September 2, 2008 at 10:47New Security Mechanisms in IE 8
After the release of Internet Explorer Beta2 on numerous resources, including Habr, innovations that relate mainly to the interface and additional tools for the user were often discussed. There are a lot of such innovations, here there are accelerators and a modified address input line and tab grouping, and an advanced tool for developers is much more. The change in the browser in terms of page rendering is also quite widely discussed, including the fact that in many respects this mechanism is written for the eighth version from scratch. All this is certainly interesting and significant, but the purpose of this article is to compile information about the security features of the new browser.
Not so long ago, on August 29, the MSDN blog IEBlog posted an article entitled “Safe Navigation with IE8: Compilation of Information” (Trustworthy Browsing with IE8: Summary). In a rather extensive form, the article compiled previous articles regarding the relation to security in IE. In this article I’m not going to translate all the articles, for me it’s an overwhelming job, and I don’t think it is necessary. Articles are written in an accessible language and anyone can read them. In this article I will try to summarize information on the main changes in security elements in IE.
The "Enable memory protection to reduce the risk of an attack from the Internet" function is also available in the seventh version of the browser, but it is not enabled by default. True, this function is not available on 64-bit platforms, but only because all processes in 64-bit versions of Windows are protected via DEP. Now, this feature will be enabled by default. Let me remind you that DEP / NX allows you to prevent the execution of code that is marked as data. This cuts off a whole layer of attacks such as buffer overflows.
In the eighth version of Internet Explorer, ActiveX controls can only be installed for a specific user (Per-User ActiveX), which reduces the risk of infection, given that the user does not work under administrator rights. In this case, only the profile of one user is under attack and nothing more.
Per-Site ActiveX is a new technique that allows you to set the ActiveX element to run only on one single (your own) site and nowhere else. The user can also allow the use of, say, Silverlight, only on the server where he was first needed. Like everything else, management of the ActiveX installation mechanism will be available to administrators through group policies.
SmartScreen is a new feature of Internet Explorer against phishing that extends the phishing filter that was in previous versions of the browser. Here is a list of major changes:
I will give some screenshots with comments that show the technology in action:
Here is an improved interface for the information that is displayed to the user when visiting a suspicious site:
The same window, but only with the administrator forbidden to
go to the dangerous site: The following window will be shown if Internet Explorer determines that files will be downloaded from a dangerous source:
In rare cases, the user can see the following window that warns the user about suspicious sites:
The most interesting innovation in my opinion is the built-in XSS filter, which allows you to protect the user from “Cross-Site Scripting” attack. In order to at least approximately estimate the magnitude of the threat from XSS attacks, you can go to XSSed.com and see what are not the smallest public resources prone to these attacks. Any user can potentially become a victim simply by going to these resources, and now the number of such "leaky" sites has exceeded 20 thousand.
XSS-filter Internet Explorer 8 is directed against xss-attacks of the so-called Type1 type . According to information from Wikipedia, attacks of this type are the most common.
For those sites that for some reason do not want to allow the user to enable protection against XSS on their resources, an option is available in the HTTP headers: X-XSS-Protection: 0 . It may be needed by those who used techniques similar to XSS attacks in their projects.
In addition to protection against xss attacks, the following protection techniques and technologies will also be supported in the new version of the browser:
The article discusses several new security mechanisms in Internet Explorer 8. Some of them seemed quite significant to me, others less. The most interesting mechanism is the XSS filter, a very timely technique, which in our time is very relevant. In general, the size of the work on the security of the new browser is personally impressive to me. The eighth version will definitely take a significantly greater step in providing security than all its predecessors.
Introduction
Not so long ago, on August 29, the MSDN blog IEBlog posted an article entitled “Safe Navigation with IE8: Compilation of Information” (Trustworthy Browsing with IE8: Summary). In a rather extensive form, the article compiled previous articles regarding the relation to security in IE. In this article I’m not going to translate all the articles, for me it’s an overwhelming job, and I don’t think it is necessary. Articles are written in an accessible language and anyone can read them. In this article I will try to summarize information on the main changes in security elements in IE.
Content
- memory protection using DEP / NX;
- ActiveX improvements
- SmartScreen Filter
- XSS filter;
- general protection.
Memory Protection with DEP / NX
The "Enable memory protection to reduce the risk of an attack from the Internet" function is also available in the seventh version of the browser, but it is not enabled by default. True, this function is not available on 64-bit platforms, but only because all processes in 64-bit versions of Windows are protected via DEP. Now, this feature will be enabled by default. Let me remind you that DEP / NX allows you to prevent the execution of code that is marked as data. This cuts off a whole layer of attacks such as buffer overflows.
ActiveX Enhancements
In the eighth version of Internet Explorer, ActiveX controls can only be installed for a specific user (Per-User ActiveX), which reduces the risk of infection, given that the user does not work under administrator rights. In this case, only the profile of one user is under attack and nothing more.
Per-Site ActiveX is a new technique that allows you to set the ActiveX element to run only on one single (your own) site and nowhere else. The user can also allow the use of, say, Silverlight, only on the server where he was first needed. Like everything else, management of the ActiveX installation mechanism will be available to administrators through group policies.
SmartScreen Filter
SmartScreen is a new feature of Internet Explorer against phishing that extends the phishing filter that was in previous versions of the browser. Here is a list of major changes:
- improved interface;
- improved performance;
- new heuristic improved telemetry;
- anti-malware support;
- Improved support through group policies.
I will give some screenshots with comments that show the technology in action:
Here is an improved interface for the information that is displayed to the user when visiting a suspicious site:
The same window, but only with the administrator forbidden to
go to the dangerous site: The following window will be shown if Internet Explorer determines that files will be downloaded from a dangerous source:
In rare cases, the user can see the following window that warns the user about suspicious sites:
XSS filter
The most interesting innovation in my opinion is the built-in XSS filter, which allows you to protect the user from “Cross-Site Scripting” attack. In order to at least approximately estimate the magnitude of the threat from XSS attacks, you can go to XSSed.com and see what are not the smallest public resources prone to these attacks. Any user can potentially become a victim simply by going to these resources, and now the number of such "leaky" sites has exceeded 20 thousand.
XSS-filter Internet Explorer 8 is directed against xss-attacks of the so-called Type1 type . According to information from Wikipedia, attacks of this type are the most common.
For those sites that for some reason do not want to allow the user to enable protection against XSS on their resources, an option is available in the HTTP headers: X-XSS-Protection: 0 . It may be needed by those who used techniques similar to XSS attacks in their projects.
General protection
In addition to protection against xss attacks, the following protection techniques and technologies will also be supported in the new version of the browser:
- HTML5 cross-document messaging support ;
- New XDomainRequest object for transferring data across domains
- the new toStaticHTML function, which will allow avoiding the introduction of dangerous code on pages by formatting html tags, this function does the same as the functions of the Microsoft Anti-Cross Site Scripting Library described here ;
- Internet Explorer 8 implements ECMAScript 3.1 features for working with JSON. To ensure security, the JSON object contains a parse function, which, like toStaticHTML, reliably formats potentially dangerous text;
- In the new version of Internet Explorer, the browser contains improvements in the so-called MIME sniffing mechanism. This functionality allows the browser to determine the content of a page not by its “content-type”, but by its content. Often, such a definition allowed the introduction of dangerous code. Now, for example, with "content-type: image / *", the embedded html or script code will not be rendered. To manage the filter, the developer can use the new authoritative parameter and specify “Content-Type: text / plain; authoritative = true; ”in which case IE8 will not try to determine the type of content by displaying it as directed in the“ Content-Type ”;
- New parameters for the HTTP headers X-Download-Options: noopen and Content-Disposition: attachment; filename = untrustedfile.html allows you to force the browser to save content instead of displaying it. This may be necessary in cases where a web application needs to transfer a page with insecure content to the user. If you save it on the client and then open it, such pages will not work in the context of the server, which will leave it safe;
- in the File Upload control, now for security reasons, they have changed the status of the input field to read-only. In addition to this, for the same purpose, IE8 will no longer send the full path of the file; instead, only its name will be sent;
- Internet Explorer 8 also contains some methods of counteracting attacks using social engineering, for example, I will give two screenshots of the correct
and incorrect PayPal.
It is noticeable that the real domain names are highlighted with darker text.
Conclusion
The article discusses several new security mechanisms in Internet Explorer 8. Some of them seemed quite significant to me, others less. The most interesting mechanism is the XSS filter, a very timely technique, which in our time is very relevant. In general, the size of the work on the security of the new browser is personally impressive to me. The eighth version will definitely take a significantly greater step in providing security than all its predecessors.