Friday 22 August 2008

IE7 - Another Compatibility Platform to consider

Getting applications to work on Vista or Windows Server 2008 is not the only compatibility issue that you may encounter. One additional "platform" that you may not have considered is the security and application compatibility restrictions that have introduced as part of the update Microsoft's Internet Explorer - IE7.

Chris Jackson (Microsoft compatibility SWAT team) has made a recent post on his blog (http://blogs.msdn.com/cjacks/) where he mentions how you can extract (more) useful data from the Internet Explorer Compatibility Evaluator - a key component of the Microsoft Application Compatibility Toolkit (ACT), version 5.

These ideas got me thinking about the IE7 compatibility question(s). More specifically,

1) Have new security restrictions been introduced?
2) What features and functionality are no longer available?
3) Are there recent Microsoft updates or patches that may cause an issue with IE7?
4) Are there any new compatibility issues that are specifically relevant to Windows Vista and Server 2008?

It does not take long to work through the IE 7 release notes, the accumulated IE7 support documentation and with a little help from friends who have deployed IE7 to highlight some of the potential security and compatibility issues including;

Deprecated API's
Does you application reference any API's or functionality from these groups?

• DirectAnimation
• Channel Definition Format (CDF)
• Gopher Protocol

Deprecated Features
Does your application rely on any of the following functionality?

• XBM Image format
• Telnet Protocol
• Gopher Protocol
• SSL Version 1.x
• Scriptlet MIME Types


IE7 Signed Controls
Internet Explorer 7 allows for ActiveX controls to be signed and therefore allow for greater privileges and access to local machine file system. Some intranet environments may require that all controls are now signed. To deploy to these environments, you need to ensure all of your ActiveX controls that rely on the IE engine are signed.

IE7 Safe for Scripting Controls
Managing ActiveX controls in an secure enterprise environment is a difficult balancing act. IE7 allows for an additional level of security with the CATID_SafeForScripting and the CATID_SafeForInitializing component category registry settings. These settings allow your IE7 applications to fully use the ActiveX scripting model

E 7 ActiveX Pre-Approved CLSID
Due to the increased security restrictions available in IE7, ActiveX objects (DLL's) may not install correctly due to lack of sufficient permissions. Adding the unique identifier of an ActiveX control to the pre-approved list of ActiveX controls will allow the application component to install successfully. As recommend in Microsoft's (ActiveX Security: Improvements and Best Practices - see references) you should not employ this option if;

- Your ActiveX control was not designed to use pages served from the Internet (as opposed to your intranet)
- Your ActiveX control is downloaded to the target machine
- Your control is solely intranet based (you should use Active Directory Group Policy objects instead)


I will post an update to this blog in a few days, as I will collate all of the security updates that relate to IE7 and add a patch/security update section to this posting.



References:

Microsoft IE7 Release Notes
http://msdn.microsoft.com/en-us/ie/aa740486.aspx

Security and Compatibility in Internet Explorer 7
http://msdn.microsoft.com/en-us/library/ms649488.aspx

Finding Security Compatibility Issues in Internet Explore
http://msdn.microsoft.com/en-us/library/bb250493.aspx

ActiveX Security: Improvements and Best Practices
http://msdn.microsoft.com/en-us/library/bb250471.aspx

No comments: