Welcome to MSDN Blogs Sign in | Join | Help

Running IE with SAFER

Michael Howard recently did a two part series on MSDN about browsing the web and reading email safely as an Administrator (part 1 | part 2).  Today he's got a Quick Start posted on his blog to get IE setup to run with SAFER.  Personally, I prefer the run as normal user route, but if you've got to be an admin on your machine, this is certainly a big step up from browsing the web with full administrative rights.
Published Monday, January 31, 2005 2:34 PM by shawnfa
Filed under: ,

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# re: Running IE with SAFER

Monday, January 31, 2005 3:04 PM by rx
dont even use explorer, firefox will kill it soon..

# re: Running IE with SAFER

Monday, January 31, 2005 4:46 PM by treego14
I think Opera will be the end of Firefox.

# re: Running IE with SAFER

Tuesday, February 01, 2005 4:48 PM by Fred
and IE the end of Opera anyway

# re: Running IE with SAFER

Tuesday, February 08, 2005 10:41 AM by Keith Brown
The thing that bothers me about Mike's approach is that it's subject to all kinds of luring attacks. As an example, unless you're in a job with JOB_OBJECT_UILIMIT_HANDLES, window messages aren't secured between processes running in the same window station. What's to stop the sandboxed application from sending window messages to Explorer? Start | Run | Malicious Code of Your Choice | <enter>.

I agree with you that running as a non-admin in the first place is the best possible plan. Mike's trick will be useful until someone discovers the 10 lines of code it takes to get around it.

Another thing that bothers me is neither the Platform SDK nor Mike's article discusses the problem wrt the partial trust SAFER levels. I think people might get a false sense of security from this.

# re: Running IE with SAFER

Tuesday, February 08, 2005 4:18 PM by Shawn
Like I said, running as a non-admin is my prefered way to go as well :-) As to the message attack, Windows people will tell you that the Desktop is the security boundary. In order to do this safely you need to actually run as admin in a seperate desktop.

-Shawn

Leave a Comment

(required) 
required 
(required) 
 
Page view tracker