Microsoft Research Builds 'BrowserShield'

SteelyBen writes "Researchers at Microsoft have completed work on a prototype framework called BrowserShield that promises to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages. The BrowserShield project, an outgrowth of the company's 'Shield' initiative, could one day even become Microsoft's answer to zero-day browser exploits such as the WMF (Windows Metafile) attack that spread like wildfire in December 2005."

Why bother!?

[Turn-X+Alphonse]

This just gets on my nerves. They must of spent ages planning and coding this not to mention funding.. Why the hell didn't thy put these resources into IE7 instead? Screw this "We'll protect you from the exploits", make it to the exploits are oh.. I don't know.. FIXED

Re:Just what we need

[holdenholden]

I was ambivalent on this until I read the word "Intercept". So basically this new layer sits between the browser and the Intratubes and rewrites pages according to some predetermined criteria. Now there are two options: either they ship the signatures of new exploits to me (via an update) or the layer is on their side (like a proxy).

In the first case: why not ship the actual updates? Otherwise, how would they guarantee that Grandma will update the signatures? Maybe they will need another layer between the new layer and the Tubes, so that the new new layer will rewrite the pages in case the old new layer is not updated. This is not very sensible...

On the other hand, if they host the layer on their side, clearly I am not interested in sharing this information with MS. Either way, I don't see how it will work.

Showing the page anyway?

[CosmeticLobotamy]

It goes without saying that I didn't read the article, but it sounds like they remove the bad stuff and then show the page anyway. Why? Why not just show a page that says, "These f***ing scumbags just tried to f*** up your computer. Quit going there, and punch them in the mouth if you meet them. In the mean time, find a less dangerous source of porn."

That's not even the real danger...

[babbling]

Researchers at Microsoft have completed work on a prototype framework called BrowserShield that promises to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages.

What happens when you mix this with Digital Restrictions Management that goes down to the hardware level? What I'm getting at is, what if it's not malicious code that is being replaced by a "safe equivalent", but perhaps a controversial story on a news website, or an important email between governments?

In the future, he who controls the computers controls the world. Digital Restrictions Management will one day give just a few computer companies control over every internet-connected computer in the world.

Some people will respond to this with "ahh.. I'll just use a firewall". Those people do not realise that firewalls will contain DRM, too.

Re:So, what does this stop?

[niceone]

I searched a bit. There's a better article here. From that artcle:

BrowserShield's suggested solution to nefarious forces who try to hijack your computer for personal gain is to comb through a Web page for JavaScript or Visual Basic® script and encapsulate it with associated logic that is executed at run time on the user's computer.

Also there is a pdf of a paper they have written

.

From the abstract of that (I haven't read the whole thing):

The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at run-time. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at run-time. The rewritten pages contain logic for recursively applying run-time checks to dynamically generated or modified web content, based on known vulnerabilities.

So it looks like what this does is execute scripts that generate HTML and then check the HTML for known vunerabilities.

Re:Just what we need

[NovaX]

why not ship the actual updates?

Sometimes, in the short term, fixing a bug is harder than making sure that it won't be exploited 95%+ of the time. This could be due to architecture/legacy issues, not having resource(s) who know that code base, or the fixer not knowing the code. By using signatures, you're seperating the person that writes the signature from knowing any of the code for the underlying product. Its probably much quicker since they don't have a steep learning curve, can rapidly generate signatures, and its both a cheaper and faster solution. That's not to say its good long term, but considering why IE is slow to fix bugs (MS had haulted development) this has the benefit of being independant and much easier to maintain.

On implementation, Vista will have auto-updates on be default. From their work towards making Windows far more modular, they can probably now stop services, patch, and restart them seemlessly instead of requiring a reboot. If it was proxy based, any browser could use it and we'd likely see a Google proxy too, since the data would be quite valuable and power users would naively trust Google more than Microsoft.

from Microsoft Research

[krunk4ever]

Do note, this is from Microsoft Research and not a core developement team working on the browser. There will always be bugs in software, just like virus can exist on any OS (though some may have more than others). MSR has been renowned for coming up with interesting solutions for interesting problems. I mean Firefox, Opera, Safari, and any other browser out there has been hit with exploits before. I mean every update of Firefox I download has multiple security updates. I'm not saying a perfect browser can't exist, but the road to get there requires both time and effort, espeically while trying to add new features to keep up to date to be able to compete with other browsers.

Just like how AV software isn't the solution to viruses, it's done quite well in protecting many systems. I personally don't understand exactly how this browsershield works, but from what I can grasp, it seems to be an additional check before loading the page into the browser and removing any malicious code. How it detects the malicious code is not clear, but having seen interesting research come out of MSR, I have my faith in these guys to have come up with an interesting solution.

Re:So, what does this stop?

[legoburner]

So it looks like what this does is execute scripts that generate HTML and then check the HTML for known vunerabilities.

Next stop, badware scripts that generate javascript which then goes on to make HTML instead of just generating HTML. I am sure that there will be many levels of potential obfuscation that can only be stopped by using a browser engine to parse/validate the javascript, and at that point wouldn't the browser engine be vulnerable to the same exploits?

Tryed with anti-virus software. And failed.

[ThePhilips]

Well, I thought anti-virus software vendors already failed at similar effort. Every new virus out there first disables all known anti-virus software.

It all boils down to question: how could you tell malicious content from good one??? You would have to resort to signatures. That wouldn't help against 0day exploits in no way, since on that day 0 most signatures are not yet updated.

From the article it sounds more like standard corporate firewall functionality: "block all what looks like HTTP redirect, since that can IE exploit", "block all .exe attachments since that might be Outlook exploit", "block .wmf since that might be IE/Outlook exploit", etc. Nothing new.

Malicious hackers typically embed scripts on Web sites and then use social engineering techniques to trick unsuspecting visitors into downloading Trojans, bots, spyware programs and other harmful forms of malware.

With BrowserShield, Wang argues, many such attacks could be blocked. BrowserShield can be used as a framework that rewrites HTML pages to deny any attempt at executing harmful code on browsers.

Buhahaha! Very funny!! They at Redmond take Windows security very very seriously - they have put best PR people on it!!!

Good luck at identifying that "harmful code," darling!

P.S. And for that "rewrites HTML pages" bit be sure to have M$' lawyers ready. Few content providers would like idea that their pages may be rewritten by the software monopolist.

P.P.S. Would M$ ever learn? How long they intend to have that "ActiveX" crap enabled in their browsers by default?? How many sacrifices they intended to make???

P.P.P.S. On related news from Germany, my employer (about 150 desktops) 1.5 year ago has banned M$IE. Firefox and Opera must be used to access inter/intranets.

Re:Bye bye karma

[NatasRevol]

No, we hate the idea because it's bloody fucking obvious to everyone except Microsoft that they should fix all the vulnerabilites in IE before building a wall around them. In other words, use the shield code to FIX IE.

Yes, firewalls do this, but you don't see Mailman building a mail shield to protect its vulnerabilities - they fix them. You don't see Firefox building a web shield to protect its vulnerabilites - they fix them. Etc, etc, etc.

The concept from MS is fine. The implementation, as is typical, is truly horrendous. Insecure layer after insecure layer will hopefully catch some of the bad stuff, but won't truly protect you because it's not built with fundamental security as a principal idea, but as an after thought. Now, you're going to have to update Windows, IE, AND the web shield. One more way to help users...or not.

But that's just my opinion...

Re:Hold on a second...

[MECC]

Its like using filter paper. The more layers of holey software you use, the more likey that bugs will get stuck on one of layers.

Except that for each layer of holey software, there are new off-ramps to to the operating system. Such exploits won't care about getting to the browser, since they can just exploit the 'software shield' and get to the operating system to do their damage via that vector.

No, I think this just creates more opportunity for system exploits, especially if MS grafts the so-called shield onto their OS.

Security from MS cannot work

[Opportunist]

No, hold on, not a MS-bashing comment, please read on.

It's not that MS is "inapt" or that they can't get their act together, it's simply that computers are computers, people are people and the mix of those is by its very nature unreliable and insecure. No matter how good you make it, there will always be tiny cracks in the security, be it for technical shortcomings or flaws in human nature that can be manipulated by social engineering.

Now, MS is the biggest manufacturer of operating systems. This shield will, invariably, also be present on every PC running their OS. So the first thing you have to defeat, as the attacker, is this shield. Can't get past it, don't bother continuing trying to defeat other security software that may or may not be present. This shield WILL be present!

So every attacker out there WILL have to come up with a cracking scheme. No matter what the cost, no matter how long it takes. It HAS to be cracked.

Thus security from MS cannot be relied on. Not because it is insecure in any way. But because every piece of malware HAS to come with some procedure to circumvent MS security. It will invariably have countermeasures in its arsenal.

Re:Just what we need

[asylumx]

Just admit that you'll never be happy with MS no matter what they do, and stop whining.

Damn them for not making a secure browser, but damn them again for trying to fix it, eh?

Flame on, since I'll probably get marked as troll for pointing out the truth.

Re:Just what we need

[LifesABeach]

Let us ponder the Logistics here. Millions of Vista O/S'es in the wild. And exploit has been detected. The bad people find out. The good people find out. Bad people start writing code to use the exploit. Good people start writing code to remove the exploit. Within a day, Root Kits are sent out globally. 3 or more weeks later,(using past performance data), Vista patches are sent out globally.

I predict, "who ever writes patches for Microsoft will have a job for life." I envy that person.

"slowly, one by one, the penguins steal my sanity" - Unknown

Re:I made a similar product once.

[rbochan]

I'll reiterate:

Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently."

    -Craig Mundie, Microsoft CTO