Posted by G Doucet on 09/12/06 22:46

TC wrote:
>
> Andy Dingley wrote:
>> TC wrote:
>>
>> > 1. The change increases the default security of the Local Zone. I think
>> > that's a good idea.
>>
>> You get to write to my filesystem, I'm 0wned already.
>
> No, that depends on what I can write, and where I can write it. I can't
> own your PC by writing text files to the TEMP directory.
>
> MOTW relates specifically to content written by browsers (possibly
> running under restricted accounts) to the places that browsers can
> actually write to. That is the context in which to discuss it. *All*
> security mechanisms become irrelevant if the attacker can write
> anything to anywhere.
>
>
>> > 2. It is not a "mystical incantation". It is clearly documented in MSDN:
>>
>> That's the point. Here's a security measure that's well-intentioned, if
>> somewhat weak. Then they've publically written down how to make a key
>> to unlock it.
>
> Unlock what?
>
> Go to groups.google.com. View the first few lines of the source
> (without saving it). Now File : SaveAs the page, and look at the saved
> source. You'll see that *IE itself* has added the MOTW. Run the saved
> file locally - all is good. Now remove the MOTW, and run it again -
> you'll get the active content warning.
>
> Adding the MOTW has not "unlocked" anything. It has not let the page do
> anything that it couldn't do before. It has not magically elevated the
> page above the Internet Zone permissions.
>
> TC (MVP MSAccess)
> http://tc2.atspace.com
>

The Mark Of The Web must be generally misunderstood because I am at a loss.

It is written here http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/motw.asp that to mitigate the
security risk of attackers trying to exploit the Local Machine zone and its looser restrictions to access my computer, Internet
Explorer 6 for Windows XP SP2 "locks down" the Local Machine zone.


So I'm guessing that prior to Internet Explorer 6 for Windows XP SP2, the local zone was like a free for all, and that now with
Internet Explorer 6 for Windows XP SP2, the local zone is lock down. It must be because now I get prompted when I open one of my
own HTML files on my D: drive just because it has two lines of simple javascript!?

It is also written that the Mark of the Web (MOTW) is a feature of Microsoft Internet Explorer that enhances security by enabling
Internet Explorer to force Web pages to run in the security zone of the location the page was saved from as long as that security
zone is more restrictive than the Local Machine zone.

I don't know what that means "the location the page was saved from", because I created my own HTML files from scratch using notepad,
and I didn't save them from anywhere!?

It is also written there that by referencing the MOTW, Internet Explorer can force web pages into a zone that has more restrictions,
such as the Internet zone. At the same time, the MOTW cannot be used to elevate Web pages to a zone with fewer restrictions.

Well first they say that the local zone is locked down and now they say that the MOTW can't raise IE to a less restricitve zone.
It's not making sense. :-P

Help.
G Doucet

[Back to original message]