dienjd
5th March 2007 03:14 UTC
Vista - links and IE Protected Mode
Just ran an installer with links in the MUI License page and an InstallOptions page, and they are opening IE7 with Protected Mode turned off (the default is On for security reasons).
Are there plans to have NSIS see if IE is the default browser, and if so and running on Vista, to open it with Protected Mode turned on? Currently, a user could theoretically have malicious code run through their browser that was spawned at a low security level by an NSIS EXE. I guess we could subclass links on InstallOptions pages now to try to deal with this, but I don't know if it's possible to do that with one embedded in a MUI_PAGE_LICENSE file.
Here's a brief description of Protected Mode:
http://windowshelp.microsoft.com/Win...013031033.mspx
Anders
5th March 2007 03:46 UTC
I would say this is Microsoft's problem; you can't expect every application that opens a URL with ShellExecute to do special checking for IE7 on Vista.
Besides, you should only run installers you trust in the first place, so there should be no security issue.
dienjd
5th March 2007 04:01 UTC
Originally posted by Anders
I would say this is Microsoft's problem; you can't expect every application that opens a URL with ShellExecute to do special checking for IE7 on Vista.
I wish this were the case, but most apps will not be running at the highest security level like installers do, so it's really installers that have the added burden of dealing with the new Vista security measures.
Besides, you should only run installers you trust in the first place, so there should be no security issue.
The security issue that I meant was for an installer to launch IE and then sometime later an unrelated web site does something bad through that same IE process. The attack is unrelated to the installer itself, but some would blame the installer for letting it happen, since it ran IE outside of Protected Mode. This doesn't seem fair of course, but if possible it would be nice if NSIS could account for this.