Microsoft addresses XSS in Internet Explorer

By Dennis Fisher, Executive Editor 02 Jul 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft is planning to add a series of new security features to the next version of its Internet Explorer browser, including protection against cross-site scripting attacks.

A beta version of IE 8 is due out in August, and along with the XSS filter, it will include a filter designed to provide better protection against phishing attacks, features that make it easier for developers to request resources and share information across domains, and some changes to the way that ActiveX controls are handled by the browser. Specifically, developers will be able to write controls that are only available for the individual user who downloads them.

Cross-site scripting: Hackers broaden reach of cross-site scripting attacks: An explosion of AJAX-based applications has increased the damage that cross-site scripting (XSS) attacks can inflict on machines. A new tool uses XSS flaws to create a botnet. Has cross-site scripting evolved?It's astounding what is being done with browser scripts these days. What new tactics can prevent cross-site scripting attacks? Cross-site scripting attacks are a major threat to today's information security environment. In this expert Q&A, Ed Skoudis reveals how attackers use this technique.

The announcement of the new security features in IE 8 came just a week after the release of Firefox 3, the latest version of IE's main competition in the browser world. Firefox 3 also includes updated antimalware and antiphishing capabilities and several other security updates. Microsoft has been fighting to repair the security reputation of IE for several years, since the initial release of Firefox, which the Mozilla Foundation has positioned as a more secure alternative to IE.

But Microsoft has been making steady progress on the security of its ubiquitous browser in recent versions, and IE 8 serves to further that cause. The most intriguing and potentially most useful feature in the new browser is the XSS filter, which is built to protect against Type-1 XSS attacks. These attacks are among the more common ones online right now, and many non-technical users have little idea that they even exist, let alone what to do about them. The XSS filter in IE 8 monitors all of the requests and responses made by the browser and automatically disables XSS attacks when they're detected. Users will see a modified version of the requested page, showing them that the attack was blocked.

"Ultimately we have taken a very pragmatic approach -- we choose to not to build the filter in such a way that we compromise site compatibility. Thus, the XSS Filter defends against the most common XSS attacks, but it is not, and will never be, an XSS panacea. This is similar to the pragmatic approach taken by ASP.NET request validation, although the XSS Filter is able to be more aggressive than the ASP.NET feature," David Ross, a security software engineer at Microsoft wrote in an announcement of the new features.

Also, in the new version of IE, the Data Execution Protection (DEP) feature will be enabled by default on machines running either Vista SP1 or XP SP3. DEP is designed to prevent malicious code from writing to addressable memory space. The feature has been in previous versions of IE, but was disabled by default because of compatibility issues and other considerations.

Tags: Application Attacks (Buffer Overflows, Cross-Site Scripting),  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Attacks (Buffer Overflows, Cross-Site Scripting) Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches SSH key compromise shuts down Apache website IBM finds sharp spike in malicious content on trusted sites Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Browser Security Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology New Bahama botnet evades search engines, fuels click fraud SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary