August 2004 - Posts - Jon Galloway

August 2004 - Posts

XP SP2, IE, the Local Machine Zone Lockdown, and you

Summary

XP SP2 is especially tough on content running in the Local Machine Zone (meaning html files running on your desktop, a CD, or elsewhere on your machine). XP SP2's changes to the LMZ prevent all active content, including Javascript, Java, ActiveX.

Behavior

Blocked content triggers an Information Bar message saying "To help protect your security, Internet Explorer blocked this site from downloading files to your computer. Click here for more options...".
Clicking on the information bar brings up a prompt: "Allow Blocked Content".
Clicking that gives you a prompt: "Enabling active content on your Local Machine may harm your computer. Do you want to continue?"

Some examples of affected applications:

  1. Dave's Quick Search Taskbar Toolbar Deskbar is a toolbar that hosts a tiny browser window with an input box that can run searches on several different sites based on shortcut keys ("sp2" does a default Google search, "msft intc csco$" does a Bloomberg search, etc.). It uses a plugin architecture with Javascript files to allow you to add your own shortcuts. Under XP SP2, it pretty much stops working because the Javascript in the Local Machine Zone is blocked.
  2. HTML based CDROM's (such as training or educational CD's with simple Javascript menus).
  3. HTML Help applications with Javascript / ActiveX / Java.
  4. HTML developers working on HTML files with Javascript menus.
  5. HTML / Javascript utilities, such as auto-login pages (described below).

Why?

There are good reasons for this change - content running in the Local Machine Zone is by default higly trusted, so in the wrong hands it can do quite a bit of damage. Zone Elevation Attacks are among the most exploited IE attack vectors. However, the LMZ Lockdown can cause your local HTML content to stop working. Like it or not, this is how it works in XP SP2.

Microsoft MSDN information on the LMZ lockdown (more resources at end of post):
http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/locallockdown.aspx
http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/lockdown_devimp.aspx

Solutions

There are several solutions if the LMZ Lockdown affects your application:

  1. Give your HTML "The Mark Of The Web." This is probably the simplest solution, and is discussed below.
  2. Wrap your HTML in an HTML Application (HTA).
  3. Use a web browser control to display your content inside an application, rather than just showing it inside IE. Content shown within an application can be given higher privleges. Note that you have the option of using a Gecko browser control in addition to the IE browser control.
  4. Bad solution A - Don't download XP SP2 or block SP2 Auto Update for your network. SP2's improved security is a good thing - think big picture and fix your HTML.
  5. Bad solution B - Circumvent the LMZ Lockdown. Heck, we should probably be opting in to the LMZ Lockdown for other apps, not trying to disable it for IE.

Examples

I have several "auto-login" pages use javascript to log me into sites that I have to log into daily. These all stopped working when I upgraded to XP SP2. These pages are HTML files on my local filesystem. They contain HTML source from the original online page, modified it to prefill my username and password[1]. There's also a body onload statement so the form submits itself:

<html>
<head></head>
<!--several javascript functions such as hash() removed to keep this simple-->
<body onload="document.login_form.submit();">
<form method=post action=https://login.yahoo.com/config/login_verify2?pbnj42pbnj
name=login_form onsubmit=
"return hash(this,'http://login.yahoo.com/config/login_verify2')"ID="Form1">
<!--several hidden form fields removed to keep this simple-->
<input type=hidden name=".slogin" value="pretendyahoousername" ID="Hidden7">
<input name="passwd" type="password" size="17" maxlength="32" ID="Password1" value="notmyrealpassword">
</body>
</html>

The Javascript in the LMZ tiggers the blocked content warning. I'm given the option to allow the blocked content, but that However, IE will give your page a free ride if you include the magic MOTW tag at the top[2]:
Either:

<!-- saved from url=(0014)about:internet -->

Or[3]:

<!-- saved from url=(0023)http://www.somesite.com -->

So my new HTML reads:

<!-- saved from url=(0014)about:internet -->
<html>
<head>
</head>
<body onload="document.login_form.submit();">
<form method=post action=... >

And all is well and good.

The PHDCC site has a good description of this and the HTA solution, with screenshots, so I won't go into too much more detail here. Here's an example of the HTA code to host HTML, though (via PHDCC):

<HTML> <HEAD> <TITLE>HTML Application</TITLE> <HTA:APPLICATION 
ID=
"oMyApp"
BORDER=
"thin"
INNERBORDER=
"no"
SCROLL=
"no"
CAPTION=
"yes"
SHOWINTASKBAR="yes"
SINGLEINSTANCE="yes"
SYSMENU=
"yes"
WINDOWSTATE=
"normal">
</HEAD>
<BODY>
<IFRAME
src=
"index.htm"
trusted=yes
width=100%
height=100%
marginwidth=0
marginheight=0
border=0>
IFRAMES not supported
</IFRAME>
</BODY>
</HTML>

Links for further information

  1. Microsoft Technet summary on Browser Security Changes for SP2
  2. Analysis and help by PHDCC

Footnotes

[1] A free thump on the melon to the first astute person that tells me that this is not secure. Of course it's not secure. I only do this with passwords and sites I don't care about.
[2] This makes me wonder - couldn't the evil hacker guys just put this in their HTML and get the same free ride? I'm sure I'm missing something there.
[3] The number in perintheses, (0023), is the number of characters that follow. This code was taken from the www.phdcc.com site, but I didn't use their site URL in case the sample code gets copied and pasted.

UPDATE: Eric Law clarified in the comments:

Regarding your question #2: What's ~really~ happening when you use the MOTW is that the page is treated as having originated from the internet.  This means two things:

1> It runs with Internet permissions, not local machine zone permissions.

2> It no longer is able to access your local file system.  So, for instance, it cannot use the ADODB stream to read files off your harddisk and then send them to the Internet in a form post.

Note also: A MOTW cannot say that a page came from a more secure zone (e.g. can't claim it came from the trusted zone).

 

Google Releases Gmail Notifier

If you want POP access to GMail, there's PGtGM. If you just want a notification, there's now an official GMail Notifier:
Philipp Lenssen writes "After several unofficial, screen-scraping Gmail utilities, Google now released the official Gmail Notifier (Beta) for Windows. It will sit in the Windows tray, alerting you of new emails in your account (if you are lucky enough to have one already). Additionally, the Gmail Notifier can connect 'mailto:'-links in web pages to Gmail."
[Via Slashdot: ]
Posted by Jon Galloway | with no comments
Filed under:

Today's controversy is brought to you by the letter J

First, Tony posts an innocuous message about the XP SP2 updates to IE on the IEBlog:

[...] We also came up with a very original idea – popup blocking. J Sites can now no longer open windows except when the user clicks a link or button to initiate it. Similarly, sites cannot change your home page without a user click as well. [...]

IE users will see a smiley () and Mozilla / Firefox users just see a "J" after the "popup blocking" announcement. That's because the post HTML used the Webdings font which is only supported on IE[1]. The stage is now set - Tony makes a joke about Microsoft inventing popup blocking. The fact that he's joking is obvious to IE users. Unfortunately, the IE blog is heavily trolled by anti-MS zealots who don't see the smiley, take him seriously, and go nuts! Let the games begin!

Luckily Jim picked this up or we'd be calling in the riot squad. And Jim's analysis is brilliant: "You see why writing correct HTML and having browsers interpret it correctly is important?"

More postgame analysis here.

Lessons learned:

  1. World War I was started by the assasignation of Archduke Franz Ferdinand. World War III will likely be sparked by a post or comment on the IE Blog.
  2. The IE Blog could probably post the cure for cancer and there would still be the standard comments about how the cure (1) is overdue (2) is suspect based on MS's record (3) is not standards compliant, and (4) shows how appallingly MS is out of touch.
  3. The cross browser, peace on earth friendly smiley character, &#9786; is the preferred HTML implementation.[2]
  4. [1] It was also written in Word (it's full of mso specific tags), which is somehow implicated in all this as well.
    [2] Either Freetextbox or IE's inplace edit makes using &#9786; tough, since it converts it to a smiley character in the HTML code. Try creating a post, adding &#9786;, and switch back and forth between design and HTML view.

weblogs.asp.net / .TEXT admin now supports Firefox

The recent upgrade to .TEXT admin includes an upgrade to FreeTextbox 2.x, which means it now supports Firefox / Mozilla. Firefox has supported WYSIWYG HTML edit mode for a while, it just needed to be turned on.

Other things I learned this weekend: a group of rhinosceros is called a crash, while a group of flamingos is called a flamboyance.

Posted by Jon Galloway | with no comments
Filed under:

XP SP2 to RTM very very soon / Some SP2 gotchas

UPDATE:
XP SP2 Release Schedule
5th August RTM Announcement
10th August RTW (release to web)
24th August Windows Update/Automatic Updates release
[via NeoWin]

Kent reports that Windows XP SP2 will Released To Manufacturing today (8/4/04) soon - see update above.

Release Candidate 2 has been removed from the Microsoft website, but is still available elsewhere on the web[1]. Microsoft recommends not installing RC2 and waiting for the official release, but if you develop or maintain internet, intranet, or HTML applications you may want to get a look at how IE6 XP SP2 will affect your applications before your users do.

Microsoft XP SP2 resources [for IT professionals] [for developers] [for web developers]

The main things I've noticed:

  1. Many users already have a popup blocker installed - the Google Toolbar, for instance. I expect some user confusion as these users will now have two popup blockers installed. Support information or help desks will talk them through allowing the popup through the IE popup blocker, but the other popup blocker will still block it. 
  2. The IE6 popup blocker is different than others I've used. It's a little more confusing as far as allowing popups for a certain site.
  3. If a page or popup gets blocked due to security restrictions and you choose to allow the page, you lose your information on the page and have to reenter it. This may confuse users.
  4. The firewall is very user friendly. It prompted me when an application tried to communicate through a blocked port and allowed me to open it in the prompt. I very much hope that help desks talk users through this process instead of telling them to disable the firewall!
  5. Local internet security restrictions are going to be a big deal. I bet this will be one of the biggest surprises of XP SP2 - look for HTML based software that runs off CD's or using embeded browser controls to stop working. More here: http://www.phdcc.com/xpsp2.htm
  6. I've been using Notepad2 as a replacement for Notepad, and XPSP2 undid my notepad2 replacement - other folks have hit this, too.. Replacer worked for a while, but Notepad seems to have come back.
  7. ISORecorder doesn't work with SP2. I use ISORecorder pretty often - it's a freeware app that allows you to right click on an ISO file and burn it to a CD using the built in XP CD writer. Alex posted that there will be an update to ISORecorder by the RTM date, but it's not there yet. Until he updates it, you can use CDBurn (incuded in the "Microsoft® Windows® Server 2003 Resource Kit Tools" download - see Benjamin Zamora's post).

[1] If you do install RC2, I've been told to install the 2149 build rather than 2162, since the final release of SP2 should install cleanly over 2149.

More ASCII Art

A few recent posts on the weblogs.asp.net feed [1 2 3] reminded me of a some code I wrote a year ago and have been meaning to post.

This is a simple ASP.NET page - you upload the image file and input the text; it scales the text to the same proportions as the image and applies the HTML color in a font tag. Most ASCII Art things just let you pick the image, this one lets you pick your text too - helpful if you want to embed your copyright into the image. Okay, yes, it is completely useless. One obvious optimization would be grouping to eliminate unnecessary font tags when adjacent characters are the same color (<font color='#BFBFBF'>i</font><font color='#BFBFBF'>t</font> becomes <font color='#BFBFBF'>it</font>).

Try it: [here]

Sample output:

With Microsoft® Visual Studio® .NET and the Microsoft .NET Framework, developers can develop Web
services quickly and integrate them easily with other applications. Most developers can leverage
existing skills, because the .NET Framework's common language runtime allows you to develop Web
services using any modern programming language.     * Microsoft Visual Studio .NET and the Microsoft
.NET Framework supply a complete solution for developers to build, deploy, and run Web services.     *
These tools help enhance the performance, reliability, and security of Web services. Microsoft
Visual Studio .NET Developers can use a variety of programming environments to create Web services.
Microsoft Visual Studio .NET represents the best development environment for .NET-connected software
and services. Visual Studio .NET advances the high-productivity programming languages: Microsoft
Visual Basic®, which includes new object-oriented programming features; Microsoft Visual C++®, which
advances Microsoft Windows® development and enables you to build .NET-connected applications; and C#,
which brings RAD to the C and C++ developer. Program in the Right Language for the Task Visual
Studio .NET provides a single, unified development environment. Built on the .NET Framework, it
provides support for working with Web services created in all modern programming languages.
Applications and Web services created in one language can be programmed against and debugged in any
other language supported by Visual Studio .NET. This greatly enhances the ability to use existing Web
services to build new and exciting solutions. Transform Applications into Web Services Visual
Studio .NET automatically creates the necessary XML and SOAP interface needed to turn an application
into a Web service. Developers can concentrate on building the application, not on the plumbing for the
Web service. Reuse Existing Web Services Developing with Web services is similar to developing with
components. Visual Studio .NET gives developers the ease of importing Web services or using Web
services hosted remotely and programming against them as they would a COM element today, saving time
and giving developers the opportunity to concentrate on core functionality. Microsoft .NET Framework
and Microsoft .NET Compact Framework The .NET Framework, and the device-focused .NET Compact
Framework, are high-productivity, standards-based, multi-language application execution environments
that handle essential plumbing chores and ease deployment. The application execution environment
manages memory, addresses versioning issues, and improves the reliability, scalability, and security of
your application. Components include the common language runtime, a rich set of class libraries for
building Web services, and Microsoft ASP.NET. The common language runtime is the engine in the .NET
Framework that provides a managed execution environment, which is protected by industry-standard
technologies, and is designed to support developers using many different languages to create
applications.

Code:

+ Default.aspx.cs 

+ Default.aspx 

Posted by Jon Galloway | 5 comment(s)
Filed under:
More Posts