Monday, September 17, 2012

Internet Explorer Protected Mode in Windows 8

Microsoft introduced Protected Mode in Internet Explorer with Windows Vista in 2006. With Windows 8, Microsoft added Enhanced Protected Mode. Protected Mode aims to keep users safe by restricting what BHOs (Browser Helper Objects, aka browser extensions) and plugins can do inside Internet Explorer.

Protected Mode enabled by default in IE 9


Protected Mode

Before I talk about the changes made in Windows 8, let me explain what Protected Mode does in Internet Explorer versions 7 through 9, especially when it comes to browser extensions. Internet Explorer, along with any extensions and plugins, runs at low integrity. This means that they have limited access to the system: restricted read/write access to the file system and the registry, and a limited ability to run executables.

Limitations

Internet Explorer extensions have write access to /AppData/LocalLow and a few folders used by Internet Explorer to store cookies and favorites. Any untrusted application can write to LocalLow without triggering any User Account Control (UAC) violations, including applications deployed with ClickOnce. Zscaler Safe Shopping for Internet Explorer, for example, creates a sub-directory in LocalLow to store the list of fake stores.

Extensions can only run executables that have low integrity. Windows applications have medium integrity, which means that Internet Explorer cannot run any application without explicit permission from the user (UAC popup). An extension can therefore only launch an application at low integrity, which means that it will have limited system access.

Write access to the registry is also limited. An extension can write to the registry only under HKEY_CURRENT_USER\Software\AppDataLow\Software.

Read access

Protected Mode does, however, give read access to the entire file system. A malicious extension could therefore upload all your important files under My Documents to a malicious server, for example.

Integrity elevation

It is possible to run an executable of a higher integrity by setting up an Integrity Elevation Policy. Basically, an entry is added to the registry to specify which executable should be run by a low integrity process at a higher integrity, without raising a UAC popup. This entry has to be added as an Administrator. It cannot be added from within Internet Explorer.
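One way to audit these entries, as an added example that is not from the original post: the script parses a `reg export` of the elevation policy key, lists entries that launch at medium integrity without a prompt, and marks those whose path sits in a user-writable location. The key path and the value names AppName, AppPath and Policy come from Microsoft's Protected Mode documentation rather than this page; the sample export and the list of user-writable prefixes are constructed assumptions.

```python
import re

# Registry key and value names (AppName, AppPath, Policy) follow Microsoft's
# Protected Mode documentation; the page itself does not name them.
POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy"
SILENT_MEDIUM = 3  # Policy: 0 blocked, 1 silent at low, 2 prompt, 3 silent at medium
# Assumed prefixes a standard user can usually write to; tune for your fleet.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "%appdata%", "%temp%")

# Constructed sample in `reg export` format; GUIDs, names and paths are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-111111111111}]
"AppName"="updater.exe"
"AppPath"="C:\\Program Files\\ExampleVendor"
"Policy"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22222222-2222-2222-2222-222222222222}]
"AppName"="helper.exe"
"AppPath"="C:\\Users\\alice\\AppData\\Local\\ExampleTool"
"Policy"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{33333333-3333-3333-3333-333333333333}]
"AppName"="viewer.exe"
"AppPath"="C:\\Program Files\\ExampleViewer"
"Policy"=dword:00000002
'''

def parse_policies(reg_text):
    """Return one dict per ElevationPolicy subkey found in a .reg export."""
    entries, current = [], None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):
            key, current = line.strip("[]"), None
            if key.upper().startswith(POLICY_ROOT.upper() + "\\"):
                current = {"guid": key.rsplit("\\", 1)[1]}
                entries.append(current)
        elif current is not None:
            m = re.match(r'"(\w+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, text = m.groups()
                current[name] = int(dword, 16) if dword else text.replace("\\\\", "\\")
    return entries

def audit(reg_text):
    """List (guid, AppName, user_writable) for entries that elevate with no UAC prompt."""
    findings = []
    for e in parse_policies(reg_text):
        if e.get("Policy") == SILENT_MEDIUM:
            path = e.get("AppPath", "").lower().rstrip("\\") + "\\"
            findings.append((e["guid"], e.get("AppName"), path.startswith(USER_WRITABLE)))
    return findings
```

An entry with the third field set to True deserves the closest review, since a standard user could replace the binary that Internet Explorer will launch at medium integrity.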

Windows 8

Windows 8 introduces Enhanced Protected Mode to fill some of the security gaps of the current Protected Mode. The most important change is a limit on read access. Read access to the file system and registry is more restricted. Unfortunately, this new Protected Mode breaks many existing plugins. Microsoft has therefore decided to turn off Enhanced Protected Mode for Internet Explorer by default. So, by default, Windows 8 and Internet Explorer 10 do not offer any additional protection against data leakage by malicious browser extensions.

The most important takeaway from this is that Protected Mode still lets all extensions read the entire file system, and arbitrary applications can be launched silently.
