22. November 2009 · Comments Off on Microsoft IE8 XSS prevention feature enables XSS attacks · Categories: Application Security · Tags: , , , , ,

Dan Goodin at The Register reports that Microsoft's IE 8's Cross Site Scripting prevention feature can be used to create an XSS attack.

IE8 attempts to block XSS attacks by modifying the response, i.e. the content of the web page generated by the web server coming to the browser in response to a request. The NoScript Firefox add-on, takes the opposite approach by modifying the content of the request from the browser to the web server. Here is more information. It appears that this vulnerability is not easily fixed because it's a design flaw rather than a coding flaw.

BTW, NoScript is the second most popular Firefox Privacy & Security add-on.

06. September 2009 · Comments Off on Browser vendors add innovative security features · Categories: Risk Management, Secure Browsing, Security Management · Tags: , , ,

The browser vendors are adding innovative security features to help protect users against web-based attacks. Here are some examples:

  • Firefox 3.5.3 will check your Adobe Flash add-in and warn you if it's not current. It is believed that as many as 80% of browser users are using older versions of Adobe that contain vulnerabilities that are fixed in new versions.
  • Internet Explorer 8 added a raft of security features including URL filtering, Cross Site Scripting (XSS) filtering, click-jack prevention, domain highlighting, and data execution prevention (requires Vista SP1). The Cross Site Scripting filter is very impressive. Here is a detailed explanation of XSS and how the IE8 filter works. XSS attacks are particularly nasty because it can
    happen through no fault of yours. All you have to do is go to a site
    that has been successfully exploited. Details on the other features are here.
  • Opera 10, just now shipping, also includes URL filtering.
  • Safari 4, when running on Windows, will integrate with your Windows anti-virus software to check any files, images, or other items you are downloading via Safari. It also has URL filtering watching for phishing sites and sites known to harbor malware.
  • Chrome 2.0.172.43 was released on August 25, 2009 and fixed several high severity issues.

Firefox has long benefited from third party security and privacy add-ons. NoScript is one of the more popular add-ons that blocks javascript and let's you selectively turn on javascript per content source.

While I have not personally checked these security features, assuming they all work as advertised,  Microsoft's Internet Explorer 8 leads the way in security innovation.