Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

IE 8 Security Features Could Be Turned Against Users, Researchers Say

At Black Hat Europe, presenters show how filters designed to prevent cross-site scripting can be used to launch those very attacks

The good news is that Microsoft's Internet Explorer 8 browser offers a new set of filters designed to prevent some cross-site scripting (XSS) attacks. The bad news is that those same filters could be used to enable XSS attacks.

That was the gist of a presentation offered today by security researchers David Lindsay and Eduardo Vela Nava at the Black Hat Europe conference in Barcelona, Spain.

In a paper (PDF) presented at the conference, the researchers described several methods that attackers could use to enable XSS on sites that would otherwise be immune to XSS.

"There's an irony here because you're using filters that are designed to improve security to launch attacks on sites that take security seriously," said Lindsay during a telephone interview prior to the presentation.

The vulnerabilities were found in several filters that Microsoft added to IE 8 to help identify and "neuter" simple XSS attacks, Lindsay explained.

"The filters work by scanning outbound requests for potential malicious strings," the paper states. "When such a string is detected, IE 8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server.

"If a match is made anywhere in the server's response, then the browser assumes that a reflected XSS attack is being conducted, and the browser will automatically alter the response so that the XSS attack will be unsucessful.

"The exact method used to alter a server's response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized, then a malicious script may still execute. On the other hand, it is also crucial that benign requests are not accidently detected.

"The Internet Explorer 8 team decided to use a 'neutering' technique to neutralize detected attacks. More specifically, when the the filters make a positive match against the server's response, the malicious part of the response will have a certain character modified so that the attack will not execute, or not render properly."

In their presentation, Lindsay and Vela Nava demonstrated several ways in which that simple character modification strategy could be abused to allow attacks on systems that otherwise would not be vulnerable to XSS.

"The neutering mechanism can be abused by an attacker to block benign content on a page," the paper says, altering the way a page is rendered. "For example, embedded JavaScript can be blocked from executing by 'faking' an XSS attack." This approach could paradoxically be used to disable JavaScript code that would otherwise protect the site, thus allowing an attack, the researchers say.

The researchers also outlined more complex attacks that also take advantage of the neutering mechanism.

Lindsay and Vela Nava notified Microsoft of their discovery earlier this year, and Microsoft subsequently issued a patch that alleviates the immediate problem. Google and other major sites have also been notified and have implemented fixes, as well, Lindsay says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27652
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27653
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27654
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
CVE-2020-27655
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVE-2020-27656
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.