
IE8's XSS Filter Exposes Sites To XSS Attacks

kdawson posted more than 4 years ago | from the first-do-no-harm dept.


Blue Taxes writes "The cross-site scripting filter that ships with Microsoft's Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat. The IE8 filter works by scanning outbound requests for strings that may be malicious. When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server's response, the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack cannot succeed. The researchers figured out a way to use IE8's altered response to conduct simple abuses and universal cross-site scripting attacks, which worked against sites that would not otherwise have been vulnerable to XSS." Here is the researchers' backgrounder (PDF) on the attack. Microsoft says that they have issued two patches that address the issue, but the researchers insist that holes remain.
Update: 04/20 14:06 GMT by KD : Microsoft's Security Response Center has issued a statement on the vulnerability.


84 comments


Good to know (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31906696)

I have no idea what XSS does in IE8, like 99.9999% of those that use it.

And the [?] help never has any help at all.

XSS. I heard of that. (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31907122)

That's where you buy tracks, right? Ima get me the new Miley video. She's hawt.

Re:Good to know (2, Informative)

CorporateSuit (1319461) | more than 4 years ago | (#31912644)

When you go to a website, and it says "Welcome, Thomas!" because your referrer website sent them to their homepage with something like "http://www.website.com/?name=Thomas" these guys set up the referrer to send you to a page that says something like "http://www.website.com/?name=[malicious code]" and the site says "Welcome !" and congratulations on your new site-specific keylogger.

My first! (-1, Offtopic)

BeefMcHuge (1594193) | more than 4 years ago | (#31906700)

First?

Re:My first! (4, Funny)

Fluffeh (1273756) | more than 4 years ago | (#31906774)

Close, but no cigar.

Really, if you want a first post, subscribe to the site. You will get your silly kicks, and the rest of us will at least know you are making a valuable contribution to the site by paying the rest of the users to be silly.

Re:My first! (0)

Anonymous Coward | more than 4 years ago | (#31907212)

Also, it has to be a nigger joke. ESPECIALLY if you're a subscriber. Just don't post links to gore or you'll have your IP banned.

So, what's up with that "trolltalk" username? How do they put the link to goatse embedded in their slashdot page thing? Have they hacked Slashdot?

Trolltalk (0, Offtopic)

mister_playboy (1474163) | more than 4 years ago | (#31907810)

So, what's up with that "trolltalk" username? How do they put the link to goatse embedded in their slashdot page thing? Have they hacked Slashdot?

http://encyclopediadramatica.com/Trolltalk [encycloped...matica.com]

Read and learn! :)

Fucking Microsoft. (0, Troll)

coolgeek (140561) | more than 4 years ago | (#31906706)

/nt

Re:Fucking Microsoft. (0)

Anonymous Coward | more than 4 years ago | (#31908736)

Why would you want to fuck 'em? There is no doubt whatsoever that you'd catch something that won't just wash off from the encounter.

Deserve what you get (0, Flamebait)

BadAnalogyGuy (945258) | more than 4 years ago | (#31906708)

Strike 1: Using Winblows
Strike 2: Using Internet Exploder
Strike 3: Surfing suspicious sites

Yeeeerrr OUT!

Re:Deserve what you get (-1, Troll)

Z00L00K (682162) | more than 4 years ago | (#31906766)

This is just another example that shows us how bad Microsoft are at detecting and handling malicious content.

My current favorite is the junk email filter in Outlook that is just mysterious and changes behavior at every update, causing new cases where legitimate mails get into the junk pile for unknown reasons. And there is no way to control it either.

No wonder why I like Thunderbird a lot more. It's at least consistent - and you can teach it as you go what's junk or not. It even seems to be a good learner.

Re:Deserve what you get (5, Informative)

TrancePhreak (576593) | more than 4 years ago | (#31906838)

And there is no way to control it either.

You mean like right clicking and selecting "not junk" ?

Re:Deserve what you get (0)

Anonymous Coward | more than 4 years ago | (#31908238)

Right, and adding to safe senders or changing modes from high, to medium, or low. Those all sound like controls to me.

Re:Deserve what you get (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31906858)

It's interesting that a post making light of Microsoft would be marked down to -1 here on *Slashdot* of all places.

The moderators have become humorless sticks in the mud when they seriously think that the OP was going to attract flames with that little post.

Re:Deserve what you get (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31907416)

I bet you fucking love when a guy sticks his dick between your asscheeks! ow!

Re:Deserve what you get (1)

Runaway1956 (1322357) | more than 4 years ago | (#31909396)

Hey - you really ought to give credit where credit is due. Microsoft really has improved security here. Now, instead of XSS destroying the user's computer, they are using the computer to destroy sites. That's an improvement, really. Webmasters shouldn't be using XSS anyway. In effect, XSS is a statement, to the effect, "I'm so cheap that instead of hosting my own content, I'm gonna cheat and allow OTHER SITES to serve up the content, while I get the credit for what you see!"

I can see some good coming of this IE8 exploit. If it causes enough trouble, everyone will abandon XSS, and the browsers will just disable XSS, everyone will be happier.

Except, of course, the cheapskates.

Microsoft's response (4, Informative)

seifried (12921) | more than 4 years ago | (#31906722)

Re:Microsoft's response (5, Funny)

Z00L00K (682162) | more than 4 years ago | (#31906780)

As usual they have a disclaimer too:

*This posting is provided "AS IS" with no warranties, and confers no rights*

Re:Microsoft's response (4, Interesting)

StuartHankins (1020819) | more than 4 years ago | (#31906922)

An additional update to the IE XSS Filter is currently scheduled for release in June. This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation. This issue manifests when malicious script can “break out” from within a construct that is already within an existing script block. While the issue identified and addressed in MS10-002 was identified to exist on high-profile web sites, thus far real-world examples of the SCRIPT tag neutering attack scenario have been hard to come by.

(emphasis mine)

JUNE??? They are waiting until JUNE to "schedule the release" for this bugfix? And what is this "hard to come by", either they have found examples or they haven't. My guess is they have or they would have been quick to state "we have found no examples in the wild". And somehow, I don't know, maybe someone giving a presentation on the topic might signify that others know about this too and may be actively taking advantage of it now? Maybe a teensy chance of that?

<sarcasm>Yes, folks, that's why you pay Microsoft all the big bucks. Their process seems to work so well... maybe they can work this into a regular Patch Tuesday so you don't have to reboot your servers / schedule an outage so many times that week.</sarcasm>

This is fast-food software design, cheap and not particularly good for you. This is what you get when people have low expectations and are sensitive only to price -- how many patch Tuesdays so far this year didn't affect every version of IE, every version of Office and every recent version of Windows (and for most of these, require reboots)? It's way beyond sad and way past "whoops" when a major software manufacturer has this many bugfixes and problems with almost all of their software. Yes, software is complicated, but slow down and implement some quality control techniques for goodness' sake.

This is just churning turds for profit, and we're stupid enough to eat them.

Re:Microsoft's response (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31907004)

This is fast-food software design, cheap and not particularly good for you.

If Microsoft is the fast-food of software, then I think Linux goes something like this:

You hear of a great meal that you can make at home for little or no money. You scour the Internet for hours trying to find the recipe for this meal but you keep finding contradictory and inaccurate recipes for this meal. When you finally get the recipe that you think looks good, you spend about 4 hours in the kitchen trying to make your meal and at the end of night you give up in frustration and go to bed hungry.

I know this isn't always the case with Linux but it is something that comes to mind when reading your generalization about Microsoft products.

Re:Microsoft's response (5, Funny)

gzipped_tar (1151931) | more than 4 years ago | (#31907036)

Nah, it's more like this:

$ make meal
[tons of compiler output]
$ ./meal
Segmentation Fault. Core dumped.

Re:Microsoft's response (1)

Wolfraider (1065360) | more than 4 years ago | (#31908256)

Now that was a spicy meatball

Re:Microsoft's response (0)

Anonymous Coward | more than 4 years ago | (#31910208)

I always dump my core after a good meal. That's how you know it worked.

Re:Microsoft's response (0)

Anonymous Coward | more than 4 years ago | (#31911806)

It also makes room for the silicon wafer thin mint.

Re:Microsoft's response (2, Interesting)

gzipped_tar (1151931) | more than 4 years ago | (#31907010)

April is the cruellest month, breeding
Bugs out of the crap app, delaying
Fixes and patches, stirring
Angry geeks with slashdot dupe.

Re:Microsoft's response (2, Informative)

totally bogus dude (1040246) | more than 4 years ago | (#31907098)

Well maybe they've decided to actually test the patch before releasing it? :)

I discovered today that a patch for a vulnerability [microsoft.com] in the IIS SMTP service causes the settings for the service to be reset [microsoft.com] if you're running it on Server 2008 (2003 doesn't seem to be affected, AFAIK).

Unfortunately we applied that patch (and others) last Wednesday and don't have regular automated testing of our website's ability to deliver mail to localhost, so it took a while for us to notice... a quick Google led me to this discussion [iis.net] where I discovered the cause.

Re:Microsoft's response (1)

grcumb (781340) | more than 4 years ago | (#31915206)

I discovered today that a patch for a vulnerability [microsoft.com] in the IIS SMTP service causes the settings for the service to be reset [microsoft.com] if you're running it on Server 2008 (2003 doesn't seem to be affected, AFAIK).

Well, there's your problem right there.

Doesn't it strike you as peculiar when software becomes so integrated that changes to your web server end up borking your mail server?

For all its shortcomings (and there are, admittedly, more than a few), the Unix toolkit approach at least allows individual services to be treated as separate and distinct entities. It can make managing their interactions kind of... interesting, from time to time, but at least patching one doesn't end up borking the next one.

Systems Integration is more art than science, and it requires long experience to know what works. I pity the fools who think that turnkey systems offer any kind of shortcut.

Re:Microsoft's response (2, Informative)

LinuxAndLube (1526389) | more than 4 years ago | (#31907548)

I just read this: "Now when you look at Microsoft today they do more to secure their software than anyone. They're the model for how to do it. They're not perfect; there's room for improvement. But they are definitely doing more than anybody else in the industry, I would say." [ http://news.cnet.com/8301-27080_3-20002317-245.html?tag=rtcol;inTheNewsNow [cnet.com] ] I think most people in the know would agree with him.

Re:Microsoft's response (0, Troll)

LinuxAndLube (1526389) | more than 4 years ago | (#31908248)

Oh no! The evil troll quoted a security researcher! Quick, mod him down!

Re:Microsoft's response (0)

Anonymous Coward | more than 4 years ago | (#31908812)

Didn't you know? "Troll" is the mod you're supposed to use for "I don't agree with the poster's thoughts, so I'll just mod 'em down anyway..."

Re:Microsoft's response (0)

Anonymous Coward | more than 4 years ago | (#31907854)

what is this "hard to come by", either they have found examples or they haven't.

The issue identified at the EU conference was an attack scenario. A scenario is not the same as a fully working exploit. So no, they haven't found any examples.

And somehow, I don't know, maybe someone giving a presentation on the topic might signify that others know about this too and may be actively taking advantage of it now? Maybe a teensy chance of that?

The fact that there's a post on Slashdot signifies that we all know about it. But knowing about it is not the same as being able to exploit it. If Microsoft actually thought it was a huge threat they would be rushing to patch it; the fact that they're scheduling it for June means they're pretty confident that it's not going to impact users at all.

how many patch Tuesdays so far this year didn't affect every version of IE, every version of Office and every recent version of Windows (and for most of these, require reboots)?

The fact that they're actively finding problems and patching these things frequently is also a good thing. But you also have to look at the patches being installed and you'll realize most of the time they are just updated lists for IE compatibility view or Outlook's junk mail filter.

Re:Microsoft's response (5, Informative)

thornmaker (794873) | more than 4 years ago | (#31908320)

The last sentence of the article's summary is completely wrong. I am one of the "original researchers" for this issue (p42.us is my website). The patches that have been issued by Microsoft up to this point are successful at eliminating the primary security vulnerability, to the best of our knowledge. The main security vulnerability described in our white paper was disclosed to Microsoft last fall and Microsoft fixed the issue in January 2010. The one case that has not been addressed by the filters is very rare and extremely unlikely to be found on a given website.

Re:Microsoft's response (1)

Keeper Of Keys (928206) | more than 4 years ago | (#31908436)

Got no mod points today, but surely this deserves a few "+1 Informative"s?

Re:Microsoft's response (2, Interesting)

Culture20 (968837) | more than 4 years ago | (#31909260)

The one case that has not been addressed by the filters is very rare and extremely unlikely to be found on a given websites.

Between now and June 8th? That's seven weeks! Seems we're lucky that we're not waiting until June 14th this year.

Re:Microsoft's response (1)

wvmarle (1070040) | more than 4 years ago | (#31908590)

From such wording I would conclude that working exploits are out there.

They may be hard to come by, but it can be done, and the fact they say "have been hard to come by" means that they got at least one (have been being a past tense). And no matter how hard a flaw is to exploit, as soon as a single exploit exists, the rest of the attackers can in principle just re-use it. If script-kiddies can do that, then more serious attackers surely can.

Re:Microsoft's response (1)

Svartalf (2997) | more than 4 years ago | (#31908868)

If script-kiddies can do that, then more serious attackers surely can.

...and will. Cheap shots are always preferred over the more sophisticated attacks because they often require less effort on the part of the attacker for the gain they seek, whatever it might be.

Security is as much a philosophy as it is tech. More to the point, as much as locks and the sort are meant to keep honest people that way, what Microsoft often peddles as "security" is the security of a cheap combination lock rather than the vault combination they claim it is.

Re:Microsoft's response (1)

mcgrew (92797) | more than 4 years ago | (#31908960)

This is fast-food software design, cheap and not particularly good for you.

That's an apt metaphor, except of course that Microsoft charges five star restaurant prices for its Big Macs.

This is what you get when people have low expectations and are sensitive only to price

If one was sensitive to price they wouldn't use Microsoft. See, they've convinced people that the Big Mac is five star quality food.

slow down and implement some quality control techniques for goodness' sake

Dream on. To quote Lily Tomlin's Ernestine: "We're the phone company. We don't have to."

Anonymous Coward (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31906724)

I work with the guy who created the XSS filter in IE. The claims are big BS.

Re:Anonymous Coward (-1)

Anonymous Coward | more than 4 years ago | (#31906748)

My uncle works for Nintendo. He says the next system coming out is going to be the bestest ever.

Re:Anonymous Coward (0)

Anonymous Coward | more than 4 years ago | (#31907084)

My cousin works for 3D Realms. He says that Duke Nukem Forever will be released this summer and it will be even more bestest than Nintendo's next system.

More reason to... (5, Funny)

Anonymous Coward | more than 4 years ago | (#31906760)

stick to IE6. Long live Internet Explorer 6!

Re:More reason to... (1)

For a Free Internet (1594621) | more than 4 years ago | (#31907116)

YOU ARE CORRECT. Everyone knows that EI6 is the Internat Standard for webs. Everything elseo comoplicaj it and make ht ejthjiing 0iut Italian yhiua stipid shoit poo poapsopsoih hj the butthoel.

Re:More reason to... (3, Funny)

julesh (229690) | more than 4 years ago | (#31907360)

stick to IE6. Long live Internet Explorer 6!

Why stick with 6? I'm using IE3. When was the last time you heard of an IE3 exploit being released? I'm considering a switch to Netscape Navigator 1.1, just in case.

Re:More reason to... (1)

Antony-Kyre (807195) | more than 4 years ago | (#31911108)

Internet Explorer 3? I'm not sure how to go from IE6 to IE3 while using Windows XP. But, I think I was able to install Netscape version 1, or maybe it was like version 4. However, I don't think YouTube worked when I did that.

The 1990s was a great decade. Let's go retro! Bring back Clippit!

Really old news! (1, Informative)

Anonymous Coward | more than 4 years ago | (#31906808)

Re:Really old news! (1)

CorporateSuit (1319461) | more than 4 years ago | (#31912478)

You've got quite the memory if you can remember remember the 9th of November!

Stop trying to detect security problems (0)

Anonymous Coward | more than 4 years ago | (#31906828)

I remember years ago MS arbitrarily filtered any query string in profiler that contained the word "password" in order to prevent potential leakage of plain text passwords using the profiler tool. All it did was provide people with an additional opportunity to avoid logging of their activities and more importantly pissed off a whole lot of developers and administrators. After massive outcry they subsequently removed the filter in future versions.

I hate when vendors think they can be too cute by half and overload the semantics of a context in the name of security. The road to hell really is paved with good intentions... There are a whole lot of well intentioned vendors in the security space spewing worthless products that will never provide acceptable security by heuristic detection of attacks, but companies spend huge sums of money purchasing these systems anyway... money better spent scrutinizing their own crappy application or educating clueless developers. Every time you overload a system like this you introduce the possibility of additional attacks, breakage or, more than likely, just pissing a whole lot of people off who actually know what they are doing.

In general the web software stack community appears to still be as idiotic as ever.. What the hell were PPL thinking with JSON?

Re:Stop trying to detect security problems (1)

julesh (229690) | more than 4 years ago | (#31907510)

In general the web software stack community appears to still be as idiotic as ever.. What the hell were PPL thinking with JSON?

They were thinking: how do I get data into a web page from a server that isn't the same server as the page originated on? As browser vendors hadn't actually considered this as a valid use case at the time JSON was invented, a workaround was needed, and JSON was the only practical one anybody suggested.

IRONY (0)

Anonymous Coward | more than 4 years ago | (#31906830)

Take note people this is irony.

What if someone made a firefox addon? (1)

QJimbo (779370) | more than 4 years ago | (#31906868)

What about if someone simply made a Firefox addon that emulated this broken IE behaviour?

Would that not simply mean the sites were simply insecure as opposed to Internet Explorer somehow being responsible?

Re:What if someone made a firefox addon? (3, Insightful)

gzipped_tar (1151931) | more than 4 years ago | (#31906950)

You hired a guard and he raped your daughter. Now your neighbor also has a daughter and he hired another guard. Somehow, that guard decided to emulate the broken behavior of your guard as well.

Would that not simply mean that those who were born daughters were simply inviting rapists as opposed to rapists somehow being responsible?

If you can't understand the above analogy, here's a Car Analogy for you.

You drove a Toyota on the road and killed a pedestrian due to negligence. Someone else driving a Ford emulated your broken behavior and killed another pedestrian. It means that the pedestrians were simply choosing the insecure way of transportation as opposed to drivers somehow being responsible.

Re:What if someone made a firefox addon? (0)

Anonymous Coward | more than 4 years ago | (#31907240)

But the way cagers drive around here, I'm pretty sure most of them would agree with your automotive analogy, as support for QJimbo's position.

Re:What if someone made a firefox addon? (1)

KiloByte (825081) | more than 4 years ago | (#31907382)

The IE you were using made an explicit man-at-the-end attack against a properly coded website. Your session was secure until your browser decided to break it.

Re:What if someone made a firefox addon? (1)

sjames (1099) | more than 4 years ago | (#31909364)

It's just a confusing headline. It's the user that is exposed to the XSS attack, not the site.

I don't see why (5, Insightful)

Moraelin (679338) | more than 4 years ago | (#31907784)

Honestly, I usually am the first to lay the blame on developers for doing half-arsed jobs, but in this case... really, why would I blame a site for a modification a third party plugin does to their HTML code? As per the specs, their code is secure. Then someone comes and changes it to something insecure. Why would you hold the former responsible for something done by the latter?

I mean, let's say you write some program, and check your array bounds and everything. Then a year later I'm brought in as a consultant and, perhaps in the name of optimizing speed, inadvertently bypass one of your checks and introduce a buffer overflow vulnerability. Would you say that you should be held responsible for my changes? Would you say your code was simply insecure if it allowed that? Why? By what definition of "insecure"?

Plus, I always believed that responsibility should also come with enough power to do what you're responsible for. E.g., if you're responsible that a project finishes on time, then you should also have the power and budget to make sure it does. Responsibility without any power is IMHO just a name for "scapegoat."

In this case, the IE code and its modifications are completely outside the web designer's control. If Microsoft introduces a new vulnerability next month, which turns a whole other chunk of perfectly good web programming into an XSS exploit vector, the web designer can't do anything to prevent them. It's exactly that scapegoat scenario. You're proposing to hold someone responsible for something they can't prevent or even influence at all.

Plus, it's not like MS's code is public domain or even has an open and detailed specification. You can work around Javascript or HTML problems because you can know exactly what they are, what that code does, what does it output for a given input, etc. (Well, that is, if the browsers actually implemented the specs;)) In this case to work around MS's bug du jour, someone has to keep basically reverse-engineering whatever idiocy MS implemented this time. It seems to me like an undue burden.

Plus, honestly, writing stuff that only works because of a bug in another module (in this case the browser) is bad practice. Now I'm aware that it can't always be avoided. But at least in an ideal world, it should be MS's job to fix MS's bugs, not the devs' job to work around it. The devs' job should be to write stuff that is correct and secure by the Javascript/HTML/whatever standards, not code that works with the IE bug of the day.

Re:I don't see why (1)

Culture20 (968837) | more than 4 years ago | (#31909444)

I mean, let's say you write some program, and check your array bounds and everything. Then a year later I'm brought in as a consultant and, perhaps in the name of optimizing speed, inadvertently bypass one of your checks and introduce a buffer overflow vulnerability. Would you say that you should be held responsible for my changes? Would you say your code was simply insecure if it allowed that? Why? By what definition of "insecure"?

Failure to implement Core Wars code in the spreadsheet program. If the program were more like a rootkit, your memory-meddling to introduce a buffer overflow would be countered, your bank account would be drained, and your toaster would now be an acoustic spy device relaying sound over the electrical grid... whether or not it is plugged in!

This is how it works. (4, Informative)

clone53421 (1310749) | more than 4 years ago | (#31908992)

No.

The sites were previously not susceptible to cross-site scripting. They escaped their input, whatever needed to be done.

IE cleverly tried to prevent cross-site scripting and in the process they screwed up the properly-escaped response so that now, you can execute an XSS attack that didn’t even exist until IE8 changed it.

This is how.

If I enter “<img src=x:x onerror=alert(document.cookie);><script” in a username field, the next page that says “Hi, $name” should not result in a script alert. And if the page also sends the username as a Javascript string, the (PROPERLY ESCAPED) response might look like this:

<script type="text/javascript">
var username = "<img src=x:x onerror=alert(document.cookie);><script";
</script>
Hi, &lt;img src=x:x onerror=alert(document.cookie);&gt;&lt;script

Note that the site properly escaped the angle brackets when it was presented as HTML, and there were no illegal characters that needed escaping in Javascript.

IE8 will detect your “<script” in the input and replace all instances of <script with “<sc#ipt” in the resulting page. (No, I’m not making this up. That is what the researchers claim.) Which, naturally, kills most of the Javascript functionality in the resulting page. But more importantly, it does this:

<sc#ipt type="text/javascript">
var username = "<img src=x:x onerror=alert(document.cookie);><sc#ipt";
</script>
Hi, &lt;img src=x:x onerror=alert(document.cookie);&gt;&lt;script

...which looks like this, when the browser renders it:

var username = "[broken image bitmap] Hi, <img src=x:x onerror=alert(document.cookie);><script

AND THE INJECTED SCRIPT EXECUTES.

Now you just replace the alert() with some Ajax code to send the stolen cookies to your server, craft a URL containing the malicious code in a GET query, and go phishing.
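As an added illustration (not the commenter's code), the following Python script models the rewrite described in the post, `<script` becoming `<sc#ipt`, on the exact response quoted above and runs both versions through Python's `html.parser` to show what changes: before the rewrite the `img` markup is inert text inside a script element, afterwards it parses as a real element carrying an `onerror` handler. The case-insensitive replacement and the use of `html.parser` as a stand-in for the browser's tokenizer are assumptions; only the response text comes from the post.

```python
import re
from html.parser import HTMLParser

# The server's correctly escaped response, copied from the comment above.
# The JavaScript string needed no escaping; the HTML text got &lt; and &gt;.
ESCAPED_RESPONSE = (
    '<script type="text/javascript">\n'
    'var username = "<img src=x:x onerror=alert(document.cookie);><script";\n'
    '</script>\n'
    'Hi, &lt;img src=x:x onerror=alert(document.cookie);&gt;&lt;script\n'
)


def neuter_script_tags(page: str) -> str:
    """Model of the filter's response rewrite as the comment describes it:
    every '<script' in the response becomes '<sc#ipt'.  Matching
    case-insensitively is an assumption; the comment only shows lower case.
    Note that '</script>' is untouched, exactly as in the comment's output."""
    return re.sub(r"<script", "<sc#ipt", page, flags=re.IGNORECASE)


class ElementCollector(HTMLParser):
    """Records every start tag the parser sees, with its attributes.
    html.parser treats the content of a real <script> element as raw text,
    so markup inside a script block never shows up here, matching how a
    browser would treat it."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.elements: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.elements.append((tag, dict(attrs)))


def event_handler_elements(page: str) -> list[tuple[str, dict]]:
    """Return (tag, attrs) for each element carrying an on* attribute, i.e.
    the elements that would execute script when the page is rendered.
    An empty list means the page has no such element after parsing."""
    collector = ElementCollector()
    collector.feed(page)
    collector.close()
    return [
        (tag, attrs)
        for tag, attrs in collector.elements
        if any(name.startswith("on") for name in attrs)
    ]


if __name__ == "__main__":
    # Before the rewrite: the <img ...> is a string literal inside <script>.
    print("original :", event_handler_elements(ESCAPED_RESPONSE))
    # After the rewrite: <sc#ipt> is not a script element, so the parser
    # continues in normal markup mode and finds a live img/onerror element.
    neutered = neuter_script_tags(ESCAPED_RESPONSE)
    print("neutered :", event_handler_elements(neutered))
```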

Re:This is how it works. (1)

sjames (1099) | more than 4 years ago | (#31909558)

The key point though is that it is not the site that has been hacked, it's the person using the browser. The site is blameless and unharmed.

Re:This is how it works. (2, Informative)

clone53421 (1310749) | more than 4 years ago | (#31909660)

Actually, no. The site sent code that was executed by the browser to a malicious result. Normally in such a situation you’d blame the site, and rightly so.

The blame goes on IE in this one, though, for breaking correct code generated by the site and turning it into something incorrect (and malicious).

Re:This is how it works. (1)

sjames (1099) | more than 4 years ago | (#31910216)

I WAS talking about this case. In other cases where the site sends incorrect code that causes a problem, the site is unharmed but not blameless.

Even in the latter case, the browser must share the blame unless the user has marked the site as trusted. That is for the same reason that the site is blamed if it permits an SQL injection attack to work. Unless told otherwise, the browser should not presume that any site is trusted by the user nor that any site trusts any other site. A site MAY (and should be able to) tell the browser that it trusts another site (and that should be honored if it does) but that should not imply the converse. A trusts B does not mean B trusts A. None of that should mean user trusts any of them. The question of them trusting user is beyond the browser's scope or control (as the browser is the user's agent).

Meanwhile, the browser should run each site's scripts in their own context. Scripts from A or requested by a script from A run in A's context. Cookies from B are not available in A's context, even if A requests inclusion of a script from B (the script may run due to A trusting B, but since B doesn't necessarily trust A, it doesn't get access to B's context).

Blame for anything that goes wrong is to be assigned to the entity that improperly trusted as well as to the entity that violated that trust.

Not my site... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31906894)

Not if IE8 wanders over to my site. Any version of IE gets a header redirect straight to the eu browser choice web site.
It will remain so indefinitely unless (Which I doubt) IE9 becomes ECMA javascript compliant and w3c standards compliant. Neither of which any existing single version of Internet explorer is.
I made the decision as a result of the IE attacks on Google and IE's failure to correctly render the site's w3c validated css and xml template.
I haven't found any other major browser that can't render it correctly. Even webkit enabled phones have no trouble.

The sooner everyone starts doing the same, the safer the web will be and the easier web developers' jobs will be.

Web sites don't need Internet explorer. Internet Explorer needs websites.

Re:Not my site... (5, Funny)

grrowl (953625) | more than 4 years ago | (#31907172)

I'm sure your user will be deeply affected by this.

Re:Not my site... (0, Flamebait)

Anonymous Coward | more than 4 years ago | (#31907908)

Not if IE8 wanders over to my site. Any version of IE gets a header redirect straight to the eu browser choice web site.

Please. You think you're making a statement but anyone who gets redirected is just going to think you're a fag and move on.

Re:Not my site... (0, Redundant)

clone53421 (1310749) | more than 4 years ago | (#31909080)

You say that as if you think he cares...

Re:Not my site... (0)

Anonymous Coward | more than 4 years ago | (#31909008)

This.

The argument against doing this is "oh, it won't work, people will just go to another site".
But that is the thing: if EVERYBODY did it, EVERYBODY, they don't have any other site TO go to. (In both cases, everybody means all the largest sites.)

Microsoft made us suffer for years; they deserve to suffer for stopping the web from evolving (and failing in the end anyway).
To hell with their forced interpretation of what they think the specifications were supposed to be like.

Internet Explorer is the only annoyance in web development. Every single time it is an error in their rendering.
I've just given up caring about IE users. They get a nice double-red-bordered box saying they are using an old / broken / insecure browser, with links to update to decent browsers, to explain why the webpage is almost certainly broken.

I mean, for crying out loud, I made a very simple page that every browser should have supported for at least a decade now, and, oh yes, you guessed it, IE NEVER WORKED (yes, IE8!). Even Netscape worked; that is just sad!
Development of Trident is an absolute joke. They must work on the thing 1 day of the week, 2 at the most. Even Google gets more done on their personal project time.

If the design is broken . . . (1)

NicknamesAreStupid (1040118) | more than 4 years ago | (#31906946)

. . . you can't fix it in the implementation. They have sent themselves down this path and are too far gone to turn back. Their only hope is to make it too proprietary for anyone outside Microsoft to understand. IE9 must use the IRS tax code interface, which will render it indecipherable and, therefore, unusable.

Re:If the design is broken . . . (1)

gzipped_tar (1151931) | more than 4 years ago | (#31906968)

Insecure by obfuscation?

Oh the horrors! (4, Insightful)

Hurricane78 (562437) | more than 4 years ago | (#31906988)

will dynamically generate a regular expression matching the outbound string

RegEx? Dynamic? Generated?? I don’t think I’m the only one who got the chills and raised hackles from this...
I think this deserves an award for the most made-for-disaster concept ever conceived. ^^

Re:Oh the horrors! (2, Interesting)

Statecraftsman (718862) | more than 4 years ago | (#31907068)

The only thing crazier than a dynamically generated regex is running a proprietary browser on top of a proprietary operating system.

Re:Oh the horrors! (0, Interesting)

Anonymous Coward | more than 4 years ago | (#31907118)

The only thing crazier than running a proprietary browser on top of a proprietary operating system is running a browser whose code you have not thoroughly audited yourself on top of an operating system whose code you have not thoroughly audited yourself (and believing yourself somehow vastly superior to all 'them' who don't do as you do).

Re:Oh the horrors! (1)

icebraining (1313345) | more than 4 years ago | (#31907662)

I've audited Lynx code thoroughly, you insensitive clod!

Re:Oh the horrors! (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31908284)

And in any case, you're still running on proprietary hardware, anyway.

Re:Oh the horrors! (2, Insightful)

AaxelB (1034884) | more than 4 years ago | (#31909286)

Even auditing the code doesn't help. [bell-labs.com] The only thing crazier than running a browser and OS whose code you've not audited is auditing the browser's and OS's code but then compiling them! The only way out is to write the compiler in pure machine code yourself.

...and then you just have to run it in your head -- you can't trust hardware!

More seriously, proprietary software requires you place all your trust in one entity. With open-source software, that trust is more distributed, and it's less likely that someone was able to bury something malicious, especially if there's an active and large developer community. This isn't at all to say there can't be anything malicious (or flawed) in OSS, but it's easier to trust a large group of people that have nothing to gain from duping you and who know they would probably get caught than it is to trust a single company that might have something to gain and can probably get away with it.

With proprietary software, you're betting that a specific company won't fuck you over.
With OSS, you're betting that at least one person out of a community of developers (and users who actually do audit code) won't fuck you over.

Re:Oh the horrors! (0)

Anonymous Coward | more than 4 years ago | (#31908388)

The only thing crazier than that is saying something that dumb

Re:Oh the horrors! (1)

gzipped_tar (1151931) | more than 4 years ago | (#31907104)

BTW, be sure to check the PDF (link in summary). The paper was well written, and the documented bug was totally fucking ridiculous. I'd say that the whole thing was made-for-disaster.

Re:Oh the horrors! (1)

0WaitState (231806) | more than 4 years ago | (#31907792)

Why, does the PDF have a javascript exploit?

The fix (1)

symbolset (646467) | more than 4 years ago | (#31907174)

$browser=isitie(); if $browser then ieisbrokepage() else [...]

Colour me unsurprised (0)

Anonymous Coward | more than 4 years ago | (#31907210)

Now you know how far you can trust micros~1 code: Even the supposed security enhancements are abuse waiting to happen.

Malice? Criminal incompetence. And that for a company that employs thirty five thousand of supposedly the world's bestest pro-grammers.

Security through not adding security features (1)

Alex Belits (437) | more than 4 years ago | (#31907216)

This demonstrates the point that is apparently lost on the majority of people who are in various ways responding to various "threats":

In the overwhelming majority of cases the best response to the possibility of attack is TO DO NOTHING.
In a large subset of those, fixing the underlying problem is the best direction of efforts, security-related or otherwise.

It's simple -- when you (be it a person, organization or a piece of software) respond to something in a predictable manner your actions are controlled by it. If the original problem was the possibility that "you" could be coerced into doing something stupid and self-destructive, adding more predictable and complex reactions only provides more possibilities for doing the same.

Otherwise immune? (1)

abigsmurf (919188) | more than 4 years ago | (#31907304)

If a site is capable of executing user submitted content it's hardly immune from attacks.

Re:Otherwise immune? (1)

julesh (229690) | more than 4 years ago | (#31907350)

If a site is capable of executing user submitted content it's hardly immune from attacks.

It isn't. RTFA. Internet Explorer looks at the returned data, and takes a guess that it is. The action IE takes in response to this causes it to become capable of executing the content (by introducing new bugs into javascript code that already existed on the page).

Re:Otherwise immune? (1)

clone53421 (1310749) | more than 4 years ago | (#31909102)

The site wasn’t capable, and was in fact immune.

Until IE fsked its scripts and turned all of its Javascript code into HTML because it detected a possible XSS attack.

IE is a liability and should be killed.

Re:Otherwise immune? (1)

sjames (1099) | more than 4 years ago | (#31909696)

Unless the SITE (that is, the server) is the one executing the code, the attacks are against the client and it is up to the client to fix them; in this case, IE.

SQL injection is a good example of an attack against a site, and vulnerability to that is a site vulnerability.

Foreseeable (1)

Schraegstrichpunkt (931443) | more than 4 years ago | (#31908194)

... the browser will automatically alter the response ...

This smacks of the thinking behind PHP's magic quotes [wikipedia.org].

Microsoft's so-called security experts should have known that this was a bad idea, especially if they'd worked with the UTF-7 XSS vulnerabilities. Any time you take a parsed language and haphazardly change the way that it parses, you're opening the door to security holes. That's probably why Dan Bernstein, years ago, said "Don't parse" in his page about qmail security [cr.yp.to].
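Contextual output encoding on the server is the fix that makes a reflected value inert no matter what a client-side filter does afterwards. The Python below is an added illustration written for this thread, not code from the researchers' paper, from Microsoft, or from any commenter. It contrasts a properly encoded search page with a constructed toy of a reactive response-rewriting filter; the page template, the sample queries and the `naive_reflected_filter` rewrite rule are all assumptions, and the toy is not IE8's real algorithm. The point it demonstrates is the layering problem raised above: a rewrite applied to the whole response cannot tell reflected input from the page's own code, so it alters legitimate content even on a page the server already rendered safely.

```python
import html
import json
import re

# Constructed sample page (an assumption, not from the paper or from IE8):
# a search page that reflects the query into two contexts and also carries a
# legitimate inline script whose own text mentions an HTML tag.
PAGE_TEMPLATE = (
    "<html><body>\n"
    "<p>Results for: {query_html}</p>\n"
    "<p id=\"out\"></p><p id=\"tip\"></p>\n"
    "<script>\n"
    "var q = {query_js};\n"
    "document.getElementById('out').textContent = q;\n"
    "document.getElementById('tip').textContent = 'Tip: use <b> for bold';\n"
    "</script>\n"
    "</body></html>\n"
)


def escape_html_text(value: str) -> str:
    """Encode an untrusted value for an HTML text or attribute context."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Encode an untrusted value as a JS string literal inside an inline script.
    json.dumps handles quotes and backslashes; '<', '>' and '&' are additionally
    \\u-escaped so the literal can never close the enclosing <script> element."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_page(query: str) -> str:
    """Server-side fix: encode the untrusted value once per output context."""
    return PAGE_TEMPLATE.format(
        query_html=escape_html_text(query),
        query_js=escape_js_string(query),
    )


def naive_reflected_filter(request_value: str, response: str) -> str:
    """Toy model of a client-side reactive filter (constructed illustration,
    not IE8's actual algorithm): wherever the raw request value recurs in the
    response, rewrite it in place by blunting '<'. The filter has no way to
    know which bytes came from the request and which are the page's own code."""
    pattern = re.compile(re.escape(request_value))
    return pattern.sub(lambda m: m.group(0).replace("<", "#"), response)


def script_start_tag_count(markup: str) -> int:
    """Count <script ...> start tags; the template itself contributes exactly one,
    so any reflected input that survived encoding would raise this above one."""
    return len(re.findall(r"<script[\s>]", markup, re.IGNORECASE))


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    safe = render_page(probe)
    print(safe)
    print("script start tags:", script_start_tag_count(safe))  # 1: the page's own

    # A perfectly benign query that happens to match text in the page's own
    # script: the server output is safe, yet the rewriting filter changes it.
    benign = "<b>"
    print(naive_reflected_filter(benign, render_page(benign)))
```

Two details worth keeping from this: `json.dumps` alone is not a JS-context encoder, because it leaves `</script>` intact inside the literal, which is why the `\u003c` escaping is added; and the rewrite in `naive_reflected_filter` fires on the page's own `'Tip: use <b> for bold'` string, producing a changed script on a response that contained no reflected markup at all. That is the same class of mistake as magic quotes: transforming data without knowing the context it will be parsed in.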
