The Register® — Biting the hand that feeds IT

Feeds

Microsoft's IE 8 puts giant web hole on notice

Engineers in Microsoft's Internet Explorer group are devising a new means to stamp out one of the web's biggest security banes: attacks that steal email, bank account credentials and other sensitive information by injecting malicious code into trusted websites. Some of the web's biggest names - including Google, Yahoo and …

This topic is closed for new posts.

Page:

Anonymous Coward
Alert

"That's more aggressive than anyone else is being other than Firefox"

So that leaves what, 5 Opera users?

RW
Thumb Down

"a heuristics engine"

In everyday English, they're going to guess.

Sadly, they'll probably guess wrong, early and often; Microsoft has an unenviable track record in such matters.

Stay tuned for the chorus of complaints.

Alan Donaly
Coat

Heuristics are inherently flawed

if they weren't they would be algorithms.

Ian Emery
Paris Hilton

(untitled) :-p

5 Opera users???, PLEASE, no gross over-exaggerations!!!!

Paris, cos she screams like an Opera singer when I give it to her (in my dreams :-( ).

Anonymous Coward
Anonymous Coward

Ooh, El Reg has pro-MS bias for a change?

>IE, which remains far and away the most popular browser

Not exactly - it's by far and away the most used browser, because it's mostly just about good enough that people use it by default. It also has a falling market share (% was in the high 90s, now around 85% and that's before you adjust the figures for all of us using forged browser ID strings because some idiot web designer puts in stupid IE only code), and no-one who uses another browser ever goes back by choice.

Back on topic, I'm glad the IE writers are thinking about it (I'm not going to pretend I know anything about the rights or wrongs of any specific ways to try to prevent the attack - I'm a user, not a hacker. But I do know enough information theory to doubt that a heuristical approach is unlikely to work well for this), because I expect that other browser writers will be prompted into catching up and/or overtake very quickly

Charles Manning

IE most popular

That's like saying VAT is the most popular tax because most people pay it.

Anonymous Coward
Anonymous Coward

I agree with the AC

"most popular browser" should read "most commonly used browser" and should be qualified wiith "mainly by those who don't realise there are alternatives"

James Butler
Gates Halo

There's a new Sheriff in town...

"Having the capability to identify and neuter the replayed markup/script allows the filter to avoid overbearing mitigations such as querying the user, modifying outgoing requests, or blocking entire pages."

Since when did Microsoft consider "querying the user" to be an "overbearing mitigation"? I had thought that was their newest "security feature", but apparently it's not good enough for their web browser. Looks like ol' Bill has truly left the building ...

And it would be good of them to provide a "Run it Anyway" option until they get the filter absolutely perfect ... y'know ... just in case ...

Anonymous Coward
Coat

re: IE most popular...

STD

mine's the one that's ribbed for her pleasure...

Fozzy
IT Angle

thanks for the notice

Well if microsoft says it's so, it must be true

</sarcasm>

As with an other product microsoft releases, it's stability and security will be measured in minutes. After that...well no one here needs a history lesson on Microsoft and their track record

Pookie
Thumb Down

iFrames?

NoScript blocks iFrames. IE is still vulnerable to those. IE sucks...

Geoff Mackenzie

Incredible.

"To prevent performance bottlenecks, the filter only acts on web pages that can result in the execution of scripts, so objects such as images that don't include scripts are ignored"

Wow. I mean, WOW! How awesome is that, a script filter than only checks scripts. Ingenious.

"The filter also gives a green light to code that's found to originate from the site the user is visiting."

Elegantly defeating the purpose then - XSS is effective largely because the scripts, from the browser's point of view, do originate at the site the user is visiting. Or is it me being stupid here? (No trace of sarcasm, I wouldn't rule that out).

"The filter can also be disabled for specific zones, based on an administrator's preferences."

Hello again, ActiveX and trusted sites.

"a heuristics engine is started that inspects the URL and POST data of the requested page and uses regular expressions to identify possible XSS vulnerabilities"

Brilliant - what an impressive sounding way of saying it checks a bunch of regexps against the source and tries to spot the bad guys. This is so trivial to work around it's actually slightly offensive. Anyone remember how IE used to treat things like this?

<img src="j%65vascript:"

Sabahattin Gucukoglu
Stop

Hmm ...

Sounds like an oncoming flop to me.

If you're lumbered with IE, as alas I so often am, there's the option to turn JavaScript off for everything except links in the Security options. That should prevent the effects of JavaScript injection. Trust no-one. Who wants JavaScript when CSS is more often used for layout stuff nowadays anyway? Can't think of (m)any legitimate uses for it that aren't better served by less lazy webmasters.

Cheers,

Sabahattin

Anonymous Coward
Coat

Didn't bother reading the article

Didn't bother reading the article as I know what the conclusion is. The articles starts with

"Engineers in Microsoft's Internet Explorer group are devising a new means to stamp out one of the web's biggest security banes: attacks that steal email, bank account credentials and other sensitive information by injecting malicious code into trusted websites."

Surely the conclusion is they are going to get rid of Internet Explorer, assign it to the dustbin. Am I wrong? The malicious code is MS-HTML and the pathetic broken rendering of CSS.

/Mine's the coat with the big Open Source security hole in the back patched within hours.

Anonymous Coward
Anonymous Coward

"popular" pedants

"popular" - i.e the most populous. i.e. the most used.

popular. not favourite.

Nic
Stop

my oar

I am a web developer with 10 years experience and I use IE as my primary browser.

Shock horror!!!

DrXym

Regular expressions won't help

JavaScript is very easy to obfuscate, e.g. eval("docu" + "ment.pr" + "int('hel" + "lo');"). If that looks easy to spot, imagine I stick the first eval inside another eval and wrap the whole lot up in an array encrypted with a one time pad stored further down the page.

Eddie Edwards
Boffin

@ CS FAIL

"Heuristics are inherently flawed if they weren't they would be algorithms."

Actually many algorithms work by applying a heuristic. For instance, gradient following algorithms apply a heuristic (always move in the direction of maximum gradient) to solve a problem (find a local maximum). These algorithms provably work. There is nothing "inherently flawed" about this.

The heuristics Microsoft are using in this case undoubtedly *are* inherently flawed, but that's because they are almost certainly badly designed, not because there is something inherently wrong with the idea of using a heuristic to solve a problem.

Rich
Pirate

IE 6

Wooo Im still on IE 6.

Why? Because I do a lot of FTP based work and IE7's handling of FTP sucks. Plus I have decent spyware and anti virus protection so im happy with IE6. I use Firefox when I want funky features and tabbed browsing. IE8 can go blow Opera, I wont be downloading it.

So far IE6 doesnt mis handle this Web 2.0 B.S.

Benedict

@ Nic

Do you also use Frontpage?

Tim Parker
Stop

Re : "popular" pedants

> "popular" - i.e the most populous. i.e. the most used.

Not necessarily... 'popular' has a number of (very similar) meanings - including one of which corresponds to 'widespread' (as you're trying to portray) and one which infers approval (which you seem to be trying to deny is intended).

When it comes down to it, only the author would know what the inference was meant to be (if he thought about it much at all) - the rest is guesswork on your, and others, part.

Also to be *really* f picky, popular does not mean 'the most populous'.

Vincent
Stop

define: popular

Google define: popular

- regarded with great favor, approval, or affection especially by the general public; "a popular tourist attraction"; "a popular girl"; "cabbage ...

Yes, I know, Google, shock horror.

Anon Koward
Alert

Slagging match...

Every comment thus far has been slagging off IE, you fanboi's are persistent aren't you :)

Whilst i will agree that more than likely this won't stop all XSS attacks at least it provides some protection and that at least should be encouraged not discouraged for any piece of software no matter the OS or in this case browser.

Whilst I am not a major advocate for any single software product from any company, (I actually feel that each product has it good points and bad, how in the world can some people get so vehement about code does escape me a little), I do respect MS for fighting a battle on so many fronts in the software arena. They have in the last 10 years released products that have shaped IT* and that is something to respect.

*Whether that shaping has been beneficial or negative is not an argument that i would be eager to debate but you can't escape the truth they have shaped it..

Stu
Alert

Come on....

...you're talking about the same 'engineers' (allegedly engineers) that came up with the amazing built in IE popup blocker, which, wait a minute, lets popups through all the time.

Also the wonderful phishing filter, which didn't actually reduce phishing attacks.

M'kay.

.

Just so long as IE8 brings back the semi-decent favorites/history UI from IE6 I think it was, I'll be happy. We can all dream.

Tim

re Opera

Er, what's the Opera comments meaning? Has it become obsolete & nobody's told me? I've been using it for years and it seems perfectly good to me, did try Firefox a year ago but Opera seemed quicker.

sazoo
Happy

@Tim the Opera user

I guess that only leaves 4 others to identify!

If I use it for testing does that count?

Another Web Dev here, fav browser = Firefox, though I will admit Opera is pleasant enough, the Web Dev tools in Firefox make it much more useful for the first 90% of the development! Quick check in Opera to ensure standards compliance, then the horrible task of checking in IE6 & 7 to see how naffed it decides to render margins/paddings and a lot of fiddling later it looks virtually the same in all of them. Last check in Safari to check I don't upset the fanboys an away we go!

Chris Cheale

Opera

For most people Opera is actually the best browser available at the moment, it's fast, feature-packed, pretty and not open to ActiveX vulns... as long as the websites visited are reasonably well written (standards compliant-ish) - however a lot of web developers write shite so Opera doesn't behave "as expected" in all cases.

The reasons I use Firefox (mostly)? Web Developer toolbar, NoScript, Tidy... etc. It's all in the extensions - although the new(ish) Opera debugging wotsit is pretty good.

Since "winning the browser war" against Netscape however long ago MS have sat on their laurels but now they're playing catch-up... IE8 DOES look like a step in the right direction - they may even sort out their iffy CSS implementation. Attempting to tackle XSS is a good move as long as peeps in userland understand that the implementation won't be perfect (unlikely I know) but it might, at least, be another hurdle for "the bad guys" to jump.

MS have a lot of work to do to make a decent web-browser but they've got a lot of resources to throw at it if they so decide.

Matt
Joke

re:Tim

Yes, you've been using it for years, along with 4 other people!

muzchap

RE: Against IE

I agree with Anon Koward

Yes, IE is flawed, but why are you blaming the software vendors - they are REACTING to threats by thieving SCUM and general TOSSERS who try to FCUK everybodys PC experience up.

If those wankers didn't exist - then ALL browsers would be cool.

It's easy to be critical, try doing it yourself then see how easy it is - ESPECIALLY in the litagous state the world is in now - just a few 'false' positives would equate to class actions - "My browser stopped me visiting xyz site"

It's a minefield and *ANY* attempt should be encouraged, not lambasted

My 2p...

This post has been deleted by a moderator

Sooty

heuristics

"When the filter encounters a script that is hosted on a site other than the one being visited, a heuristics engine is started that inspects the URL and POST data of the requested page and uses regular expressions to identify possible XSS vulnerabilities. "

Why bother with heuristics, announce now that the next version of IE will not allow ANY scripts that don't originate from the site you're visiting. Like noscript you can implement a click to allow system to cover the ones that aren't updated or can't be (you might want to always allow scripts coming from youtube for example - if your embedded video doesn't work, click on the icon in its place and press allow/always allow, that sort of thing).

it took about a week using the net normally to 'train' noscript to allow the 1 or 2 components on a website i want while leaving the others blocked and that's blocking all javascript, not just the offsite stuff. It's quite enlightening to see the list of blocked scripts and where its all coming from on most sites.

Anonymous Coward
Anonymous Coward

How about disabling remote scripts full stop?

You could still screenscrape remote JS files into a local dynamic file, but then that'd be a level of tech knowhow above the average HTML jockey.

Fred Tourette

Popular v. Most Used

Stolen from up there...

"[IE is] by far and away the most used browser, because it's mostly just about good enough that people use it by default.... no-one who uses another browser ever goes back by choice."

Exactly. IE is the AOL of browsers: Everyone who finally leaves AOL wonders why it took them so long to do it in the first place. So too with Internet Exploder.

Dave

wherein liability lies, people

"The filter can also be disabled for specific zones, based on an administrator's preferences"

==

its YOUR fault, for being so trusting!

Many may regard M$ as (perm any 'm' from 'n'): venal, stupid, arrogant, avaricious, lazy, flawed, vulnerable, mighty, sh**heads, proud, cowardly, insane, profiteering, gruesome...

but, ultimately, if an 'admin' (aka 'home user' for the most part) puts "braclays_bank_pwn_me_now.kg" (or whatever) on their list of trusted sites...

Simon
Linux

IE is a pain in the BUM!

As a web developer i use Firefox 2, 3, Opera, Safari & M$ IE. For once could IE concentrate on becoming W3C standards compliant. IE's CSS handling is pathetic, breaks. My work renders perfectly in FF, Opera and Safari but IE and there attempt of there own standards is pathetic. Peeps you gotta remember how Bill got his piece of Rubbish Explorer onto our computers. But still a billion Euros fine still doesn't change the fact that IE is an integrated part of the windows system (GASH). For those who use IE Good luck and don't forget your anti virus, anti malware, active x bull droppings. Roll on the day (not too far away) when m$ get out of the software industry, shouldn't be too long now, early look at windoze 7 is laughable.

The penguin coz he knows how to produce good working software.

Jimmy

Not even Tom Cruise...

"For the past few years, Firefox users have had the useful - but by no means perfect - NoScript plugin....."

Giorgio Maone may not be a seeker after perfection, but judging by the blizzard of updates and enhancements he delivers in response to new browser attack vectors I think you can confidently say he is a man on a mission. For whatever reason, the IE developers seem to have conceded that they are on Mission Impossible: you can't build a fortress on a foundation of sand.

Dan Goodin is a useful - but by no means perfect - journalist.

Paul Cooper
Boffin

Valid reasons for using Javascript on a different host

There are valid reasons for using scripts that aren't on the same host as the page being browsed. For example, OpenLayers is an excellent Javascript map browser providing compatibility with all the relevant standards (note that GoogleMaps doesn't!). However, OpenLayers is a) a large library and b) actively being developed. So, I have two choices: I can copy the whole lot to my web page repository and check frequently for updates, or I can link directly to the scripts on the OpenLayers web site. I'll do either depending on the exact circumstances; both have advantages and disadvantages.

Anonymous Coward
Flame

Re: Incredible

"The filter also gives a green light to code that's found to originate from the site the user is visiting."

"Elegantly defeating the purpose then - XSS is effective largely because the scripts, from the browser's point of view, do originate at the site the user is visiting. ..."

From the browsers point of view, the XSS DON'T appear on the same site, its the humans point of view that is the problem.

Obviously by definition the XSS must be external (which is not actually true with an in-line script in the URL), and the browsers are fully away of this! The problem currently is that it is OK to use scripts elsewhere, now combine that with piss poor input validation and you have XSS.

Basically XSS is fine, I personally don't see a problem. However, its the unintended XSS thats the problem, which boils down to poor validation - a very basic computer skill.

Like hulllo, the VALIDATION is most basic *anything* you should always do as a computer programmer with input data - anybody who has ever been formally trained knows this is like lesson one, the problem is that most webmuppets (very similar to webmasters) are not trained except by uncle Bert from the Dummies guides and alike - thus another webmuppet is born.

My feeling is that this M$ suggestion is needed for most users of Browsers (the non techies), purely because so many website designers don't have a clue what they are doing. Or we execute the web designers?

Nic Brough
Joke

Just a guess

But does JIM THE BOSS work for MS? It would explain why he's prone to "Ballmerisms" if I may be allowed to abuse the language somewhat.

Toastan Buttar
Linux

No-one ever goes back ?

From AC @ 21:56

"no-one who uses another browser ever goes back by choice."

I prefer using IE7 under XP to Firefox under Ubuntu. <shrug>

Tux because I spend most of my time in Ubuntu.

Brent Gardner
Dead Vulture

This was a crap article

Pure PR, no real info. This sucks.

Geoff Mackenzie

Re: re: incredible

Cheers Anon, I stand corrected.

suc
Happy

IE7 already has Cross-domain barriers

http://www.microsoft.com/windows/products/winfamily/ie/features.mspx

Cross-domain barriers:

Internet Explorer 7 helps to prevent the script on webpages from interacting with content from other domains or windows. This enhanced safeguard gives you additional protection against malware by helping to prevent malicious websites from manipulating flaws in other websites or causing you to download undesired content or software.

Herby

IE vs. Firefox

Unfortunately, there are still lots of BIG HUGE software producers that INSIST on IE. I've personally been stuck with a couple KRONOS (http://www.kronos.com) and Mercury Quality Center. Both of these have BIG problems with non-IE platforms. One of these days, a big customer will wave a $zillion contract in front of them, and then take it away when they didn't read the fine print about working cross platform.

So, IE has its (dumb) uses, and we all have to suffer! (*SIGH*). Anything they do to put another band-aid over the thousands of holes in the balloon helps, but somehow it keeps us afloat. Bummer!

Michael

@ AC 21:56 and FInnibar

People vote by what they use (just like how you vote for your favorite soda brand by purchasing it). It's pure semantic jockeying to say that something isn't he most popular, it's only the most used. In most every circle, most used defines most popular. The most popular album on the Billboard top 100 is the one that sells the most.

And the reason something is the most used is not relevant to whether or not it is the most popular. If there's one candidate in an election, that candidate wins, and was the most popular. The fact that people don't realize they can write someone else's name in doesn't mean anything. Ignorance is not an excuse, they still voted the way they did. Obviously, most people don't dislike IE enough to go see if there are any alternatives, so your argument is more or less moot.

Anonymous Coward
Thumb Up

Use Opera, Be Happy

Why would anyone be needing to worry about finding your 50 favorite plug-ins, IE's sad design choices, XSS vulnerabilities, and other annoyances?

http://www.secunia.com/product/10615/?

If you aren't using Opera, try it. It's super-fast, the most secure, and very innovative.

Tom Maddox
Stop

@ JIM THE BOSS

Excellent use of misspellings and screaming, but a tad excessive. I give it 3/10 because of obviousness.

Does the Opera UI still look like something that came out of a cat's ass, or have the developers hired a design team?

Liquid
Coat

If i'm not mistaken...

which I might very well be. I'm a Firefox user primarily, but Firefox does none of this. It is the use of extensions in Firefox that provides with the ability to safeguard against these attacks. While Firefox's more open development allows for this as opposed to Microsoft's it is still not built-in. I think in Microsoft's eyes and in mine as well the average home user does not want to take the time to try and configure a tool like Noscripts. At least they are trying, which is a start. Make it easy and automated so the average user doesn't have to worry about it. We all know how the UAC played out in Vista.

Mine's the one with "kick me" on the back

Jonathan McColl
Thumb Up

The future is bright ...

I noticed your very clever writing:

"... IE, which remains far and away the most popular browser. That all will change with IE 8..."

This means to me that IE8 is the version that will kill IE's popularity, and it doesn't matter what meaning 'popular' has.

Geoff Mackenzie

@Liquid

"We all know how the UAC played out in Vista" - with all due respect, don't include me in your 'we all knows' like this. UAC is actually hopeless in terms of improving security; it's a buck passing tool.

Even if I'm wrong, the fact that I hold this opinion clearly shows that we don't, in fact, all know.

Page:

This topic is closed for new posts.