Microsoft addresses XSS in Internet Explorer

By Dennis Fisher, Executive Editor 02 Jul 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft is planning to add a series of new security features to the next version of its Internet Explorer browser, including protection against cross-site scripting attacks.

A beta version of IE 8 is due out in August, and along with the XSS filter, it will include a filter designed to provide better protection against phishing attacks, features that make it easier for developers to request resources and share information across domains, and some changes to the way that ActiveX controls are handled by the browser. Specifically, developers will be able to write controls that are only available for the individual user who downloads them.

Cross-site scripting: Hackers broaden reach of cross-site scripting attacks: An explosion of AJAX-based applications has increased the damage that cross-site scripting (XSS) attacks can inflict on machines. A new tool uses XSS flaws to create a botnet. Has cross-site scripting evolved?It's astounding what is being done with browser scripts these days. What new tactics can prevent cross-site scripting attacks? Cross-site scripting attacks are a major threat to today's information security environment. In this expert Q&A, Ed Skoudis reveals how attackers use this technique.

The announcement of the new security features in IE 8 came just a week after the release of Firefox 3, the latest version of IE's main competition in the browser world. Firefox 3 also includes updated antimalware and antiphishing capabilities and several other security updates. Microsoft has been fighting to repair the security reputation of IE for several years, since the initial release of Firefox, which the Mozilla Foundation has positioned as a more secure alternative to IE.

But Microsoft has been making steady progress on the security of its ubiquitous browser in recent versions, and IE 8 serves to further that cause. The most intriguing and potentially most useful feature in the new browser is the XSS filter, which is built to protect against Type-1 XSS attacks. These attacks are among the more common ones online right now, and many non-technical users have little idea that they even exist, let alone what to do about them. The XSS filter in IE 8 monitors all of the requests and responses made by the browser and automatically disables XSS attacks when they're detected. Users will see a modified version of the requested page, showing them that the attack was blocked.

"Ultimately we have taken a very pragmatic approach -- we choose to not to build the filter in such a way that we compromise site compatibility. Thus, the XSS Filter defends against the most common XSS attacks, but it is not, and will never be, an XSS panacea. This is similar to the pragmatic approach taken by ASP.NET request validation, although the XSS Filter is able to be more aggressive than the ASP.NET feature," David Ross, a security software engineer at Microsoft wrote in an announcement of the new features.

Also, in the new version of IE, the Data Execution Protection (DEP) feature will be enabled by default on machines running either Vista SP1 or XP SP3. DEP is designed to prevent malicious code from writing to addressable memory space. The feature has been in previous versions of IE, but was disabled by default because of compatibility issues and other considerations.

Tags: Application Attacks (Buffer Overflows, Cross-Site Scripting),  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Attacks (Buffer Overflows, Cross-Site Scripting) Month of Twitter Bugs project to document Twitter flaws Adobe issues first quarterly patch release fixing 13 flaws Balancing security and performance: Protecting layer 7 on the network Adobe issues Reader update fixing zero-day flaw The Pipe Dream of No More Free Bugs Security Squad: Federal cybersecurity defenses Oracle issues 43 updates, fixes serious database flaws Attackers target new Microsoft PowerPoint zero-day flaw How to detect input validation errors and vulnerabilities Vulnerability test methods for application security assessments Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Browser Security Security researchers develop browser-based darknet Microsoft cracks down on click fraud ring Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates IT pros can detect, prevent website vulnerabilities, thwart attacks Stolen FTP credentials likely in massive website attacks Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert IT managers under pressure to weaken Web security policy US-CERT warns of Gumblar, Martuz drive-by exploits Google study backs browser silent auto update feature Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary