Microsoft Research Builds 'BrowserShield'

SteelyBen writes "Researchers at Microsoft have completed work on a prototype framework called BrowserShield that promises to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages. The BrowserShield project, an outgrowth of the company's 'Shield' initiative, could one day even become Microsoft's answer to zero-day browser exploits such as the WMF (Windows Metafile) attack that spread like wildfire in December 2005."

zero-day browser exploits

[HateBreeder]

... Will just get a new name: zero-day browser-sheild exploits.

I made a similar product once.

Unfortunately, I wrote it directly into my program without giving it another name, since I didn't realize I could sell the security separate from the program.

Innovation at its finest I suppose.

Solve the problem, don't patch it

[mrjb]

How will this even help? Will the browser shield require signatures and/or heuristics like virus scanners, and thus get outdated? If manpower needs to be invested in this technology, wouldn't the same manpower be better invested in solving the problem, rather than patching it?

Hold on a second...

[JeremyALogan]

... so their answer to poorly written software that is security-hole ridden is to layer more software written by the same people on top of it? Wouldn't it be easier to just write good software in the first place then actually fix, in a timely manner, anything that crops up? I'm failing to see how more bloat is going to help.

Sounds like they've re-invented the sandbox.

[giafly]

FTA: "We basically intercept the Web page, inject our logic and transform the page that is eventually rendered on the browser," Wang said. "We're inserting our layer of code at run-time to make the Web page safe for the end user.

"The essence of the sandbox model is that local code is trusted to have full access to vital system resources (such as the file system) while downloaded remote code (an applet) is not trusted and can access only the limited resources provided inside the sandbox" - Java Security Architecture

Bizarro!

[zmollusc]

WTF? This is the kind of approach that would be used on someone else's propriatary legacy software, or on some piece of hardware to keep it working without altering the thing itself. What are m$ saying? 'Our browser code is such a POS that we don't know how it works anymore'? 'We lost the source code ages ago and we cannot be bothered doing the job right'? 'We have so much market share that we really don't give a crap anymore, pass the crack pipe and the stock options'?

well it's the Microsoft way

[Pliep]

1. create product with security leaks
2. receive complaints
3. do not solve security leaks but instead, build a wall around them
4. go to sleep and forget about 1.

Wrong-Headed!

[dacap]

*sigh* So they are STILL trying to put bandaids on their old, insecure, highly-patched (and therefore low quality) software rather than ditching insecure communications protocols and writing a simpler browser that is secure from the gound up.

Yep - Microsoft is all in favor of security - so long as it maintains backward compatibility and they don't have to throw anything away.