Risk

IE 8 Security Features Could Be Turned Against Users, Researchers Say

At Black Hat Europe, presenters show how filters designed to prevent cross-site scripting can be used to launch those very attacks

The good news is that Microsoft's Internet Explorer 8 browser offers a new set of filters designed to prevent some cross-site scripting (XSS) attacks. The bad news is that those same filters could be used to enable XSS attacks.

That was the gist of a presentation offered today by security researchers David Lindsay and Eduardo Vela Nava at the Black Hat Europe conference in Barcelona, Spain.

In a paper (PDF) presented at the conference, the researchers described several methods that attackers could use to enable XSS on sites that would otherwise be immune to XSS.

"There's an irony here because you're using filters that are designed to improve security to launch attacks on sites that take security seriously," said Lindsay during a telephone interview prior to the presentation.

The vulnerabilities were found in several filters that Microsoft added to IE 8 to help identify and "neuter" simple XSS attacks, Lindsay explained.

"The filters work by scanning outbound requests for potential malicious strings," the paper states. "When such a string is detected, IE 8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server.

"If a match is made anywhere in the server's response, then the browser assumes that a reflected XSS attack is being conducted, and the browser will automatically alter the response so that the XSS attack will be unsucessful.

"The exact method used to alter a server's response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized, then a malicious script may still execute. On the other hand, it is also crucial that benign requests are not accidently detected.

"The Internet Explorer 8 team decided to use a 'neutering' technique to neutralize detected attacks. More specifically, when the the filters make a positive match against the server's response, the malicious part of the response will have a certain character modified so that the attack will not execute, or not render properly."

In their presentation, Lindsay and Vela Nava demonstrated several ways in which that simple character modification strategy could be abused to allow attacks on systems that otherwise would not be vulnerable to XSS.

"The neutering mechanism can be abused by an attacker to block benign content on a page," the paper says, altering the way a page is rendered. "For example, embedded JavaScript can be blocked from executing by 'faking' an XSS attack." This approach could paradoxically be used to disable JavaScript code that would otherwise protect the site, thus allowing an attack, the researchers say.

The researchers also outlined more complex attacks that also take advantage of the neutering mechanism.

Lindsay and Vela Nava notified Microsoft of their discovery earlier this year, and Microsoft subsequently issued a patch that alleviates the immediate problem. Google and other major sites have also been notified and have implemented fixes, as well, Lindsay says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
CVE-2018-20727
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.