Forgot your password?
typodupeerror
Internet Explorer Security The Internet IT

Major IE8 Flaw Makes "Safe" Sites Unsafe 83

Posted by kdawson
from the keep-your-scripts-to-yourself dept.
After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.
This discussion has been archived. No new comments can be posted.

Major IE8 Flaw Makes "Safe" Sites Unsafe

Comments Filter:
  • by Anonymous Coward on Tuesday November 24, 2009 @06:33PM (#30219820)

    IE8 is compatible with sites designed for IE6. You won't see other browsers going the extra mile like this.

    • Re: (Score:3, Insightful)

      by Penguinisto (415985)

      Strangely enough, I'm torn between demanding a funny mod or an insightful one for you.

      ...times like this that /. really need a "Funny-but-Damned-Clever" mod.

      • by Jurily (900488)

        ...times like this that /. really need a "Funny-but-Damned-Clever" mod.

        The best humor has an element of truth.

      • Re: (Score:1, Troll)

        Strangely enough, I'm torn between demanding a funny mod or an insightful one for you.

        +1, Bitter Truth?

      • Re: (Score:3, Interesting)

        We do. It's called -1 Troll.

      • Re: (Score:1, Troll)

        by mcgrew (92797) *

        I've had comments I meant to be funny modded "insightful". It shouldn't matter, modding it up will make it visible. Of course, "funny" won't help your karma any, but since he's AC the mod shouldn't affect him anyway.

    • ... run injected code.

      Damn! Code injection! Is that like Fuel Injection? So, I'll get better performance and speed from it?

  • by BeaverAndrew (1645577) on Tuesday November 24, 2009 @06:36PM (#30219854)
    Oh my gosh! Internet explorer is not safe to use? This is incredible hot, breaking news to me.
    • by palegray.net (1195047) <philip DOT paradis AT palegray DOT net> on Tuesday November 24, 2009 @06:52PM (#30220056) Homepage Journal
      I must dispute your view in the strongest terms possible. Internet Explorer is perfectly safe for everyday use. However, as there is no such thing as perfect security, you must take additional precautions to keep evil hackers away from your data. Apply these rules according to the sensitivity of your data, from least important to most:
      • Disconnect your computer from your local network. Download files on another computer, scan them for viruses, print them out, scan them into your Windows PC using ORC software, and then view the pages in IE.
      • Do the above, but have a priest onsite to bless each page individually before scanning it. This is an excellent deterrent against viruses with the word "demon" in the name.
      • Do the above, but encase your PC in acrylic and immerse it in a 10,000 gallon tank of holy water. Interact with it while wearing scuba gear.
      • Do the above, but put a lid on the tank and immerse it in the ocean. Interact with your PC via a submersible robot in the tank from from outside while wearing scuba gear.

      If you fail to follow these simple security guidelines, you can't blame Microsoft for the results.

  • In other news (Score:5, Insightful)

    by Dartz-IRL (1640117) on Tuesday November 24, 2009 @06:37PM (#30219864)

    Rain is wet....

    Despite MS best efforts, IE just won't shake it's 'insecure' tag, will it?

    Part of me wonders if perhaps these vulnerabilities aren't being made a big deal of because of the reputation of IE6. The rest of me which started using Firefox a long time ago just feels smug and superior.

    • Re: (Score:2, Funny)

      by palegray.net (1195047)

      Part of me wonders if perhaps these vulnerabilities aren't being made a big deal of because of the reputation of IE6. The rest of me which started using Firefox a long time ago just feels smug and superior.

      Dude, cutting yourself in half over a web browser seems a little extreme.

    • Re: (Score:1, Flamebait)

      by vistapwns (1103935)
      Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed.
      • Re: (Score:3, Informative)

        by lorenlal (164133)

        As long as you have UAC enabled... Implying that you have Vista or Windows 7.

        • Re: (Score:3, Interesting)

          by DJRumpy (1345787)

          That's the clincher. I can only imagine how many corporations are in the same boat as mine. Tons of IE6 specific apps and XP due to the Vista fiasco. I'm still waiting for an IE upgrade, years after 7 and 8 have been released. It's about as insecure as you can get, yet they still use it.

          This alone should teach the dangers of relying on a single vendor too much. What's odd is they are actually very good about this on any other platforms, but they wear blinders when it comes to Microsoft products.

          • Get win 7 professional. Have your IE8 in 7, and your IE6 in xpmode. Problem solved.
            • Re:In other news (Score:5, Insightful)

              by DJRumpy (1345787) on Tuesday November 24, 2009 @09:55PM (#30221816)

              Yes, after months or years of testing. Had IE been standards compliant in the first place, without all of the OS specific hooks, many companies wouldn't be in this boat.

              It is not an insignificant effort to get off of IE 6, especially without many thousands of users, and hundreds or thousands of apps that will break, or require testing under Windows 7's Virtual PC software.

              • Had IE been standards compliant in the first place, without all of the OS specific hooks, many companies wouldn't be in this boat.

                Well, I still have to test in IE8, because it still is not standards compliant in many key respects. Them citing that it's compliant is irrelevant to reality. When key CSS or Javascript features are not yet compliant, and they are highly used ones, then it becomes an issue. DIV placement is still an issue. XML requests still need to be handled differently. Various CSS attributes still need to be handled differently or they will not render the same as in any other browser. Table attributes (no, I am not goin

      • Re: (Score:3, Funny)

        by Zero__Kelvin (151819)

        "Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed."

        I think you are going overboard there. Just because Microsoft IE engineers have their head in the sand, that's no reason to call the whole project sandboxed. You inspired me to write a little one question deductive reasoning test, just for you:

        Q: The degree and number of IE security problems compared to Firefox is like:

        A) The number of people starving in Ethiopia compared to the number of

      • Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed.

        Why you aren't marked troll, on a site with relatively technologically savvy people (and a decent collection of trolls making up the rest of it's populace) I don't know.

        The differences between IE and Firefox when it comes to security issues is... deep space and day on Earth.

        Why you ask?

        Start with no such software tends to truly be secure.

        When someone finds and posts about a security vulnerability in Firefox, it gets acknowledged and addressed. When someone posts about a security issue in IE, Microso

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Are you sure you should be feeling so smug?

      Slashdot posted that Firefox may not be as secure as you might think it is.

      http://tech.slashdot.org/story/09/11/11/1626224/Firefox-Most-Vulnerable-Browser-Safari-Close?art_pos=5

    • Re: (Score:3, Insightful)

      by erroneus (253617)

      The browser is a still an integral part of the OS. All else follows.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        You didn't RTFA. The flaw is located in normal user-mode code. Nothing about the flaw is in any way amplified or exacerbated by any perceived OS integration.
        And for that matter, IE has been a normal program from day one, however much MS may choose to deny that. IE is only a part of the OS in the sense that its rendering engine is used by the help system and the like. Is Konqueror part of the Linux kernel? Of course not.

  • The bug is not, however, present in Internet Explorer 5.01 SP4 or Internet Explorer 8.

    Oh, wait. IE8 has a bunch of other security flaws that make it insecure anyway, and nobody would think to use IE 5.x on anything worth protecting.

    • by jonbryce (703250)

      If it is anything like IE 5.2 for Mac, then very few sites will work in it anyway. I am aware that it isn't exactly the same as the Windows version, it does support the <q> tag for example, whereas the Windows version doesn't.

  • Redundant (Score:4, Insightful)

    by gyrogeerloose (849181) on Tuesday November 24, 2009 @06:54PM (#30220094) Journal
    "IE8 Flaw" is, in and of itself, a redundancy.
    • by selven (1556643)

      IE = Internet Exploder. So an IE flaw would constitute IE not exploding the internet (ie. working as it should). So far the record is spotless.

      • Again, that's "Interfect Exploder". Remember to ask for it by name!

        Cheers,

        • by hairyfeet (841228)

          I think my old boss Doug had a better name for IE-"Internet Exploiter". After all if you use Internet Exploiter you can be pretty assured of being exploited by every scammer, bugwriter, and malware vendor on the planet. Between it and Outlook Excrement you are sure to have more viruses than a Bangkok whore with crotch itch! Accept no substitute!

          Seriously though, why don't they just give up already? IE is already the joke of the IT world, and it seems like we are always hearing about IE getting pwned one

        • Heh. We always called it "Insecure exploder"
  • It's not a bug (Score:1, Redundant)

    by Vinegar Joe (998110)

    It's a feature.

    • by hrimhari (1241292)

      You got it! It's Microsoft's version to Opera Unite! And to think they had it all along...

  • The exploit currently doing the rounds is not particularly stable and often just causes the browser to crash.

    I doesn't sound like much of a threat and if anything, folks may think it's a bug and move to IE 8 or to another browser all together - solving the problem without installing any fixes.

  • It seems to me that if the IE team is capable of telling that a combination of features is potentially dangerous, then why would they edit the source of the page to avoid triggering the vulnerability, rather than actually eliminating the vulnerability being attacked?

    • MS thought they were being safe, like replacing single quotes with double before making an INSERT statement for a database, or removing less-than or greater than characters to prevent someone embedding <script> tags everywhere.

      The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones

      Someone is pre-formatting the data so that when it is re-written, it becomes dangerous. In other words, this is like EVER

      • MS thought they were being safe, like replacing single quotes with double before making an INSERT statement for a database, or removing less-than or greater than characters to prevent someone embedding tags everywhere.

        I understand what they were trying to do. It's like every idiot web designer who manages to make it impossible for people named "d'Agostino" (or for that matter "da Silva") to register at their web site. This whole approach has been known to be made of 100% undiluted organic FAIL for a decade

  • by Anonymous Coward

    A New IE8 security feature... bug.... feature.... bug..... feature.... bug...... feature....bug.

  • When asked why they are disabling the XSS protection in IE8, Google responds that IE8 has a undiclosed vulnerability. Anyone here think Google is just mud-slinging to disparrage the main competitor to Chrome?

    • by Bob Ince (79199)

      Even without the security problem, I would disable XSS protection on my sites. If I've made a mistake and let an HTML-injection flaw in my app, chances are it'll still be vulnerable (since IE8's XSS protection is a pathetic string-hack on the HTML source which is insufficient to protect against anything but the most basic of attacks), so IE8 is offering only to obfuscate and not fix my problems.

      Meanwhile if I allow XSS “protection”, I have a problem when someone legitimately uses a term in the q

  • by Anonymous Coward

    "Friends don't let friends use Microsoft products without the services of a lawyer"

    or was it, "in Soviet Redmond, browser uses you"?

Passwords are implemented as a result of insecurity.

Working...