New Internet Explorer Security Setting
Detailed description
A new URL action setting, Binary Behaviors, is in each Internet Explorer security zone. The default value for this setting is Enable for all zones except the Restricted Sites zone. In the Restricted Sites zone, the default value is Disable.
Why is this change important? What threats does it help mitigate?
This new setting helps mitigate attacks in which binary behaviors were being used maliciously and allows the user to control the use of binary behaviors on a per-zone basis.
What works differently?
Any use of any binary behaviors for HTML rendering from the Restricted Sites zone is blocked.
How do I resolve these issues?
To use binary behaviors from the Restricted Sites zone, an application will have to implement a custom security manager. (For more information, see the "Creating a Customized URL Security Manager" section in "Introduction to URL Security Zones" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=21863.)
When the binary behaviors URL action is exercised from a custom security manager, the URL action will pass in a string representation of the particular binary behaviors that can be enabled by that custom security manager as needed for application compatibility. The following process takes place when this URL action is exercised:
Internet Explorer calls into a custom security manager (if available), using the ProcessUrlAction method with a dwAction of URLACTION_BEHAVIOR_
The pContext parameter points to an LPCWSTR that contains the behavior for which a policy is being queried, for example, #default#time.
You set *pPolicy = URLPOLICY_ALLOW for your smartTag behavior, from within your custom security manager, as appropriate.
In the absence of the custom security manager, the default action is to disallow running behaviors in the Restricted zone.
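The decision described in the steps above, as an added example (not code from the original page or from Microsoft): a portable C++ model of the check a custom security manager would make inside ProcessUrlAction, allowing only exactly matching behavior names and denying everything else. The constants are defined locally to match urlmon.h, with the action taken to be URLACTION_BEHAVIOR_RUN; the function name DecideBehaviorPolicy, the allowlist contents, and the treatment of cbContext as a byte count are assumptions.

```cpp
// Added example: portable model of a custom security manager's decision for
// the binary behaviors URL action. On Windows, use the urlmon.h definitions.
#include <cstddef>
#include <cstdint>
#include <cwchar>

typedef uint32_t DWORD_T;    // stand-in for DWORD
typedef int32_t  HRESULT_T;  // stand-in for HRESULT

const DWORD_T   kUrlActionBehaviorRun = 0x00002000;  // URLACTION_BEHAVIOR_RUN
const DWORD_T   kUrlPolicyAllow       = 0x00;        // URLPOLICY_ALLOW
const DWORD_T   kUrlPolicyDisallow    = 0x03;        // URLPOLICY_DISALLOW
const HRESULT_T kSOk                  = 0;           // S_OK
const HRESULT_T kSFalse               = 1;           // S_FALSE
const HRESULT_T kInetEDefaultAction   = static_cast<HRESULT_T>(0x800C0011u);

// Assumed allowlist: only the behaviors the host application really needs.
static const wchar_t* const kAllowedBehaviors[] = { L"#default#time" };

// True only if a terminator lies within cb bytes (byte count is an assumption).
static bool IsTerminated(const wchar_t* s, DWORD_T cb) {
    for (size_t i = 0; i < cb / sizeof(wchar_t); ++i)
        if (s[i] == L'\0') return true;
    return false;
}

HRESULT_T DecideBehaviorPolicy(DWORD_T dwAction, const void* pContext,
                               DWORD_T cbContext, DWORD_T* pPolicy) {
    if (dwAction != kUrlActionBehaviorRun || pPolicy == nullptr)
        return kInetEDefaultAction;      // not handled here: default manager decides
    *pPolicy = kUrlPolicyDisallow;       // fail closed before inspecting the name
    const wchar_t* name = static_cast<const wchar_t*>(pContext);
    if (name == nullptr || !IsTerminated(name, cbContext))
        return kSFalse;
    for (const wchar_t* allowed : kAllowedBehaviors) {
        if (std::wcscmp(name, allowed) == 0) {   // exact match, no prefix matching
            *pPolicy = kUrlPolicyAllow;
            return kSOk;
        }
    }
    return kSFalse;
}

int main() {
    const wchar_t requested[] = L"#default#time";  // constructed sample input
    DWORD_T policy = kUrlPolicyDisallow;
    HRESULT_T hr = DecideBehaviorPolicy(kUrlActionBehaviorRun, requested,
                                        sizeof(requested), &policy);
    return (hr == kSOk && policy == kUrlPolicyAllow) ? 0 : 1;
}
```

Keeping the allowlist to exact names means a behavior the application never asked for stays blocked in the Restricted Sites zone even when the custom security manager is present.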