Major IE8 Flaw Makes "Safe" Sites Unsafe

After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.

See, Microsoft is right

IE8 is compatible with sites designed for IE6. You won't see other browsers going the extra mile like this.

Re:See, Microsoft is right

[Penguinisto]

Strangely enough, I'm torn between demanding a funny mod or an insightful one for you.

...times like this that /. really need a "Funny-but-Damned-Clever" mod.

Re:See, Microsoft is right

[Jurily]

...times like this that /. really need a "Funny-but-Damned-Clever" mod.

The best humor has an element of truth.

Re:See, Microsoft is right

[TheVelvetFlamebait]

We do. It's called -1 Troll.

Breaking News

[BeaverAndrew]

Oh my gosh! Internet explorer is not safe to use? This is incredible hot, breaking news to me.

Re:Breaking News

[palegray.net]

I must dispute your view in the strongest terms possible. Internet Explorer is perfectly safe for everyday use. However, as there is no such thing as perfect security, you must take additional precautions to keep evil hackers away from your data. Apply these rules according to the sensitivity of your data, from least important to most:

• Disconnect your computer from your local network. Download files on another computer, scan them for viruses, print them out, scan them into your Windows PC using ORC software, and then view the pages in IE.
• Do the above, but have a priest onsite to bless each page individually before scanning it. This is an excellent deterrent against viruses with the word "demon" in the name.
• Do the above, but encase your PC in acrylic and immerse it in a 10,000 gallon tank of holy water. Interact with it while wearing scuba gear.
• Do the above, but put a lid on the tank and immerse it in the ocean. Interact with your PC via a submersible robot in the tank from from outside while wearing scuba gear.

If you fail to follow these simple security guidelines, you can't blame Microsoft for the results.

Re:Breaking News

[Penguinisto]

Internet Explorer is perfectly safe for everyday use.

As long as you follow the old US gov't C3 security guidelines/settings for Windows NT 4.0 while you do it, sure.

Re:Breaking News

[dkleinsc]

You forgot to do something to filter out those pages with the Evil Bit set (see RFC 3514).

Re:Breaking News

[lorenlal]

No no no... I think he's on to something there.

In other news

[Dartz-IRL]

Rain is wet....

Despite MS best efforts, IE just won't shake it's 'insecure' tag, will it?

Part of me wonders if perhaps these vulnerabilities aren't being made a big deal of because of the reputation of IE6. The rest of me which started using Firefox a long time ago just feels smug and superior.

Re:In other news

[palegray.net]

Part of me wonders if perhaps these vulnerabilities aren't being made a big deal of because of the reputation of IE6. The rest of me which started using Firefox a long time ago just feels smug and superior.

Dude, cutting yourself in half over a web browser seems a little extreme.

Re:In other news

[vistapwns]

Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed.

Re:In other news

Are you sure you should be feeling so smug?

Slashdot posted that Firefox may not be as secure as you might think it is.

http://tech.slashdot.org/story/09/11/11/1626224/Firefox-Most-Vulnerable-Browser-Safari-Close?art_pos=5

Re:In other news

[erroneus]

The browser is a still an integral part of the OS. All else follows.

Re:In other news

[selven]

I agree, that is excessive. BTW, do you use vim or emacs? I want to know whether or not I should call the hit.

Re:In other news

[lorenlal]

As long as you have UAC enabled... Implying that you have Vista or Windows 7.

Re:In other news

[quickOnTheUptake]

You mean the article that only a single pie graph comparing browsers? And no discussion at all of where he got his list of vulnerabilities from?
I don't think it is that they are selective, just that they refused to accept numbers on faith alone.

Re:In other news

[DJRumpy]

That's the clincher. I can only imagine how many corporations are in the same boat as mine. Tons of IE6 specific apps and XP due to the Vista fiasco. I'm still waiting for an IE upgrade, years after 7 and 8 have been released. It's about as insecure as you can get, yet they still use it.

This alone should teach the dangers of relying on a single vendor too much. What's odd is they are actually very good about this on any other platforms, but they wear blinders when it comes to Microsoft products.

Re:In other news

[LordLimecat]

Get win 7 professional. Have your IE8 in 7, and your IE6 in xpmode. Problem solved.

Re:In other news

[DJRumpy]

Yes, after months or years of testing. Had IE been standards compliant in the first place, without all of the OS specific hooks, many companies wouldn't be in this boat.

It is not an insignificant effort to get off of IE 6, especially without many thousands of users, and hundreds or thousands of apps that will break, or require testing under Windows 7's Virtual PC software.

Re:In other news

[Zero__Kelvin]

"Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed."

I think you are going overboard there. Just because Microsoft IE engineers have their head in the sand, that's no reason to call the whole project sandboxed. You inspired me to write a little one question deductive reasoning test, just for you:

Q: The degree and number of IE security problems compared to Firefox is like:

A) The number of people starving in Ethiopia compared to the number of people who couldn't Super-Size their McDonald's order today
B) The death toll in a plane crash compared to the death toll in a skateboarding accident
C) The pain involved in being shot in the stomach by a twelve gauge compared to the pain of a hangnail
D) All of the above

Good luck, and don't forget to phone a friend if possible!

Re:In other news

[DJRumpy]

I beg to differ. If the hooks are OS specific, then chance are, that they will not work on any other OS but the one they are targeted for.

Change the OS, and your applications break. This proprietary path is most definitely NOT standards compliant. If your browser is using non-standard HTML tabs, methods, or properties, then it is not standards compliant. IE6 may have displayed the standard HTML without issue (debatable), but it also had non-standard MS specific implementations that are specific only to IE.

Compliance cuts both ways, both in what you do within and outside of the standards.

Re:In other news

You didn't RTFA. The flaw is located in normal user-mode code. Nothing about the flaw is in any way amplified or exacerbated by any perceived OS integration.
And for that matter, IE has been a normal program from day one, however much MS may choose to deny that. IE is only a part of the OS in the sense that its rendering engine is used by the help system and the like. Is Konqueror part of the Linux kernel? Of course not.

Re:In other news

[furbearntrout]

FWIW, That article also had a link to a PDF, which also had a single pie graph comparing browsers, and no discussion at all of where he got his list of vulnerabilities from.

Re:In other news

[RobertM1968]

Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed.

Why you aren't marked troll, on a site with relatively technologically savvy people (and a decent collection of trolls making up the rest of it's populace) I don't know.

The differences between IE and Firefox when it comes to security issues is... deep space and day on Earth.

Why you ask?

Start with no such software tends to truly be secure.

When someone finds and posts about a security vulnerability in Firefox, it gets acknowledged and addressed. When someone posts about a security issue in IE, Microsoft sends takedown notices and threat letters, and then, if no one else has noticed the posts or issue, they pretend it isn't an issue or isnt serious until they get "taken to the mat" about it by the Internet populace.

When the Firefox team fixes an issue, it is usually fixed... when Microsoft "fixes" security issues, they resurface numerous times afterwards because they were truly not fully fixed. As an example, I cite the .Net fixes, the most recent one (the one noted due to the Firefox plugin snuck into a .Net update) which was the SIXTH MAJOR attempt to fix the same issue. FIVE years and SIX MAJOR attempts (and who knows how many minor attempts) and this time they promise it is truly fixed. Really. They promise.

Microsoft often takes months (and sometimes years) to release patches for vulnerabilities... the Firefox team is much quicker and usually (though not always) takes days or weeks.

Should I go on?

Every decent sized piece of software has problems. The key points that makes Firefox and IE bad comparisons aren't the number of issues (though in that respect, IE still has had far more as is evidenced by the security sites NOT owned by Microsoft (which are dwindling))... the key points are how they are dealt with.

Software that cannot be patched (because the patches dont exist or take months or longer to be released) creates massive problems on the Internet (or a massive third party security suite market - or both) that encompasses large amounts of time (months of bots and such beating away at other machines). Software that can or is patched quickly minimizes such a scenario. That is simply very basic math. Take the number of infectable machines (even assume that IE and Firefox's market share is the same for this), multiply by the amount of days a patch does not exist, multiply by the amount of machines each can infect per day... now, with Microsoft's long time period between acknowledging and fixing such issues... which browser is better?

As for IE being sandboxed... we have already noted (as numerous of the new vulnerabilities have proven) that such "technology" has not worked in either IE7 or IE8. So who cares that it is sandboxed? It doesn't work, thusly it doesn't matter.

Re:In other news

[RobertM1968]

Had IE been standards compliant in the first place, without all of the OS specific hooks, many companies wouldn't be in this boat.

Well, I still have to test in IE8, because it still is not standards compliant in many key respects. Them citing that it's compliant is irrelevant to reality. When key CSS or Javascript features are not yet compliant, and they are highly used ones, then it becomes an issue. DIV placement is still an issue. XML requests still need to be handled differently. Various CSS attributes still need to be handled differently or they will not render the same as in any other browser. Table attributes (no, I am not going to get into the tables vs divs war right now either, so dont even go there) still dont get properly handled in IE8 (or IE7 or of course IE6).

For the most part, if I write it, it works in Chrome, Opera, Safari and Firefox without the need for changes... still not so with IE8 (or IE7 or obviously IE6).

And because of not-so-complete uptake of IE7 or IE8, it means I have to test for all three major IE variants - and then either Firefox or Chrome or Safari (and occassionally all three just to be sure - though that is rarely a need and more out of choice).

So, though what you say about previous versions is true, it still does apply to a decent extent to IE8 as well. Perhaps one day, there will be an IE release that is actually standards compliant. But we aren't there yet.

Re:In other news

[RobertM1968]

An independant study is not (a) one funded by Microsoft or (b) one performed by a company that Microsoft has a large financial stake in. Please point me to ANY independent study that does not fit into category (a) or category (b) or both.

That aside, such statistics are irrelevant when one takes into account that if a Firefox vulnerability is reported and fixed/not fixed, the whole world knows about it or can at least look it up on the Firefox dev sites... while in the meantime, if an IE vulnerability is reported, Microsoft tries to hide it, squelches as many references to it that it can, and has even denied that such an issue exists - at least until some half assed patch (that often does not fully address the issue - .Net anyone?) is released.

Redundant

[gyrogeerloose]

"IE8 Flaw" is, in and of itself, a redundancy.

Re:Redundant

[selven]

IE = Internet Exploder. So an IE flaw would constitute IE not exploding the internet (ie. working as it should). So far the record is spotless.

Re:Got to love (joke) the MS spin

[jonbryce]

If it is anything like IE 5.2 for Mac, then very few sites will work in it anyway. I am aware that it isn't exactly the same as the Windows version, it does support the <q> tag for example, whereas the Windows version doesn't.

Would anyone know they were infected?

[NoYob]

The exploit currently doing the rounds is not particularly stable and often just causes the browser to crash.

I doesn't sound like much of a threat and if anything, folks may think it's a bug and move to IE 8 or to another browser all together - solving the problem without installing any fixes.

Yeah, and NEW technology

[NoYob]

... run injected code.

Damn! Code injection! Is that like Fuel Injection? So, I'll get better performance and speed from it?

Re:Ummm

[hrimhari]

Looks like you went to the wrong article.

Re:It's not a bug

[hrimhari]

You got it! It's Microsoft's version to Opera Unite! And to think they had it all along...

Re:Ummm

[lorenlal]

Please go to the "a new hole in IE8" article.

And if you're looking for the article to *read* it... yes, you are new here.

Re:IE8 is *not* vulnerable

[praseodym]

Except, that was the FIRST security flaw linked in the article. The SECOND one (at The Register) is about a different security flaw, in the XSS filter. The XSS filter is new in IE8.

And, BTW, Google does indeed disable it so that they are not vulnerable to the flaw: their servers send a "X-XSS-Protection: 0" header.

That seems like a really strange thing to do...

[argent]

It seems to me that if the IE team is capable of telling that a combination of features is potentially dangerous, then why would they edit the source of the page to avoid triggering the vulnerability, rather than actually eliminating the vulnerability being attacked?

No no, IE == "Interfect Exploder"

[zooblethorpe]

Again, that's "Interfect Exploder". Remember to ask for it by name!

Cheers,

Re:No no, IE == "Interfect Exploder"

[hairyfeet]

I think my old boss Doug had a better name for IE-"Internet Exploiter". After all if you use Internet Exploiter you can be pretty assured of being exploited by every scammer, bugwriter, and malware vendor on the planet. Between it and Outlook Excrement you are sure to have more viruses than a Bangkok whore with crotch itch! Accept no substitute!

Seriously though, why don't they just give up already? IE is already the joke of the IT world, and it seems like we are always hearing about IE getting pwned one way or another, so why not be smart and just buy one of the smaller players and use that instead? Hell IE is so far behind the standards at this rate it'll take them another decade to catch up anyway, and with all that money I'm sure they could score Opera easily, hell they could probably buy it dirt cheap! And as a bonus it would give them a mobile browser that doesn't suck! It's a two for one deal!

Re:No no, IE == "Interfect Exploder"

[bobintetley]

Heh. We always called it "Insecure exploder"

New IE8 security feature.

A New IE8 security feature... bug.... feature.... bug..... feature.... bug...... feature....bug.

Now that other companies browser has a huge flaw!

[fluffy99]

When asked why they are disabling the XSS protection in IE8, Google responds that IE8 has a undiclosed vulnerability. Anyone here think Google is just mud-slinging to disparrage the main competitor to Chrome?

Re:Now that other companies browser has a huge fla

[TropicalCoder]

No

Re:See, Microsoft is right,Christmas gifts

[elysiuan]

Maybe Taco & co. aren't adding 'coolforsale' to the lameness filters thinking they'll start some kind of escalating spam war?

Otherwise I don't know why the hell they don't just do it already.

Re:See, Microsoft is right,Christmas gifts

[Meski]

It reminds me of those sub-literate bots you see on Warcraft trade channel. My finger itches to right-click report spam it.

And the moral of this story is:

"Friends don't let friends use Microsoft products without the services of a lawyer"

or was it, "in Soviet Redmond, browser uses you"?

Law of unintended consequences.

[b4dc0d3r]

MS thought they were being safe, like replacing single quotes with double before making an INSERT statement for a database, or removing less-than or greater than characters to prevent someone embedding <script> tags everywhere.

The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones

Someone is pre-formatting the data so that when it is re-written, it becomes dangerous. In other words, this is like EVERY OTHER VULNERABILITY EVER. Someone makes a feature, doesn't think it through completely, and either leaves a hole, bypass, or unintended consequence.

Re:See, Microsoft is right,Christmas gifts

[vishbar]

When the hell did "cool" become a noun anyway? That bothers the hell out of me.

Re:IE8 is *not* vulnerable

[plague3106]

Or they do it because XSS screws up their ad-revenue system.

Re:IE8 is *not* vulnerable

[praseodym]

That doesn't really make sense; if XSS is screws up their system, why disable IE's protection for it? The only reason must be that the XSS protection is flawed.

Indeed. There is no facepalm epic enough.

[argent]

MS thought they were being safe, like replacing single quotes with double before making an INSERT statement for a database, or removing less-than or greater than characters to prevent someone embedding tags everywhere.

I understand what they were trying to do. It's like every idiot web designer who manages to make it impossible for people named "d'Agostino" (or for that matter "da Silva") to register at their web site. This whole approach has been known to be made of 100% undiluted organic FAIL for a decade. There is no lolcat facepalm epic enough for this.

Re:Now that other companies browser has a huge fla

[Bob+Ince]

Even without the security problem, I would disable XSS protection on my sites. If I've made a mistake and let an HTML-injection flaw in my app, chances are it'll still be vulnerable (since IE8's XSS protection is a pathetic string-hack on the HTML source which is insufficient to protect against anything but the most basic of attacks), so IE8 is offering only to obfuscate and not fix my problems.

Meanwhile if I allow XSS “protection”, I have a problem when someone legitimately uses a term in the query string that appears in the page and looks to IE like it might be dangerous. This is easy to do: just searching for ‘<style>’ will often break the CSS of the search results page.

Not only that, but I'm also open to deliberate sabotage when an attacker looks at my source, finds some script they don't like, and puts it in the query string so that IE8 doesn't execute it. Certainly this can be used to deliberately disable things like frame-buster scripts, to get around redress attack protections. It is presumably a form of this deliberate attack crafting that leads to whatever the undisclosed vulnerability is.

So no, I don't think Google are wrong. IE8's XSS protection is utterly, utterly bogus. It adds only more complication and more problems to webmasters' lot and no real effective security.

Re:IE8 is *not* vulnerable

[plague3106]

If their ad tech relies on XSS, and IE successfully blocks XSS on google, then disabling it would allow googles ad tech to work again. Not that hard, really..

Re:IE8 is *not* vulnerable

[praseodym]

That doesn't make sense:
1. Google serves all ads within Google.com from that same domain. No cross-site scripting anywhere, so nothing for the XSS filter to block.
2. For external sites (AdSense), disabling the XSS filter on Google.com won't help either: the external site would have to disable it. Otherwise anyone could just disable the XSS filter on their own domain and hack away on other sites.