When a Web page is opened in Internet Explorer, Internet Explorer puts restrictions on what the page can do, based on where that Web page came from: the Internet, a local intranet server, a trusted site, and so on. For example, pages on the Internet have stricter security restrictions than pages on a user's local intranet. Web pages on a user's computer are in the Local Machine security zone, where they have the fewest security restrictions. This makes the Local Machine security zone a prime target for malicious users. Zone Elevation Blocks makes it harder to get code to run in this zone. In addition, Local Machine Zone Lockdown makes the zone less vulnerable to malicious users by changing its security settings.
Web developers must plan changes or workarounds for any possible impact to their Web site.
Application developers should review this feature to plan to adopt changes in their applications that run in the Local Machine security zone. Since the feature is not enabled for processes other than Internet Explorer by default, developers must register their applications to take advantage of the changes.
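The per-process registration mentioned above is done through an Internet Explorer feature-control registry value. The following PowerShell script is an added example, not code from this document or from Microsoft; it assumes the opt-in lives under the FEATURE_ZONE_ELEVATION key that Internet Explorer documents for this feature (the key is not named on this page), and `myhostapp.exe` is a placeholder process name.

```powershell
# Audit which processes have opted into Zone Elevation Blocks, then opt in a
# placeholder host application. Added example; assumes the documented
# FeatureControl layout: a REG_DWORD named after the executable, 1 = enabled.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION'

function Get-ZoneElevationOptIn {
    # Returns 'enabled', 'disabled' or 'not configured' for one process name.
    param([Parameter(Mandatory)][string]$ProcessName)
    if (-not (Test-Path $KeyPath)) { return 'not configured' }
    $item  = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $entry = $item.PSObject.Properties[$ProcessName]
    if ($null -eq $entry) { return 'not configured' }
    if ([int]$entry.Value -eq 1) { return 'enabled' }
    return 'disabled'
}

function Enable-ZoneElevationOptIn {
    # Writes the DWORD opt-in for the process; requires administrative rights (HKLM).
    param([Parameter(Mandatory)][string]$ProcessName)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ProcessName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Report every process that already has an explicit setting under the key.
if (Test-Path $KeyPath) {
    (Get-ItemProperty -Path $KeyPath).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # skip PowerShell's own metadata properties
        ForEach-Object {
            $state = if ([int]$_.Value -eq 1) { 'enabled' } else { 'disabled' }
            '{0,-30} {1}' -f $_.Name, $state
        }
}

# Make sure the placeholder application is opted in, then confirm the result.
$app = 'myhostapp.exe'   # placeholder process name, replace with the real executable name
if ((Get-ZoneElevationOptIn $app) -ne 'enabled') { Enable-ZoneElevationOptIn $app }
Get-ZoneElevationOptIn $app
```

A process that is absent from the key behaves as "not configured", which for processes other than Internet Explorer means the feature is off by default, so the audit output is the quickest way to see which embedded-browser hosts are still unprotected.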
End users might be impacted by sites that are not compatible with these stricter rules and settings.
Zone Elevation Blocks
Detailed description
Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL. This means, for example, that a page in the Internet zone cannot navigate to a page in the Local Intranet zone, except as the result of a user-initiated action. A script, for example, could not cause this navigation. For the purpose of this mitigation, the security context ranking of the zones, from highest security context to lowest, is: Restricted Sites zone, Internet zone, Local Intranet zone, Trusted Sites zone, and Local Machine zone.
Zone Elevation Blocks also disables JavaScript navigation if there is no security context.
If a user clicks a link that causes the Web site to attempt to navigate to a higher zone, Internet Explorer displays one of two messages. The italicized portions change according to the situation.
The current Internet site is trying to open a file that is on your Trusted sites list. If you trust this Internet site, proceed by clicking OK.
The current site is in your Restricted sites list and is trying to open a file that is on your computer. We recommend that you do not allow this.
In both cases, the default action does not allow the zone elevation. The user must explicitly allow the requested zone elevation.
Why is this change important? What threats does it help mitigate?
Elevation of privilege is one of the most exploited vulnerabilities in Internet Explorer, with the ultimate goal of running malicious code in the Local Machine zone. Zone Elevation Blocks helps mitigate many privilege escalation attacks.
What works differently?
Non-user initiated navigation from one zone to a "higher" zone is blocked. This means that Web pages that automatically call more privileged Web pages fail.
How do I resolve these issues?
If a trusted Web application cannot be used, you can modify the Internet Explorer security zone settings to allow the application to continue working. You can also require user initiation of navigations between pages in different security zones.