
WCL315 What you Need to Know About Migrating from IE6 to IE8

WCL315 What you Need to Know About Migrating from IE6 to IE8. Chris Jackson, Principal Consultant, “The App Compat Guy”, Microsoft Corporation. appcompatguy@microsoft.com, http://www.appcompatguy.com, @appcompatguy. Dear Microsoft, We would like to run IE6 on Windows 7. IE6 is so awesome.


Presentation Transcript


  1. WCL315 What you Need to Know About Migrating from IE6 to IE8. Chris Jackson, Principal Consultant, “The App Compat Guy”, Microsoft Corporation. appcompatguy@microsoft.com, http://www.appcompatguy.com, @appcompatguy

  2. Dear Microsoft, We would like to run IE6 on Windows 7. IE6 is so awesome. Love, Big customer

  3. Is IE6 Engineering Perfection? Supported until 2014

  4. Browsers are Hard to Make • Backward and forward compatibility • Not all scenarios are predicted • “hacks”

  5. Internet Explorer and Standards (timeline). 1996: IE3 is the FIRST browser to support CSS. 1997: IE4 adds support for DHTML. 1998: IE5 improves CSS support (getting the box model wrong). 2000: IE5 for Mac introduces the DOCTYPE switch; IE5.5 has the most accurate CSS engine to date (except the box model). 2001: IE6 adds more CSS support and the DOCTYPE switch.

  6. Internet Explorer and Standards (timeline, continued). 2006: IE7 significantly improves standards support. 2008: IE8 introduces a new rendering engine, with standards at its core. 2010: IE9 Platform Previews improve existing standards, and begin to implement important upcoming standards (HTML 5, CSS3, DOM). Beyond: further enhancements of support for existing and upcoming standards.

  7. What Happened?

  8. Where do we still lead?

  9. The Microsoft Security Development Lifecycle. Goals: protect Microsoft customers by reducing the number of vulnerabilities and reducing the severity of vulnerabilities. Phases: Conception, Secure Design, Secure Implementation, Verification (Internal Testing, Beta Testing), Final Security Review, Release, Incident Response (Microsoft Security Response Center), with Best Practices and Learning fed back into Product Development. Key Principles: prescriptive yet practical approach; proactive, not just “looking for bugs”; eliminate security problems early; secure by design.

  10. Percentage of Total Vulnerabilities by Browser Source: Cenzic Web Application Security Report – Q1-Q2 2009

  11. Blocking Malware Attacks Source: NSS Labs Socially Engineered Malware Test Report

  12. Best Lifecycle for the Enterprise Note: IE6 lifecycle assumes customer is on XP SP3; IE7 lifecycle assumes that Vista will not ship with SP3

  13. Reliability: LCIE. iexplore.exe (Frame / Broker Process): Protected Mode Broker, UI Frame. iexplore.exe (Tab Process / No Protected Mode): Tab 1 … Tab n, with Toolbar Extensions, BHOs, ActiveX Controls. iexplore.exe (Tab Process / Protected Mode): Tab 1 … Tab n, with Toolbar Extensions, BHOs, ActiveX Controls.

  14. Reliability LCIE demo

  15. UX: Smart Address Bar

  16. UX: Visual Search

  17. IE User Experience demo

  18. Where Else Do We Lead? • Manageability • Stick around – we’ll talk about it • Compatibility • Come to my compatibility session!

  19. What About My IE6 Stuff? People may not want IE6, but they do want their apps to work.

  20. MED-V

  21. MED-V v2 demo

  22. Citrix

  23. Citrix Danger • Out of sight, out of mind • Kind of like your XP apps!

  24. IE8 Deployment – US Company case study

  25. Communicate Like Crazy • To your: • Peers • Management • Web content owners • Anyone who will listen • Don’t just sell how – also sell why • Tabs • Accelerators • F12 Debugging Tools

  26. Use the Platform • Don’t just give possibility – give realization

  27. Get It on the Approved List

  28. Create an IECTT Package

  29. The Mixed Content Setting “Unraveling the existing web of ownership and content delivery mechanisms on the internal websites to get them all over to HTTPS was too much of a project to accomplish before IE8 deployment, and so the decision was made to step down the browser security on this setting from ‘Prompt’ to ‘Allow’ within the Intranet and Trusted Sites zones. Following web development best practices should move us away from this issue, but if we hadn't made that compromise, we would not have been given the green light for IE 8 deployment, which would have been much worse for security than allowing Caterpillar content to be mixed in delivery.”

  30. Consider a PKI Project It isn't an "error" per se. There is a simple problem with the certificate - the certificate was issued to cics.cicspar1, but you are retrieving the certificate from tcpipsy2.cis.cat.com. Essentially one server is trying to pass itself off as another with what amounts to a "fake ID." IE6 would simply allow you to ignore these types of errors, but IE8, being more centered on security, won't. The correct long-term solution would be to get a new certificate issued that matches your server name. The interim solution is to ignore the error. As we move forward with PKI, many of these problems will be solved.

  31. Set an Online Support Page “…it enabled us to do quick fixes that work on Limited users (the HTAs) for problems that otherwise would have led people to uninstall the browser…”

  32. Be Available “…it is amazing what people will forgive if you respond and fix things quickly.”

  33. How did that go?

  34. Managing IE8

  35. What is Compatibility View? [diagram of document modes; the surviving label is “IE 5.5 Quirks”]

  36. Generic Compatibility Settings • Site to Zone Assignment List • Turn on Internet Explorer Standards Mode for Local Intranet • Use Policy List of Internet Explorer 7 sites

  37. Security and Compatibility • Turn off Data Execution Prevention • ONLY use as a LAST RESORT • ATL got a black eye – not actually an issue • (Individual Security Features) • Discovered using tools or investigation • Weigh the cost/benefit of disabling

  38. Data Execution Prevention • Helps prevent a category of attacks • Unchecked buffer injects arbitrary code • Convince computer to set EIP to that code • Raises hardware exception

  39. Stack Overflow… Function main() stack area.
      void foo(char *szIn, int i) { int j = 0; char szOut[8]; strcpy(szOut, szIn); }
      Stack frame of foo(), higher addresses first: Pushed Arguments (szIn, i); EIP = Return of main(); EBP - Frame Pointer; j; szOut

  40. Stack Overflow… Function main() stack area.
      void foo(char *szIn, int i) { int j = 0; char szOut[8]; strcpy(szOut, szIn); }
      int main(int argc, char **argv) { foo(argv[1], 0); return 0; }
      Run as: C:\foo “AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30”
      Stack frame before the copy, higher addresses first: Pushed Arguments (szIn, i); EIP = Return of main(); EBP - Frame Pointer; j = 0x0; szOut = 0x05040504

  41. Stack Overflow… Return address of main() changed to point to a malicious code area.
      (same foo() and main() as above)
      Run as: C:\foo “AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30”
      Stack frame after the copy, higher addresses first: Pushed Arguments (szIn, i); Return address = 0x30B0116C; EBP = 0x65656565; j = 0x65656565; szOut = AAAAAAAA

  42. Stack Overflow… (same foo() and main() as above)
      Run as: C:\foo “AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30”
      Stack frame when foo() returns, higher addresses first: Pushed Arguments (!!pwn3d!!); Return address = 0x30B0116C; EBP = 0x65656565; Malicious Code (where j and szOut were)
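Added example (mine, not the session's code): the slides' foo() kept as written, beside a bounded version that refuses any input the 8-byte szOut cannot hold, and a helper that reports how far a strcpy() of a given argument would run past the buffer. DEP and /GS catch the overrun after the fact; the length check removes it at the source. Function names and the fix are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The function from the slides, unchanged: strcpy() stops only at the NUL of
 * szIn, so 8 or more characters run past szOut into j, the saved frame
 * pointer and the return address of main(). Not called with long input here;
 * overrunning the frame is undefined behaviour, and on a DEP-enabled system
 * a return into the copied bytes would raise a hardware exception. */
void foo_unchecked(char *szIn, int i)
{
    int j = 0;
    char szOut[8];
    strcpy(szOut, szIn);
    (void)i; (void)j;
}

/* Hardened form (assumed fix): reject anything that does not fit, NUL included,
 * then copy with an explicit bound. Returns characters stored, or -1 if rejected. */
int foo_checked(const char *szIn, int i)
{
    char szOut[8];
    size_t len = strlen(szIn);
    (void)i;
    if (len >= sizeof szOut)
        return -1;                 /* would reach j / EBP / return address */
    memcpy(szOut, szIn, len + 1);  /* at most sizeof szOut bytes */
    return (int)len;
}

/* Diagnostic matching the slides' layout: bytes a strcpy() of szIn would write
 * beyond the 8-byte buffer (0 means the input fits). */
size_t overrun_bytes(const char *szIn)
{
    size_t needed = strlen(szIn) + 1;      /* characters plus the NUL */
    return needed > 8 ? needed - 8 : 0;
}

int main(int argc, char **argv)
{
    /* Default input is the slides' 20-byte argument, constructed here. */
    const char *in = argc > 1 ? argv[1] : "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30";
    printf("input of %zu bytes overruns szOut by %zu bytes; checked copy returns %d\n",
           strlen(in), overrun_bytes(in), foo_checked(in, 0));
    return 0;
}
```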

  43. ActiveX Installer Service • Installing ActiveX controls becomes a compatibility issue when your migration includes a transition to standard users • AXIS provides a solution. Flow between IE8, AXIS, Group Policy, the ActiveX control (CAB) and the web site: (1) Request to web site; (2) ActiveX control specified; (3) Request sent to AXIS; (4) AXIS checks policy; (5) If approved, AXIS installs as local system; (6) Web app uses ActiveX.

  44. GE Centricity video

  45. IE Security Settings • Many security settings • IE8 Desktop Security Guide: http://bit.ly/djJsui

  46. SmartScreen® Filter • Improved UI • Faster performance • New heuristics and enhanced telemetry • Anti-malware support • Improved group policy support

  47. SmartScreen® Filter • Microsoft URL Reputation Service (URS) • Checks locally and uses online validation • Local URL cache mechanism • Examines the entire URL • Possible PII disclosure – privacy measures • http://www.microsoft.com/windows/internet-explorer/privacy.aspx • No default setting
