"That's more aggressive than anyone else is being other than Firefox"
So that leaves what, 5 Opera users?
Engineers in Microsoft's Internet Explorer group are devising a new means to stamp out one of the web's biggest security banes: attacks that steal email, bank account credentials and other sensitive information by injecting malicious code into trusted websites. Some of the web's biggest names - including Google, Yahoo and …
>IE, which remains far and away the most popular browser
Not exactly - it's by far and away the most used browser, because it's mostly just about good enough that people use it by default. It also has a falling market share (% was in the high 90s, now around 85% and that's before you adjust the figures for all of us using forged browser ID strings because some idiot web designer puts in stupid IE only code), and no-one who uses another browser ever goes back by choice.
Back on topic, I'm glad the IE writers are thinking about it (I'm not going to pretend I know anything about the rights or wrongs of any specific ways to try to prevent the attack - I'm a user, not a hacker. But I do know enough information theory to doubt that a heuristical approach is unlikely to work well for this), because I expect that other browser writers will be prompted into catching up and/or overtake very quickly
"Having the capability to identify and neuter the replayed markup/script allows the filter to avoid overbearing mitigations such as querying the user, modifying outgoing requests, or blocking entire pages."
Since when did Microsoft consider "querying the user" to be an "overbearing mitigation"? I had thought that was their newest "security feature", but apparently it's not good enough for their web browser. Looks like ol' Bill has truly left the building ...
And it would be good of them to provide a "Run it Anyway" option until they get the filter absolutely perfect ... y'know ... just in case ...
"To prevent performance bottlenecks, the filter only acts on web pages that can result in the execution of scripts, so objects such as images that don't include scripts are ignored"
Wow. I mean, WOW! How awesome is that, a script filter that only checks scripts. Ingenious.
"The filter also gives a green light to code that's found to originate from the site the user is visiting."
Elegantly defeating the purpose then - XSS is effective largely because the scripts, from the browser's point of view, do originate at the site the user is visiting. Or is it me being stupid here? (No trace of sarcasm, I wouldn't rule that out).
"The filter can also be disabled for specific zones, based on an administrator's preferences."
Hello again, ActiveX and trusted sites.
"a heuristics engine is started that inspects the URL and POST data of the requested page and uses regular expressions to identify possible XSS vulnerabilities"
Brilliant - what an impressive sounding way of saying it checks a bunch of regexps against the source and tries to spot the bad guys. This is so trivial to work around it's actually slightly offensive. Anyone remember how IE used to treat things like this?
<img src="j%65vascript:"
Sounds like an oncoming flop to me.
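An added illustration of the point in the comment above (not part of the thread and not the IE8 filter's code): a regex check run on raw request data misses encoded input, while decoding to a stable form first catches it. The signature list, function names and sample values are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Hypothetical signatures for illustration only; not the IE8 filter's rules.
SIGNATURES = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon\w+\s*=", re.I),   # inline event handlers such as onload=
]

def naive_match(value: str) -> bool:
    """Apply the signatures to the request data exactly as received."""
    return any(sig.search(value) for sig in SIGNATURES)

def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Undo percent- and entity-encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        # Remove characters that lenient parsers skip inside a URL scheme
        decoded = re.sub(r"[\x00\t\r\n]", "", decoded)
        if decoded == value:
            break
        value = decoded
    return value

def canonical_match(value: str) -> bool:
    """Match the signatures against the canonical form of the value."""
    return naive_match(canonicalize(value))

# Constructed sample parameter values
SAMPLES = {
    "plain": "u=javascript:void(0)",
    "percent": "u=j%61vascript:void(0)",
    "double_percent": "u=j%2561vascript:void(0)",
    "entity": "u=jav&#x61;script:void(0)",
    "tab": "u=java%09script:void(0)",
    "benign": "q=css+layout+tips",
    "false_positive": "online=1",
}

def report() -> dict:
    """Return {sample name: (naive result, canonical result)}."""
    return {name: (naive_match(v), canonical_match(v)) for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, canon) in report().items():
        print(f"{name:15} naive={naive!s:5} canonical={canon}")
```

The last sample shows the other failure mode of signature matching: `online=1` trips the event-handler pattern although it is harmless.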
If you're lumbered with IE, as alas I so often am, there's the option to turn JavaScript off for everything except links in the Security options. That should prevent the effects of JavaScript injection. Trust no-one. Who wants JavaScript when CSS is more often used for layout stuff nowadays anyway? Can't think of (m)any legitimate uses for it that aren't better served by less lazy webmasters.
Cheers,
Sabahattin
Didn't bother reading the article as I know what the conclusion is. The article starts with
"Engineers in Microsoft's Internet Explorer group are devising a new means to stamp out one of the web's biggest security banes: attacks that steal email, bank account credentials and other sensitive information by injecting malicious code into trusted websites."
Surely the conclusion is they are going to get rid of Internet Explorer, assign it to the dustbin. Am I wrong? The malicious code is MS-HTML and the pathetic broken rendering of CSS.
/Mine's the coat with the big Open Source security hole in the back patched within hours.
JavaScript is very easy to obfuscate, e.g. eval("docu" + "ment.pr" + "int('hel" + "lo');"). If that looks easy to spot, imagine I stick the first eval inside another eval and wrap the whole lot up in an array encrypted with a one time pad stored further down the page.
"Heuristics are inherently flawed if they weren't they would be algorithms."
Actually many algorithms work by applying a heuristic. For instance, gradient following algorithms apply a heuristic (always move in the direction of maximum gradient) to solve a problem (find a local maximum). These algorithms provably work. There is nothing "inherently flawed" about this.
The heuristics Microsoft are using in this case undoubtedly *are* inherently flawed, but that's because they are almost certainly badly designed, not because there is something inherently wrong with the idea of using a heuristic to solve a problem.
Wooo I'm still on IE 6.
Why? Because I do a lot of FTP based work and IE7's handling of FTP sucks. Plus I have decent spyware and anti virus protection so I'm happy with IE6. I use Firefox when I want funky features and tabbed browsing. IE8 can go blow Opera, I won't be downloading it.
So far IE6 doesn't mishandle this Web 2.0 B.S.
> "popular" - i.e the most populous. i.e. the most used.
Not necessarily... 'popular' has a number of (very similar) meanings - including one of which corresponds to 'widespread' (as you're trying to portray) and one which infers approval (which you seem to be trying to deny is intended).
When it comes down to it, only the author would know what the inference was meant to be (if he thought about it much at all) - the rest is guesswork on your, and others, part.
Also to be *really* f picky, popular does not mean 'the most populous'.
Every comment thus far has been slagging off IE, you fanboi's are persistent aren't you :)
Whilst I will agree that more than likely this won't stop all XSS attacks at least it provides some protection and that at least should be encouraged not discouraged for any piece of software no matter the OS or in this case browser.
Whilst I am not a major advocate for any single software product from any company, (I actually feel that each product has its good points and bad, how in the world can some people get so vehement about code does escape me a little), I do respect MS for fighting a battle on so many fronts in the software arena. They have in the last 10 years released products that have shaped IT* and that is something to respect.
*Whether that shaping has been beneficial or negative is not an argument that I would be eager to debate but you can't escape the truth they have shaped it.
...you're talking about the same 'engineers' (allegedly engineers) that came up with the amazing built in IE popup blocker, which, wait a minute, lets popups through all the time.
Also the wonderful phishing filter, which didn't actually reduce phishing attacks.
M'kay.
Just so long as IE8 brings back the semi-decent favorites/history UI from IE6 I think it was, I'll be happy. We can all dream.
I guess that only leaves 4 others to identify!
If I use it for testing does that count?
Another Web Dev here, fav browser = Firefox, though I will admit Opera is pleasant enough, the Web Dev tools in Firefox make it much more useful for the first 90% of the development! Quick check in Opera to ensure standards compliance, then the horrible task of checking in IE6 & 7 to see how naffed it decides to render margins/paddings and a lot of fiddling later it looks virtually the same in all of them. Last check in Safari to check I don't upset the fanboys and away we go!
For most people Opera is actually the best browser available at the moment, it's fast, feature-packed, pretty and not open to ActiveX vulns... as long as the websites visited are reasonably well written (standards compliant-ish) - however a lot of web developers write shite so Opera doesn't behave "as expected" in all cases.
The reasons I use Firefox (mostly)? Web Developer toolbar, NoScript, Tidy... etc. It's all in the extensions - although the new(ish) Opera debugging wotsit is pretty good.
Since "winning the browser war" against Netscape however long ago MS have sat on their laurels but now they're playing catch-up... IE8 DOES look like a step in the right direction - they may even sort out their iffy CSS implementation. Attempting to tackle XSS is a good move as long as peeps in userland understand that the implementation won't be perfect (unlikely I know) but it might, at least, be another hurdle for "the bad guys" to jump.
MS have a lot of work to do to make a decent web-browser but they've got a lot of resources to throw at it if they so decide.
I agree with Anon Koward
Yes, IE is flawed, but why are you blaming the software vendors - they are REACTING to threats by thieving SCUM and general TOSSERS who try to FCUK everybody's PC experience up.
If those wankers didn't exist - then ALL browsers would be cool.
It's easy to be critical, try doing it yourself then see how easy it is - ESPECIALLY in the litigious state the world is in now - just a few 'false' positives would equate to class actions - "My browser stopped me visiting xyz site"
It's a minefield and *ANY* attempt should be encouraged, not lambasted
My 2p...
"When the filter encounters a script that is hosted on a site other than the one being visited, a heuristics engine is started that inspects the URL and POST data of the requested page and uses regular expressions to identify possible XSS vulnerabilities. "
Why bother with heuristics, announce now that the next version of IE will not allow ANY scripts that don't originate from the site you're visiting. Like noscript you can implement a click to allow system to cover the ones that aren't updated or can't be (you might want to always allow scripts coming from youtube for example - if your embedded video doesn't work, click on the icon in its place and press allow/always allow, that sort of thing).
It took about a week using the net normally to 'train' noscript to allow the 1 or 2 components on a website I want while leaving the others blocked and that's blocking all javascript, not just the offsite stuff. It's quite enlightening to see the list of blocked scripts and where it's all coming from on most sites.
Stolen from up there...
"[IE is] by far and away the most used browser, because it's mostly just about good enough that people use it by default.... no-one who uses another browser ever goes back by choice."
Exactly. IE is the AOL of browsers: Everyone who finally leaves AOL wonders why it took them so long to do it in the first place. So too with Internet Exploder.
"The filter can also be disabled for specific zones, based on an administrator's preferences"
==
It's YOUR fault, for being so trusting!
Many may regard M$ as (perm any 'm' from 'n'): venal, stupid, arrogant, avaricious, lazy, flawed, vulnerable, mighty, sh**heads, proud, cowardly, insane, profiteering, gruesome...
but, ultimately, if an 'admin' (aka 'home user' for the most part) puts "braclays_bank_pwn_me_now.kg" (or whatever) on their list of trusted sites...
As a web developer I use Firefox 2, 3, Opera, Safari & M$ IE. For once could IE concentrate on becoming W3C standards compliant. IE's CSS handling is pathetic, breaks. My work renders perfectly in FF, Opera and Safari but IE and their attempt of their own standards is pathetic. Peeps you gotta remember how Bill got his piece of Rubbish Explorer onto our computers. But still a billion Euros fine still doesn't change the fact that IE is an integrated part of the windows system (GASH). For those who use IE Good luck and don't forget your anti virus, anti malware, active x bull droppings. Roll on the day (not too far away) when m$ get out of the software industry, shouldn't be too long now, early look at windoze 7 is laughable.
The penguin coz he knows how to produce good working software.
"For the past few years, Firefox users have had the useful - but by no means perfect - NoScript plugin....."
Giorgio Maone may not be a seeker after perfection, but judging by the blizzard of updates and enhancements he delivers in response to new browser attack vectors I think you can confidently say he is a man on a mission. For whatever reason, the IE developers seem to have conceded that they are on Mission Impossible: you can't build a fortress on a foundation of sand.
Dan Goodin is a useful - but by no means perfect - journalist.
There are valid reasons for using scripts that aren't on the same host as the page being browsed. For example, OpenLayers is an excellent Javascript map browser providing compatibility with all the relevant standards (note that GoogleMaps doesn't!). However, OpenLayers is a) a large library and b) actively being developed. So, I have two choices: I can copy the whole lot to my web page repository and check frequently for updates, or I can link directly to the scripts on the OpenLayers web site. I'll do either depending on the exact circumstances; both have advantages and disadvantages.
"The filter also gives a green light to code that's found to originate from the site the user is visiting."
"Elegantly defeating the purpose then - XSS is effective largely because the scripts, from the browser's point of view, do originate at the site the user is visiting. ..."
From the browser's point of view, the XSS DON'T appear on the same site, it's the human's point of view that is the problem.
Obviously by definition the XSS must be external (which is not actually true with an in-line script in the URL), and the browsers are fully aware of this! The problem currently is that it is OK to use scripts elsewhere, now combine that with piss poor input validation and you have XSS.
Basically XSS is fine, I personally don't see a problem. However, it's the unintended XSS that's the problem, which boils down to poor validation - a very basic computer skill.
Like hulllo, the VALIDATION is most basic *anything* you should always do as a computer programmer with input data - anybody who has ever been formally trained knows this is like lesson one, the problem is that most webmuppets (very similar to webmasters) are not trained except by uncle Bert from the Dummies guides and alike - thus another webmuppet is born.
My feeling is that this M$ suggestion is needed for most users of Browsers (the non techies), purely because so many website designers don't have a clue what they are doing. Or we execute the web designers?
http://www.microsoft.com/windows/products/winfamily/ie/features.mspx
Cross-domain barriers:
Internet Explorer 7 helps to prevent the script on webpages from interacting with content from other domains or windows. This enhanced safeguard gives you additional protection against malware by helping to prevent malicious websites from manipulating flaws in other websites or causing you to download undesired content or software.
Unfortunately, there are still lots of BIG HUGE software producers that INSIST on IE. I've personally been stuck with a couple KRONOS (http://www.kronos.com) and Mercury Quality Center. Both of these have BIG problems with non-IE platforms. One of these days, a big customer will wave a $zillion contract in front of them, and then take it away when they didn't read the fine print about working cross platform.
So, IE has its (dumb) uses, and we all have to suffer! (*SIGH*). Anything they do to put another band-aid over the thousands of holes in the balloon helps, but somehow it keeps us afloat. Bummer!
People vote by what they use (just like how you vote for your favorite soda brand by purchasing it). It's pure semantic jockeying to say that something isn't the most popular, it's only the most used. In most every circle, most used defines most popular. The most popular album on the Billboard top 100 is the one that sells the most.
And the reason something is the most used is not relevant to whether or not it is the most popular. If there's one candidate in an election, that candidate wins, and was the most popular. The fact that people don't realize they can write someone else's name in doesn't mean anything. Ignorance is not an excuse, they still voted the way they did. Obviously, most people don't dislike IE enough to go see if there are any alternatives, so your argument is more or less moot.
which I might very well be. I'm a Firefox user primarily, but Firefox does none of this. It is the use of extensions in Firefox that provides the ability to safeguard against these attacks. While Firefox's more open development allows for this as opposed to Microsoft's it is still not built-in. I think in Microsoft's eyes and in mine as well the average home user does not want to take the time to try and configure a tool like NoScript. At least they are trying, which is a start. Make it easy and automated so the average user doesn't have to worry about it. We all know how the UAC played out in Vista.
Mine's the one with "kick me" on the back
"We all know how the UAC played out in Vista" - with all due respect, don't include me in your 'we all knows' like this. UAC is actually hopeless in terms of improving security; it's a buck passing tool.
Even if I'm wrong, the fact that I hold this opinion clearly shows that we don't, in fact, all know.
You are my hero. Saw your posting in another article, I will watch enthusiastically for your next insights, it's nice to have a bit of humour.
BTW. Opera is great for checking standards compliance, I've used it for years. I do find I use Opera as my second preferred browser.
My main browser is IE, I started developing websites in 1996. I remember the Netscape days, I remember how utterly crap IE 1,2 & 3 were. I remember Mosaic. I know IE7 is bloody annoying but I still like using it.
The webdev plug-ins for Firefox are really cool though.
All my engineering friends (and the companies they work for) FORBID the use of "ie" in any way...'cause like ALL ms programming...it is so full of holes...it will require a meg or two of updates each day just to keep it working (and to cover their asses).
I've been using Mozilla Firefox for a couple of years, and LOVE IT! IT ROCKS, and it has had Great support, and forward thinking Script Blocking since I've had it...and ms is just now thinking it may be a good idea! Ms is just old news in a new wrapper...again!
...Paris...'cause stupid is just stupid...no matter how pretty it looks!