL). You can think of the IL as a classification of trust that is checked alongside the usual discretionary ACLs. There are four integrity levels you will normally see (each is represented by a well-known SID):

  1. Low (S-1-16-4096)
  2. Medium (S-1-16-8192)
  3. High (S-1-16-12288)
  4. System (S-1-16-16384)

Most user processes run at Medium IL; an elevated process (one that went through a UAC prompt) runs at High IL; System, as you might guess, is reserved for services and the OS itself. (There is also an Untrusted level below Low, which you will rarely see.) The one we're going to focus on, though, is Low IL. When you run IE7 on Vista, the default is Protected Mode, which means the iexplore.exe process that actually renders web pages runs with a Low IL token; a separate broker process (ieuser.exe) runs at Medium and performs the few things IE legitimately needs to do outside the sandbox, such as saving a download into your Documents folder. MIC's default policy is no-write-up: a process can read objects that carry a higher integrity label (the default object policy allows read-up), but it cannot write to them, and a companion mechanism, User Interface Privilege Isolation (UIPI), stops it from sending window messages to higher-IL windows. In practice a Low IL process cannot modify a Medium IL file, registry key or process, except through a few narrow, deliberately exposed channels. How does this help? A good portion of the attack vectors for malware come in the form of web browser based vulnerabilities. If the browser does get compromised, the attacker's code inherits that Low IL token, and its ability to affect the rest of your session (your profile, the registry keys that run programs at logon, other processes) is greatly limited.

Want to know an interesting tidbit? Firefox doesn't take advantage of ILs as of 3.0.3. As you can see in the screenshot above, Firefox is running at an IL of Medium. This means that, contrary to popular belief, when a Firefox vulnerability is exploited by malware, the payload has the capability to interact with pretty much the entire user context. Not good.

So a question that some IT guys might ask is: how do I run a process at a lower IL than Medium? Very easy actually!


Windows itself ships no command that launches an arbitrary application at Low IL, but Sysinternals PsExec can. Run it with the -l switch followed by the application, and the process starts with a limited token (the Administrators group is stripped) that on Vista is also labeled Low IL. You can confirm the result in Process Explorer, which has an Integrity column, or with `whoami /groups` from inside the new process, which lists the token's label as a pseudo-group such as Mandatory Label\Low Mandatory Level.
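Here is the no-write-up rule and the PsExec trick put together end to end, as an added example (this is my own script, not code from the original post, from Microsoft or from Sysinternals). It labels one file Low with icacls, then uses psexec -l to run a small batch script at Low IL that reports its own label and tries to write to a Medium IL file, to the relabelled file and into LocalLow. It assumes PowerShell on Vista or later, PsExec.exe on the PATH and an elevated prompt (PsExec installs its service even for local runs); the il-probe-* file names under %TEMP% are arbitrary.

```powershell
# Added example, not code from the original post. Assumes PsExec.exe is on the PATH,
# an elevated PowerShell session on Vista or later, and a %TEMP% path the demo may
# write to. The il-probe-* file names are arbitrary.

$script = Join-Path $env:TEMP 'il-probe.cmd'
$medium = Join-Path $env:TEMP 'il-probe-medium.txt'
$low    = Join-Path $env:TEMP 'il-probe-low.txt'

# Files created from a Medium (or elevated) session carry no explicit label, so
# they are implicitly Medium. Relabel one of them Low with icacls.
Set-Content -Path $medium -Value 'created at medium'
Set-Content -Path $low    -Value 'created at medium, then relabelled Low'
icacls $low /setintegritylevel Low | Out-Null

# The batch script is written at Medium but will be executed by a Low IL cmd.exe.
# Reading up is allowed by the default policy, so Low can run it; writing up is not.
@'
@echo off
echo --- token label of this process ---
whoami /groups | findstr /c:"Mandatory Label"
echo --- write to Medium IL file (expect Access is denied) ---
echo from-low >> "%~dp0il-probe-medium.txt" && echo WRITE OK || echo WRITE DENIED
echo --- write to file relabelled Low (expect success) ---
echo from-low >> "%~dp0il-probe-low.txt" && echo WRITE OK || echo WRITE DENIED
echo --- write into LocalLow, the Low-labelled folder Protected Mode IE uses ---
echo from-low >> "%USERPROFILE%\AppData\LocalLow\il-probe.txt" && echo WRITE OK || echo WRITE DENIED
'@ | Set-Content -Path $script -Encoding ASCII

Write-Host 'Label of this PowerShell session:'
whoami /groups | Select-String 'Mandatory Label'

Write-Host 'Running the probe at Low IL via PsExec -l:'
psexec -accepteula -l cmd.exe /c $script

# Show the explicit labels from the Medium side. The Medium file prints no
# Mandatory Label line at all: no explicit label means the implicit default.
icacls $medium
icacls $low

Remove-Item $script, $medium, $low -ErrorAction SilentlyContinue
```

The first write should fail with "Access is denied." even though the same user owns the file, because the check that blocks it is the mandatory label, not the DACL; the second succeeds only because icacls lowered the file's label, and the third succeeds because Vista pre-labels AppData\LocalLow as Low precisely so that Protected Mode IE has somewhere to persist its data.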

Want some more info on MIC and ILs? MSDN is a good start, and Mark Russinovich has a great post on using PsExec and security boundaries.