Microsoft has posted a rather lengthy post to the IEBlog on the new security features in Internet Explorer 8. The details of the IE8 security features come a week after the post on trustworthy browsing. In the latest development of Internet Explorer, Microsoft takes a good long look at some of the common attack methods and outlines how it is going to try to stop them.
Microsoft talks about new security features for Internet Explorer 8. (IMG:J.Anderson)
The layered defense that is built into Internet Explorer 8 takes advantage of some interesting mitigations against some of the more common attacks. One of the first things mentioned is XSS or Cross Site Scripting attacks. IE8 will help stop some of the most common XSS attacks by filtering out reflection attacks. They mention that the XSS defense in IE8 is only one layer of an overall defense for XSS exploitation. “IE8 helps to mitigate the threat of XSS attacks by blocking the most common form of XSS attack (called “reflection” attacks). The IE8 XSS Filter is a heuristic-based mitigation that sanitizes injected scripts, preventing execution,” the blog said.
“To help developers build more secure mashups, for Internet Explorer 8, we’ve introduced support for the HTML5 cross-document messaging feature that enables IFRAMEs to communicate more securely while maintaining DOM isolation. We’ve also introduced the XDomainRequest object to permit secure network retrieval of “public” data across domains,” Eric Lawrence, Security Program Manager for Internet Explorer said.
There are two types of mashup defense, HTML Sanitization and JSON Sanitization. HTML Sanitization centers on a new method of the window object named toStaticHTML. If HTML is passed through this function, executable script content (an injected XSS payload, for example) is stripped.
JSON Sanitization is another improvement because IE8 implements the ECMAScript 3.1 proposal for native JSON-handling functions (which uses Douglas Crockford’s json2.js API), Lawrence said. “The JSON.stringify method accepts a script object and returns a JSON string, while the JSON.parse method accepts a string and safely revives it into a JavaScript object. The new native JSON methods are based on the same code used by the script engine itself, and thus have significantly improved performance over non-native implementations. If the resulting object contains strings bound for injection into the DOM, the previously described toStaticHTML function can be used to prevent script injection.”
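The flow Lawrence describes, parsing untrusted JSON natively and then sanitizing any strings bound for the DOM, can be sketched as follows. This is an added example, not code from the IEBlog post; parseUntrusted and sanitizeString are hypothetical names, and the HTML-escaping fallback for hosts without toStaticHTML is an assumption.

```javascript
// Added example: parse untrusted mashup JSON, then neutralise every string
// value before it can reach the DOM. Function names are hypothetical.

// Use IE8's toStaticHTML when the host provides it; otherwise fall back to
// plain HTML-escaping (assumption: stand-in for hosts without toStaticHTML).
function sanitizeString(s) {
  if (typeof toStaticHTML === "function") {
    return toStaticHTML(s);
  }
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => entities[c]);
}

// JSON.parse accepts only JSON text, so script syntax throws instead of
// running (unlike eval). The reviver visits every value in the result;
// string values are sanitised, everything else passes through unchanged.
function parseUntrusted(text) {
  try {
    const value = JSON.parse(text, (key, v) =>
      typeof v === "string" ? sanitizeString(v) : v
    );
    return { ok: true, value: value };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample inputs: a feed item carrying markup in a string field,
// and a payload that is script rather than JSON.
const feedItem = '{"title":"<script>alert(1)</script>Hello","votes":3}';
const notJson = '({"title": alert(1)})';

console.log(parseUntrusted(feedItem));
console.log(parseUntrusted(notJson));
```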
IE8 also changes how MIME types are handled. The post describes the feature of MIME-sniffing. Essentially, Internet Explorer uses this feature to account for legacy servers online that label content incorrectly, rendering content according to the type it detects regardless of the header. “For instance, if Internet Explorer finds HTML content in a file delivered with the HTTP response header Content-Type: text/plain, IE determines that the content should be rendered as HTML.”
However, MIME-sniffing can lead to some problems, “Consider, for instance, the case of a picture-sharing web service which hosts pictures uploaded by anonymous users. An attacker could upload a specially crafted JPEG file that contained script content, and then send a link to the file to unsuspecting victims. When the victims visited the server, the malicious file would be downloaded, the script would be detected, and it would run in the context of the picture-sharing site,” Lawrence explains.
To offset these problems Microsoft has altered the MIME-type code in Internet Explorer 8. These changes restrict “upsniff” of files with a MIME-type of image/*. This would render the example used by Lawrence useless, as the image would be displayed, but the code would not run. Another MIME change for IE8 offers developers a chance to opt out of MIME sniffing altogether. Using a content type attribute of authoritative=true, IE8 will render exactly what the HTTP header says the page is.
Example: Content-Type: text/plain; authoritative=true;
The last change with MIME-type adds a force save function. If the new HTTP header X-Download-Options is set with noopen, files are prohibited from being opened directly in the context of the website; instead, just as the header suggests, they are force downloaded. This will help mitigate script injections, Lawrence said.
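For a picture-sharing service like the one in Lawrence's example, the server side of these MIME changes might look like the following. This is an added example, not code from the IEBlog post; headersForUpload and detectImageType are hypothetical names, and the authoritative=true attribute is written as the article gives it.

```javascript
// Added example: choose response headers for a user-uploaded file.
// detectImageType and headersForUpload are hypothetical helper names.

// Identify a few image formats by their leading magic bytes.
function detectImageType(bytes) {
  const signatures = [
    { type: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
    { type: "image/png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
    { type: "image/gif", magic: [0x47, 0x49, 0x46, 0x38] },
  ];
  for (const sig of signatures) {
    if (bytes.length >= sig.magic.length &&
        sig.magic.every((b, i) => bytes[i] === b)) {
      return sig.type;
    }
  }
  return null;
}

function headersForUpload(filename, bytes) {
  const imageType = detectImageType(bytes);
  if (imageType) {
    // Starts like an image: declare an image/* type, which IE8 will not
    // "upsniff" to HTML, and mark the header authoritative as the article
    // describes. The magic-byte check only rejects non-images; script hidden
    // inside a real image is covered by the browser's image/* restriction.
    return { "Content-Type": imageType + "; authoritative=true;" };
  }
  // Anything else is never rendered in the site's context: force a save.
  const safeName = filename.replace(/[^A-Za-z0-9._-]/g, "_");
  return {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": 'attachment; filename="' + safeName + '"',
    "X-Download-Options": "noopen",
  };
}

// Constructed samples: a JPEG header, and HTML uploaded under a .jpg name.
const jpegSample = [0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46];
const htmlSample = Array.from("<html><script>/* constructed */</script></html>",
  (c) => c.charCodeAt(0));

console.log(headersForUpload("cat.jpg", jpegSample));
console.log(headersForUpload("holiday photo.jpg", htmlSample));
```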
Looking locally, the security in IE8 includes various improvements to ActiveX, including Per-Site ActiveX, which helps prevent malicious repurposing of controls. In IE8 there were several API improvements, Lawrence said, that would enable add-on developers to better interact with Protected Mode instances. Protected Mode, enabled by default in Internet Explorer originally, is now disabled in the Intranet Zone. Protected Mode made its debut in IE7 and Vista; it helps prevent silent installs of malicious content. However, most users were annoyed by the feature and disabled it.
A rather nifty local security update centers on the file upload feature seen on various sites. Internet Explorer now sets these boxes, often seen in various methods of attack, to read-only. Users will be forced to select a file directly in the dialog. Adding to this, the “include local directory path when uploading files” option is disabled in the Internet Zone. Instead of seeing C:/blah/blah_blah/blah/file.txt you will only see, and submit, file.txt via the browser.
Unrelated to form uploading, but just as cool, is the announcement that IE8 will prompt before launching applications. In the past, launching applications through the browser was a pesky problem, so confirmation is now required. (This will prove to be an annoyance to some users and, like Protected Mode, will be turned off by some. After all, when it says prompt for everything, that means streaming video and music as well as full-on applications.)
The other security improvements are well known. The address bar, with EV SSL, is designed to help detect Phishing, and the Phishing filter in IE7 will make a revamped return in IE8. “For Internet Explorer 8, we’ve built upon the success of the Phishing Filter feature (which blocks millions of phishing attacks per week) and developed the SmartScreen® Filter. The SmartScreen Filter goes beyond anti-Phishing to help block sites that are known to distribute Malware, malicious software which attempts to attack your computer or steal your personal information,” Lawrence said.
To learn more about Internet Explorer 8 check out the articles on the IE8 blog, http://blogs.msdn.com/ie/default.aspx
Beta 2 of IE8 is due in August.