IE in XP SP2 (Part 2): Information Bar - Stopping the modal dialog madness

Article
03/21/2004

The Information Bar is a new piece of UI that shows up when potentially dangerous actions on a page have been blocked. It appears between the toolbar and the content window, and looks a bit like the bar that appears in Outlook 2003 and MSN 8/9 to block images from email messages.

The following are some of the actions blocked by the Information Bar.

ActiveX Install Prompts

In Part 1 I discussed some of the changes made to Authenticode to enhance usability and allow you to block publishers you don't trust. What I didn't mention is that in most cases you won't even see the dialog anymore, because the Information Bar will appear first!

If you're like me, you're wary about installation dialogs for a couple of reasons. First, there's always the possibility you might miss-click and accidentally install something that could be spyware/malware. Next, even though you know not to install unsolicited software, do your friends and family that use your computer understand this? Also, what happens when they stray from mainstream sites and reach a malicious page that bombards them with multiple ActiveX install prompts in an attempt to trap them into installing the software? We've changed some of the plumbing for Authenticode to help prevent multiple prompts, and you can now hold down Esc to both cancel the dialog and stop loading the page, but the the Information Bar goes further by simply not showing the dialog unless you request it.

When you click the bar you're presented with a menu from which you can install the ActiveX control. This temporarily turns off the block and refreshes the page, at which point you will get the Authenticode dialog.

One case that will bypass the Information Bar in this scenario is when a page is using a control that is newer than the one you already have installed. Since you have already trusted the software we permit the Authenticode dialog to show immediately in order to promote upgrades, particularly because upgrades often contain security fixes. A control will only be considered an upgrade if it uses the same CLSID as a control that is installed and it has been signed with the same certificate as the installed control. This helps prevent malicious sites from bypassing the Information Bar by making their control look like an upgrade.

Non-user-initiated Download Prompts

Like ActiveX, if a page tries to push a file download on you, again raising the possibility that you will run (or save and later run) unsolicited software, it will be blocked by the Information Bar. The logic for whether to block downloads is similar to the logic for blocking pop-up windows, so if you directly click a link you'll get the file download dialog unimpeded. Some download sites will have to adapt to this new behavior.

On a side note, we have also turned on the option to verify the signature on certain types of files such as EXEs. This means that when you run software from the download dialog you may get a secondary prompt that shows the same information as the Authenticode dialog (i.e. name and publisher from the digital signature). This prompt helps certify that the file is, indeed, from who it says it is from. File attachments in Outlook Express and a few other scenarios will get the same treatment.

Blocked Pop-up Windows

As with blocked downloads, Jeff Davis is much more qualified to talk about this, but I'll mention a couple of things.

First, the pop-up blocker is now on by default! When a pop-up window is blocked the Information Band will appear, and from there you replay the pop-ups, always allow pop-ups for the site, and configure the pop-up blocker. The first thing I do from here is turn off the Information Bar for pop-ups. They're so common, and so infrequently wanted, that I prefer the lighter weight option of just showing the status bar icon.

ActiveX Control Blocked Errors

If you've ever tried to browse the web with elevated security settings (or on Windows 2003 server) you know that it can be a frustrating experience because of the frequent message boxes stating that "An ActiveX control has been blocked...". Now this'll be pulled into the Information Bar, giving you a less intrusive user experience. Unlike most of the other items in Information Bar, this is not actionable. There is currently no way to temporarily lower your security settings to get the ActiveX install prompt.

This also means that if you're really paranoid, install the interesting/useful ActiveX controls like Flash, and then to go "Tools/Internet Options...", "Security" tab, "Custom Level" (for Internet), and set "Download signed ActiveX controls" to Disable. Now you have no chance of accidentally installing ActiveX controls and the browser is still usable.

Local Machine Zone Lockdown

Local Machine Zone Lockdown is one of the most impactful security mitigations in IE for XP SP2. It deserves an entire blog entry (or several), but, briefly, LMZ Lockdown affects the explorer.exe and iexplore.exe processes, and places severe restrictions on on things such as executing script and running ActiveX controls in the local machine zone (i.e. a local .html file). When the lockdown is in effect you will see the Information Bar with a menu item that lets you temporarily disable the lockdown by reverting to the old Local Machine Zone settings for that instance of the browser.

----

That's all for now. Note that there may be more (or fewer) actions blocked by the Information Bar in the future, and I haven't necessarily covered them all.

In designing and building these IE security features we've spent a lot of time trying to find the right balance between allowing sites to do what they need (preserving site compatibility), and giving the users more control. This is a very fine line; anything we do to stop the "bad guys" also has the potential to break the "good guys" if they are doing something similar, but for legitimate reasons. Between now and RTM you can expect site compatibility to get a bit better as we implement (safe) workarounds for common scenarios, but if you're a web developer you should not rely on it.

Do you think this will make browsing the web more secure? What about reducing the proliferation of spyware/malware?

Comments

Anonymous
March 21, 2004
ActiveX control will be considered an upgrade only if it's signed with the same certificate? Is Microsoft saying that once you buy a certificate you only have a year (or two) to finalize your code because once you renew your certificate (effectivelly creating a new one) it will not be considered an upgrade to an existing control?
Anonymous
March 21, 2004
I should be more precise: we check that the certificate is from the same issuer, and issued to the same subject. This should allow for renewals.
Anonymous
March 21, 2004
Thanks for the clarification, that makes a lot more sense.
Anonymous
March 21, 2004
How about tabbed browsing ? Will IE now have tabbed browsing ?
Anonymous
March 21, 2004
Oleg Dulin :: Microsoft to Catch Up with Mozilla
Anonymous
March 22, 2004
Will Microsoft update IE's CSS rendering? IE's poor CSS rendering is a significant hindrance to all web designers / developers who try to make W3C standards-compliant markup.
Anonymous
March 22, 2004
IE/XP sp2 changes: Windows XP is in final testing changes for a significant new updater, and "jeffdav" or Microsoft details how Internet Explorer will change. New window propagation sounds similar to previous implementations: a new window can be opened only...
Anonymous
March 22, 2004
Oleg and JC - I can't comment on future features, sorry.

However, for tabbed browsing you can use Avant Browser or MyIE2, two good browsers that host the IE web browser control.

Also, unless somebody beats me to it, later this week I'll describe how to enable the new IE security mitigations and UI such as the Information Bar for 3rd party browsers such as those.
Anonymous
March 22, 2004
Is there any chance that any of these bugs will be fixed for the final Service Pack2?
http://www.positioniseverything.net/explorer.html

A simple no would be better than just ignoring all the post asking for better standards support, transparent png etc
Anonymous
March 22, 2004
I just removed the blue e from my quick launch menu. And i replaced it with a little FireFox icon, mainly for the Tabbed browsing but also for the cool plugin abilities and increased browsing security. Thanks you microsoftees.
Anonymous
March 24, 2004
Microsoft has made the Windows XP SP2 "preview" available for downloading, this is a look at what will be happening...
Anonymous
March 24, 2004
José, see my comment just prior to yours. For XP SP2, security work was the priority. Beyond that I can't comment on CSS, PNG, or other standards support.
Anonymous
March 29, 2004
Can you please explain why Local Machine is locked down more than a site in the Internet zone?
Anonymous
March 30, 2004
David, I'm considering doing a more in-depth post on this later but I need to do some asking around first since I don't know much about that feature.

I suspect it's because you can do more within the same zone than across zones, even with the same permissions. This means once an attacker can stick their foot in the door and get into the LMZ, even with internet-level permissions they could roam around in that zone and potentially find another exploit that lets them do something more harmful.

It's all about defense in depth.
Anonymous
April 19, 2004
If there is an activex download initiated by the user, can a developer avoid the information bar?
Anonymous
April 19, 2004
JC, currently there is no such thing as an ActiveX control install directly initiated by the user. The only alternative right now is to package the control in a small exe-based installer and do a regular download.

This is a scenario we continue to think about.
Anonymous
April 22, 2004
Is LMZ lock-down the default setting? Or does one have to choose to lock it down?

Where do the "old local machine zone settings" come from? They're not available for users to set in Tools | Internet Options | Security.
Anonymous
April 22, 2004
You say "... a menu item that lets you temporarily disable the lockdown..."

Can you define "temporarily" ?

Does that mean click the "override" menu item once, and you get to view one local HTML file... and to see another local HTML file you have to click the menu item AGAIN?

How does a user disable the LMZ lockdown for an entire browsing session? This is essential for anyone who needs to locally view browser-based app's... such as online training.
Anonymous
April 23, 2004
I have an asp.net page that downloads an activex object. I now have it to where it waits for the user to click on the information bar. The problem is that when the user clicks on the information bar, IE refreshes, giving me the "The page cannot be refreshed without resending the information" dialog.

I've tried setting the cacheability, etc., but it seems that IE invalidates the cache regardless.

How am I supposed to get around this?
Anonymous
April 23, 2004
I recommend moving the ActiveX install earlier in the process, on a page that does not require posting information back to the server.
Anonymous
April 25, 2004
Sean, temporarily means it only lasts for that session of IE. Once you exit that instance of the browser you would have to click again.

Local browser-based apps that are hosted in IE and require script should use the "mark of the web" as described in the XP SP2 documentation. They can also be configured to run un an HTA or other host.

The last resort would be to disable this security mitigation using the registry keys.
Anonymous
June 04, 2004
The comment has been removed
Anonymous
June 05, 2004
TheICrow, the solution is to use the Mark of the Web on local content, or host it in another container such as an HTA. For things like standard HTMLHelp, this is already the case.

I've been using SP2 on my main home and work machines for several months now, and haven't encountered LMZ lockdown very often, especially with the newer builds. The exception is when testing web pages locally before putting them up on a server.

In recent builds there is a new setting, "Allow active content to run in files on my computer" under Internet Options / Advanced / Security. This will keep you from having to mess with the registry.
Anonymous
June 29, 2004
The Information Bar does not appear when a web site tries to install an ActiveX control on a XP SP2 Professional machine . If a different user logs into the same machine, it does. All the security settings are the same in both the cases. What could be the reason for this behavior?
Anonymous
July 07, 2004
Developer, is the user an Admin? Non-admins typically can't install ActiveX controls. In future releases we will improve the error handling for the non-admin scenario.
Anonymous
July 13, 2004
well, that's too late.

IE made me sick -> switched to firefox on friday.
Anonymous
July 13, 2004
Ok one more FireFox Nazy, tabbed Brosing + Pop Block + extensions + W3C = Firefox
Anonymous
August 10, 2004
The comment has been removed
Anonymous
August 18, 2004
I love the new popup killer that's part of the Windows XP Service Pack 2 updates to Internet Explorer, but I have a question. Is there a way to tell IE that, for specific websites, you don't want the Information...
Anonymous
November 06, 2006
The comment has been removed
Anonymous
June 24, 2008
PingBack from http://tatyana.videomarketsite.com/alwaysallowactivexwithoutmessageiereg.html
Anonymous
July 09, 2008
PingBack from http://german.infovideoclub.info/turnoffinternetexplorerinformationbar.html
Anonymous
May 29, 2009
PingBack from http://paidsurveyshub.info/story.php?title=tony-schreiner-s-weblog-ie-in-xp-sp2-part-2-information-bar
Anonymous
June 09, 2009
PingBack from http://greenteafatburner.info/story.php?id=4890
Anonymous
June 13, 2009
PingBack from http://barstoolsite.info/story.php?id=9

Share via

Comments

Additional resources