Flash Player 9 Update

Congratulations Adobe Flash team on shipping the Flash Player 9 update on Tuesday!

This Flash update serves as a model implementation for how browser extensions can work with Protected Mode to keep users safe.

As most of you already know, on Windows Vista, IE7 includes a special feature called Protected Mode where the IE process runs with low privileges. This helps IE significantly reduce the ability of an attack to write, alter or destroy data on the user's machine or to install malicious code. These defenses also limit legitimate actions like saving browser settings, which is why Protected Mode includes broker processes to handle IE’s elevated actions. Similarly, yesterday’s Flash update includes a broker process to handle Flash’s specific elevated actions.

Broker processes are the best way to safely handle elevated actions because they’re built to help contain an attack in the low privilege process. When developing a broker process for your extension, you should always assume that your extension is running in a compromised process. This means you should design your broker as if calls coming from your extension may be hijacked. You can safely handle hijacked calls by validating all input and by asking the user to make a trust decision in UI appropriate scenarios. For example, the IEUser.exe broker launches the Internet Options dialog when it gets a known call from Protected Mode. This prevents the Protected Mode process from silently changing the user’s browser settings such as the homepage or security slider.
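The broker-side checks described above, as an added example (a platform-neutral Python sketch, not code from the IE or Flash teams). The operation names, limits, allowlists and the `ask_user` callback are assumptions made for the illustration.

```python
import ntpath
import re
from urllib.parse import urlsplit

# All limits and allowlists below are assumed values for the illustration.
MAX_BYTES = 1 << 20
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")
SAFE_EXT = {".txt", ".png"}
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{i}" for p in ("COM", "LPT") for i in range(1, 10)}

def check_save(req):
    name, data = req.get("name"), req.get("data")
    if not isinstance(name, str) or not isinstance(data, bytes):
        raise ValueError("wrong field types")
    if len(data) > MAX_BYTES:
        raise ValueError("payload too large")
    # Leaf name only: the broker, not the caller, chooses the folder.
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("unsafe file name")
    stem, ext = ntpath.splitext(name)
    if ext.lower() not in SAFE_EXT or stem.split(".")[0].upper() in RESERVED:
        raise ValueError("disallowed name or extension")
    return f"Save {len(data)} bytes as '{name}'?", ("save", name, data)

def check_homepage(req):
    url = req.get("url")
    if not isinstance(url, str) or len(url) > 2048 or not url.isprintable():
        raise ValueError("bad url")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) home pages")
    return f"Change home page to {url}?", ("homepage", url)

HANDLERS = {"save_file": check_save, "set_homepage": check_homepage}

def handle(req, ask_user):
    """Broker entry point; `req` is attacker-controlled, `ask_user` is the broker's own prompt."""
    op = req.get("op") if isinstance(req, dict) else None
    checker = HANDLERS.get(op) if isinstance(op, str) else None
    if checker is None:
        return ("rejected", "unknown operation")
    try:
        prompt, action = checker(req)
    except ValueError as err:
        return ("rejected", str(err))
    if not ask_user(prompt):  # trust decision happens in broker-owned UI
        return ("denied", prompt)
    return ("approved", action)
```

The broker returns the approved action instead of performing it so the checks can be exercised without touching the file system or settings.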

Although most extensions are fully functional when running in Protected Mode’s low privilege process, some of these extensions work only because Protected Mode’s compatibility layer redirects file and registry writes to a virtual store. We created the compatibility layer to get previously released extensions working. If you haven’t already done so, now is a good time to update your extensions to work with Protected Mode.

Many thanks to the Adobe team for their close partnership and hard work in getting a Windows Vista-ready Flash Player 9 out.

Marc Silbey
Program Manager

Comments

  • Anonymous
    November 17, 2006
    I would like to add that this update also fixes problems with playing multiple http://www.youtube.com videos in multiple tabs or watching a http://video.google.com video full screen in IE7 on all platforms including Windows XP SP2 and Vista. Thanks Paul and team for the quick response!
    Scott Graff
    Program Manager - Microsoft

  • Anonymous
    November 17, 2006
    Bogus, as usual. Protected mode only applies to standalone IE, not the web browser control.

  • Anonymous
    November 17, 2006
    @Mike read this http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp and keep your mouth closed!

  • Anonymous
    November 18, 2006
    But does this update support 64-bit Internet Explorer?

  • Anonymous
    November 18, 2006
    Hm, many *.swf files still drop a page error when loaded natively...

  • Anonymous
    November 18, 2006
    Protected mode does not work if you turn off one of the most annoying things in Vista - UAC

  • Anonymous
    November 18, 2006
    @KevTech UAC is the best Windows Vista feature. Only stupid people like you want to disable it.

  • Anonymous
    November 20, 2006
    I guess Garyk hates Youtube as well...

  • Anonymous
    November 20, 2006
    KevTech: You can change security policy so that UAC is still on and you get virtualization etc. but no nagging prompts. Change "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Elevate without prompting".

  • Anonymous
    November 20, 2006
    David and James S.

    I understand your concerns about broker processes and I also want all broker processes to be securely built so they help protect users. Brokers allow us to componentize our code and only allow code that needs higher privileges to get it. For example, Protected Mode does include a few APIs like IEShowSaveFileDialog() that call the IEUser.exe broker process. This API allows browser extensions to save files to the user profile without creating their own broker processes.

    Similar to why applications running in UAC will create broker processes to gain admin privileges, some browser extensions will need to write their own broker processes to gain user or admin privileges. Windows Update is a good example of a browser extension that needed to create a custom broker process to download and install software from the web.

    You can read more on broker processes in the UAC tech article here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

    End users can control whether a broker is launched through Protected Mode’s elevation dialog displayed here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp

  • Anonymous
    November 21, 2006
    @David, yeah, count me in as one for "scared". This has (typically in the past) often been the issue... if you provide (process/application/site/?) higher privileges you then have to adjust your security defenses, to prepare for new attack vectors on the things with the higher privileges. oh well, time will tell.

  • Anonymous
    November 21, 2006
    I wonder whether Internet Explorer Developer Toolbar will ever be updated. It is in "beta preview" state from March...

  • Anonymous
    November 21, 2006
    rc, We are working on an update to the Developer toolbar and hope to make it available in the coming weeks. We have not forgotten it :) Thanks -Dave Massy [MSFT]

  • Anonymous
    November 21, 2006
    Is it expected behaviour that I had to click "allow" about 20 times while installing it onto 64-bit Vista Ultimate?

  • Anonymous
    November 21, 2006
    Hi, I made a review of both new versions of IE and Firefox today, could anybody give me feedback on that?

  • Anonymous
    November 23, 2006
    If Dr. Nic (Rivera?*) posted this article: http://drnicwilliams.com/2006/11/22/debugging-javascript-in-ie7-how-to-clear-your-javascript-cache/ about how the "delete files" options in IE7 doesn't actually delete cached JavaScript?... is this true?... if so, what happened to "Delete Browsing History" solving all my "gift" giving dilemmas? PS Still waiting on the bug tracking site... PS Still waiting on the bug tracking site... PS Still waiting on the bug tracking site...

    * Any Simpson's fan will recall our favorite ethically and intelligence challenged doctor. ;-)

  • Anonymous
    November 24, 2006
    Fduch, Seeing as that page consists of XHTML served as text/html, and there is no specification for how user agents should handle such markup save by copying the error handling of other user agents, and seeing further that it fails to even conform to the XHTML specification (31 validation errors, for example), I'd suggest you need to get those responsible to correct the markup /before/ blaming IE. Of course, it might still be slow after they fix the markup, but until that happens you don't know whose fault it is.

  • Anonymous
    November 25, 2006
    Seriously, please fix this issue of IE stealing focus already. It's unnecessary and annoying.

  • Anonymous
    November 26, 2006
    "PS Still waiting on the bug tracking site..." -steve_web If I read one of the previous chat transcripts correctly the bug tracker is down while they analyze the current listing to amalgamate similar bugs and prioritize critical updates. Once the planning stage is ready to begin for the next IE iteration the bug tracker will be re-enabled. My advice? Keep all found issues in a log with dates and when the bug tracker is active then submit all at once. Submitting them on the blog isn't doing any good because they will be lost as time passes.

  • Anonymous
    November 26, 2006
    Tony "the bug tracker is down while they analyze the current listing to amalgamate similar bugs and prioritize critical updates." Rival projects seem to manage to mark duplicates and prioritize bugs without taking down their bug trackers. I grant you Connect may make even basic tasks more hassle than Bugzilla, but it wasn't /that/ bad, surely? "Keep all found issues in a log with dates and when the bug tracker is active then submit all at once." Or perhaps add them to: http://easy-designs.stikipad.com/ie-next-wishlist which is backed by the Web Standards Project: http://www.webstandards.org/2006/11/04/you-can-improve-ie-next/

  • Anonymous
    November 26, 2006
    IE7 seems to freeze on me a lot, same problem like in the beta. Firefox works well. They both have their issues

  • Anonymous
    November 26, 2006
    @Benjamin Hawkes-Lewis My only question: Why IE6 works normal/fast on that page and IE7 eats all CPU cycles? I like innovations of IE7, but I see too many degradations from IE6.

  • Anonymous
    November 27, 2006
    @Benjamin Hawkes-Lewis Why not use the Microsoft backed Wiki? http://channel9.msdn.com/wiki/default.aspx/Channel9.InternetExplorerProgrammingBugs

  • Anonymous
    November 27, 2006
    I love how this page zooms out. http://jehiah.com/archive/ie-vertical-align-top-vulnerability When I saw even underlines break, I LOLed

  • Anonymous
    November 27, 2006
    @Aedrin How can you say IE has no bugs if you saw that wiki?

  • Anonymous
    November 27, 2006
    Fduch, "My only question: Why IE6 works normal/fast on that page and IE7 eats all CPU cycles?" I don't know. Maybe Internet Explorer 6's error handling happens to be better for that particular page than Internet Explorer 7's error handling. I can't see much point in debating the merits of how browsers handle individual bits of broken content. The content itself needs to be fixed, end of story. Aedrin, Ah, /that/ wiki. When you said wiki in a previous thread I'd assumed you meant the old feedback wiki which Microsoft abandoned when Internet Explorer went onto Connect. I'm not entirely persuaded about how "Microsoft backed" it really is, compared even to bug reports on this blog. Why isn't it mentioned in the support section on the main Internet Explorer site? Still, while not by the slightest stretch of the imagination a replacement for the bug tracker, it's better than nothing, I guess. Thanks for the link.

  • Anonymous
    November 28, 2006
    Yet Another DOM Bug. Scenario: If you have window_a, and popup_window_b (which window_a created) Bug: If you create DOM elements/text nodes on window_a, you can't add them to popup_window_b, you HAVE TO REFERENCE the popup window's document, to both CREATE, and APPEND/INSERT the elements/nodes. PS, I'm not endorsing popups, in the advertising sense, I'm referring to web/browser based applications, where "widgets" of some kind are launched from the main application.

  • Anonymous
    November 28, 2006
    SO HAS THE IE TEAM FORGOTTEN ABOUT THE IE DEVELOPER TOOLBAR. WHO IS RESPONSIBLE FOR RELEASING THE FINAL STABLE VERSION?

  • Anonymous
    November 28, 2006
    I don't use developer toolbar, but I use ViewPage add-on (http://viewpage.maxthon.com/, http://viewpage.maxthon.com/VPSetup_1025.exe) steve_web, can you "compare" them? What can IE DevToolbar do?

  • Anonymous
    November 28, 2006
    @Fduch Sure thing, I'll give it a whirl tonite!  I can tell you now though, just looking at the screen shot shows a GUI that is much better looking!

  • Anonymous
    November 28, 2006
    hehehe I'm waiting for the next blog post to do a little ad

  • Anonymous
    November 29, 2006
    "How can you say IE has no bugs if you saw that wiki?" I wasn't aware I ever claimed that? All I've said is that IE is fine to work with. At least IE doesn't force me to reboot my computer every day. And then they say IE uses up too much memory... Up, down, which way is it? Who knows.

  • Anonymous
    November 29, 2006
    @Fduch, re:review of ViewPage... It is now a very welcome, permanent addition to my development tools! Live editing? yup!, readable & helpful DOM navigation? yup!, frames support? yup!, easy attribute/style editing? yup! If I have to make any complaints, I would just ask if an "outline" feature would be available, so that one can quickly see nested tables, etc. Otherwise, works as advertised and more! Steve ps I would also consider a revamp of the dialogs, to see if they can make use of the WindowsXP+ GUI controls (e.g. the softer scrollbars, rounded buttons, with 3-phase highlight etc.) It's not a big issue, but it would look very slick with the newer chrome.

  • Anonymous
    November 29, 2006
    @Steve Can you explain the "outline" feature a bit. Is it selecting part of the page when you select corresponding DOM node?

  • Anonymous
    November 30, 2006
    I realize that this is an off topic question, so apologies ahead of time for the "randomness" factor. Are there any plans to introduce the support for the multipart/x-mixed-replace Content-Type in IE7 or later versions of IE. This appears to be currently supported by Safari, Firefox and Opera browsers, it would be nice to have IE be part of the pack as well...
