Add to del.icio.us     Digg this

April 20, 2010

It has just been discovered that the cross-site scripting filter that already ships with Microsoft’s Internet Explorer 8 browser can be severely abused by potential hackers to launch cross-site scripting attacks on Web sites that would otherwise be immune to this specific threat.

The security flaw also causes other issues at several high-profile websites, including Microsoft’s own Bing.com, Google, Wikipedia, Twitter and just about any site that lets IE 8 users create profiles.

Microsoft added the anti-XSS feature in IE 8 in August 2009 to detect Type-1 attacks that can lead to cookie theft, keystroke logging, website defacement and credentials theft.

But as the researchers discovered, Microsoft’s filters work by scanning outbound requests for strings that may be malicious in nature.

When such a malicious string is detected, IE 8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server’s response then the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack will be unsuccessful to whomever initiated it.

The exact method used to alter a server’s response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized then a malicious script may stil execute. On the other hand, it is also crucial that benign requests are not accidentally detected.

Security analysts figured out a way to use the IE 8’s altered response to conduct simple abuses and universal cross-site scripting attacks.

Jerry Bryant, a spokesman for Microsoft’s security response team, said that most of the security issues described were already fixed with the MS10-002 security patch, which was released for IE users earlier in February.

“Microsoft also added a defense-in-depth change (MS10-018) later in March to provide broader coverage for this type of attack scenario,” Bryant said.

But not all of the security issues have been fixed and the browser’s XSS filter is still introducing security risks on certain web sites.

Until this security hole is properly analyzed and carefully repaired, the researchers recommend the following server-side mitigations:

Filter all user-generated content so that, even if it is interpreted in a different context, it cannot execute.

Use site-wide anti-CSRF tokens that prevent any sort of XSS from being exploited in the first place.

Disable IE 8s filters using the response header opt-out mechanism. There are obvious pros and cons to doing this, so consider your options carefully. Despite the serious vulnerabilities discussed in this paper, the filters do go a long way towards protecting IE 8 users from traditional XSS attacks nevertheless. Obviously, once users have upgraded to the patched version we strongly suggest you keep the filters enabled.

End users running IE 8 should consider disabling the filters from within the browser until a comprehensive Microsoft patch is shipped later.

Microsoft's next 'Patch Tuesday' is only slated for May 11, so some IE 8 users are now hoping that nothing will happen until then abd that their systems will run normally.

Add to del.icio.us     Digg this

Source: Microsoft.

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.