Windows Defender Beta 2 for Windows XP

Microsoft has FINALLY updated Microsoft AntiSpyware. It’s now Windows Defender, and Beta 2 was released this evening.

From the new Windows Defender FAQs:

Windows Defender (Beta 2) is the name of the next beta version of Microsoft Windows AntiSpyware. It includes several enhancements that are based on customer input. Changes include, but are not limited to:

1) Improved detection and removal. Windows Defender (Beta 2) can detect and remove more threats posed by spyware and other potentially unwanted software. Real-Time Protection, which helps prevent unwanted software from being installed, is enhanced to better monitor key points in the operating system for changes. These features help you stay productive because they help to prevent pop-ups and the performance degradation that is caused by spyware and other potentially unwanted software.

2) Redesigned and simplified user interface. The Windows Defender (Beta 2) user interface has been redesigned to make it easier to scan your computer and remove unwanted files. The new interface also delivers a warning system that alerts you to the severity of a threat and makes appropriate recommendations to help secure your computer. This new design gives you more control over the software on your computer and minimizes interruptions to your work.

3) Protection features for all users. Windows Defender (Beta 2) can now be run by all the users who use a particular computer, whether they have administrator-level privileges or not. This helps ensure that all the people who use a computer are able to benefit from the protection features offered by Windows Defender (Beta 2).

4) Definition updates delivered through Automatic Updates. Windows Defender (Beta 2) now receives updates through Automatic Updates. Provided by Microsoft analysts, these updates help keep you protected from the latest threats at no additional cost.

5) Voting network statistics. When Windows Defender (Beta 2) detects potentially unwanted software, it shows you how customers who participate in the opt-in network voted to classify the software. This helps provide you with more information even before Microsoft analysts evaluate the software.

Compare Windows Defender to OneCare Live and other Microsoft Security Offerings


Security and Compatibility with IE7

The IE Team recognizes that the new security features have to coexist with the existing functionality that customers depend on, and they have put considerable effort into compatibility. Here is what the IE Team has published about compatibility in the new IE:

One of the biggest challenges in making software more secure is maintaining compatibility with the existing functionality that customers depend on. We’re here at the RSA security conference in Silicon Valley to work with other software and security professionals to meet our customers’ expectations for safety and compatibility. While we have taken a great deal of care to preserve compatibility, the new security features in Internet Explorer 7 do change the way the platform works, and only testing with your products can gauge the impact and investment you may need to make to be fully compatible with IE7.

For the IE7 Beta preview for XP SP2, we prepared preview documentation and a preliminary compatibility tool to help developers analyze and address the most difficult compatibility and security problems posed by IE7 for web sites and browser extensions. More documentation will follow for other security features, but we are releasing the documents for the most challenging security features first. This will give you the maximum time for testing and remediation of any issues you find.

One or more of the security enhancements in IE7 may require an update in your code. The most notable changes include:

  • “Protected Mode” for Windows Vista will run Internet Explorer with restrictions that help prevent attackers from using vulnerabilities to install malware or otherwise damage a user’s system. At the same time, Protected Mode restricts Internet Explorer itself and will restrict extensions run in Internet Explorer. It is possible that you will need to update your extension to be compatible with Protected Mode.
  • “ActiveX opt-in” will disable most ActiveX controls on the system. If your ActiveX control needs to be enabled by default, we have put together a set of ActiveX best practices to help you understand how to make it safe enough to be used on the internet and enable it for use with IE7.
  • IE7 has more secure defaults for SSL. IE7 will disable SSLv2, enable TLSv1, block non-secure http content in secure https pages, and block navigation to sites that have SSL certificate errors.
  • We rebuilt critical code paths for URL parsing and Cross Domain security using new best practices for secure software development. Your website or application may need to be updated if it relies on a non-standard URL syntax. The compatibility tool will help you test for these problems.
  • We have retired a number of rarely-used legacy features from the product to reduce attack surface. The removal of these features may require you to update your website or your application. Please refer to the IE7 Beta preview release notes for the list of removed features.

Besides ensuring compatibility, Website Developers and Software Developers can take advantage of IE’s security features to help users feel more confident while they browse your site or download your code:

  • IE7 includes an enhanced experience for sites that include upcoming higher assurance SSL certificates, including the lock icon with a green filled address bar. Along with other browsers, the certificate authority industry is working with us towards a tougher SSL standard for the enhanced experience. This past Sunday and Monday, we met to work on the standard with the American Bar Association here in San Jose. The certificate authorities who collaborated with us this weekend include Geotrust, Verisign, Identrus, Comodo, Cybertrust, Go Daddy and X-Ramp. To see what the experience will be like, you can try out the enhanced experience by downloading a test root certificate and then visiting our demo site using IE7 Beta 2 Preview. If you think your site should have this experience, contact your certificate authority to learn about their plans to offer higher assurance SSL certificates that will be recognized by the IE7 address bar.
  • In the upcoming Beta 2 release, IE7 will let users sign into web sites using visual “InfoCards” rather than passwords. This eliminates a number of common attacks because when no password is typed, there is none to be stolen (and none to forget). The “InfoCard” system uses certificates to make it harder for imposter sites to pass themselves off as genuine.
  • IE7 checks the signatures on downloaded programs such as ActiveX controls and executables to make it easy for customers to identify your code. If you distribute software over the internet, you should sign your code with a valid code signing certificate.

We’ve already had the chance to work with engineers from companies like Adobe, Real Networks and many others. We found that our colleagues at these other companies are just as passionate about security as we are. We hope you’ll take this opportunity to work with us towards a safer experience for our mutual customers. We look forward to your feedback during this process and getting to know you better along the way!
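What IE7's signature check on a downloaded program amounts to can be reproduced by hand. The following is an added example, not code from the IE Team or from Microsoft: it uses PowerShell's Get-AuthenticodeSignature to report the signature status, the signer, whether the signing certificate actually carries the code-signing EKU, and whether the signature is timestamped. The file path at the end is a placeholder.

```powershell
# Added example (not from the IE Team post). Reproduces by hand the checks behind
# IE's publisher dialog for a downloaded program. The path passed in is a
# placeholder; run this against any .exe/.dll/.msi/.cab you have downloaded.

function Test-DownloadSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $report = [ordered]@{
        File           = $Path
        Status         = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        StatusMessage  = $sig.StatusMessage
        Signer         = $null
        Issuer         = $null
        CodeSigningEku = $false
        TimeStamped    = $false
        Verdict        = 'REJECT'
    }

    $cert = $sig.SignerCertificate
    if ($cert) {
        $report.Signer = $cert.Subject
        $report.Issuer = $cert.Issuer

        # A chain that validates is not enough: the leaf must be a code-signing
        # certificate, i.e. carry EKU id-kp-codeSigning (1.3.6.1.5.5.7.3.3).
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($ekuExt) {
            $report.CodeSigningEku = [bool]($ekuExt.EnhancedKeyUsages |
                Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
        }

        # A timestamp countersignature is what keeps the signature valid after the
        # signing certificate itself expires; without one the signature goes
        # invalid on the certificate's NotAfter date.
        $report.TimeStamped = ($null -ne $sig.TimeStamperCertificate)
    }

    # Status 'Valid' means the file hash matched the signed hash and the chain
    # built to a root the machine trusts.
    if ($sig.Status -eq 'Valid' -and $report.CodeSigningEku) { $report.Verdict = 'ACCEPT' }
    [pscustomobject]$report
}

# Placeholder path: substitute the file you actually downloaded.
Test-DownloadSignature -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
```

A Valid status with CodeSigningEku false means the file was signed with a certificate that is not meant for code (an SSL or e-mail certificate, say), which is exactly the case a bare chain check lets through.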

Protected Mode in Vista IE7

Here is the IE Team Blog's description of Protected Mode in the Vista version of IE7:

Microsoft Windows Vista introduced an enhanced security model that we were able to build on in Vista’s version of IE7. I want to tell you about a new major IE defense-in-depth security feature called Protected Mode. Defense in depth is a security principle that a system should provide multiple layers of defense, in case one layer is ever breached. Protected Mode takes advantage of three key new technologies in Vista’s security model:

  • User Account Control (UAC), which implements the Principle of Least Privilege.

    UAC will help users run Vista without requiring administrator privileges to be productive. Administrators can also run most applications with a limited privilege, but have “elevation potential” for specific administrative tasks and application functions. 
  • Mandatory Integrity Control (MIC), a model in which data can be configured to prevent lower-integrity applications from accessing it. The primary integrity levels are Low, Medium, High, and System. Processes are assigned an integrity level in their access token. Securable objects such as files and registry keys have a new mandatory access control entry (ACE) in the System Access Control List (ACL).
  • User Interface Privilege Isolation (UIPI) blocks lower-integrity processes from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages to, or hook or attach to, higher-integrity processes. This helps protect against “shatter attacks.” A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages.

Internet-facing applications such as browsers are inherently at a higher security risk than other applications because they can download untrustworthy content from unknown sources. IE7’s Protected Mode leverages Windows Vista’s UAC, MIC and UIPI features to boost browser security. In IE7’s Protected Mode, which is the default in every zone other than the Trusted security zone, the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn’t have enough privileges to install software, put files in the user’s Startup folder, hijack browser settings, or other nastiness.

In Protected Mode IE writes/reads special Low versions of the cache, TEMP folder, Cookies and History:

  • Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
  • Temp: %userprofile%\AppData\Local\Temp\Low
  • Cookies: %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
  • History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low

When IE runs outside of Protected Mode (the default for the Trusted security zone), it does not cross the security boundary to read the Low versions. However, the Favorites folder is shared between the modes.
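To confirm that these locations really carry the Low mandatory label (the MIC ACE described above), read it back with icacls. This is an added example, not code from the IE Team: the four paths are the Vista paths listed above, while the icacls parsing and the OK/UNEXPECTED verdicts are mine. On Windows 8 and later the Cookies and History folders have moved and will show as missing.

```powershell
# Added example (not from the IE Team post): read back the mandatory integrity
# label on the four Low locations the post lists, and compare with each parent.

$lowFolders = @(
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Low"
    "$env:LOCALAPPDATA\Temp\Low"
    "$env:APPDATA\Microsoft\Windows\Cookies\Low"
    "$env:LOCALAPPDATA\Microsoft\Windows\History\Low"
)

function Get-MandatoryLabel([string]$Path) {
    # icacls prints "Mandatory Label\<Level> Mandatory Level:(...)(NW)" only when an
    # explicit label is set. No such line means the object has no label of its own
    # and is treated as Medium, which a Low process cannot write to (NW = No Write Up).
    foreach ($line in (& icacls.exe $Path 2>&1)) {
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    }
    return 'Medium(implicit)'
}

function Test-LowFolders {
    foreach ($folder in $lowFolders) {
        if (-not (Test-Path -LiteralPath $folder)) {
            [pscustomobject]@{ Folder = $folder; Label = 'MISSING'; ParentLabel = ''; Verdict = 'n/a (moved on newer Windows)' }
            continue
        }
        $label  = Get-MandatoryLabel $folder
        $parent = Get-MandatoryLabel (Split-Path -Parent $folder)
        [pscustomobject]@{
            Folder      = $folder
            Label       = $label
            ParentLabel = $parent
            # The Low folder must be labelled Low, and the parent must not be,
            # otherwise the boundary between the two stores is gone.
            Verdict     = if ($label -eq 'Low' -and $parent -ne 'Low') { 'OK' } else { 'UNEXPECTED' }
        }
    }
}

Test-LowFolders | Format-Table -AutoSize -Wrap

# The integrity level of this PowerShell process, for comparison (normally Medium).
& whoami.exe /groups | Select-String 'Mandatory Level'
```

Run it from a Medium-integrity session; the last line shows the label of the process doing the checking, which is the other half of the MIC comparison the post describes.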

In a similar vein, insulating higher integrity processes from lower integrity processes, Protected Mode leverages UIPI to block window messages to higher-integrity processes and other forms of lower-to-higher access, to guard against web-based shatter attacks.

Conforming to the security concept of “least privilege,” web browsing and other routine functionality takes place at Low integrity level. Protected Mode does occasionally need to have functions performed at Medium and High integrity levels. For this purpose, Protected Mode uses the security concept of “separation of privilege.” Medium level functions are carried out by a separate User Broker process. High level functions are carried out by a separate Admin Broker process. An example of a function requiring an admin’s High rights is the installation of an ActiveX control or a “setup.exe” type of installation. The Admin Broker carries out the ActiveX installation on IE’s behalf. The Admin Broker always gains the user’s consent before acting. An example of a function requiring Medium rights is a SaveAs operation to the user’s user profile folder. Here the medium-level User Broker assists. For most operations the User Broker requires user consent.

Because Low rights is such a restrictive environment, Protected Mode includes compatibility features. These features allow most add-ins to run unaffected. Protected Mode provides a “compatibility layer” that consists of a set of shims that intercept certain system API calls. There’s the File & Registry Shim, which virtualizes file system operations; the CreateProcess Shim, which allows an add-on to launch another process at Medium, with user consent; and the CoCreateInstance Shim, which allows an add-on to launch a COM server at Medium, again only with user consent.

Since a Low process lacks the privilege to write to most locations in the file system and registry, the File & Registry Compat Shim virtualizes some common file system folders and registry keys. Those file and registry locations are redirected to per-user Low-integrity virtual locations where they can’t affect the real versions. The virtualized file system is in the Temporary Internet Files (TIF), the same general place IE caches web files. If an add-in attempts to append to an existing file, the shim applies a “copy-on-write” approach, first copying the file to the corresponding virtual location, with the actual append happening only to the virtualized version. If the add-in attempts to read a file and both a real version and a virtualized version exist, the shim makes the add-in read the virtualized version. The shim does not otherwise affect reads. Registry virtualization works similarly. Note that Vista’s UAC virtualization does not apply to Protected Mode; if an add-in attempts to write to sensitive areas, the write will not be redirected and the add-in will just get an Access Denied error.

For example, the Compat Shim virtualizes the UserProfile folder (real location %userprofile%) to the TIF location %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\{system drive letter}\Users\{username}.

An example of a file system location to which an add-in is simply denied access is %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies

As an example of the registry virtualization, the Compat Shim virtualizes the real registry key HKCU\Software to HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\{SID}\Software. (A SID is the user’s security identifier.)

An example of a registry location where an add-in is simply denied access is HKCU\Software\Classes.
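For incident response these virtual stores are the first place to look: anything that an exploited Low-integrity IE tried to drop into the user profile or HKCU\Software ended up in the Virtualized folder or under the InternetRegistry key, not in the real location. The triage script below is an added example and not from the IE Team post; the two locations are the ones quoted above, and the patterns it flags (executables, a shadowed Startup folder, shadowed Run keys, shadowed IE settings) are my own heuristics drawn from the "install software, Startup folder, hijack browser settings" list earlier in the post.

```powershell
# Added example (not from the IE Team post): triage the Protected Mode virtual
# stores. The two locations are the ones the post gives; the flagging rules are
# my own heuristics for what code running at Low integrity tends to attempt.

$virtFiles = "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Virtualized"
$virtReg   = 'HKCU:\Software\Microsoft\Internet Explorer\InternetRegistry'

function Get-VirtualizedFiles {
    # Every file here is a copy-on-write shadow; the real path never received it.
    if (-not (Test-Path -LiteralPath $virtFiles)) { return }
    Get-ChildItem -LiteralPath $virtFiles -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer } |
      ForEach-Object {
        # Virtualized\C\Users\alice\foo.exe shadows C:\Users\alice\foo.exe
        $rel  = $_.FullName.Substring($virtFiles.Length + 1)
        $real = $rel -replace '^([A-Za-z])\\', '${1}:\'
        [pscustomobject]@{
            ShadowsRealPath = $real
            Bytes           = $_.Length
            Written         = $_.LastWriteTime
            Flag            = if ($_.Extension -match '^\.(exe|dll|scr|com|bat|cmd|vbs|js|hta|lnk)$') { 'EXECUTABLE' }
                              elseif ($real -match '\\Start Menu\\Programs\\Startup\\') { 'STARTUP' }
                              else { '' }
        }
      }
}

function Get-VirtualizedRegistry {
    # InternetRegistry\REGISTRY\USER\<SID>\Software\X shadows HKCU\Software\X
    if (-not (Test-Path -LiteralPath $virtReg)) { return }
    Get-ChildItem -LiteralPath $virtReg -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $_.ValueCount -gt 0 } |
      ForEach-Object {
        $real = $_.Name -replace '^.*\\REGISTRY\\USER\\S-[0-9-]+\\', 'HKCU\'
        [pscustomobject]@{
            ShadowsRealKey = $real
            Values         = ($_.GetValueNames() -join ', ')
            Flag           = if ($real -match '\\CurrentVersion\\Run(Once)?$') { 'PERSISTENCE' }
                             elseif ($real -match '\\Internet Explorer\\(Main|Toolbar|Extensions|SearchScopes)') { 'BROWSER-HIJACK' }
                             else { '' }
        }
      }
}

Get-VirtualizedFiles    | Format-Table -AutoSize -Wrap
Get-VirtualizedRegistry | Format-Table -AutoSize -Wrap
```

A shadowed Run key or Startup entry here is an attempted persistence that Protected Mode absorbed; it is evidence of a compromise of the Low process, not of a working foothold, and the real keys should still be checked separately.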

The CreateProcess Shim intervenes when an add-in attempts to launch a process using CreateProcess() or equivalent API. The shim presents an “elevation dialog” to the user, asking the user whether they want to run the app at a higher privilege level than IE. If the user assents, the app is allowed to launch at Medium level. If the user says no, the app is not launched. The CoCreateInstance Shim works similarly but kicks in when an add-in attempts to launch a COM server.

To optimize user experience, the registry has Elevation Opt-In Lists for CreateProcess and COM (at HKLM\Software\Microsoft\Internet Explorer\Low Rights; there’s also a per-user version in HKCU). These allow-lists can enable Protected Mode IE to silently launch specified apps or COM servers at elevated privilege levels, among other options. When it’s necessary to launch a non-IE process with admin privileges, you would include the RequestedExecutionLevel marking in the application manifest.
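The opt-in lists are also the part of Protected Mode that is easiest to weaken by configuration, since a "silently launch at Medium" entry is a permitted path out of the Low sandbox. The audit below is an added example and not from the IE Team post. The post names only the Low Rights key; the ElevationPolicy\{GUID} layout (AppName and AppPath for CreateProcess entries, CLSID for COM entries, a Policy DWORD) and the meaning of the Policy values are taken from Microsoft's "Understanding and Working in Protected Mode Internet Explorer" documentation that the post links at the end. The Low-label check on the target binary is my own heuristic.

```powershell
# Added example (not from the IE Team post): audit the CreateProcess/COM elevation
# opt-in lists under "Low Rights\ElevationPolicy" in HKLM (both views) and HKCU.
#
#   Policy 0 = silently block             Policy 2 = prompt, then launch at Medium
#   Policy 1 = silently launch at Low     Policy 3 = silently launch at Medium

$policyName = @{ 0 = 'BLOCK'; 1 = 'SILENT-LOW'; 2 = 'PROMPT'; 3 = 'SILENT-MEDIUM' }
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
)

function Test-LowLabelled([string]$Path) {
    # If the target binary (or its folder) carries a Low mandatory label, a Low
    # process could replace it, and a Policy 3 entry becomes a silent Low-to-Medium hop.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = (& icacls.exe $Path 2>&1) -join "`n"
    return [bool]($acl -match 'Mandatory Label\\Low Mandatory Level')
}

function Get-ElevationPolicy {
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $root) {
            $p      = Get-ItemProperty -LiteralPath $entry.PSPath
            $policy = if ($null -ne $p.Policy) { [int]$p.Policy } else { -1 }
            $name   = if ($policyName.ContainsKey($policy)) { $policyName[$policy] } else { 'UNSET' }
            $exe    = if ($p.AppPath -and $p.AppName) { Join-Path $p.AppPath $p.AppName } else { $null }
            $target = if ($p.CLSID) { "COM $($p.CLSID)" } elseif ($exe) { $exe } else { '(incomplete entry)' }

            $note = ''
            if ($policy -eq 3) {
                $note = 'silent elevation: confirm this entry is expected'
                if ($exe -and ((Test-LowLabelled $exe) -or (Test-LowLabelled (Split-Path -Parent $exe)))) {
                    $note = 'REVIEW: silent Medium launch of a Low-writable target'
                }
                elseif ($exe -and -not (Test-Path -LiteralPath $exe)) {
                    $note = 'REVIEW: target missing; make sure a Low process cannot create it'
                }
            }
            [pscustomobject]@{
                Hive   = $root.Substring(0, 4)
                Entry  = $entry.PSChildName
                Target = $target
                Policy = "$policy ($name)"
                Note   = $note
            }
        }
    }
}

Get-ElevationPolicy | Sort-Object Policy -Descending | Format-Table -AutoSize -Wrap
```

Policy 3 entries are not wrong in themselves (Microsoft ships several), but each one is a decision that a particular binary may be started at Medium without the user seeing the elevation dialog the post describes, so the list should be short and every target should live somewhere a Low process cannot write.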

The compatibility layers should allow most legacy add-ons to just work without requiring any modification. Protected Mode provides a set of APIs that new and existing add-ins can make use of to work natively in Protected Mode. For example, IEIsProtectedMode() lets an add-in find out if IE is running in Protected Mode. The IEGetWriteableFolderPath() and IEGetWriteableHKCU() functions find low-integrity locations to which the add-in can write. To save a file outside the TIF so that users and apps can later find the file, an add-in employs a two-step procedure, first calling the IEShowSaveFileDialog() function to get the user’s consent and desired user profile location, and then calling IESaveFile() to write to that location. Add-in writers also can create their own broker processes if needed for custom elevated operations.
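The three discovery calls can be exercised from PowerShell through P/Invoke. This is an added example, not from the IE Team post or Microsoft's samples. The exports in the released iepmapi.h/ieframe.dll are IEIsProtectedModeProcess, IEGetWriteableFolderPath and IEGetWriteableHKCU; that the post's IEIsProtectedMode() is the beta name of the first is my assumption. The two KNOWNFOLDERID GUIDs are the values from knownfolders.h as I recall them, so verify them against your SDK copy. The probe subkey name is mine. Run inside a Protected Mode process (for instance from an add-in host) to see the Low locations; from an ordinary Medium-integrity PowerShell the first call simply reports False and the others return the unredirected locations or a failing HRESULT, which the script prints rather than hides.

```powershell
# Added example (not from the IE Team post): P/Invoke wrappers for three Protected
# Mode API exports in ieframe.dll (declared in iepmapi.h). Folder GUIDs are the
# KNOWNFOLDERID values as I recall them from knownfolders.h; check your SDK copy.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;

public static class IePm
{
    [DllImport("ieframe.dll")]
    static extern int IEIsProtectedModeProcess(out bool pbResult);                       // HRESULT, BOOL*

    [DllImport("ieframe.dll")]
    static extern int IEGetWriteableFolderPath(ref Guid clsidFolderID, out IntPtr lppwstrPath);

    [DllImport("ieframe.dll")]
    static extern int IEGetWriteableHKCU(out IntPtr phKey);

    public static bool IsProtectedMode()
    {
        bool r;
        int hr = IEIsProtectedModeProcess(out r);
        if (hr != 0) throw new InvalidOperationException("IEIsProtectedModeProcess failed, HRESULT 0x" + hr.ToString("X8"));
        return r;
    }

    public static string WriteableFolder(Guid folderId)
    {
        IntPtr p;
        int hr = IEGetWriteableFolderPath(ref folderId, out p);
        if (hr != 0) return "HRESULT 0x" + hr.ToString("X8");
        try { return Marshal.PtrToStringUni(p); }
        finally { Marshal.FreeCoTaskMem(p); }   // the caller owns the returned string
    }

    // Writes a timestamp value below the HKCU the API hands back; where it lands
    // (real HKCU or the InternetRegistry redirect) is checked by the caller.
    public static bool ProbeWriteableHkcu(string subKey, string valueName)
    {
        IntPtr h;
        int hr = IEGetWriteableHKCU(out h);
        if (hr != 0) return false;
        using (var root = RegistryKey.FromHandle(new SafeRegistryHandle(h, true)))
        using (var k = root.CreateSubKey(subKey))
        {
            k.SetValue(valueName, DateTime.UtcNow.ToString("o"));
        }
        return true;
    }
}
'@

$FOLDERID_InternetCache   = [Guid]'352481E8-33BE-4251-BA85-6007CAEDCF9D'
$FOLDERID_LocalAppDataLow = [Guid]'A520A1A4-1780-4FF6-BD18-167343C5AF16'

"Protected Mode process : {0}" -f [IePm]::IsProtectedMode()
"Writable cache folder  : {0}" -f [IePm]::WriteableFolder($FOLDERID_InternetCache)
"Writable AppDataLow    : {0}" -f [IePm]::WriteableFolder($FOLDERID_LocalAppDataLow)

# Probe subkey name is mine. In Protected Mode it should appear only under the
# InternetRegistry redirect, never under the real HKCU\Software.
if ([IePm]::ProbeWriteableHkcu('Software\PmProbe', 'LastRun')) {
    $realHit = Test-Path -LiteralPath 'HKCU:\Software\PmProbe'
    $virtHit = Get-ChildItem 'HKCU:\Software\Microsoft\Internet Explorer\InternetRegistry' -Recurse -ErrorAction SilentlyContinue |
               Where-Object { $_.PSChildName -eq 'PmProbe' }
    "Probe key in real HKCU : {0}" -f $realHit
    "Probe key virtualized  : {0}" -f ($null -ne $virtHit)
} else {
    "IEGetWriteableHKCU     : failed"
}
```

The probe is the point of the exercise: it makes visible the difference between the HKCU an add-in thinks it is writing to and the Low-integrity copy the shim actually gives it, which is what the IEGetWriteableHKCU() call in the post exists to expose.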

For further information:

Introduction to the Protected Mode API

Understanding and Working in Protected Mode Internet Explorer

User Account Control White Paper