IE8 Security Part IV: The XSS Filter
Today we are releasing some details on a new IE8 feature that makes reflected / “Type-1” Cross-Site Scripting (XSS) vulnerabilities much more difficult to exploit from within Internet Explorer 8. Type-1 XSS flaws represent a growing portion of overall reported vulnerabilities and are increasingly being exploited “for fun and profit.”
The number of reported XSS flaws in popular web sites has skyrocketed recently – MITRE has reported that XSS vulnerabilities are now the most frequently reported class of vulnerability. More recently, sites such as XSSed.com have begun to collect and publish tens of thousands of Type-1 XSS vulnerabilities present in sites across the web.
XSS vulnerabilities enable an attacker to control the relationship between a user and a web site or web application that they trust. Cross-site scripting can enable attacks such as:
- Cookie theft, including the theft of sessions cookies that can lead to account hijacking
- Monitoring keystrokes input to the victim web site / application
- Performing actions on the victim web site on behalf of the victim user. For example, an XSS attack on Windows Live Mail might enable an attacker to read and forward e-mail messages, set new calendar appointments, etc.
While many great tools exist for developers to mitigate XSS in their sites / applications, these tools do not satisfy the need for average users to protect themselves from XSS attacks as they browse the web.
Source: IE Blog
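To make the "reflected / Type-1" distinction concrete, here is an added example (not from the original post or from the IE team): a page that echoes a query parameter back into HTML, first reflecting it verbatim and then HTML-encoding it, plus a simple server-side regression check for unencoded reflection. The template, the host `example.test` and the sample request are constructed for the example; the reflection check is a plain heuristic and says nothing about how IE8's XSS Filter itself works.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed template, not from the post: echoes a search term into the page.
TEMPLATE = "<html><body><h1>Search results for: {q}</h1></body></html>"


def render_vulnerable(q: str) -> str:
    """Reflect the parameter verbatim: request-controlled markup reaches the page."""
    return TEMPLATE.format(q=q)


def render_hardened(q: str) -> str:
    """HTML-encode <, >, &, " and ' so the parameter is rendered as text."""
    return TEMPLATE.format(q=html.escape(q, quote=True))


# Characters that let a reflected value break out of an HTML text context.
MARKUP_CHARS = set('<>"\'')


def reflected_unencoded(url: str, response_body: str) -> list:
    """Names of query parameters whose value contains markup characters and is
    echoed verbatim in the response: a simple server-side/proxy regression
    check, NOT a description of how IE8's XSS Filter works."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        if any(MARKUP_CHARS & set(v) and v in response_body for v in values):
            hits.append(name)
    return hits


# Constructed sample request (hypothetical host), not a real site or report.
SAMPLE_URL = "https://example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E&page=2"


def demo() -> dict:
    q = parse_qs(urlsplit(SAMPLE_URL).query)["q"][0]
    return {
        "vulnerable": reflected_unencoded(SAMPLE_URL, render_vulnerable(q)),
        "hardened": reflected_unencoded(SAMPLE_URL, render_hardened(q)),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': ['q'], 'hardened': []}
```

The `page` parameter is never flagged because it carries no markup characters, which is what keeps such a check from paging on every echoed value.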
IE8 Security Part III: SmartScreen® Filter
As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs, I get a lot of spam. Of the spam I receive, a significant number of messages represent phishing attacks. Most of these lures aren’t very clever or convincing, but phishing has become a simple numbers game—hosting phishing sites is cheap, and even if only a few users fall for any given phishing attack, attackers will profit by increasing the volume of phishing campaigns.
In Internet Explorer 7, we introduced the Phishing Filter, a dynamic security feature designed to warn users when they attempt to visit known-phishing sites, and worked with partners to introduce Extended Validation certificates that light up the address bar when users visit sites with verified identity information. Beyond the Phishing Filter, Microsoft has also published educational materials on identifying phishing scams, and developed a strategy to attack phishing at multiple levels.
For Internet Explorer 8, we’ve built upon the success of the Phishing Filter feature (which blocks over a million phishing attacks weekly) to develop the SmartScreen® Filter, a replacement that improves upon the Phishing Filter in a number of important ways:
- Improved user interface
- Faster performance
- New heuristics & enhanced telemetry
- Anti-Malware support
- Improved Group Policy support
Source: IE Blog
Microsoft Internet Explorer Vulnerability Warning Issued
The flaw focuses on IE’s inline frames, often used for serving ads, which typically come from a different domain than content that appears on the same Web page. Microsoft’s Internet Explorer 6, 7, and 8 beta 1 appear to contain a security flaw that could subject users who visit a malicious Web site or open a malicious e-mail message to arbitrary code. U.S. CERT has published a vulnerability note indicating Internet Explorer doesn’t handle document frames securely.
Document frames can be used to subdivide Web pages such that the content associated with each division comes from a different server or domain. These "iframes," or inline frames, often are used for serving ads, which typically come from a different domain than content that appears on the same Web page.
The problem, as U.S. CERT describes it, is that "Microsoft Internet Explorer fails to properly restrict access to a document’s frames, which may allow an attacker to modify the contents of frames in a different domain."
Source: InformationWeek
IE8 Beta 1 June Security Update Now Available on Windows Update
Today the IE team released the IE June Cumulative Security Update for Internet Explorer 8 Beta 1 for Developers on Windows Update. For detailed information on the contents of this update, please see the following documentation:
If you are using IE8 Beta 1 for Developers, we encourage you to download this security update through Windows Update or the Microsoft Download Center today.
Source: IE Blog
Livestation launches NEW beta 1.0.76.7
Livestation is a free software application that provides a range of live news television channels and radio stations that can be received on a computer anywhere with a basic broadband connection. You can watch television on your desktop, or on your laptop, at home, at work, on the move, or in a hotel room, provided you have a broadband internet connection or wireless access.
Livestation allows you to receive live TV and radio news from the world’s leading broadcasters on your PC, via a multi-channel interactive application on the desktop giving you a unique window on the world’s news. You can watch Livestation full screen or minimised to fit in the corner of your screen, enabling you to carry on with other tasks while also keeping an eye on the news. You can flick between channels, just as you would on your TV set.
Livestation is legal, safe, free and comes with no strings attached.
Current features include:
- High quality live audio and video
- Channel selection and programme guide
- Programme information overlay
- Ability to scale player window from 50% to 200%
- Always on top window setting
- Full screen playback option
- Volume control and mute.
Other functions, including support for subtitles and audio description, and many other interactive features, will be added in future releases.
What’s new in Livestation 1.0.76.7:
- Personalise your player with your own channels (stream bookmarks).
- Bookmark your own channels, tag them, search for them
- Watch your own channels in Livestation.
- Twitter integration
Minimum requirements:
- Windows XP Service Pack 2 or Vista
- Internet Explorer 6+
- 1.5 GHz processor
- A network connection of at least 800 kbps
- Microsoft Silverlight
- Free registration on the publisher's website
Notes: This is a pre-release version of the Livestation player which may not include all the final features and may have faults or flaws. Please only install and use this version of the Livestation player if you are comfortable using pre-release software.
Livestation is available for download at this address
Link: Livestation Home Page
IE Team to Mozilla: Congratulations!
In what has now become a tradition, the Internet Explorer team sent a "Congratulations on Shipping!" cake to the Mozilla Foundation headquarters for shipping Mozilla Firefox 3.0. As you might be able to see in the picture, the ring around the Internet Explorer "e" is actually three-dimensional and it’s certainly more fancy than the cake they previously sent Mozilla for shipping Firefox 2.
Source: Ryan Paul at Ars Technica
June 2008 Security Updates are Now Available
The June 2008 Windows XP Embedded Security Updates are now available on the Mobile & Embedded Communications Extranet (ECE) for Microsoft® Windows® XP Embedded Service Pack 2, Feature Pack 2007, and/or Update Rollup 1.0.
June 2008 Windows XP Embedded Security Updates
The June 2008 Windows XP Embedded Security Updates are cumulative and include updates for the Desktop QFE Installer (DQI) Tool and the Component Database.
The following updates are included in this release – please see the ECE for more details:
For Windows XP Embedded with SP2, Feature Pack 2007, and/or Update Rollup 1.0:
- KB 950749 Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution.
- KB 951376 Vulnerability in Bluetooth Stack Could Allow Remote Code Execution.
- KB 950759 Cumulative Security Update for Internet Explorer.
- KB 950760 Cumulative Security Update of ActiveX Kill Bits.
- KB 951698 Vulnerabilities in DirectX Could Allow Remote Code Execution.
- KB 950762 Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service.
The June 2008 Windows XP Embedded Security Updates are available here at the ECE:
Source: MSDN Blog
What’s Coming in Internet Explorer 8 for IT Professionals?
Yesterday at Tech Ed IT Pro 2008 in Orlando we announced some of the enhancements we’re making in Internet Explorer 8 to help IT Professionals deploy and manage IE8 within their organization. We wanted to share those with the IT Pros on our blog.
Over the last year we’ve surveyed over 2000 IT Professionals to understand their concerns and priorities for deploying and managing desktops and software within their organization. We learned that IT Pros have a lot of things to worry about - more than 30 different concerns came up. However, some topics arose considerably more frequently than others. Here are the top ones:
- Deployment and implementation of new technology
- Managing updates and upgrades
- Application compatibility
- Security of data, network and systems
Internet Explorer 7 already has a pretty strong deployment and management story. For IE7, IT Pros are able to:
- Generate customized builds that include the company's settings and branding by using the Internet Explorer Administration Kit (IEAK)
- Centrally manage browser settings through group policy
- Use common deployment infrastructures like Windows Update, Windows Server Update Services, Systems Management Server and Active Directory
In addition to deployment and management support, IE 7 introduced a number of features intended to help your users browse more safely and hence protect your corporate data, network and systems:
- Phishing Filter
- ActiveX Opt-in
- Extended Validation Certificates
IE7 did a lot to address the concerns of the IT Professionals but we felt there were some places we could improve. Yesterday, we announced some of our new features:
Slipstream Support in Internet Explorer 8
We got consistent feedback from customers that deploying Internet Explorer 7 as part of Windows XP is hard. Many IT Pros want to update their Windows XP images to contain IE7 by default, so that IE7 gets installed as part of the OS install. To do that, the IT Pros need to boot their existing images of Windows XP, install IE7 and then recapture the image. This process takes roughly 2 hours per image.
With Internet Explorer 8 and Windows Vista you'll be able to "slipstream" Internet Explorer 8 into a Vista image so that when you deploy Vista it already contains Internet Explorer 8. Slipstreaming IE8 takes only 10-15 minutes per image. You'll also be able to slipstream IE8 cumulative updates so that you are shipping the most up-to-date and secure image.
Look out for a forthcoming post to learn more about Slipstreaming IE8.
Application Compatibility and Internet Explorer 8
You have seen a lot of discussion on this blog about our decision to ship Internet Explorer 8 with standards mode switched on by default. Today, not all sites are built to conform to web standards so we’ve given end users and developers control over how sites display in IE8.
How about IT Professionals? For one, we’re adding new events to the Application Compatibility Toolkit (ACT) that help you detect and resolve potential issues between IE8 and your internal applications and web sites. For another, we’re providing Group Policy settings that help you control, with great granularity, those settings that most impact compatibility. Lastly, we’re looking at how to intelligently solve this problem for intranets - providing the greatest application and web site compatibility while still maintaining our core tenets of security, performance, and reliability.
Security in Internet Explorer 8
The Internet has changed the way that people live and work. People are spending more and more time on the web, but this growth in web usage has also attracted people with malicious intent. From phishing scams to sites which install malware, the web can be a dangerous place to be. Who hasn't had to jump across the keyboard/mouse to stop a friend or loved one visiting a phishing site or installing a piece of suspicious software? What happens when that person doesn't have their tech-savvy friend watching over their shoulder?
Did you know that more than $3 billion has been lost in phishing scams? The browser, and IE8 in particular, plays an important role in helping protect users against a range of attacks, from social attacks like phishing to browser-based exploits.
Rather than cover those features here, we’ve already posted information about some of the ways we’re helping your users browse more safely:
There’s more to come around security in later blog postings.
Updates to the IEAK
The Internet Explorer Administration Kit (IEAK) enables IT Pros to customize IE for their company's needs. You might be familiar with this tool since it was available for IE6 and IE7. In IE8, IEAK is getting a facelift. We have fixed a number of bugs and added some enhancements to improve the performance of IEAK. IEAK8 will support custom IE8 builds for new platforms (Vista and Windows Server 2008) and new IE8 features like Activities and Web Slices.
Stay tuned for a follow-up blog post that will contain more detail about IEAK8.
Wrap Up
We plan to include all of the above mentioned features in our Beta 2 release which is planned for August 2008. As always when developing software, features can get cut or postponed if we find bugs that affect ship quality but right now we’re on track to have these features for Beta 2.
IE7 was a great browser to deploy and manage in an enterprise or business environment. With IE8, we’re doubling down on that investment to make sure that we have the best browser to deploy and manage in an enterprise environment.
Source: IE Blog