

Major IE8 flaw makes 'safe' sites unsafe - Mathnerd314
http://www.theregister.co.uk/2009/11/20/internet_explorer_security_flaw/

======
dasil003
_"We needed to find a way to make the filtering automatic and painless and
thus provide maximum benefit to users," he wrote. "In summary, the XSS Filter
will prove its worth by raising the bar and mitigating the types of XSS most
commonly found across the web today, by default, for users of Internet
Explorer 8."_

This XSS filter has to be one of the most braindead far-reaching decisions
since the invention of magic_quotes in PHP.

It just smacks of marketing-driven technical incompetence. How could anyone at
Microsoft think this could do anything but make the situation worse? As if XSS
were somehow distinguishable from legit scripts. As if most sites have great
XSS protection and just need a little help with the edge cases. I just came up
with a brilliant idea to prevent buffer overrun exploits as well: a C compiler
that doesn't allow indexes past 1000. Developers shouldn't be using those high
indexes anyway, and they're just an accident waiting to happen.

Thanks for expanding the XSS vulnerability footprint Microsoft, browser
parsing wasn't opaque enough yet. Now we can enjoy another decade of IE-
induced headaches.

~~~
qeorge
"This XSS filter has to be one of the most braindead far-reaching decisions
since the invention of magic_quotes in PHP."

So, I'm guessing you're also against the XSS filter Firefox is adding, and
NoScript, and any other attempt to automatically mitigate XSS attacks? All
those are also "marketing-driven technical incompetence" right?

This bug in IE8's XSS filter is a bad one, and it's much worse that they've
known about it and not fixed it. That doesn't mean it's categorically a bad
idea.

~~~
bumblebird
NoScript is pretty braindead. It's like refusing to eat anything in case you
get food poisoning. There are far better ways to protect yourself.

~~~
Mathnerd314
"Better ways..." such as using IE8?

The key thing about NoScript is that it is far easier to allow a common subset
of safe actions rather than to deny every possible malicious action.

Consider why people like using sudo on *nix.

------
machrider
Can anyone explain how the browser can make a site unsafe? I thought rule #1
was "don't trust the client".

~~~
dasil003
XSS is not about the server trusting the client, it's the other way around.
XSS exploits the trust that a user has of a website. It is the site's
responsibility to prevent XSS by preventing any user from injecting executable
code into the HTML, because if they can do that on a public page then they can
write code that sends the private credentials of all users who visit that page
anywhere they want.

Preventing XSS is tricky because of the inability to sandbox user-generated
content. Everything in a page has the same security level. This means if you
allow user generated content you need to be aware of _all_ the ways that _all_
the browsers can trigger code execution. There are numerous tags, attributes,
CSS selectors, and url protocols that can trigger executable javascript code,
and on top of that there are layers of internal translation in the browser and
parsed content such as HTML entities, escaped unicode and other internal
browser transformations.

So what Microsoft has done, is to attempt to magically determine–without any
context–what code patterns look like they were probably submitted by a
malicious party, and then perform some opaque transformation to "prevent" the
vulnerability. In the process they will undoubtedly break legitimate code, and
make the job of preventing XSS more difficult because there is yet another
transformation that one browser does differently from the rest.

To answer your question, what IE8 has apparently been found to do is translate
some non-executable code form into something that is executable, thus
rendering something that previously would have been a safe sanitization method
across all known browsers into something that is exploitable in the latest
version of IE. Sure it's unintentional, but the whole approach is braindead.

If Microsoft wants to further the state of web security they need to pursue a
real security model such as real sandboxing of HTML documents, since all it
takes is one obfuscated hack in IE8's magic security model to render it useless
and more difficult to secure, since some percentage of people will never
upgrade.

