WCL315: What You Need to Know About Migrating from IE6 to IE8
Chris Jackson, Principal Consultant, “The App Compat Guy”, Microsoft Corporation
appcompatguy@microsoft.com | http://www.appcompatguy.com | @appcompatguy

Dear Microsoft,
We would like to run IE6 on Windows 7. IE6 is so awesome.
Love, Big customer
Is IE6 Engineering Perfection? Supported until 2014
Browsers are Hard to Make
• Backward and forward compatibility
• Not all scenarios are predicted
• “hacks”
Internet Explorer and Standards (timeline axis: 1996, 1997, 1998, 2000, 2001)
• IE3 is the FIRST browser to support CSS
• IE4 adds support for DHTML
• IE5 improves CSS support (getting the box model wrong)
• IE5 for Mac introduces the DOCTYPE switch
• IE5.5 has the most accurate CSS engine to date (except the box model)
• IE6 adds more CSS support and the DOCTYPE switch
Internet Explorer and Standards (timeline axis: 2006, 2008, 2010, Beyond)
• IE7 significantly improves standards support
• IE8 introduces a new rendering engine, with standards at its core
• IE9 Platform Previews improve existing standards, and begin to implement important upcoming standards (HTML 5, CSS3, DOM)
• Further enhancements of support for existing and upcoming standards
The Microsoft Security Development Lifecycle
Stages shown: Conception; Goals; Best Practices and Learning; Product Development (Secure Design, Secure Implementation, Internal Testing, Beta Testing, Verification); Final Security Review; Release; Incident Response (Microsoft Security Response Center)
• Protect Microsoft customers by
  • Reducing the number of vulnerabilities
  • Reducing the severity of vulnerabilities
Key Principles
• Prescriptive yet practical approach
• Proactive – not just “looking for bugs”
• Eliminate security problems early
• Secure by design
Percentage of Total Vulnerabilities by Browser Source: Cenzic Web Application Security Report – Q1-Q2 2009
Blocking Malware Attacks Source: NSS Labs Socially Engineered Malware Test Report
Best Lifecycle for the Enterprise Note: IE6 lifecycle assumes customer is on XP SP3; IE7 lifecycle assumes that Vista will not ship with SP3
Reliability: LCIE
• iexplore.exe (Frame / Broker Process): Protected Mode Broker, UI Frame
• iexplore.exe (Tab Process / No Protected Mode): Tab 1 … Tab n, Toolbar Extensions, BHOs, ActiveX Controls
• iexplore.exe (Tab Process / Protected Mode): Tab 1 … Tab n, Toolbar Extensions, BHOs, ActiveX Controls
Reliability LCIE demo
IE User Experience demo
Where Else Do We Lead?
• Manageability
  • Stick around – we’ll talk about it
• Compatibility
  • Come to my compatibility session!
What About My IE6 Stuff? People may not want IE6, but they do want their apps to work.
MED-V v2 demo
Citrix Danger
• Out of sight, out of mind
• Kind of like your XP apps!
IE8 Deployment – US Company case study
Communicate Like Crazy
• To your:
  • Peers
  • Management
  • Web content owners
  • Anyone who will listen
• Don’t just sell how – also sell why
  • Tabs
  • Accelerators
  • F12 Debugging Tools
Use the Platform
• Don’t just give possibility – give realization
The Mixed Content Setting “Unraveling the existing web of ownership and content delivery mechanisms on the internal websites to get them all over to HTTPS was too much of a project to accomplish before IE8 deployment, and so the decision was made to step down the browser security on this setting from ‘Prompt’ to ‘Allow’ within the Intranet and Trusted Sites zones. Following web development best practices should move us away from this issue, but if we hadn't made that compromise, we would not have been given the green light for IE 8 deployment, which would have been much worse for security than allowing Caterpillar content to be mixed in delivery.”
Consider a PKI Project “It isn't an ‘error’ per se. There is a simple problem with the certificate: the certificate was issued to cics.cicspar1, but you are retrieving the certificate from tcpipsy2.cis.cat.com. Essentially one server is trying to pass itself off as another with what amounts to a ‘fake ID.’ IE6 would simply allow you to ignore these types of errors, but IE8, being more centered on security, won't. The correct long-term solution would be to get a new certificate issued that matches your server name. The interim solution is to ignore the error. As we move forward with PKI, many of these problems will be solved.”
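The check behind that error, as an added example that is not from the deck or from Internet Explorer: how a client decides whether the name a certificate was issued to covers the host it actually connected to. `cert_name_matches` and `names_equal_ci` are simplified stand-ins of my own (exact name plus a leftmost-label wildcard); they do not parse a real certificate or its Subject Alternative Names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two DNS names (DNS names are case-insensitive). */
static int names_equal_ci(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == '\0' && *b == '\0';   /* both names ended together */
}

/* Returns 1 if certName (the name the certificate was issued to) covers host (the name the
 * browser connected to), 0 otherwise. Handles an exact match and a "*." wildcard covering
 * only the leftmost label: "*.cis.cat.com" matches "tcpipsy2.cis.cat.com" but neither
 * "cis.cat.com" nor "a.b.cis.cat.com". A real client also consults Subject Alternative
 * Names and validates the chain before this comparison matters. */
int cert_name_matches(const char *certName, const char *host)
{
    if (strncmp(certName, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)        /* need a non-empty leftmost label */
            return 0;
        return names_equal_ci(certName + 2, dot + 1);
    }
    return names_equal_ci(certName, host);
}

int main(void)
{
    /* The two names from the case-study quote above. */
    const char *issuedTo = "cics.cicspar1";
    const char *connectedTo = "tcpipsy2.cis.cat.com";
    printf("certificate for %s presented by %s: %s\n", issuedTo, connectedTo,
           cert_name_matches(issuedTo, connectedTo) ? "name matches" : "name mismatch");
    return 0;
}
```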
Set an Online Support Page “…it enabled us to do quick fixes that work on Limited users (the HTAs) for problems that otherwise would have led people to uninstall the browser…”
Be Available “…it is amazing what people will forgive if you respond and fix things quickly.”
What is Compatibility View? (diagram of rendering modes; only the “IE 5.5 Quirks” label survives)
Generic Compatibility Settings
• Site to Zone Assignment List
• Turn on Internet Explorer Standards Mode for Local Intranet
• Use Policy List of Internet Explorer 7 sites
Security and Compatibility
• Turn off Data Execution Prevention
  • ONLY use as a LAST RESORT
  • ATL got a black eye – not actually an issue
• (Individual Security Features)
  • Discovered using tools or investigation
  • Weigh the cost/benefit of disabling
Data Execution Prevention
• Helps prevent a category of attacks
  • Unchecked buffer injects arbitrary code
  • Convince computer to set EIP to that code
• Raises hardware exception
Stack Overflow…
The four slides step through the same vulnerable function:

    void foo(char *szIn, int i)
    {
        int j = 0;
        char szOut[8];
        strcpy(szOut, szIn);
    }

    void main(int argc, char** argv)
    {
        foo(argv[1], 0);
    }

Stack area of main(), higher addresses at the top: pushed arguments szIn and i; EIP = return address of main(); EBP (frame pointer); j; szOut.

1. Before the copy: j = 0x0, szOut = 0x05040504.
2. Command line: C:\foo “AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30”. strcpy writes past the 8-byte szOut: szOut = AAAAAAAA, j = 0x65656565, EBP = 0x65656565, and the return address of main() is changed to 0x30B0116C, pointing to a malicious code area.
3. When foo() returns, execution continues in the malicious code: !!pwn3d!!
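The overflow the slides walk through, beside the bounded copy that prevents it, as an added example (not code from the deck). The 8-byte buffer and the payload string are the slide's; `foo_vulnerable`, `foo_hardened` and `overflow_bytes` are names of my own.

```c
#include <stdio.h>
#include <string.h>

#define SZOUT_LEN 8   /* the slide's char szOut[8] */

/* The slide's payload: 16 'A's followed by the little-endian address 0x30B0116C. */
static const char SLIDE_PAYLOAD[] = "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30";

/* Vulnerable form from the slides: strcpy copies until the NUL with no bound, so any
 * szIn longer than 7 characters runs past szOut into j, the saved EBP and the return
 * address. Kept only for comparison; never call it with untrusted input. */
void foo_vulnerable(const char *szIn, int i)
{
    int j = 0;
    char szOut[SZOUT_LEN];
    (void)i; (void)j;
    strcpy(szOut, szIn);                /* no length check */
}

/* Hardened form: copy only if the NUL-terminated input fits in outLen bytes.
 * Returns 0 on success; -1 (with an empty szOut) if the copy would have overflowed. */
int foo_hardened(const char *szIn, int i, char *szOut, size_t outLen)
{
    (void)i;
    const char *nul = memchr(szIn, '\0', outLen);   /* NUL within the first outLen bytes? */
    if (nul == NULL) {                  /* no: input is at least outLen chars, reject it */
        szOut[0] = '\0';
        return -1;
    }
    memcpy(szOut, szIn, (size_t)(nul - szIn) + 1);  /* copy the string and its NUL */
    return 0;
}

/* Bytes strcpy would write beyond a bufLen-byte buffer (NUL included); 0 if it fits.
 * For the slide's payload against szOut[8]: 20 + 1 - 8 = 13 bytes land on j, EBP and EIP,
 * which is exactly the corruption the slide's stack diagram shows. */
size_t overflow_bytes(const char *szIn, size_t bufLen)
{
    size_t written = strlen(szIn) + 1;
    return written > bufLen ? written - bufLen : 0;
}

int main(void)
{
    char out[SZOUT_LEN];
    printf("payload spills %zu bytes past szOut\n", overflow_bytes(SLIDE_PAYLOAD, SZOUT_LEN));
    printf("hardened copy of payload: %s\n",
           foo_hardened(SLIDE_PAYLOAD, 0, out, sizeof out) == 0 ? "accepted" : "rejected");
    foo_vulnerable("short", 0);        /* fits in 8 bytes: same call path, no overflow */
    return 0;
}
```

DEP, the slide's next topic, catches the case this check misses: once the return address points into the stack, the CPU refuses to execute from a non-executable page and raises the hardware exception the deck mentions.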
ActiveX Installer Service
• Installing ActiveX controls becomes a compatibility issue when your migration includes a transition to standard users
• AXIS provides a solution
Flow (components: IE8, AXIS, Group Policy, ActiveX (CAB), Web Site):
1. Request to web site
2. ActiveX control specified
3. Request sent to AXIS
4. AXIS checks policy
5. If approved, AXIS installs as local system
6. Web app uses ActiveX
GE Centricity video
IE Security Settings
• Many security settings
• IE8 Desktop Security Guide: http://bit.ly/djJsui
SmartScreen® Filter
• Improved UI
• Faster performance
• New heuristics and enhanced telemetry
• Anti-malware support
• Improved group policy support
SmartScreen® Filter
• Microsoft URL Reputation Service (URS)
• Checks locally and uses online validation
  • Local URL cache mechanism
• Examines the entire URL
  • Possible PII disclosure – privacy measures
  • http://www.microsoft.com/windows/internet-explorer/privacy.aspx
• No default setting