Friday, May 18, 2007

Internet Explorer Security Zones Arcana

The following is an interesting Internet Explorer issue that one of our MVPs recently noticed. He writes:

We have a group policy object that sets Zone Elevation to Prompt for the Local Computer Zone ("Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone/Web sites in less privileged Web content zones can navigate into this zone" set to "Enabled: Prompt"). We also have disabled the Local Machine Zone Lockdown (LMZL) for Internet Explorer (under Windows Components/Internet Explorer/Security Features/Local Machine Zone Lockdown Security).

When I subsequently visit, I’m prompted about zone elevation to “ieframe.dll” when I mouse over the “Children”, “Families”, etc. menu links on the left side of the page. What’s up with that?

Using Fiddler to view the HTTP traffic as I interact with the site, I don’t see any HTTP requests made as I hover over the menu. If there really is a navigation leading to Zone elevation, it’s not using the HTTP protocol.

At this point, I still don’t know much, but I’ve got a few hunches…

IE made a number of changes to URL handling in IE7, but I know that ieframe.dll contains the error pages that IE7 displays when a navigation fails. I suspect that the Zone elevation prompt is actually being triggered by the navigation to an error page. Unfortunately, even when I click to “Allow” the Zone Elevation, I don’t see an error page, so I can’t confirm my theory.

Now, another thing I know is that IE7 changed how Javascript-protocol URIs are handled. Specifically, we no longer allow the Javascript URI protocol to serve as an IMG source or navigation target. Hyperlinks are a special case; when a page includes a tag like <a href="javascript: runFn()">, IE7 will treat that HTML as if it were written <a href="#" onclick="runFn();">. This change helps simplify and reduce attack surface in the navigation codepath.

Using Fiddler’s “Find” feature to look for javascript: turns up menulib.js, which contains the script:

document.body.insertAdjacentHTML("beforeEnd","<iframe id='"+BL+"' src='javascript: void 0;'

This may well be the source of the problem. Using Fiddler’s QuickExec box, I type bpafter menulib.js to set a response breakpoint at the download of the script file. Hitting CTRL+F5 in IE refetches the entire page and its resources, and Fiddler breaks into editing mode when menulib.js is downloaded.

Now, since I suspect that the javascript: void 0; is causing the problem, I change the script line to:

document.body.insertAdjacentHTML("beforeEnd","<iframe id='"+BL+"' src='about:blank'

... and click Fiddler’s “Run to completion” button to send my modified script to Internet Explorer. Mousing around the menus, I no longer see the Zone Elevation prompt.
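The manual edit made in Fiddler above, applied mechanically as an added example (this is not code from the original post or from menulib.js): a scheme check that handles the leading whitespace and mixed case that a naive prefix test would miss, and a fragment rewriter that swaps any javascript: frame source for about:blank. The id value BL and the sample fragment are constructed stand-ins.

```javascript
// Added example (not from the original post): apply the post's fix
// (javascript: iframe source -> about:blank) to an HTML fragment string.
// Runs in Node without a DOM; the fragment is treated purely as text.

// Browsers ignore leading/trailing ASCII whitespace and C0 control characters
// in a URL and match the scheme case-insensitively, so a plain startsWith
// check misses inputs such as " JavaScript:void 0". Normalize first.
function isJavascriptUri(uri) {
  const trimmed = String(uri).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  return /^javascript:/i.test(trimmed);
}

// Return the frame source to use: the original when it is not a javascript:
// URI, otherwise the neutral about:blank the post substitutes.
function safeFrameSrc(src) {
  return isJavascriptUri(src) ? "about:blank" : src;
}

// Rewrite every src='...' / src="..." attribute in an HTML fragment string.
// Same edit the post made by hand in Fiddler, done for every frame at once.
function rewriteFrameSources(fragment) {
  return fragment.replace(/(\bsrc\s*=\s*)(['"])(.*?)\2/gi,
    (match, prefix, quote, value) => prefix + quote + safeFrameSrc(value) + quote);
}

// Constructed sample modelled on the fragment quoted in the post. BL is
// whatever id the page's script supplies; a literal stands in here.
const BL = "menuFrame";
const original = "<iframe id='" + BL + "' src='javascript: void 0;'></iframe>";
const fixed = rewriteFrameSources(original);
// fixed === "<iframe id='menuFrame' src='about:blank'></iframe>"
```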

So, I know how to fix the URI, but why would a Zone Elevation occur?

When you turn off LMZL, you also turn off the feature that forces all res:// URIs into the Internet Zone. The failed frame navigation to 'javascript: void 0;' navigates to an HTML resource inside IEFrame.dll using the RES protocol. Since IEFrame.dll is on the local machine, this results in a Zone Elevation.

