Internet Exploder 8 is helping the bad guys in a way that Microsoft probably never envisioned. A filter designed to eliminate cross-site scripting attacks instead helps the forces of evil attack other sites and causes problems that would not exist without it.
The ZDNet security site explains that the finding comes from a Black Hat conference in Europe, and that the problem affects sites that everyone uses –
The cross-site scripting filter that ships with Microsoft’s Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat.
According to a presentation at this year’s Black Hat Europe conference, the issue introduces security problems at several high-profile websites, including Microsoft’s own Bing.com, Google.com, Wikipedia.org, Twitter.com and just about any site that lets IE 8 users create profiles.
Microsoft added the anti-XSS feature in IE 8 last August to detect Type-1 (reflection) attacks that can lead to cookie theft, keystroke logging, Web site defacement and credentials theft. However, as the researchers discovered, Microsoft’s filters work by scanning outbound requests for strings that may be malicious.
This is where the hiccup exists:
When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server’s response then the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack will be unsuccessful.
The exact method used to alter a server’s response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized then a malicious script may still execute. On the other hand, it is also crucial that benign requests are not accidentally detected.
The researchers figured out a way to use the IE 8’s altered response to conduct simple abuses and universal cross-site scripting attacks.
This document (PDF) explains the scope of the problem and provides some demonstrations.
Jerry Bryant, a spokesman for Microsoft’s security response team, said the bulk of the problems described in the document was fixed with the MS10-002 security patch, which was released for IE users earlier this year.
“Microsoft also added a defense-in-depth change (MS10-018) in March 2010 to provide broader coverage for this type of attack scenario,” Bryant said.
However, not all of the issues have been fixed and the browser’s XSS filter is still introducing security risks on certain web sites.
Until the issue is properly fixed, the researchers recommend the following server-side mitigations:
- Filter all user-generated content so that, even if it is interpreted in a different context, it cannot execute.
- Use site-wide anti-CSRF tokens that prevent any sort of XSS from being exploited in the first place.
- Disable IE8’s filters using the response header opt-out mechanism. There are obvious pros and cons to doing this, so consider your options carefully. Despite the serious vulnerabilities discussed in this paper, the filters do go a long way towards protecting IE8 users from traditional XSS attacks. Obviously, once users have upgraded to the patched version we strongly suggest you keep the filters enabled.
End users running IE 8 should consider disabling the filters from within the browser until a comprehensive patch is shipped.
UPDATE: Microsoft’s Bryant e-mailed to point to this August 2008 blog post that provides some additional context on this issue.
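To make the mechanism described above concrete, here is an added Python model of the filter logic (written for this post; it is not code from the ZDNet article or the Black Hat paper, and its signature list and neutering rule are simplifying assumptions). It shows the three cases that matter: a real reflected payload is neutered, a properly escaped echo is left alone, and a site’s own legitimate script tag gets altered whenever the request merely contains a matching fragment, which is why the response-header opt-out is on the mitigation list.

```python
import re
import html

# Assumed, simplified stand-ins for IE8's request signatures. The real filter
# used a larger and more elaborate set; the shape of the logic is what matters.
SUSPICIOUS = [r"<script", r"javascript:", r"on\w+\s*=", r"<\w+[^>]*src="]

def signatures_for(request_param: str):
    """Build a regex from each suspicious fragment found in the outbound request."""
    sigs = []
    for pat in SUSPICIOUS:
        m = re.search(pat, request_param, re.IGNORECASE)
        if m:
            # The pattern is derived from the request text itself, so whoever
            # controls the request controls what the browser will look for.
            sigs.append(re.compile(re.escape(m.group(0)), re.IGNORECASE))
    return sigs

def neuter(match: re.Match) -> str:
    # Assumed neutering rule: overwrite the second character of the match with '#'
    # so that the matched text no longer parses as markup or script.
    text = match.group(0)
    return text[0] + "#" + text[2:] if len(text) > 1 else "#"

def filter_response(request_param: str, response_body: str, opt_out: bool = False):
    """Return (possibly altered body, was_altered).

    opt_out=True models a server sending the X-XSS-Protection: 0 opt-out header,
    in which case the response is passed through untouched.
    """
    if opt_out:
        return response_body, False
    altered = response_body
    for sig in signatures_for(request_param):
        altered = sig.sub(neuter, altered)
    return altered, altered != response_body

if __name__ == "__main__":
    # Constructed sample inputs.
    payload = "<script>alert(1)</script>"
    print(filter_response(payload, f"<p>You searched for {payload}</p>"))
    print(filter_response(payload, f"<p>You searched for {html.escape(payload)}</p>"))
    # No reflection at all, yet the site's own tag is damaged.
    page = '<script src="/app.js"></script><p>' + html.escape("<script") + "</p>"
    print(filter_response("<script", page))
    print(filter_response("<script", page, opt_out=True))
```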
Why do we keep seeing this? Sure, Microsoft puts out the browser that everyone attacks, but then you might think that it would also have the most experience, and the best track record, fending off those attacks. The only thing that can be said about this is that this is not a repeat of mistakes made before – so Microsoft gets a partial pass on this.
Still, it is yet another reason to never use the browser unless forced…with absolutely no other choice.
Quote of the day:
Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand. – Putt’s Law