Why doesn’t IE7 protected mode mark downloaded files as low integrity?
Windows Vista introduces a new concept called IE Protected Mode. It essentially works by controlling access to files based on how much you trust the source. The technology should make it more difficult for web sites to exploit vulnerabilities in IE to automatically install malware.
Mandatory Integrity Control (MIC) is one of the technologies that enables IE Protected Mode. It basically sets the trust level of users, programs, and files. The concept is simple: a user or program cannot access resources of higher-level users or programs. By default IE7 in Windows Vista runs as a low integrity process so it cannot even save files to most of the operating system.
Normally, the integrity level of files is not visible to the user, so Mark Minasi wrote a very useful utility called chml to work with integrity levels.
But using tools like chml and looking closer at MIC, some people started noticing that when they download a file from IE7 (or other low-integrity processes), the file isn’t marked as low integrity, but rather as medium integrity. So why is that?
After digging around a bit, I realized that IE7 is actually split into several user processes with different levels of integrity. Depending on what you are doing or where you are browsing, you can either be running with low, medium, or high integrity. For example, browsing the Internet results in a low integrity copy of IE and browsing trusted sites uses a medium-level integrity IE. That’s why sometimes you have to open up a new IE window for some sites–it needs to create a separate process with a different integrity level.
So when you go to download a file and want to save it to, say, your desktop, you wouldn’t be able to do that unless you were using a medium integrity process. Therefore, IE switches you to a different process with a higher integrity. That’s where UAC comes in: you will always see a prompt to save the file when the switch occurs.
Therefore, the integrity of the file you download is set to the integrity level of where you save the file. Try downloading a file to the AppData\LocalLow directory and you will see that it is saved with low integrity in that location.
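The comparison described above can be scripted from an ordinary (medium integrity) PowerShell prompt. This is an added example, not part of the original post: `Get-IntegrityLabel` is a hypothetical helper name, and the script assumes the built-in icacls.exe with English-language output. A file with no explicit label is reported as Medium because Windows treats unlabeled objects as medium integrity.

```powershell
# Added example: create a test file on the Desktop and in AppData\LocalLow,
# then read each file's mandatory integrity label with icacls.

function Get-IntegrityLabel {
    param([Parameter(Mandatory = $true)][string]$Path)

    # icacls prints an explicit label as a line such as
    #   Mandatory Label\Low Mandatory Level:(NW)
    # An (I) flag means the label was inherited from the parent directory.
    $out = & icacls.exe $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for ${Path}: $out" }

    $pattern = 'Mandatory Label\\(?<level>\w+) Mandatory Level:(?<flags>(\([A-Z,]+\))+)'
    foreach ($line in $out) {
        if ("$line" -match $pattern) {
            return New-Object PSObject -Property @{
                Path     = $Path
                Level    = $Matches['level']
                Flags    = $Matches['flags']
                Explicit = $true
            }
        }
    }

    # No label line: the object carries no explicit label (treated as Medium).
    New-Object PSObject -Property @{
        Path = $Path; Level = 'Medium'; Flags = ''; Explicit = $false
    }
}

$targets = @(
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:USERPROFILE 'AppData\LocalLow')
)

$results = foreach ($dir in $targets) {
    # Constructed, throwaway file name so nothing existing is touched.
    $file = Join-Path $dir ('mic-test-{0}.txt' -f [guid]::NewGuid().ToString('N'))
    Set-Content -Path $file -Value 'integrity label test'
    try     { Get-IntegrityLabel -Path $file }
    finally { Remove-Item -Path $file -ErrorAction SilentlyContinue }
}

$results | Format-Table Path, Level, Flags, Explicit -AutoSize
```

Both files are written by the same process, so any difference in the reported level comes from the directory they were saved in.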
This process of switching user contexts in the background is kind of strange and confusing, but they obviously did it to preserve some usability. Perhaps in later versions of Windows, when people are more accustomed to these concepts, that barrier between integrity levels will be better defined.
MIC is a cool feature, but it certainly needs some maturing before it provides serious protection. Furthermore, it would be nice if Microsoft would make integrity levels more accessible to users. It would be nice to see which version of IE you are currently using.