Microsoft Research Builds 'BrowserShield'

SteelyBen writes "Researchers at Microsoft have completed work on a prototype framework called BrowserShield that promises to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages. The BrowserShield project, an outgrowth of the company's 'Shield' initiative, could one day even become Microsoft's answer to zero-day browser exploits such as the WMF (Windows Metafile) attack that spread like wildfire in December 2005."

Re:Just what we need

[holdenholden]

I was ambivalent on this until I read the word "Intercept". So basically this new layer sits between the browser and the Intratubes and rewrites pages according to some predetermined criteria. Now there are two options: either they ship the signatures of new exploits to me (via an update) or the layer is on their side (like a proxy).

In the first case: why not ship the actual updates? Otherwise, how would they guarantee that Grandma will update the signatures? Maybe they will need another layer between the new layer and the Tubes, so that the new new layer will rewrite the pages in case the old new layer is not updated. This is not very sensible...

On the other hand, if they host the layer on their side, clearly I am not interested in sharing this information with MS. Either way, I don't see how it will work.

Showing the page anyway?

[CosmeticLobotamy]

It goes without saying that I didn't read the article, but it sounds like they remove the bad stuff and then show the page anyway. Why? Why not just show a page that says, "These f***ing scumbags just tried to f*** up your computer. Quit going there, and punch them in the mouth if you meet them. In the mean time, find a less dangerous source of porn."

That's not even the real danger...

[babbling]

Researchers at Microsoft have completed work on a prototype framework called BrowserShield that promises to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages.

What happens when you mix this with Digital Restrictions Management that goes down to the hardware level? What I'm getting at is, what if it's not malicious code that is being replaced by a "safe equivalent", but perhaps a controversial story on a news website, or an important email between governments?

In the future, he who controls the computers controls the world. Digital Restrictions Management will one day give just a few computer companies control over every internet-connected computer in the world.

Some people will respond to this with "ahh.. I'll just use a firewall". Those people do not realise that firewalls will contain DRM, too.

Re:Just what we need

[NovaX]

why not ship the actual updates?

Sometimes, in the short term, fixing a bug is harder than making sure that it won't be exploited 95%+ of the time. This could be due to architecture/legacy issues, not having resource(s) who know that code base, or the fixer not knowing the code. By using signatures, you're seperating the person that writes the signature from knowing any of the code for the underlying product. Its probably much quicker since they don't have a steep learning curve, can rapidly generate signatures, and its both a cheaper and faster solution. That's not to say its good long term, but considering why IE is slow to fix bugs (MS had haulted development) this has the benefit of being independant and much easier to maintain.

On implementation, Vista will have auto-updates on be default. From their work towards making Windows far more modular, they can probably now stop services, patch, and restart them seemlessly instead of requiring a reboot. If it was proxy based, any browser could use it and we'd likely see a Google proxy too, since the data would be quite valuable and power users would naively trust Google more than Microsoft.

Tryed with anti-virus software. And failed.

[ThePhilips]

Well, I thought anti-virus software vendors already failed at similar effort. Every new virus out there first disables all known anti-virus software.

It all boils down to question: how could you tell malicious content from good one??? You would have to resort to signatures. That wouldn't help against 0day exploits in no way, since on that day 0 most signatures are not yet updated.

From the article it sounds more like standard corporate firewall functionality: "block all what looks like HTTP redirect, since that can IE exploit", "block all .exe attachments since that might be Outlook exploit", "block .wmf since that might be IE/Outlook exploit", etc. Nothing new.

Malicious hackers typically embed scripts on Web sites and then use social engineering techniques to trick unsuspecting visitors into downloading Trojans, bots, spyware programs and other harmful forms of malware.

With BrowserShield, Wang argues, many such attacks could be blocked. BrowserShield can be used as a framework that rewrites HTML pages to deny any attempt at executing harmful code on browsers.

Buhahaha! Very funny!! They at Redmond take Windows security very very seriously - they have put best PR people on it!!!

Good luck at identifying that "harmful code," darling!

P.S. And for that "rewrites HTML pages" bit be sure to have M$' lawyers ready. Few content providers would like idea that their pages may be rewritten by the software monopolist.

P.P.S. Would M$ ever learn? How long they intend to have that "ActiveX" crap enabled in their browsers by default?? How many sacrifices they intended to make???

P.P.P.S. On related news from Germany, my employer (about 150 desktops) 1.5 year ago has banned M$IE. Firefox and Opera must be used to access inter/intranets.