Finding Security Compatibility Issues in Internet Explorer 7

Tariq Sharif
Microsoft Corporation

January 31, 2006

Introduction

Internet Explorer 7 (IE7) on Windows Vista, Windows XP Service Pack 2, and Windows Server 2003 Service Pack 1 introduces many new security features, some of which can break existing Web applications and sites. Application compatibility logging in IE7 is designed to help IT professionals evaluate changes in the behavior of Web applications and Web sites caused by these security features and to test for compatibility before upgrading to IE7. Microsoft plans to release an official toolkit for finding compatibility issues; a pre-release version is expected during the second quarter of 2006. In the meantime, a temporary toolkit lets developers and IT professionals begin testing application compatibility with IE7: when an IE7 security feature blocks content, the toolkit shows why the content was blocked. The temporary toolkit is for temporary use only and will stop working when the pre-release toolkit ships.

What Gets Logged?

Several kinds of events are written to the Windows Event Viewer when application compatibility logging is active. This section describes the compatibility items that are logged and the information recorded for each item.

URL Parsing

To help stop exploits that rely on fooling IE with a malformed URL, IE7 parses each URL and checks that it conforms to RFC guidelines. IE7 logs URL information in the following two situations.

  1. When URL construction fails because the URL entered (or the URL the browser is being asked to navigate to) does not conform to RFC guidelines. In such failures, IE logs the following information.

    • The URL that failed to be created.
    • The reason the URL creation failed.

    The following are the reasons a URL creation might fail (the corresponding HRESULT names are given for reference):

    • 0x800c000e (INET_E_SECURITY_PROBLEM) - The URL failed security validation.
    • 0x800c0002 (INET_E_INVALID_URL) - The URL is syntactically invalid.
    • 0x8007007b (HRESULT_FROM_WIN32(ERROR_INVALID_NAME)) - The host name is invalid according to IDN rules.
    • 0x80070057 (E_INVALIDARG) - The URL is invalid.
    • 0x8007000e (E_OUTOFMEMORY) - There isn't enough memory to process the URL.
  2. When a URL created or parsed by IE7 differs from what IE6 would have produced, both versions of the URL are logged.

HTTPS Security Improvements

IE7 logs an entry when it encounters a problem with a Web site's certificate. The entry records the URL whose certificate had a problem and the kind of problem encountered.

The following are the certificate problems IE7 logs (the WinINet error names are given for reference). Note that 12057 is a failure to complete the revocation check, for example because the CRL or OCSP responder could not be reached; it does not mean the certificate is revoked, which is 12170.

  • 12037 (ERROR_INTERNET_SEC_CERT_DATE_INVALID) - Certificate date is invalid.
  • 12038 (ERROR_INTERNET_SEC_CERT_CN_INVALID) - Certificate is invalid, name and domain mismatch.
  • 12045 (ERROR_INTERNET_INVALID_CA) - Certificate authority is invalid.
  • 12055 (ERROR_INTERNET_SEC_CERT_ERRORS) - Any combination of the three errors above.
  • 12057 (ERROR_INTERNET_SEC_CERT_REV_FAILED) - Failed to do revocation check.
  • 12170 (ERROR_INTERNET_SEC_CERT_REVOKED) - Certificate is revoked.

For more information, please see HTTPS Security Improvements in Internet Explorer 7.
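Before an upgrade, an IT professional will want to know which of these conditions their own sites would trigger. The following PowerShell is an added example, not part of the article or of Microsoft's toolkit: it connects to a site with .NET's SslStream, captures the validation result, and maps it onto the codes listed above. It targets Windows PowerShell 5.1 or later. The function names, the choice of which X509ChainStatusFlags correspond to each code, and the constructed sample inputs at the end are this example's own assumptions.

```powershell
using namespace System.Net.Security
using namespace System.Security.Cryptography.X509Certificates

# Added example; not from the original article or Microsoft's toolkit.
# Maps the certificate problems .NET reports for a TLS endpoint onto the
# codes IE7 logs: 12037 date, 12038 name mismatch, 12045 untrusted CA,
# 12055 any combination of those three, 12057 revocation check failed,
# 12170 revoked. Which chain-status flags map to which code is this
# example's own assumption, chosen to match the article's descriptions.

function ConvertTo-IE7CertErrorCode {
    param(
        [SslPolicyErrors]$PolicyErrors = [SslPolicyErrors]::None,
        [X509ChainStatusFlags]$ChainStatus = [X509ChainStatusFlags]::NoError
    )
    # Test the flags as integers so each check yields 0 / non-zero.
    $p = [int]$PolicyErrors
    $c = [int]$ChainStatus
    $codes = New-Object System.Collections.Generic.List[int]

    if ($c -band [int][X509ChainStatusFlags]::NotTimeValid) { $codes.Add(12037) }
    if ($p -band [int][SslPolicyErrors]::RemoteCertificateNameMismatch) { $codes.Add(12038) }
    if ($c -band ([int][X509ChainStatusFlags]::UntrustedRoot -bor [int][X509ChainStatusFlags]::PartialChain)) { $codes.Add(12045) }
    if ($c -band ([int][X509ChainStatusFlags]::RevocationStatusUnknown -bor [int][X509ChainStatusFlags]::OfflineRevocation)) { $codes.Add(12057) }
    if ($c -band [int][X509ChainStatusFlags]::Revoked) { $codes.Add(12170) }

    # 12055 covers any combination of the date, name and CA problems.
    $top3 = @($codes | Where-Object { $_ -in @(12037, 12038, 12045) })
    if ($top3.Count -gt 1) { $codes.Add(12055) }
    return ,$codes
}

function Test-SiteCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    # The callback records what validation found and accepts the connection
    # anyway: the point is to observe the errors, not to trust the server.
    $seen = @{ Policy = [SslPolicyErrors]::None; Chain = [X509ChainStatusFlags]::NoError }
    $record = {
        param($sender, $certificate, $chain, $errors)
        $seen.Policy = $errors
        foreach ($status in $chain.ChainStatus) { $seen.Chain = $seen.Chain -bor $status.Status }
        return $true
    }.GetNewClosure()
    $callback = [RemoteCertificateValidationCallback]$record

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [SslStream]::new($client.GetStream(), $false, $callback)
        # Last argument enables revocation checking so the 12057/12170 conditions surface.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
    ConvertTo-IE7CertErrorCode -PolicyErrors $seen.Policy -ChainStatus $seen.Chain
}

# Offline check with constructed inputs: an expired certificate presented by a
# host whose name does not match the certificate.
ConvertTo-IE7CertErrorCode -PolicyErrors 'RemoteCertificateNameMismatch, RemoteCertificateChainErrors' -ChainStatus NotTimeValid

# Live check against a site being prepared for the IE7 upgrade (needs network access):
# Test-SiteCertificate -HostName www.example.com
```

The callback deliberately returns $true so that the handshake completes and every problem is observed at once; never reuse that callback in code that actually relies on the connection. Revocation checking is turned on explicitly because SslStream skips it by default, which would hide exactly the 12057 and 12170 cases.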

Internationalized Domain Naming

IE7 supports internationalized domain names (IDN). IE logs an entry each time it converts a domain name to its Punycode form, and the entry records the converted hostname. For more information, see Internationalized Domain Naming Support in Internet Explorer 7.

Cross-Domain Barrier - Script URL Blocking

IE7 invests heavily in blocking cross-domain script execution. IE7 blocks a script URL (a javascript: or vbscript: URL) when it detects a threat. When a script URL is blocked, IE7 logs both the URL of the page that invoked the script URL and the script URL itself. An entry is logged if any one of the following is true:

  1. There is no target window on which to execute the script.
  2. The target window is not an HTML window.
  3. There is no context associated with the script URL, so IE does not know where the script URL originated.
  4. The script URL is too long.
  5. Scripts are prohibited by the security settings in effect.
  6. A cross-domain access involving a script URL is blocked.

Cross-Domain Barrier - Redirect Mitigation

IE7 blocks a redirected navigation initiated through DOM objects when it presents a risk of cross-domain exploitation. When a redirected navigation is blocked, IE7 logs the URL that was blocked.

ActiveX Opt-In

To reduce the attack surface that ActiveX controls expose in Internet Explorer, a user must opt in the first time a given ActiveX control is used. IE writes an entry to the Windows Event Viewer when an ActiveX control is blocked pending the user's approval. The entry contains the following information, along with the URL of the page on which the control was blocked.

  • GUID (CLSID) of the ActiveX control that was blocked.
  • Publisher of the ActiveX control.
  • Name of the ActiveX control.
  • Reason why it was blocked.

If a control is blocked, the reason will be set to one of the following codes:

  • 0 - Control was blocked for an unknown reason
  • 1 - Control was blocked because it has not been used before
  • 2 - Control was blocked because it is not safe for scripting

For more information, see ActiveX Security: Improvements and Best Practices.

Cross-Domain Frame Navigations

As of version 7, IE blocks a navigation when one window or frame tries to navigate another frame that it does not have access to. When such a navigation is blocked, IE logs the following information:

  • Source URL - The URL of the page that was trying to navigate another frame.
  • Target URL - The URL of the target frame.
  • Target Frame Name - The name of the frame that was being targeted for navigation and was canceled.

CSS Fixes

IE7 offers a much-improved rendering engine due to fixes for several major CSS issues that developers had been forced to work around with various hacks. IE7 eliminates the need for many of those workarounds and, consequently, any site that still employs one might experience rendering or layout issues. To help developers find these sites and their workarounds, IE7 logs an entry whenever it encounters a workaround that the improvements in IE7 have made unnecessary. The following list shows the workarounds IE7 detects: the code logged, the filter it identifies, and the value recorded with the entry.

  • 0 (Star Filter, the "* html" selector hack) - Selector String
  • 1 (Strict Comment Filter) - Property Name
  • 2 (Underscore Filter, properties prefixed with an underscore) - Property Name

For more information, see Cascading Style Sheet Compatibility in Internet Explorer 7.

Phishing Filter

For user protection, IE7 introduces a feature called "Phishing Filter." Phishing Filter can block a Web site if the site has been reported as a phishing site, or it can warn users about a site that has characteristics common to phishing Web sites. IE7 logs whether a Web site was reported or suspected as a phishing Web site. If you find that your Web sites are flagged incorrectly as phishing sites, you can use the Tools menu to report that your site is not a phishing Web site. The following codes are logged by Phishing Filter:

  • 0 - Reported phishing site.
  • 1 - Suspected phishing site.

Protected Mode

On Windows Vista, IE7 runs in Protected Mode at a lower integrity level to protect users against a variety of attacks. Protected Mode IE restricts writes to the registry and the file system. IE7 logs information when a write access has been denied or has been virtualized (redirected) to a different location. A Protected Mode log entry contains the following fields.

  • ModuleName is the file name of the process that attempted to access the securable object.

  • VirtualizationAction indicates the result of the write operation and is one of the following values.

    • InterceptedWrite indicates that the operation was intercepted by the Compatibility Layer.

    • WriteIgnored indicates that the operation was ignored by ProtectedMode because the attempting process is an elevated broker.

    • CreateVirtualCopy indicates that the Compatibility Layer made a copy of the object in the virtual location.

    • CreateNew indicates that the Compatibility Layer created a new object in the virtual location.

  • ObjectType is either File or Registry.

  • APIName specifies the function attempting the operation, for example CreateFile or RegOpenKey.

  • ReqObjectPath is the location of the object the operation attempted to modify. This is blank for objects that do not have paths.

  • When write operations succeed, NewObjectPath specifies the object that was modified by the operation.

  • APIResult indicates the result returned by the API function attempting the write operation.

  • LastError is the last error received by an API function.

For more information, see Understanding and Working in Protected Mode Internet Explorer.

How to Use the Application Compatibility Toolkit

The toolkit displays an entry whenever IE7 writes any of the log entries described above.

To enable logging, click on the "Enable Logging" button.

The Enable Logging button

After you enable logging, you must start a new IE process before entries are logged. You can filter which security features' entries are shown: enable or disable reading the log entries of individual features by checking and un-checking the check boxes at the bottom of the tool.

Compatibility Logging Options

Once logging is enabled and a security feature triggers, an entry is added to the list view with some relevant information. You can click each entry and find more information in the "More Details" section of the tool. The following figure shows the entry view.

Compatibility Log Entries

The "Log Reason" field displays why the entry was generated. The Date/Time field gives the time the entry was created, and the URL field contains the URL of the page that had something blocked. The "More Details" section explains why something was blocked and can be mapped back to an error code using the tables above. The following graphic shows how those fields look in the tool.

Compatibility Log Details

Once you are done looking at the logs you should disable logging by clicking on the Disable Logging button.

While the techniques in this article are designed for use with Internet Explorer 7, application compatibility logging was first introduced as a security improvement to Internet Explorer 6 running under Microsoft Windows XP Service Pack 2 (SP2). For more information, see Understanding Security in Microsoft Internet Explorer 6 in Windows XP SP2.

Downloading the Temporary Application Compatibility Toolkit

A temporary application compatibility toolkit is available for download; please note that because it is a temporary toolkit, it will stop working after May 1, 2006. The official Microsoft Application Compatibility Toolkit is expected during the second quarter of 2006.

Enabling Application Compatibility Logging

IE7 does not enable compatibility logging by default. The setting that turns logging on is behind a feature control key. Logging can be turned on per user (under HKEY_CURRENT_USER), per machine (under HKEY_LOCAL_MACHINE), or through Group Policy. IE feature control keys live under Software\Microsoft\Internet Explorer\Main\FeatureControl. For example, to turn logging on for the current user, set the following registry value; because feature controls are read when iexplore.exe starts, only IE processes launched after the change pick it up.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_Logging
  iexplore.exe = (DWORD) 1
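As an added example (not part of the article or of Microsoft's toolkit), the following PowerShell sets and clears that value for the current user or, with -Machine, for the whole machine, and reads it back so you can confirm what IE will see. The function name is this example's own; the key path is the standard Internet Feature Controls location under HKCU or HKLM.

```powershell
# Added example; not from the original article or Microsoft's toolkit.
# Enables or disables IE7 application compatibility logging through the
# Feature_Enable_Compat_Logging feature control key. Feature controls are
# read when iexplore.exe starts, so only IE processes launched after the
# change pick it up.

function Set-IE7CompatLogging {
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [switch]$Machine,                  # write HKLM (all users) instead of HKCU; needs an elevated prompt
        [string]$Process = 'iexplore.exe'  # the value name is the process the feature control applies to
    )

    $hive = if ($Machine) { 'HKLM:' } else { 'HKCU:' }
    # Caveat: on 64-bit Windows the 32-bit iexplore.exe reads the HKLM key through the
    # SOFTWARE\Wow6432Node view, so a machine-wide setting may need to be written there as well.
    $key = Join-Path $hive 'SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_Logging'

    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    $value = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $key -Name $Process -Value $value -PropertyType DWord -Force | Out-Null

    # Read the value back so the caller can confirm the state IE will observe.
    $current = (Get-ItemProperty -Path $key -Name $Process).$Process
    [pscustomobject]@{
        Key     = $key
        Process = $Process
        Value   = $current
        Enabled = ($current -eq 1)
    }
}

# Turn logging on for the current user before a test session ...
Set-IE7CompatLogging -Enabled $true
# ... and off again afterwards, as the article recommends.
Set-IE7CompatLogging -Enabled $false
```

Writing 0 rather than deleting the value leaves an explicit record of the setting, which is easier to audit across a fleet than an absent key; delete the key instead if you want the machine returned to its pristine state.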

Tariq Sharif is a program manager on the Internet Explorer team.