About Zone Elevation

Zone elevation occurs when a Web page loaded in one URL security zone loads a page from a less restrictive zone in a frame or a new window. For example, if a page from the Internet zone loads a page from the Local Machine zone, a zone elevation has occurred. Malicious pages can gain two primary benefits from zone elevation: spoofing and code execution. "Spoofing" is a type of deception where users are made to believe they are using a trusted site. For example, a malicious site could craft a frame that loads the homepage of a legitimate online shopping site, with another frame bearing a fake sign-in prompt that would harvest the user name and password for a user's account. A code execution exploit involves loading a malicious page in the Local Machine zone that runs script or loads controls. The malicious page could even be in the browser's cache, the user having unwittingly downloaded it just by visiting a Web site. Loading a legitimate local page under the wrong circumstances can also lead to a security breach. In general, any untrusted source that directly loads a local resource presents a security risk.

Zone Elevation in Windows XP Service Pack 2 (SP2)

In Windows XP Service Pack 2 (SP2), Windows Internet Explorer blocks zone elevation to the Local Machine zone, and prompts the user if a page attempts zone elevation to the Intranet or Trusted Sites zones. Zone elevation from the Restricted Sites zone to the Internet zone is allowed. Administrators can adjust this setting through group policy. For more information, see Internet Explorer Maintenance Policy. You can change this setting by enabling the Zone Elevation Feature Control, and through the URL Action URLACTION_FEATURE_ZONE_ELEVATION. For more information, see Introduction to Feature Controls.

Windows XP SP2 adds a new Internet Explorer function, CoInternetIsFeatureZoneElevationEnabled, which enables developers to determine whether zone elevation is permitted from one URL to another. In the example that follows, the function tests whether a page in the Internet zone can load a URL in the Local Machine zone.

LPCWSTR lpszToUrl = L"file://c:\\windows\\system32\\drivers\\etc\\hosts";
LPCWSTR lpszFromUrl = L"http://www.microsoft.com";
IInternetSecurityManager* pSecurityManager = NULL;
HRESULT hr = CoInternetCreateSecurityManager(NULL, &pSecurityManager, NULL);
if (SUCCEEDED(hr))
    hr = CoInternetIsFeatureZoneElevationEnabled(lpszFromUrl, lpszToUrl, pSecurityManager, GET_FEATURE_FROM_PROCESS);
    if (S_OK == hr)
        MessageBox("Zone Elevation is disabled.");
    else if (FAILED(hr))
        MessageBox("Error in function.");

When CoInternetIsFeatureZoneElevationEnabled is called, the browser will display a prompt to the user if the URL Action is set to URLPOLICY_QUERY. For more information, see CoInternetIsFeatureZoneElevationEnabled.




About URL Security Zones

Introduction to Feature Controls

Other Resources

Internet Explorer Maintenance Policy

Microsoft Security

MSDN Security Developer Center

TechNet Security Resources

Security Best Practices