Major IE8 Flaw Makes "Safe" Sites Unsafe

After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.

See, Microsoft is right

[Anonymous Coward]

IE8 is compatible with sites designed for IE6. You won't see other browsers going the extra mile like this.

Re:

[Penguinisto]

Strangely enough, I'm torn between demanding a funny mod or an insightful one for you.

...times like this that /. really need a "Funny-but-Damned-Clever" mod.

Re:

[Jurily]

...times like this that /. really need a "Funny-but-Damned-Clever" mod.

The best humor has an element of truth.

Re:

[shutdown -p now]

Strangely enough, I'm torn between demanding a funny mod or an insightful one for you.

+1, Bitter Truth?

Re:

[TheVelvetFlamebait]

We do. It's called -1 Troll.

Re:

[mcgrew]

I've had comments I meant to be funny modded "insightful". It shouldn't matter, modding it up will make it visible. Of course, "funny" won't help your karma any, but since he's AC the mod shouldn't affect him anyway.

Yeah, and NEW technology

[NoYob]

... run injected code.

Damn! Code injection! Is that like Fuel Injection? So, I'll get better performance and speed from it?

Re:

[elysiuan]

Maybe Taco & co. aren't adding 'coolforsale' to the lameness filters thinking they'll start some kind of escalating spam war?

Otherwise I don't know why the hell they don't just do it already.

Re:

[vishbar]

When the hell did "cool" become a noun anyway? That bothers the hell out of me.

Re:

[Meski]

It reminds me of those sub-literate bots you see on Warcraft trade channel. My finger itches to right-click report spam it.

Breaking News

[BeaverAndrew]

Oh my gosh! Internet explorer is not safe to use? This is incredible hot, breaking news to me.

Re:Breaking News

[palegray.net]

I must dispute your view in the strongest terms possible. Internet Explorer is perfectly safe for everyday use. However, as there is no such thing as perfect security, you must take additional precautions to keep evil hackers away from your data. Apply these rules according to the sensitivity of your data, from least important to most:

• Disconnect your computer from your local network. Download files on another computer, scan them for viruses, print them out, scan them into your Windows PC using ORC software, and then view the pages in IE.
• Do the above, but have a priest onsite to bless each page individually before scanning it. This is an excellent deterrent against viruses with the word "demon" in the name.
• Do the above, but encase your PC in acrylic and immerse it in a 10,000 gallon tank of holy water. Interact with it while wearing scuba gear.
• Do the above, but put a lid on the tank and immerse it in the ocean. Interact with your PC via a submersible robot in the tank from from outside while wearing scuba gear.

If you fail to follow these simple security guidelines, you can't blame Microsoft for the results.

Re:Breaking News

[Penguinisto]

Internet Explorer is perfectly safe for everyday use.

As long as you follow the old US gov't C3 security guidelines/settings for Windows NT 4.0 while you do it, sure.

Re:

[Swizec]

whooosh ...

Re:Breaking News

[lorenlal]

No no no... I think he's on to something there.

Re:Breaking News

[dkleinsc]

You forgot to do something to filter out those pages with the Evil Bit set (see RFC 3514 [ietf.org]).

In other news

[Dartz-IRL]

Rain is wet....

Despite MS best efforts, IE just won't shake it's 'insecure' tag, will it?

Part of me wonders if perhaps these vulnerabilities aren't being made a big deal of because of the reputation of IE6. The rest of me which started using Firefox a long time ago just feels smug and superior.

Re:

[palegray.net]

Part of me wonders if perhaps these vulnerabilities aren't being made a big deal of because of the reputation of IE6. The rest of me which started using Firefox a long time ago just feels smug and superior.

Dude, cutting yourself in half over a web browser seems a little extreme.

Re:

[selven]

I agree, that is excessive. BTW, do you use vim or emacs? I want to know whether or not I should call the hit.

Re:

[palegray.net]

Textmate :).

Re:

[vistapwns]

Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed.

Re:

[lorenlal]

As long as you have UAC enabled... Implying that you have Vista or Windows 7.

Re:

[DJRumpy]

That's the clincher. I can only imagine how many corporations are in the same boat as mine. Tons of IE6 specific apps and XP due to the Vista fiasco. I'm still waiting for an IE upgrade, years after 7 and 8 have been released. It's about as insecure as you can get, yet they still use it.

This alone should teach the dangers of relying on a single vendor too much. What's odd is they are actually very good about this on any other platforms, but they wear blinders when it comes to Microsoft products.

Re:

[LordLimecat]

Get win 7 professional. Have your IE8 in 7, and your IE6 in xpmode. Problem solved.

Re:In other news

[DJRumpy]

Yes, after months or years of testing. Had IE been standards compliant in the first place, without all of the OS specific hooks, many companies wouldn't be in this boat.

It is not an insignificant effort to get off of IE 6, especially without many thousands of users, and hundreds or thousands of apps that will break, or require testing under Windows 7's Virtual PC software.

Re:

[DJRumpy]

I beg to differ. If the hooks are OS specific, then chance are, that they will not work on any other OS but the one they are targeted for.

Change the OS, and your applications break. This proprietary path is most definitely NOT standards compliant. If your browser is using non-standard HTML tabs, methods, or properties, then it is not standards compliant. IE6 may have displayed the standard HTML without issue (debatable), but it also had non-standard MS specific implementations that are specific only to IE.

C

Re:

[RobertM1968]

Had IE been standards compliant in the first place, without all of the OS specific hooks, many companies wouldn't be in this boat.

Well, I still have to test in IE8, because it still is not standards compliant in many key respects. Them citing that it's compliant is irrelevant to reality. When key CSS or Javascript features are not yet compliant, and they are highly used ones, then it becomes an issue. DIV placement is still an issue. XML requests still need to be handled differently. Various CSS attributes still need to be handled differently or they will not render the same as in any other browser. Table attributes (no, I am not goin

Re:

[Zero__Kelvin]

"Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed."

I think you are going overboard there. Just because Microsoft IE engineers have their head in the sand, that's no reason to call the whole project sandboxed. You inspired me to write a little one question deductive reasoning test, just for you:

Q: The degree and number of IE security problems compared to Firefox is like:

A) The number of people starving in Ethiopia compared to the number of

Re:

[RobertM1968]

Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed.

Why you aren't marked troll, on a site with relatively technologically savvy people (and a decent collection of trolls making up the rest of it's populace) I don't know.

The differences between IE and Firefox when it comes to security issues is... deep space and day on Earth.

Why you ask?

Start with no such software tends to truly be secure.

When someone finds and posts about a security vulnerability in Firefox, it gets acknowledged and addressed. When someone posts about a security issue in IE, Microso

Re:

[Anonymous Coward]

Are you sure you should be feeling so smug?

Slashdot posted that Firefox may not be as secure as you might think it is.

http://tech.slashdot.org/story/09/11/11/1626224/Firefox-Most-Vulnerable-Browser-Safari-Close?art_pos=5

Re:

[erroneus]

The browser is a still an integral part of the OS. All else follows.

Re:

[Anonymous Coward]

You didn't RTFA. The flaw is located in normal user-mode code. Nothing about the flaw is in any way amplified or exacerbated by any perceived OS integration.
And for that matter, IE has been a normal program from day one, however much MS may choose to deny that. IE is only a part of the OS in the sense that its rendering engine is used by the help system and the like. Is Konqueror part of the Linux kernel? Of course not.

Re:

[quickOnTheUptake]

You mean the article that only a single pie graph comparing browsers? And no discussion at all of where he got his list of vulnerabilities from?
I don't think it is that they are selective, just that they refused to accept numbers on faith alone.

Re:

[furbearntrout]

FWIW, That article also had a link to a PDF, which also had a single pie graph comparing browsers, and no discussion at all of where he got his list of vulnerabilities from.

Re:

[RobertM1968]

An independant study is not (a) one funded by Microsoft or (b) one performed by a company that Microsoft has a large financial stake in. Please point me to ANY independent study that does not fit into category (a) or category (b) or both.

That aside, such statistics are irrelevant when one takes into account that if a Firefox vulnerability is reported and fixed/not fixed, the whole world knows about it or can at least look it up on the Firefox dev sites... while in the meantime, if an IE vulnerability is r

Got to love (joke) the MS spin

[hAckz0r]

The bug is not, however, present in Internet Explorer 5.01 SP4 or Internet Explorer 8.

Oh, wait. IE8 has a bunch of other security flaws that make it insecure anyway, and nobody would think to use IE 5.x on anything worth protecting.

Re:

[jonbryce]

If it is anything like IE 5.2 for Mac, then very few sites will work in it anyway. I am aware that it isn't exactly the same as the Windows version, it does support the <q> tag for example, whereas the Windows version doesn't.

Re:

[hrimhari]

Looks like you went to the wrong article.

Re:Ummm

[lorenlal]

Please go to the "a new hole in IE8" article.

And if you're looking for the article to *read* it... yes, you are new here.

Redundant

[gyrogeerloose]

"IE8 Flaw" is, in and of itself, a redundancy.

Re:

[selven]

IE = Internet Exploder. So an IE flaw would constitute IE not exploding the internet (ie. working as it should). So far the record is spotless.

No no, IE == "Interfect Exploder"

[zooblethorpe]

Again, that's "Interfect Exploder". Remember to ask for it by name!

Cheers,

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[bobintetley]

Heh. We always called it "Insecure exploder"

It's not a bug

[Vinegar Joe]

It's a feature.

Re:

[hrimhari]

You got it! It's Microsoft's version to Opera Unite! And to think they had it all along...

Would anyone know they were infected?

[NoYob]

The exploit currently doing the rounds is not particularly stable and often just causes the browser to crash.

I doesn't sound like much of a threat and if anything, folks may think it's a bug and move to IE 8 or to another browser all together - solving the problem without installing any fixes.

Re:IE8 is *not* vulnerable

[praseodym]

Except, that was the FIRST security flaw linked in the article. The SECOND one (at The Register) is about a different security flaw, in the XSS filter. The XSS filter is new in IE8.

And, BTW, Google does indeed disable it so that they are not vulnerable to the flaw: their servers send a "X-XSS-Protection: 0" header.

Re:

[plague3106]

Or they do it because XSS screws up their ad-revenue system.

Re:

[praseodym]

That doesn't really make sense; if XSS is screws up their system, why disable IE's protection for it? The only reason must be that the XSS protection is flawed.

Re:

[plague3106]

If their ad tech relies on XSS, and IE successfully blocks XSS on google, then disabling it would allow googles ad tech to work again. Not that hard, really..

Re:

[praseodym]

That doesn't make sense:
1. Google serves all ads within Google.com from that same domain. No cross-site scripting anywhere, so nothing for the XSS filter to block.
2. For external sites (AdSense), disabling the XSS filter on Google.com won't help either: the external site would have to disable it. Otherwise anyone could just disable the XSS filter on their own domain and hack away on other sites.

That seems like a really strange thing to do...

[argent]

It seems to me that if the IE team is capable of telling that a combination of features is potentially dangerous, then why would they edit the source of the page to avoid triggering the vulnerability, rather than actually eliminating the vulnerability being attacked?

Law of unintended consequences.

[b4dc0d3r]

MS thought they were being safe, like replacing single quotes with double before making an INSERT statement for a database, or removing less-than or greater than characters to prevent someone embedding <script> tags everywhere.

The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones

Someone is pre-formatting the data so that when it is re-written, it becomes dangerous. In other words, this is like EVER

Indeed. There is no facepalm epic enough.

[argent]

MS thought they were being safe, like replacing single quotes with double before making an INSERT statement for a database, or removing less-than or greater than characters to prevent someone embedding tags everywhere.

I understand what they were trying to do. It's like every idiot web designer who manages to make it impossible for people named "d'Agostino" (or for that matter "da Silva") to register at their web site. This whole approach has been known to be made of 100% undiluted organic FAIL for a decade

New IE8 security feature.

[Anonymous Coward]

A New IE8 security feature... bug.... feature.... bug..... feature.... bug...... feature....bug.

Now that other companies browser has a huge flaw!

[fluffy99]

When asked why they are disabling the XSS protection in IE8, Google responds that IE8 has a undiclosed vulnerability. Anyone here think Google is just mud-slinging to disparrage the main competitor to Chrome?

Re:Now that other companies browser has a huge fla

[TropicalCoder]

No

Re:

[Bob Ince]

Even without the security problem, I would disable XSS protection on my sites. If I've made a mistake and let an HTML-injection flaw in my app, chances are it'll still be vulnerable (since IE8's XSS protection is a pathetic string-hack on the HTML source which is insufficient to protect against anything but the most basic of attacks), so IE8 is offering only to obfuscate and not fix my problems.

Meanwhile if I allow XSS “protection”, I have a problem when someone legitimately uses a term in the q

And the moral of this story is:

[Anonymous Coward]

"Friends don't let friends use Microsoft products without the services of a lawyer"

or was it, "in Soviet Redmond, browser uses you"?