
Major IE8 Flaw Makes "Safe" Sites Unsafe (83 comments)

Posted by kdawson on Tuesday November 24, @05:32PM
from the keep-your-scripts-to-yourself dept.
After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.
  • by Anonymous Coward on Tuesday November 24, @05:33PM (#30219820)

    IE8 is compatible with sites designed for IE6. You won't see other browsers going the extra mile like this.

    • Re: (Score:3, Insightful)

      Strangely enough, I'm torn between demanding a funny mod or an insightful one for you.

      ...times like this that /. really needs a "Funny-but-Damned-Clever" mod.

    • ... run injected code.

      Damn! Code injection! Is that like Fuel Injection? So, I'll get better performance and speed from it?

        • Maybe Taco & co. aren't adding 'coolforsale' to the lameness filters thinking they'll start some kind of escalating spam war?

          Otherwise I don't know why the hell they don't just do it already.

  • by BeaverAndrew (1645577) on Tuesday November 24, @05:36PM (#30219854)
    Oh my gosh! Internet Explorer is not safe to use? This is incredibly hot, breaking news to me.
    • I must dispute your view in the strongest terms possible. Internet Explorer is perfectly safe for everyday use. However, as there is no such thing as perfect security, you must take additional precautions to keep evil hackers away from your data. Apply these rules according to the sensitivity of your data, from least important to most:
      • Disconnect your computer from your local network. Download files on another computer, scan them for viruses, print them out, scan them into your Windows PC using ORC software, and then view the pages in IE.
      • Do the above, but have a priest onsite to bless each page individually before scanning it. This is an excellent deterrent against viruses with the word "demon" in the name.
      • Do the above, but encase your PC in acrylic and immerse it in a 10,000 gallon tank of holy water. Interact with it while wearing scuba gear.
      • Do the above, but put a lid on the tank and immerse it in the ocean. Interact with your PC via a submersible robot in the tank from outside while wearing scuba gear.

      If you fail to follow these simple security guidelines, you can't blame Microsoft for the results.

  • In other news (Score:5, Insightful)

    by Dartz-IRL (1640117) on Tuesday November 24, @05:37PM (#30219864)

    Rain is wet....

    Despite MS's best efforts, IE just won't shake its 'insecure' tag, will it?

    Part of me wonders if perhaps these vulnerabilities aren't being made a big deal of because of the reputation of IE6. The rest of me which started using Firefox a long time ago just feels smug and superior.

    • Re: (Score:2, Funny)

      Part of me wonders if perhaps these vulnerabilities aren't being made a big deal of because of the reputation of IE6. The rest of me which started using Firefox a long time ago just feels smug and superior.

      Dude, cutting yourself in half over a web browser seems a little extreme.

      • Re: (Score:3, Funny)

        by selven (1556643)

        I agree, that is excessive. BTW, do you use vim or emacs? I want to know whether or not I should call the hit.

    • Re: (Score:1, Flamebait)

      by vistapwns (1103935)
      Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed.
      • Re: (Score:3, Informative)

        by lorenlal (164133)

        As long as you have UAC enabled... Implying that you have Vista or Windows 7.

        • Re: (Score:3, Interesting)

          by DJRumpy (1345787)

          That's the clincher. I can only imagine how many corporations are in the same boat as mine. Tons of IE6 specific apps and XP due to the Vista fiasco. I'm still waiting for an IE upgrade, years after 7 and 8 have been released. It's about as insecure as you can get, yet they still use it.

          This alone should teach the dangers of relying on a single vendor too much. What's odd is they are actually very good about this on any other platforms, but they wear blinders when it comes to Microsoft products.

          • Get win 7 professional. Have your IE8 in 7, and your IE6 in xpmode. Problem solved.
            • Re:In other news (Score:5, Insightful)

              by DJRumpy (1345787) on Tuesday November 24, @08:55PM (#30221816)

              Yes, after months or years of testing. Had IE been standards compliant in the first place, without all of the OS specific hooks, many companies wouldn't be in this boat.

              It is not an insignificant effort to get off of IE 6, especially without many thousands of users, and hundreds or thousands of apps that will break, or require testing under Windows 7's Virtual PC software.

              • Had IE been standards compliant in the first place, without all of the OS specific hooks, many companies wouldn't be in this boat.

                Well, I still have to test in IE8, because it still is not standards compliant in many key respects. Them citing that it's compliant is irrelevant to reality. When key CSS or Javascript features are not yet compliant, and they are highly used ones, then it becomes an issue. DIV placement is still an issue. XML requests still need to be handled differently. Various CSS attributes still need to be handled differently or they will not render the same as in any other browser. Table attributes (no, I am not goin

                • I beg to differ. If the hooks are OS specific, then chances are that they will not work on any other OS but the one they are targeted for.

                  Change the OS, and your applications break. This proprietary path is most definitely NOT standards compliant. If your browser is using non-standard HTML tabs, methods, or properties, then it is not standards compliant. IE6 may have displayed the standard HTML without issue (debatable), but it also had non-standard MS specific implementations that are specific only to IE.

                  C

      • Re: (Score:3, Funny)

        "Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed."

        I think you are going overboard there. Just because Microsoft IE engineers have their head in the sand, that's no reason to call the whole project sandboxed. You inspired me to write a little one question deductive reasoning test, just for you:

        Q: The degree and number of IE security problems compared to Firefox is like:

        A) The number of people starving in Ethiopia compared to the number of

      • Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed.

        Why you aren't marked troll, on a site with relatively technologically savvy people (and a decent collection of trolls making up the rest of its populace) I don't know.

        The differences between IE and Firefox when it comes to security issues is... deep space and day on Earth.

        Why you ask?

        Start with no such software tends to truly be secure.

        When someone finds and posts about a security vulnerability in Firefox, it gets acknowledged and addressed. When someone posts about a security issue in IE, Microso

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Are you sure you should be feeling so smug?

      Slashdot posted that Firefox may not be as secure as you might think it is.

      http://tech.slashdot.org/story/09/11/11/1626224/Firefox-Most-Vulnerable-Browser-Safari-Close?art_pos=5

    • Re: (Score:3, Insightful)

      by erroneus (253617)

      The browser is still an integral part of the OS. All else follows.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        You didn't RTFA. The flaw is located in normal user-mode code. Nothing about the flaw is in any way amplified or exacerbated by any perceived OS integration.
        And for that matter, IE has been a normal program from day one, however much MS may choose to deny that. IE is only a part of the OS in the sense that its rendering engine is used by the help system and the like. Is Konqueror part of the Linux kernel? Of course not.

      • Re: (Score:3, Informative)

        You mean the article that only has a single pie graph comparing browsers? And no discussion at all of where he got his list of vulnerabilities from?
        I don't think it is that they are selective, just that they refused to accept numbers on faith alone.
      • An independent study is not (a) one funded by Microsoft or (b) one performed by a company that Microsoft has a large financial stake in. Please point me to ANY independent study that does not fit into category (a) or category (b) or both.

        That aside, such statistics are irrelevant when one takes into account that if a Firefox vulnerability is reported and fixed/not fixed, the whole world knows about it or can at least look it up on the Firefox dev sites... while in the meantime, if an IE vulnerability is r

  • The bug is not, however, present in Internet Explorer 5.01 SP4 or Internet Explorer 8.

    Oh, wait. IE8 has a bunch of other security flaws that make it insecure anyway, and nobody would think to use IE 5.x on anything worth protecting.

    • If it is anything like IE 5.2 for Mac, then very few sites will work in it anyway. I am aware that it isn't exactly the same as the Windows version, it does support the <q> tag for example, whereas the Windows version doesn't.

  • Redundant (Score:4, Insightful)

    by gyrogeerloose (849181) on Tuesday November 24, @05:54PM (#30220094)
    "IE8 Flaw" is, in and of itself, a redundancy.
    • IE = Internet Exploder. So an IE flaw would constitute IE not exploding the internet (ie. working as it should). So far the record is spotless.

      • Again, that's "Interfect Exploder". Remember to ask for it by name!

        Cheers,

        • I think my old boss Doug had a better name for IE-"Internet Exploiter". After all if you use Internet Exploiter you can be pretty assured of being exploited by every scammer, bugwriter, and malware vendor on the planet. Between it and Outlook Excrement you are sure to have more viruses than a Bangkok whore with crotch itch! Accept no substitute!

          Seriously though, why don't they just give up already? IE is already the joke of the IT world, and it seems like we are always hearing about IE getting pwned one

        • Heh. We always called it "Insecure exploder"
  • It's not a bug (Score:1, Redundant)

    It's a feature.

  • The exploit currently doing the rounds is not particularly stable and often just causes the browser to crash.

    It doesn't sound like much of a threat and if anything, folks may think it's a bug and move to IE 8 or to another browser altogether - solving the problem without installing any fixes.

  • It seems to me that if the IE team is capable of telling that a combination of features is potentially dangerous, then why would they edit the source of the page to avoid triggering the vulnerability, rather than actually eliminating the vulnerability being attacked?

    • MS thought they were being safe, like replacing single quotes with double before making an INSERT statement for a database, or removing less-than or greater than characters to prevent someone embedding <script> tags everywhere.

      The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones

      Someone is pre-formatting the data so that when it is re-written, it becomes dangerous. In other words, this is like EVER

      • MS thought they were being safe, like replacing single quotes with double before making an INSERT statement for a database, or removing less-than or greater than characters to prevent someone embedding tags everywhere.

        I understand what they were trying to do. It's like every idiot web designer who manages to make it impossible for people named "d'Agostino" (or for that matter "da Silva") to register at their web site. This whole approach has been known to be made of 100% undiluted organic FAIL for a decade

  • When asked why they are disabling the XSS protection in IE8, Google responds that IE8 has an undisclosed vulnerability. Anyone here think Google is just mud-slinging to disparage the main competitor to Chrome?

    • Even without the security problem, I would disable XSS protection on my sites. If I've made a mistake and let an HTML-injection flaw in my app, chances are it'll still be vulnerable (since IE8's XSS protection is a pathetic string-hack on the HTML source which is insufficient to protect against anything but the most basic of attacks), so IE8 is offering only to obfuscate and not fix my problems.

      Meanwhile if I allow XSS “protection”, I have a problem when someone legitimately uses a term in the q

    • by praseodym (813457) on Tuesday November 24, @06:41PM (#30220680) Homepage

      Except, that was the FIRST security flaw linked in the article. The SECOND one (at The Register) is about a different security flaw, in the XSS filter. The XSS filter is new in IE8.

      And, BTW, Google does indeed disable it so that they are not vulnerable to the flaw: their servers send a "X-XSS-Protection: 0" header.

        • That doesn't really make sense; if XSS screws up their system, why disable IE's protection for it? The only reason must be that the XSS protection is flawed.
            • That doesn't make sense:
              1. Google serves all ads within Google.com from that same domain. No cross-site scripting anywhere, so nothing for the XSS filter to block.
              2. For external sites (AdSense), disabling the XSS filter on Google.com won't help either: the external site would have to disable it. Otherwise anyone could just disable the XSS filter on their own domain and hack away on other sites.
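
The server side of what the comments above describe, as an added example that is not part of the original thread or any site's real code: a page that opts out of the IE8 filter with `X-XSS-Protection: 0` and relies on its own output encoding instead. The WSGI app, the `render` helper and the sample queries are constructed for illustration.

```python
import html
from urllib.parse import parse_qs


def app(environ, start_response):
    """Minimal WSGI search page (hypothetical) that reflects the 'q' parameter."""
    query = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    # Encode for the HTML contexts used below (element text and a quoted
    # attribute). The input is kept intact, not stripped or rewritten, so a
    # name such as d'Agostino still displays correctly.
    safe = html.escape(query, quote=True)
    body = (
        "<!doctype html><title>Search</title>"
        '<form><input name="q" value="{0}"></form>'
        "<p>Results for <b>{0}</b></p>"
    ).format(safe).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
        # The header quoted in the thread: tells IE8 not to run its XSS
        # filter on this response.
        ("X-XSS-Protection", "0"),
    ])
    return [body]


def render(query_string):
    """Call the app in-process and return (status, headers dict, body text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"QUERY_STRING": query_string}, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample requests: a markup probe and a legitimate apostrophe.
    for qs in ("q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "q=d%27Agostino"):
        status, headers, body = render(qs)
        print(status, headers["X-XSS-Protection"])
        print(body)
```
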
