Internet Explorer Security Zones Arcana
The following is an interesting Internet Explorer issue that one of our MVPs recently noticed. He writes:
We have a group policy object that sets Zone Elevation to Prompt for the Local Computer Zone ("Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone/Web sites in less privileged Web content zones can navigate into this zone" set to "Enabled: Prompt"). We also have disabled the Local Machine Zone Lockdown (LMZL) for Internet Explorer (under Windows Components/Internet Explorer/Security Features/Local Machine Zone Lockdown Security).
When I subsequently visit http://encompassnw.org, I’m prompted about zone elevation to “ieframe.dll” when I mouse over the “Children”, “Families”, etc. menu links on the left side of the page. What’s up with that?
Using Fiddler to view the HTTP traffic as I interact with the site, I don’t see any HTTP requests made as I hover over the menu. If there really is a navigation leading to Zone elevation, it’s not using the HTTP protocol.
At this point, I still don’t know much, but I’ve got a few hunches…
IE made a number of changes to URL handling in IE7, but I know that ieframe.dll contains the error pages that IE7 displays when a navigation fails. I suspect that the Zone elevation prompt is actually being triggered by the navigation to an error page. Unfortunately, even when I click to “Allow” the Zone Elevation, I don’t see an error page, so I can’t confirm my theory.
Now, another thing I know is that IE7 changed how Javascript-protocol URIs are handled. Specifically, we no longer allow the Javascript URI protocol to serve as an IMG source or navigation target. Hyperlinks are a special case; when a page includes a tag like <a href="javascript: runFn()">, IE7 will treat that HTML as if it were written <a href="#" onclick="runFn();">. This change helps simplify and reduce attack surface in the navigation codepath.
Using Fiddler’s “Find” feature to look for javascript: turns up http://encompassnw.org/jscripts/menulib.js, which contains the script:
document.body.insertAdjacentHTML("beforeEnd","<iframe id='"+BL+"' src='javascript: void 0;'
This may well be the source of the problem. Using Fiddler’s QuickExec box, I type bpafter menulib.js to set a response breakpoint at the download of the script file. Hitting CTRL+F5 in IE refetches the entire page and its resources, and Fiddler breaks into editing mode when menulib.js is downloaded.
Now, since I suspect that the javascript: void 0; is causing the problem, I change the script line to:
document.body.insertAdjacentHTML("beforeEnd","<iframe id='"+BL+"' src='about:blank'
... and click Fiddler’s “Run to completion” button to send my modified script to Internet Explorer. Mousing around the menus, I no longer see the Zone Elevation prompt.
So, I know how to fix the URI, and but why would a Zone Elevation occur?
When you turn off LMZL, you also turn off the feature that forces all res:// URIs into the Internet Zone. The failed frame navigation to 'javascript: void 0;' navigates to a HTML resource inside IEFrame.dll using the RES protocol. Since IEFrame.dll is on the local machine, this results in a Zone Elevation.
We have a group policy object that sets Zone Elevation to Prompt for the Local Computer Zone ("Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone/Web sites in less privileged Web content zones can navigate into this zone" set to "Enabled: Prompt"). We also have disabled the Local Machine Zone Lockdown (LMZL) for Internet Explorer (under Windows Components/Internet Explorer/Security Features/Local Machine Zone Lockdown Security).
When I subsequently visit http://encompassnw.org, I’m prompted about zone elevation to “ieframe.dll” when I mouse over the “Children”, “Families”, etc. menu links on the left side of the page. What’s up with that?
Using Fiddler to view the HTTP traffic as I interact with the site, I don’t see any HTTP requests made as I hover over the menu. If there really is a navigation leading to Zone elevation, it’s not using the HTTP protocol.
At this point, I still don’t know much, but I’ve got a few hunches…
IE made a number of changes to URL handling in IE7, but I know that ieframe.dll contains the error pages that IE7 displays when a navigation fails. I suspect that the Zone elevation prompt is actually being triggered by the navigation to an error page. Unfortunately, even when I click to “Allow” the Zone Elevation, I don’t see an error page, so I can’t confirm my theory.
Now, another thing I know is that IE7 changed how Javascript-protocol URIs are handled. Specifically, we no longer allow the Javascript URI protocol to serve as an IMG source or navigation target. Hyperlinks are a special case; when a page includes a tag like <a href="javascript: runFn()">, IE7 will treat that HTML as if it were written <a href="#" onclick="runFn();">. This change helps simplify and reduce attack surface in the navigation codepath.
Using Fiddler’s “Find” feature to look for javascript: turns up http://encompassnw.org/jscripts/menulib.js, which contains the script:
document.body.insertAdjacentHTML("beforeEnd","<iframe id='"+BL+"' src='javascript: void 0;'
This may well be the source of the problem. Using Fiddler’s QuickExec box, I type bpafter menulib.js to set a response breakpoint at the download of the script file. Hitting CTRL+F5 in IE refetches the entire page and its resources, and Fiddler breaks into editing mode when menulib.js is downloaded.
Now, since I suspect that the javascript: void 0; is causing the problem, I change the script line to:
document.body.insertAdjacentHTML("beforeEnd","<iframe id='"+BL+"' src='about:blank'
... and click Fiddler’s “Run to completion” button to send my modified script to Internet Explorer. Mousing around the menus, I no longer see the Zone Elevation prompt.
So, I know how to fix the URI, and but why would a Zone Elevation occur?
When you turn off LMZL, you also turn off the feature that forces all res:// URIs into the Internet Zone. The failed frame navigation to 'javascript: void 0;' navigates to a HTML resource inside IEFrame.dll using the RES protocol. Since IEFrame.dll is on the local machine, this results in a Zone Elevation.
0 Comments:
Post a Comment
<< Home