Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

IE 8 Security Features Could Be Turned Against Users, Researchers Say

At Black Hat Europe, presenters show how filters designed to prevent cross-site scripting can be used to launch those very attacks

The good news is that Microsoft's Internet Explorer 8 browser offers a new set of filters designed to prevent some cross-site scripting (XSS) attacks. The bad news is that those same filters could be used to enable XSS attacks.

That was the gist of a presentation offered today by security researchers David Lindsay and Eduardo Vela Nava at the Black Hat Europe conference in Barcelona, Spain.

In a paper (PDF) presented at the conference, the researchers described several methods that attackers could use to enable XSS on sites that would otherwise be immune to XSS.

"There's an irony here because you're using filters that are designed to improve security to launch attacks on sites that take security seriously," said Lindsay during a telephone interview prior to the presentation.

The vulnerabilities were found in several filters that Microsoft added to IE 8 to help identify and "neuter" simple XSS attacks, Lindsay explained.

"The filters work by scanning outbound requests for potential malicious strings," the paper states. "When such a string is detected, IE 8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server.

"If a match is made anywhere in the server's response, then the browser assumes that a reflected XSS attack is being conducted, and the browser will automatically alter the response so that the XSS attack will be unsucessful.

"The exact method used to alter a server's response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized, then a malicious script may still execute. On the other hand, it is also crucial that benign requests are not accidently detected.

"The Internet Explorer 8 team decided to use a 'neutering' technique to neutralize detected attacks. More specifically, when the the filters make a positive match against the server's response, the malicious part of the response will have a certain character modified so that the attack will not execute, or not render properly."

In their presentation, Lindsay and Vela Nava demonstrated several ways in which that simple character modification strategy could be abused to allow attacks on systems that otherwise would not be vulnerable to XSS.

"The neutering mechanism can be abused by an attacker to block benign content on a page," the paper says, altering the way a page is rendered. "For example, embedded JavaScript can be blocked from executing by 'faking' an XSS attack." This approach could paradoxically be used to disable JavaScript code that would otherwise protect the site, thus allowing an attack, the researchers say.

The researchers also outlined more complex attacks that also take advantage of the neutering mechanism.

Lindsay and Vela Nava notified Microsoft of their discovery earlier this year, and Microsoft subsequently issued a patch that alleviates the immediate problem. Google and other major sites have also been notified and have implemented fixes, as well, Lindsay says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Edge-DRsplash-10-edge-articles
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
Commentary
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15279
PUBLISHED: 2021-05-18
An Improper Access Control vulnerability in the logging component of Bitdefender Endpoint Security Tools for Windows versions prior to 6.6.23.320 allows a regular user to learn the scanning exclusion paths. This issue was discovered during external security research.
CVE-2021-3423
PUBLISHED: 2021-05-18
Uncontrolled Search Path Element vulnerability in the openssl component as used in Bitdefender GravityZone Business Security allows an attacker to load a third party DLL to elevate privileges. This issue affects Bitdefender GravityZone Business S...
CVE-2020-18194
PUBLISHED: 2021-05-17
Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
CVE-2020-18195
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
CVE-2020-18198
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."