After the release of Internet Explorer Beta 2, numerous resources, including Habr, often discussed its innovations, mainly those relating to the interface and additional tools for the user. There are many such innovations: accelerators, a modified address bar, tab grouping, an advanced tool for developers, and much more. The change in the browser's page rendering is also widely discussed, including the fact that this mechanism was largely written from scratch for the eighth version. All this is of course interesting and significant, but the goal of this article is to compile information about the security features of the new browser.
Introduction
Not so long ago, on August 29, the article “Safe Navigation with IE8: A Compilation of Information” (Trustworthy Browsing with IE8: Summary) was posted on the MSDN IEBlog. That rather extensive article compiles the previous articles on security in IE. I don’t intend to translate all of those articles here: for me that would be very heavy work, and I don’t consider it necessary. The articles are written in accessible language and anyone can read them. In this article I will try to briefly present the major changes to the security elements in IE.
Content
- DEP / NX memory protection;
- improvements in ActiveX;
- SmartScreen Filter;
- XSS filter;
- general protection.
DEP / NX Memory Protection
The function "Enable memory protection to reduce the risk of attacks from the Internet" is available in the seventh version of the browser, but it is not enabled by default. True, this option does not exist on 64-bit platforms, but only because all processes in 64-bit versions of Windows are already protected by DEP. Now this feature will be enabled by default. Let me remind you that DEP / NX prevents the execution of code located in memory that is marked as data. Thus, a whole class of attacks, such as buffer overflows, is cut off.
ActiveX Improvements
In the eighth version of Internet Explorer, ActiveX controls can be installed for a specific user only (Per-User ActiveX), which reduces the risk of infection, provided the user does not work with administrator rights. In this case, only one user's profile is exposed to attack and nothing else.
Per-Site ActiveX is a new technique that allows an ActiveX control to be restricted so that it runs only on a single (your own) website and nowhere else. The user can also allow the use of, say, Silverlight only on the server where it was first needed. Like everything else, control of the ActiveX installation mechanism will be available to administrators through group policies.
SmartScreen Filter
SmartScreen is a new anti-phishing feature of Internet Explorer that extends the phishing filter available in previous versions of the browser. Here is a list of major changes:
- improved interface;
- improved performance;
- new heuristics and improved telemetry;
- anti-malware support;
- improved support through group policies.
Here are some screenshots with comments that show the technology in action.
This is the improved information interface displayed to the user when visiting a suspicious site:

The same window, but in the case where the administrator has forbidden navigation to a dangerous site:

The following window is displayed if Internet Explorer determines that files are about to be downloaded from a dangerous source:

In rare cases, the user may see the following window, which warns about a suspicious site:

XSS filter
The most interesting innovation, in my opinion, is the built-in XSS filter, which protects the user from cross-site scripting (XSS) attacks. To get at least a rough idea of the scale of the threat from XSS attacks, you can go to XSSed.com and see which far-from-small public resources are subject to these attacks. Any user can potentially become a victim simply by visiting these resources, and the number of such detected "leaky" sites has already exceeded 20 thousand.
The Internet Explorer 8 XSS filter is directed against so-called Type 1 XSS attacks. According to Wikipedia, this type of attack is the most common.

For sites that for some reason do not want the user's XSS protection enabled on their resources, an opt-out is available as an HTTP header: X-XSS-Protection: 0. It may be needed by those whose projects use techniques similar to XSS attacks.
General protection
In addition to protection against XSS attacks, the following protection techniques and technologies will be supported in the new version of the browser:
- Support for HTML5 cross-document messaging;
- A new XDomainRequest object for transferring data across domains;
- The new toStaticHTML function, which lets you avoid embedding dangerous code in the page by formatting HTML tags; this function does the same as the Microsoft Anti-Cross Site Scripting Library functions described here;
- Internet Explorer 8 implements the ECMAScript 3.1 features for working with JSON. To ensure security, the object for working with JSON contains the parse function, which, like toStaticHTML, reliably formats potentially dangerous text;
- The new version of Internet Explorer contains improvements to the so-called MIME-sniffing mechanism. This functionality lets the browser determine the type of a page not from the "Content-Type" header but from the content itself. This detection often allowed dangerous code to be injected. Now, for example, with "Content-Type: image/*", embedded HTML or script code will not be rendered. To control the filter, the developer can use the new authoritative parameter and specify "Content-Type: text/plain; authoritative=true;", in which case IE8 will not try to determine the content type and will display the content as instructed by "Content-Type";
- New HTTP header parameters, X-Download-Options: noopen and Content-Disposition: attachment; filename=untrustedfile.html, let you force the browser to save the content instead of displaying it. This may be necessary when the web application needs to send the user a page with unsafe content. If the page is saved on the client and then opened, it will not run in the context of the server, which keeps the server safe;
- In the File Upload control, for security reasons, the input field is now read-only. In addition, for the same purpose, IE8 will no longer send the full path of the file; only its name will be sent instead;
- Internet Explorer 8 also contains some methods of countering social-engineering attacks. For example, here are two screenshots, of the correct

and the wrong PayPal.

It is noticeable that the real domain names are highlighted with darker text.
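The MIME-sniffing and forced-download items above come down to what the server puts in its response headers. The following is an added example, not code from the original article or from Microsoft: the function names, the application/octet-stream type and the X-Content-Type-Options header are assumptions that do not appear in the article, and the sample upload name is constructed.

```javascript
// Added example, not from the original article. Function names are hypothetical.

// Reduce an attacker-influenced upload name to a safe token for a header value.
function safeFilename(name) {
  // Keep only the last path component (handles both / and \ separators).
  const base = String(name).split(/[\\/]/).pop();
  // Allow-list: anything else (quotes, CR/LF, ';', spaces) becomes '_',
  // so the value cannot leave the quoted string or start a new header line.
  const cleaned = base.replace(/[^A-Za-z0-9._-]/g, '_').replace(/^\.+/, '');
  return cleaned || 'download';
}

// mode 'download': force "Save" and suppress "Open" (the two headers in the list).
// mode 'text': render as plain text and tell IE8 not to sniff the body.
function headersForUntrusted(filename, mode) {
  if (mode === 'download') {
    return {
      // Assumption: generic binary type; the article does not name one.
      'Content-Type': 'application/octet-stream',
      'Content-Disposition': `attachment; filename="${safeFilename(filename)}"`,
      'X-Download-Options': 'noopen',
    };
  }
  if (mode === 'text') {
    return {
      'Content-Type': 'text/plain; authoritative=true',
      // Not in the article: added for browsers that ignore "authoritative".
      'X-Content-Type-Options': 'nosniff',
    };
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Works with any object exposing writeHead/end, e.g. Node's http.ServerResponse.
function serveUntrusted(res, filename, body, mode) {
  res.writeHead(200, headersForUntrusted(filename, mode));
  res.end(body);
}

// Constructed sample: a hostile upload name with a path, a quote and CR/LF.
const sample = '..\\..\\evil".html\r\nSet-Cookie: sid=1';
console.log(headersForUntrusted(sample, 'download'));
```

The file name is the only attacker-influenced value that reaches a header here, which is why it goes through an allow-list before being placed inside the quoted Content-Disposition parameter.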
Conclusion
The article reviewed several new protection mechanisms in Internet Explorer 8. Some of them seemed quite significant to me, others less so. The most interesting mechanism is the XSS filter, a very timely technique that is highly relevant nowadays. In general, the amount of work done on the security of the new browser personally impresses me. The eighth version is definitely a much greater step forward in security than all its predecessors.