System and method for zone transition mitigation with relation to a network browser

US 7,571,459 B2
Filed: 04/30/2004
Issued: 08/04/2009
Est. Priority Date: 04/30/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for security privilege transition mitigation between web pages that are associated with different security zones while a user is browsing, comprising:

accessing, using a computing device, a first web page at a first Uniform Resource Locator (URL) in a web browser having a first security context determined from the first web page that is associated with a first security zone having a first security level;

determining, using the computing device, when an event occurs that requests a navigation to occur from the first web page to a second web page at a second URL having a second security context determined from the second web page that is associated with a second security zone having a second security level; and

determining, using the computing device, when to allow the navigation to occur from the first web page to the second web page by determining when the first security context of the first web page is higher than or equal to the second security context of the second web page.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for determining whether to allow a network browser action when a transition occurs between security zones as a result of the action is provided. Gaining access to a local machine zone may be a goal for unauthorized entities attempting to improperly access a user'"'"'s content. The present invention therefore may be initiated to block transitions from the security zones with stricter security restrictions to zones with less security restrictions. In addition, a selected alternative may be commenced depending on the relative weight of the security zones involved the zone transition. Depending on the relative weight of security zones, the transition between zones may be allowed, prevented, or the user may be prompted to decide whether to allow or prevent the action that results in the zone transition.

186 Citations

23 Claims

1. A computer-implemented method for security privilege transition mitigation between web pages that are associated with different security zones while a user is browsing, comprising:
- accessing, using a computing device, a first web page at a first Uniform Resource Locator (URL) in a web browser having a first security context determined from the first web page that is associated with a first security zone having a first security level;
  
  determining, using the computing device, when an event occurs that requests a navigation to occur from the first web page to a second web page at a second URL having a second security context determined from the second web page that is associated with a second security zone having a second security level; and
  
  determining, using the computing device, when to allow the navigation to occur from the first web page to the second web page by determining when the first security context of the first web page is higher than or equal to the second security context of the second web page.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further comprising preventing, using the computing device, the navigation between the first web page and the second web page when the first security level is lower than the second security level.
  - 3. The computer-implemented method of claim 1, wherein determining whether to allow the navigation further comprises prompting a user, using the computing device, to select whether to allow the transition by requesting from the user whether to allow or prevent the navigation from the first web page to the second web page.
  - 4. The computer-implemented method of claim 1, wherein determining the first security level further comprises querying a zone manager, using the computing device, for the first security level corresponding to the first web page.
  - 5. The computer-implemented method of claim 1, wherein determining the first security level further comprises analyzing a markup associated with the first resource, using the computing device, to determine the first security privilege corresponding to the first resource.
  - 6. The computer-implemented method of claim 1, wherein determining whether to allow the transition further comprises determining, using the computing device, a relative weight between the first security privilege and the second security level.
  - 7. The computer-implemented method of claim 6, further comprising applying, using the computing device, an alternative depending on the relative weight between the first security level and the second security level, wherein the alternative includes at least one of allowing the transition, preventing the transition, and prompting a user.
  - 8. The computer-implemented method of claim 1, further comprising allowing, using the computing device, the transition navigation when the transition between the first resource and the second web page is a result of a user initiated action.
  - 9. The computer-implemented method of claim 1, further comprising preventing, using the computing device, the transition navigation between the first web page and the second web page when the first security level is undeterminable.

10. A computer-readable medium that includes computer-executable instructions which, when executed by a computing device, implement a method comprising:
- determining a first security zone that is associated with a first Uniform Resource Locator (URL);
  
  determining when an attempt is made to navigate to a second security zone that is associated with a second URL;
  
  determining whether to allow the navigation from the first URL to the second URL based upon an examination of a first security privilege that is associated with the first security zone and an examination of a second security privilege that is associated with the second security zone;
  
  wherein the determination is made by examining only the first URL and second URL; and
  
  preventing the navigation from the first URL to the second URL when the first security zone has a first security context that is lower than a second security context associated with the second security zone.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computer-readable medium of claim 10, wherein determining the first security privilege further comprises querying a zone manager for the first security privilege corresponding to the first web page.
  - 12. The computer-readable medium of claim 10, wherein determining the first security privilege further comprises analyzing markup associated with the first web page to determine the first security privilege corresponding to the first web page.
  - 13. The computer-readable storage medium of claim 10, wherein determining whether to allow the navigation further comprises determining a relative weight between the first security privilege and the second security privilege.
  - 14. The computer-readable storage medium of claim 13, further comprising applying an alternative depending on the relative weight between the first security privilege and the second security privilege, wherein the alternative includes at least one of allowing the transition, preventing the transition, and prompting a user.
  - 15. The computer-readable storage medium of claim 10, further comprising allowing the navigation when the navigation between the first web page and the second web page is a result of a user initiated action.
  - 16. The computer-readable storage medium of claim 10, further comprising preventing the navigation between the first web page and the second web page when the first security privilege is undeterminable.

17. A system for mitigating transitions between security zones associated with a network browser, comprising:
- one or more processors; and
  
  one or more computer-readable storage media, comprising instructions that, when executed by the one or more processors, implement;
  
  a zone manager that is configured to manage the privileges associated with the security zones;
  
  wherein the security zones include a trusted sites zone, an Internet zone, a restricted sites zone, and a local machine zone;
  
  a zone determination function that is configured to determine security zones corresponding to resources that are associated with a network browser action; and
  
  a zone weight determination function that is configured to determine the relative weight between the security zones and apply an alternative based upon the relative weight;
  
  wherein the alternative prevents the network browser action when a first security zone has a first security context determined from a first web page that is lower than a second security context that is determined from a second web page.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The system of claim 17, wherein the difference between the first security context and the second security context corresponds to a relative weight difference between the first security zone and the second security zone.
  - 19. The system of claim 17, wherein the zone determination function is further configured to query the zone manager for the security zones corresponding to resources that are associated with a network browser action.
  - 20. The system of claim 17, wherein the zone determination function is further configured to analyze markup associated with the resources to determine the security zones corresponding to resources that are associated with a network browser action.
  - 21. The system of claim 17, wherein the alternative includes at least one of allowing the transition, preventing the transition, and prompting a user.
  - 22. The system of claim 17, wherein the zone manager is further configured to automatically allow the network browser action when the network browser action is a result of a user initiated action.
  - 23. The system of claim 17, further comprising preventing the network browser action when at least one of the security zones corresponding to the resources that are associated with the network browser action is undeterminable.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ganesh, Shankar, Franco, Roberto A., Schmucker, Kurt James
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US10/835,909
Publication Number

US 20050246772A1
Time in Patent Office

1,922 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6218   to a system of files or obj...

H04L 63/105   Multiple levels of security

H04L 63/168   above the transport layer

System and method for zone transition mitigation with relation to a network browser

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

186 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for zone transition mitigation with relation to a network browser

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

186 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links