Browsing behind Windows Vista

Windows Vista has a new security construct called Mandatory Integrity Controls (MIC), which is similar to integrity functionality long available in the Linux and Unix worlds. In Vista, all security principals (users, computers, services, and so on) and objects (files, registry keys, folders, and resources) are given MIC labels.

A subject of lesser integrity cannot modify (write or delete) an object of higher integrity, even if the normal NTFS permissions would otherwise allow it. Perhaps surprisingly, MICs take precedence over traditional file permissions, and it’s critical that they do.

Security principals are assigned MICs in the form of SIDs (security identifiers) that are added to their access tokens during log-on. Objects have MIC labels stored as part of their access controls — specifically within the System Access Control List portion, which is where the auditing attributes are stored as well. When a security principal or a process on behalf of the security principal attempts to access an object, both MICs are checked and their integrity evaluated.

Although many integrity levels exist, Windows regularly uses six label values (from lowest to highest): Untrusted, Low, Medium, High, System, and Trusted Installer. Normal users have Medium integrity. The null/anonymous user is Untrusted. The default built-in Administrator and elevated members of the Administrators group have High integrity. The Windows system kernel and service files rank as System.

Most Web browsers run with Medium integrity by default. Add-on programs normally run as Medium or High. Internet Explorer in its default Protected Mode (enabled for all zones but Trusted Sites) runs with Low integrity for rendering processes, as does Google’s Chrome. Although Internet Explorer was the first browser to support MICs, Chrome actually utilizes them to a greater extent (see the Chrome review). Along with preventing lesser-integrity writes, Chrome prevents lesser-integrity reads as well.

The purpose behind integrity controls, of course, is to give Windows another layer of defense against malicious hackers. For example, if a buffer overflow is able to crash Internet Explorer (and not a third-party add-on or toolbar), the resulting malicious process will often end up with Low integrity and be unable to modify Windows system files. This is the primary reason so many Internet Explorer exploits have resulted in an “important” severity rating for Vista but a higher “critical” rating for Windows XP.

Every Web browser should make use of Vista’s integrity controls to the fullest extent possible. Their implementation significantly improves protection for the end-user. Browsers running in Low integrity, such as Chrome or Internet Explorer, offer additional protections that the others don’t — but should.

Source: infoworld


Leave a Reply