Commentary

David DeJean
 

How Clever Is Too Clever?

You begin to get a feeling for how complex Longhorn is going to be when it takes one Microsoft engineer to explain what another Microsoft engineer really meant when he tried to explain a new feature. The feature wasn't even in Longhorn, but in the future version 7 of Internet Explorer. Gordon Mangione, corporate vice president of Microsoft's security group, at the MS Tech Ed conference last week in Orlando, revealed some details of a "low-rights" mode in IE 7 that will provide some defense against browser-based exploits, and he implied that IE 7 would ship with this mode enabled by default. What he forgot was that IE 7 for Windows XP SP2 is going to beta this summer, and XP doesn't have any support for the feature.

You begin to get a feeling for how complex Longhorn is going to be when it takes one Microsoft engineer to explain what another Microsoft engineer really meant when he tried to explain a new feature.


More Hardware Insights

White Papers

More >>

Reports

More >>

Webcasts

More >>

The feature wasn't even in Longhorn, but in the future version 7 of Internet Explorer. Gordon Mangione, corporate vice president of Microsoft's security group, at the MS Tech Ed conference last week in Orlando, revealed some details of a "low-rights" mode in IE 7 that will provide some defense against browser-based exploits, and he implied that IE 7 would ship with this mode enabled by default. What he forgot was that IE 7 for Windows XP SP2 is going to beta this summer, and XP doesn't have any support for the feature.

Enter Rob Franco, Lead Program Manager for IE Security. On Thursday, 6/9, Franco wrote an entry on Microsoft's Microsoft's IE Blog to explain Mangione's explanation. "Low-rights" IE will work only with Longhorn, it turns out, because Longhorn will have something called Least User Access, which will allow programs and processes to run with less authority than the user who runs them.

Today, 6/14, John Bedworth, the Development Manager for Internet Explorer Security, jumped into IEBlog to explain what Franco forgot to explain, how 'low-rights' IE is different from running as a regular (limited) user in XP.

(Ironically, Mangione himself explained Longhorn's Least User Access back in April, when he called it Windows Service hardening, in a conversation with CMP editors. See Microsoft Security Products Chief Takes On Spyware.)

Even though it's apparently hard to explain, it's a clever approach, if not anything very new. ("Administrator" privileges, which have bedeviled Windows users since NT, have their antecedents in Unix/Linux "root" and similar features of other OSes. Lotus Notes, as just one application example, has long let developers precisely control the authority level of agents executing on the server.)

The problem may be, as the comment-posters in IEBlog have already pointed out, that compatibility with existing Web sites and applications will require Microsoft to build in so many exceptions and back doors that what was supposed to be a brick wall will become just more swiss cheese. No doubt we're due for more explanations.

Win An iPod!

Did you submit your entry for the Software Hall of Fame in the first week of the Pipelines' Great Tech Call 'Em Like You See 'Em contest? If not, there's still time. And this week, for your second of four chances to win an iPod, the focus is on hardware: what do you think belongs in the Hardware Hall of Fame? Check out what the Pipeline editors think, and pen your own entry for the chance to win an iPod or any one of 36 other cool prizes. Enter even if you've already got an iPod, and if you win, give it to me.


Related Reading




Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

InformationWeek encourages readers to engage in spirited, healthy debate, including taking us to task. However, InformationWeek moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. InformationWeek further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
T-Shirt Giveaway T-Shirt Giveaway: Each week we're selecting one great comment from our readers. The author of the comment will receive an InformaitonWeek Community t-shirt. So get posting!
Subscribe to RSS

Resource Links