Navigation Canceled – IE Patch Breaks Security to Improve Security?
Russ Cooper, February 20th, 2009
By default, Internet Explorer 7 places sites in the Internet Zone, where “Protected Mode” (PM) is enabled. PM runs the browser with reduced (low integrity) privileges, so IE cannot write files or settings outside its own low-integrity locations without prompting the user for approval. PM is a good thing. (It exists only on Windows Vista and later; IE7 on Windows XP has no such mode.)
Sites in the Trusted Sites Zone, by default, do not have PM on. The reasoning is simple: if you trust a site enough to put it in the Trusted Sites Zone, why have PM on?
MS09-002 is the latest Cumulative Update for IE. In that patch we believe Microsoft changed the way it handles the about: page. So far no details are available beyond what is in Knowledge Base article 967941, so our interpretation may not be strictly accurate.
The observed behavior after the patch is as follows:
You’re on a page, say a Google results page. Google is in your Internet Zone, so Protected Mode is on. You click a link to, say, a Microsoft page. You trust Microsoft and have put them in your Trusted Sites Zone, where Protected Mode is off by default.
Because you are switching from PM on to PM off, IE opens a new browser instance (a low-integrity process cannot simply be promoted in place). This is a good thing. The first thing you may see when this happens is an about: URI indicating that IE is turning PM off. After MS09-002, as soon as the about: protocol is invoked, IE immediately cancels the navigation and you see “Navigation to the webpage was canceled”. The browser window you started in will be frozen for some time, presumably because the process has gone awry.
Microsoft suggests several ways to resolve the issue, including turning PM off everywhere (not a good idea: it removes the protection from the Internet Zone, where it matters most). The suggestion that makes the most sense, as a temporary measure, is to turn PM on for the Trusted Sites Zone. That has the least impact of all their suggestions: since both zones then run with PM on, IE never needs to start a non-PM instance, and the only cost is that you will be prompted more often on sites in the Trusted Sites Zone.
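The per-zone Protected Mode setting lives in the per-user Internet Settings registry keys that the Internet Options dialog writes. The script below is an added example, not part of the original post or of Microsoft’s KB guidance: it reports the Protected Mode state of every zone and, on request, enables it for the Trusted Sites Zone (zone 2) as the workaround above describes. It assumes the standard zone numbering (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites) and that value name 2500 holds the Protected Mode setting with 0 meaning enabled and 3 meaning disabled; the parameter names and the hypothetical function `Get-ProtectedModeState` are this example’s own.

```powershell
# Added example (not from the original post): inspect and adjust IE Protected
# Mode per security zone via the per-user registry keys Internet Options writes.
# Assumed layout: zone 0 = My Computer, 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites. Value name 2500 holds the Protected Mode
# setting: 0 = enabled, 3 = disabled. Run as the affected user and restart IE
# afterwards for the change to take effect.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int[]]$Zone = @(2),   # default: Trusted Sites Zone only
    [switch]$Enable,
    [switch]$Disable
)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }
$pmValue   = '2500'

# Hypothetical helper: translate the DWORD under a zone key into a readable state.
function Get-ProtectedModeState {
    param([int]$ZoneId)
    $key = Join-Path $zonesRoot $ZoneId
    $val = (Get-ItemProperty -Path $key -Name $pmValue -ErrorAction SilentlyContinue).$pmValue
    if ($null -eq $val) { return 'not set (zone default)' }
    switch ($val) {
        0       { 'enabled' }
        3       { 'disabled' }
        default { "unknown ($val)" }
    }
}

# Report the current state of every zone before touching anything.
foreach ($z in 0..4) {
    '{0,-17} zone {1}: Protected Mode {2}' -f $zoneNames[$z], $z, (Get-ProtectedModeState -ZoneId $z)
}

# Change only the requested zones, and only when asked; -WhatIf shows the plan.
if ($Enable -and $Disable) { throw 'Specify either -Enable or -Disable, not both.' }
if ($Enable -or $Disable) {
    $newValue = if ($Enable) { 0 } else { 3 }
    $newState = if ($Enable) { 'enabled' } else { 'disabled' }
    foreach ($z in $Zone) {
        $key = Join-Path $zonesRoot $z
        if ($PSCmdlet.ShouldProcess("$($zoneNames[$z]) (zone $z)", "set Protected Mode = $newState")) {
            Set-ItemProperty -Path $key -Name $pmValue -Value $newValue -Type DWord
        }
    }
}
```

Run it with no switches to audit, with `-Enable -WhatIf` to preview the Trusted Sites change, and with `-Enable` to apply it. Two caveats: on a domain-joined machine a Group Policy setting under the `Software\Policies` hive overrides the per-user value, so the dialog may show the setting greyed out and this script will have no effect; and turning PM on for zone 2 is the workaround the post recommends, whereas passing `-Disable -Zone 3` would be the “turn PM off everywhere” option the post warns against.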
We certainly hope we will see a revised patch from Microsoft that corrects this problem.
Tags: Information Security, Microsoft Security Bulletins, MS09-002, Patching, Vulnerabilities
How does this type of action even make sense? Breaking functionality has been at the core of “security fixes” that were poorly planned features in the past – but when you fundamentally break the way a feature works, and prevent someone from using their browser in a sane way the results will be counter-productive.
My educated guess is that rather than taking the extra steps as your blog suggests, most people will simply turn PM off, because otherwise it’ll be an “unnecessary hassle”… or so it would seem.
I can’t believe MS is this irresponsible, or at least out-of-touch. Maybe this patch was a hurried attempt to fix a problem without concern for consequences? Hopefully it gets fixed properly shortly… before the fallout ends up causing a cure-is-worse-than-the-disease scenario.
Posted by: Rafal Los on February 20th, 2009 at 6:31 pm